Terms
- (EC)DH : see document
- (KEM) ciphertext : see document
- A bit string that is produced by encapsulation and used as an input to decapsulation.
- (p, t)-completeness : see document
- For a given set of n variables, (p, t)-completeness is the proportion of the C(n, t) combinations that have configuration coverage of at least p.
- (t + k)-way combination coverage : see document
- For a given test set that provides 100% t-way coverage for n variables, (t+k)-way combination coverage is the proportion of (t+k)-way combinations of n variables for which all variable-values configurations are fully covered.
- .csv : see document
- [<i>T</i>]<sub>2</sub> : see document
- A binary representation for the integer <i>T</i> (using an agreed-upon length and bit order).
- An integer T represented as a binary string (denoted by the “2”) with a length specified by the function, an algorithm, or a protocol which uses T as an input.
- {<i>X</i>} : see document
- Used to indicate that data X is an optional input to the key derivation function.
- Indicates that the inclusion of X is optional.
- + : see document
- Addition. For example, 5 + 4 = 9.
- <em>(n, d)</em> : see document
- RSA private key in the basic format.
- <em>(n, e)</em> : see document
- <em>(n, e, d, p, q, dP, dQ, qInv)</em> : see document
- RSA private key in the Chinese Remainder Theorem (CRT) format.
- <em>(p, q, d)</em> : see document
- RSA private key in the prime-factor format.
- <em>(r, s)</em> : see document
- Digital signature for DSA or ECDSA.
- <em>[a, b]</em> : see document
- The set of integers x, such that a ≤ x ≤ b.
- The set of integers x such that a ≤ x ≤ b.
- <em>[x]<sub>m</sub></em> : see document
- The binary representation of the non-negative integer x, in m bits, where x < 2<sup>m</sup>.
- <em>[x]<sub>s</sub></em> : see document
- The binary representation of the non-negative integer x, in s bits, where x < 2<sup>s</sup>.
- The binary representation of the non-negative integer x as a string of s bits, where x < 2<sup>s</sup>.
- <em>{a<sub>1</sub>, ..., a<sub>i</sub>}</em> : see document
- The internal state of the DRBG at a point in time. The types and number of the a<sub>i</sub> values depend on the specific DRBG mechanism.
- <em>{x, y}</em> : see document
- A set containing the integers x and y.
- <em>|x|</em> : see document
- The length of a bit string <i>X</i> in bits.
- The length (in bits) of the bit string x. For example, |01100100| = 8.
- <em><strong>leftmost (V, a)</strong></em> : see document
- The leftmost a bits of V.
- <em><strong>len (a)</strong></em> : see document
- The length in bits of string a.
- <em><strong>min (a, b)</strong></em> : see document
- <em><strong>rightmost (V, a)</strong></em> : see document
- The rightmost a bits of V.
- <em><strong>select (V, a, b)</strong></em> : see document
- A substring of string V consisting of bit a through bit b.
- <em><strong>X • Y</strong></em> : see document
- The product of two blocks, X and Y, regarded as elements of a certain binary Galois field.
- <em><strong>x mod n</strong></em> : see document
- The unique remainder r (where 0 ≤ r ≤ n-1) when integer x is divided by n. For example, 23 mod 7 = 2.
- <em>∇ψ<sup>2</sup><sub>m</sub>(obs); ∇<sup>2</sup>ψ<sup>2</sup><sub>m</sub>(obs)</em> : see document
- A measure of how well the observed values match the expected value. See Sections 2.11 and 3.11.
- <em>0<sup>s</sup></em> : see document
- For a positive integer s, 0<sup>s</sup> is the string that consists of s consecutive 0 bits.
- The bit string that consists of s ‘0’ bits.
- The bit string that consists of s consecutive ‘0’ bits.
- <em>0x</em> : see document
- A string of x zero bits. For example, 0<sup>5</sup> = 00000.
- The prefix to a bit string that is represented in hexadecimal characters.
- The marker for the beginning of a hexadecimal representation of a bit string.
- <em>0x0X</em> : see document
- 8-bit binary representation of the hexadecimal number X, for example, 0x02 = 00000010.
- <em>0xab</em> : see document
- Hexadecimal notation that is used to define a byte (i.e., eight bits) of information, where a and b each specify four bits of information and have values from the range {0, 1, 2,…F}. For example, 0xc6 is used to represent 11000110, where c is 1100, and 6 is 0110.
- <em>a mod b</em> : see document
- The modulo operation of integers a and b. “a mod b” returns the remainder after dividing a by b.
- <em>A(i)</em> : see document
- The output of the <i>i</i><sup>th</sup> iteration in the first pipeline of a double pipeline iteration mode.
- The output of the i<sup>th</sup> iteration in the first pipeline in a double-pipeline iteration mode.
- <em>A</em> : see document
- The associated data string.
- The additional authenticated data.
- Additional input that is bound to the secret keying material; a byte string.
- A short, alphanumeric string derived from a user’s public key using a hash function, with additional data to detect errors. Addresses are used to send and receive digital assets.
- Additional input that is bound to keying material; a byte string.
- <em>a</em> : see document
- The octet length of the associated data.
- <em>AES(k, input)</em> : see document
- A single AES encryption operation as specified in [FIPS 197] with k and input being the AES encryption key and one 128-bit block of plaintext/data, respectively.
- <em>Alen</em> : see document
- The bit length of the associated data.
- <em>Alphabet size</em> : see document
- The number of distinct symbols that the noise source produces.
- <em>Alphabet</em> : see document
- A finite set of two or more symbols.
- <em>assurance_level</em> : see document
- The level of assurance (e.g., HIGH, MEDIUM, or LOW) that a claimed signatory possesses the private signature key.
- <em>b</em> : see document
- The bit length of a block.
- <em>B</em> : see document
- The bit string to be determined.
- <em>B<sub>i</sub></em> : see document
- The i<sup>th</sup> block of the formatted input.
- <em>Binary data (from a noise source)</em> : see document
- Digitized output from a noise source that consists of a single bit; that is, each sampled output value is represented as either 0 or 1.
- <em>bLen</em> : see document
- The length of the bit string B in bits.
- <em>C<sup>#</sup><sub>j</sub></em> : see document
- The j<sup>th</sup> ciphertext segment.
- <em>C<sup>*</sup><sub>n</sub></em> : see document
- The last block of the ciphertext, which may be a partial block.
- <em>CIPH<sup>-1</sup><sub>K</sub>(X)</em> : see document
- The inverse cipher function of the block cipher algorithm under the key K applied to the data block X.
- The output of the inverse of the designated cipher function of the block cipher under the key K applied to the block X.
- <em>CIPH<sub>K</sub>(X)</em> : see document
- The forward cipher function of the block cipher algorithm under the key K applied to the data block X.
- The output of the forward cipher function of the block cipher under the key K applied to the block X.
- The output of the forward cipher function of the block cipher algorithm under the key K applied to the data block X.
- The output of the designated cipher function of the block cipher under the key K applied to the block X.
- <em>C<sub>j</sub></em> : see document
- The j<sup>th</sup> ciphertext block.
- <em>Clen</em> : see document
- The bit length of the ciphertext.
- <em>C<sub>n</sub></em> : see document
- Block of data representing the Ciphertext n.
- <em>Conditioning (of noise source output)</em> : see document
- A method of processing the raw data to reduce bias and/or ensure that the entropy rate of the conditioned output is no less than some specified amount.
- <em>Confidence interval</em> : see document
- An interval estimate [low, high] of a population parameter. If the population is repeatedly sampled, and confidence intervals are computed for each sample with significance level α, approximately 100(1 − α)% of the intervals are expected to contain the true population parameter.
- <em>Continuous test</em> : see document
- A type of health test performed within an entropy source on the output of its noise source in order to gain some level of assurance that the noise source is working correctly, prior to producing each output from the entropy source.
- <em>Ctr<sub>i</sub></em> : see document
- <em>Cumulative Distribution Function (CDF) F(x)</em> : see document
- A function giving the probability that the random variable X is less than or equal to x, for every value x. That is, F(x) = P(X ≤ x).
- <em>D</em> : see document
- A payload of data that is assembled and transmitted by the message signatory, which includes (at least) the message and a digital signature, and may also include one or more timestamps.
- The number of levels of trees in XMSS<sup>MT</sup>.
- <em>d</em> : see document
- The normalized difference between the observed and expected number of frequency components. See Sections 2.6 and 3.6.
- RSA private exponent; a positive integer.
- <em>Dataset</em> : see document
- A sequence of sample values. (See Sample.)
- <em>Destruction</em> : see document
- The process of overwriting, erasing, or physically destroying a key so that it cannot be recovered.
- The process of overwriting, erasing, or physically destroying information (e.g., a cryptographic key) so that it cannot be recovered. See NIST SP 800-88.
- <em>Dictionary</em> : see document
- A dynamic-length data structure that stores a collection of elements or values, where a unique label identifies each element. The label can be any data type.
- <em>Digitization</em> : see document
- The process of generating bits from the noise source.
- <em>dP</em> : see document
- RSA private exponent for the prime factor p in the CRT format, i.e., d mod (p - 1); an integer.
- RSA private exponent for the prime factor p in the CRT format, i.e., d mod (p-1); an integer.
- <em>dQ</em> : see document
- RSA private exponent for the prime factor q in the CRT format, i.e., d mod (q - 1); an integer.
- RSA private exponent for the prime factor q in the CRT format, i.e., d mod (q-1); an integer.
- <em>E[ ]</em> : see document
- The expected value of a random variable.
- <em>e</em> : see document
- The original input string of zero and one bits to be tested.
- RSA public exponent; a positive integer.
- <em>eBits</em> : see document
- The bit length of the RSA exponent e.
- Length in bits of the RSA exponent e.
- <em>e<sub>i</sub></em> : see document
- The i<sup>th</sup> bit in the original sequence e.
- <em>enc8(i)</em> : see document
- For an integer i ranging from 0 to 255, enc8(i) is the byte encoding of i, with bit 0 being the low-order bit of the byte.
- <em>Entropy rate</em> : see document
- The rate at which a digitized noise source (or entropy source) provides entropy; it is computed as the assessed amount of entropy provided by a bitstring output from the source, divided by the total number of bits in the bitstring (yielding the assessed bits of entropy per output bit). This will be a value between zero (no entropy) and one.
- <em>Estimate</em> : see document
- The estimated value of a parameter, as computed using an estimator.
- <em>Estimator</em> : see document
- A technique for estimating the value of a parameter.
- <em>F</em> : see document
- Standard Normal Cumulative Distribution Function (see Section 5.5.3).
- <em>f<sub>n</sub></em> : see document
- The sum of the log<sub>2</sub> distances between matching L-bit templates, i.e., the sum of the number of digits in the distance between L-bit templates. See Sections 2.9 and 3.9.
- <em>GCD(a, b)</em> : see document
- Greatest Common Divisor of two positive integers a and b. For example, GCD(12, 16) = 4.
- <em>GCTR<sub>K</sub>(ICB, X)</em> : see document
- The output of the GCTR function for a given block cipher with key K applied to the bit string X with an initial counter block ICB.
- <em>GHASH<sub>H</sub>(X)</em> : see document
- The output of the GHASH function under the hash subkey H applied to the bit string X.
- <em>g<sup>ir</sup></em> : see document
- DH key exchange value, also called a DH shared secret (in IKE version 2).
- <em>Global performance metric</em> : see document
- For a predictor, the number of accurate predictions over a long period.
- <em>g<sup>xy</sup></em> : see document
- Diffie-Hellman (DH) key exchange value, also called a DH shared secret (in IKE version 1).
- <em>H(M)</em> : see document
- A hash value that is generated on M.
- <em>H(x)</em> : see document
- A cryptographic hash function with x as an input.
- A cryptographic hash function with x as an input.
- <em>h</em> : see document
- An ECC domain parameter; the cofactor, a positive integer that is equal to the order of the elliptic curve group, divided by the order of the cyclic subgroup generated by the distinguished point G. That is, nh is the order of the elliptic curve, where n is the order of the cyclic subgroup generated by the distinguished point G.
- The length of the PRF output in bits.
- An integer whose value is the length of the output of the PRF in bits.
- <em>H</em> : see document
- An auxiliary function used in certain key derivation methods. H is either an approved hash function, hash, or an HMAC-hash based on an approved hash function, hash, with a salt value used as the HMAC key.
- In LMS and XMSS, the height of the tree. In XMSS<sup>MT</sup>, the total height of the multi-tree (the trees at each level have a height of H/D).
- <em>H<sub>0</sub></em> : see document
- The null hypothesis; i.e., the statement that the sequence is random.
- <em>HMAC-hash</em> : see document
- The HMAC algorithm using the hash function <i>hash</i> (e.g., <i>hash</i> could be SHA-1). See FIPS 198-1 for the specification of the HMAC algorithm using one of the approved hash functions.
- Keyed-hash Message Authentication Code (as specified in [FIPS 198]) with an approved hash function hash.
- <em>i</em> : see document
- A counter taking integer values in the interval [1, 2<i><sup>r</sup></i>-1] that is encoded as a bit string of length <i>r</i>; used as an input to each invocation of a PRF in the counter mode and (optionally) in the feedback and double-pipeline iteration modes.
- The counter for each iteration, which is represented as a binary string of length r when it is an input to each iteration of the PRF.
- <em>ICV1</em> : see document
- The 64-bit default ICV for KW: 0xA6A6A6A6A6A6A6A6.
- <em>ICV2</em> : see document
- The 32-bit default ICV for KWP: 0xA65959A6.
- <em>ICV3</em> : see document
- The 32-bit default ICV for TKW: 0xA6A6A6A6.
- <em>ID<sub>P</sub>, ID<sub>R</sub>, ID<sub>U</sub>, ID<sub>V</sub></em> : see document
- Identifier bit strings for parties P, R, U, and V, respectively.
- <em>I<sub>j</sub></em> : see document
- <em>I<sub>n</sub></em> : see document
- Block of data representing the Input Block n.
- <em>inc<sub>s</sub>(X)</em> : see document
- The output of incrementing the right-most s bits of the bit string X, regarded as the binary representation of an integer, by 1 modulo 2<sup>s</sup>.
- <em>Independent</em> : see document
- Two random variables X and Y are independent if they do not convey information about each other. Receiving information about X does not change the assessment of the probability distribution of Y (and vice versa).
- <em>int(X)</em> : see document
- The integer for which the bit string X is a binary representation.
- The integer for which the bit string X is the binary representation.
- <em>len(X)</em> : see document
- The bit length of the bit string X.
- <em>j</em> : see document
- The index to a sequence of data blocks or data segments ordered from left to right.
- <em>K<sub>1</sub></em> : see document
- <em>K<sub>2</sub></em> : see document
- <em>Key management product</em> : see document
- A key management product is a cryptographic key (symmetric or asymmetric) or certificate used for encryption, decryption, digital signature, or signature verification; and other items, such as certificate revocation lists and compromised key lists, obtained by trusted means from the same source, which validate the authenticity of keys or certificates. Software that performs either a security or cryptographic function (e.g., keying material accounting and control, random number generation, cryptographic module verification) is also considered to be a cryptographic product.
- A symmetric or asymmetric cryptographic key, a public-key certificate and other related items (such as domain parameters, IVs, random numbers, certificate revocation lists and compromised key lists, and tokens) that are obtained by a trusted means from some source.
- <em>Key specification</em> : see document
- A key specification documents the data format, encryption algorithms, hashing algorithms, signature algorithms, physical media, and data constraints for keys required by a cryptographic device and/or application.
- A specification of the data format, cryptographic algorithms, physical media, and data constraints for keys required by a cryptographic device, application or process.
- <em>Key<sub>1</sub></em> : see document
- The first component of a TDEA key.
- <em>Key<sub>2</sub></em> : see document
- The second component of a TDEA key.
- <em>Key<sub>3</sub></em> : see document
- The third component of a TDEA key.
- <em>KeyData</em> : see document
- Keying material other than that which is used for the MacKey employed in key confirmation.
- <em>KEY<sub>n</sub></em> : see document
- Block of data representing KEY n.
- <em>Kill Command</em> : see document
- A command that readers can send to tags that uses electronic disabling mechanisms to prevent tags from responding to any additional commands.
- <em>Klen</em> : see document
- The bit length of the block cipher key.
- <em>kLen</em> : see document
- <em>L</em> : see document
- An integer specifying the length of the derived keying material <i>K<sub>OUT</sub></i> in bits, which is represented as a bit string when it is an input to a key-derivation function.
- An integer specifying the length of the derived keying material K<sub>O</sub> in bits, which is represented as a binary string when it is an input to a key derivation function.
- An integer specifying the length of the derived keying material K<sub>M</sub> in bits, which is represented as a binary string when it is an input to a key derivation procedure.
- The number of levels of trees in HSS.
- <em>L-bit Hash Function</em> : see document
- A hash function for which the length of the output is L bits.
- <em>LCM(a, b)</em> : see document
- Least Common Multiple of two positive integers a and b. For example, LCM(4, 6) = 12.
- <em>Len</em> : see document
- The number of n-byte string elements in a WOTS+ private key, public key, and signature.
- <em>Level of Significance (α)</em> : see document
- The probability of falsely rejecting the null hypothesis, i.e., the probability of concluding that the null hypothesis is false when the hypothesis is, in fact, true. The tester usually chooses this value; typical values are 0.05, 0.01 or 0.001; occasionally, smaller values such as 0.0001 are used. The level of significance is the probability of concluding that a sequence is non-random when it is in fact random. Synonyms: Type I error, α error.
- <em>lg(x)</em> : see document
- The base 2 logarithm of the positive real number x.
- <em>List</em> : see document
- A dynamic-length data structure that stores a sequence of values, where each value is identified by its integer index.
- <em>Local performance metric</em> : see document
- For a predictor, the length of the longest run of correct predictions.
- <em>Lock Command</em> : see document
- A command that readers can send to a tag to block access to certain information on the tag.
- <em>log(x)</em> : see document
- The natural logarithm of x: log(x) = log<sub>e</sub>(x) = ln(x).
- <em>log<sub>2</sub>(x)</em> : see document
- Defined as ln(x)/ln(2), where ln is the natural logarithm.
- <em>LSB<sub>m</sub>(X)</em> : see document
- The bit string consisting of the m least significant bits of the bit string X.
- <em>MacData</em> : see document
- A byte string input to the MacTag computation.
- <em>MacData<sub>U</sub> (or MacData<sub>V</sub>)</em> : see document
- MacData associated with party U (or party V, respectively), and used to generate MacTag<sub>U</sub> (or MacTag<sub>V</sub>, respectively). Each is a byte string.
- <em>MacKey</em> : see document
- Key used to compute the MAC; a byte string.
- <em>MacKeyLen</em> : see document
- The byte length of the MacKey.
- Length in bytes of the MacKey.
- <em>MacTagLen</em> : see document
- The byte length of MacTag.
- The length of MacTag in bytes.
- <em>MacTag<sub>V</sub> (or MacTag<sub>U</sub>)</em> : see document
- The MacTag generated by party V (or party U, respectively). Each is a byte string.
- <em>Markov model</em> : see document
- A model for a probability distribution where the probability that the i<sup>th</sup> element of a sequence has a given value depends only on the values of the previous n elements of the sequence. The model is called an n<sup>th</sup> order Markov model.
- <em>MaxErrs</em> : see document
- The maximum number of times that the output of any implementation of the decryption verification process can be INVALID before the key is retired.
- <em>mgfSeed</em> : see document
- String from which a mask is derived; a byte string.
- <em>M<sub>i</sub></em> : see document
- The i<sup>th</sup> block of the formatted message.
- <em>min(x, y)</em> : see document
- The minimum of x and y. For example, if x < y, then min(x, y) = x.
- The minimum of x and y; min(x, y) = x if x < y, and min(x, y) = y otherwise.
- <em>Mlen</em> : see document
- The bit length of the message.
- <em>M<sup>*</sup><sub>n</sub></em> : see document
- The final block, possibly a partial block, of the formatted message.
- <em>M<sub>s</sub></em> : see document
- The (original) message prior to randomization.
- <em>MSB<sub>m</sub>(X)</em> : see document
- The bit string consisting of the m most significant bits of the bit string X.
- <em>N</em> : see document
- The number of M-bit blocks to be tested.
- <em>n</em> : see document
- The number of iterations of the PRF needed to generate <i>L</i> bits of keying material.
- The number of bits in the stream being tested.
- The number of data blocks or data segments in the plaintext.
- The number of blocks in the formatted message.
- The octet length of the nonce.
- RSA modulus. n = pq, where p and q are distinct odd primes.
- The number of bytes in the output of a hash function.
- <em>Narrowest internal width</em> : see document
- The maximum amount of information from the input that can affect the output. For example, if f(x) = SHA-1(x) || 01, and x consists of a string of 1000 binary bits, then the narrowest internal width of f(x) is 160 bits (the SHA-1 output length), and the output width of f(x) is 162 bits (the 160 bits from the SHA-1 operation, concatenated by 01).
- <em>nBits</em> : see document
- The bit length of the RSA modulus n.
- Length in bits of the RSA modulus n.
- <em>nLen</em> : see document
- The bit length of the nonce.
- The byte length of the RSA modulus n. (Note that in FIPS 186, nlen refers to the bit length of n.)
- Length in bytes of the RSA modulus n.
- <em>Noise source</em> : see document
- The component of an entropy source that contains the non-deterministic, entropy-producing activity (e.g., thermal noise or hard drive seek times).
- <em>Non-deterministic Random Bit Generator (NRBG)</em> : see document
- An RBG that always has access to an entropy source and (when working properly) produces output bitstrings that have full entropy. Often called a True Random Number (or Bit) Generator. (Contrast with a deterministic random bit generator).
- An RBG that always has access to an entropy source and (when working properly) produces outputs that have full entropy (see SP 800-90C). Also called a true random bit (or number) generator (Contrast with a DRBG).
- <em>Non-physical non-deterministic random bit generator</em> : see document
- An entropy source that does not use dedicated hardware but uses system resources (RAM content, thread number etc.) or the interaction of the user (time between keystrokes etc.).
- <em>Null</em> : see document
- <em>N<sub>V</sub></em> : see document
- Nonce contributed by party V; a byte string.
- <em>O<sub>j</sub></em> : see document
- <em>O<sub>n</sub></em> : see document
- Block of data representing Output Block n.
- <em>On-demand test</em> : see document
- A type of health test that is available to be run whenever a user or a relying component requests it.
- <em>P<sup>#</sup><sub>j</sub></em> : see document
- The j<sup>th</sup> plaintext segment.
- <em>P<sup>*</sup><sub>n</sub></em> : see document
- The last block of the plaintext, which may be a partial block.
- <em>p</em> : see document
- An FFC domain parameter; an odd prime number that determines the size of the finite field <i>GF</i>(<i>p</i>).
- 3.14159… unless defined otherwise for a specific test.
- First prime factor of the RSA modulus n.
- The number of n-byte string elements in an LM-OTS private key, public key, and signature.
- <em>padding</em> : see document
- A string consisting of a single “1” bit, followed by zero or more “0” bits.
- <em>Physical non-deterministic random bit generator</em> : see document
- An entropy source that uses dedicated hardware or uses a physical experiment (noisy diode(s), oscillators, event sampling like radioactive decay, etc.)
- <em>P<sub>j</sub></em> : see document
- <em>Plen</em> : see document
- The bit length of the payload.
- <em>P<sub>n</sub></em> : see document
- Block of data representing Plaintext n.
- <em>Predictor</em> : see document
- A function that predicts the next value in a sequence, based on previously observed values in the sequence.
- <em>PRF(s, x)</em> : see document
- A pseudorandom function with seed <i>s</i> and input data <i>x</i>.
- <em>PrivKey<sub>U</sub>, PrivKey<sub>V</sub></em> : see document
- Private key of party U or V, respectively.
- <em>Probability model</em> : see document
- A mathematical representation of a random phenomenon.
- <em>PubKey<sub>U</sub>, PubKey<sub>V</sub></em> : see document
- Public key of party U or V, respectively.
- <em>q</em> : see document
- When used as an FFC domain parameter, <i>q</i> is the (odd) prime number equal to the order of the multiplicative subgroup of <i>GF</i>(<i>p</i>)* generated by <i>g</i>. Note that <i>q</i> is a divisor of <i>p</i> – 1.
- When used as an ECC domain parameter, <i>q</i> is the field size. It is either an odd prime <i>p</i> or equal to 2<i><sup>m</sup></i>, for some prime integer <i>m</i>.
- The octet length of the binary representation of the octet length of the payload.
- Second prime factor of the RSA modulus n.
- <em>Q</em> : see document
- A bit string representation of the octet length of P.
- <em>qInv</em> : see document
- Inverse of q modulo p in the CRT format, i.e., q<sup>-1</sup> mod p; an integer.
- <em>r</em> : see document
- An integer that is less than or equal to 32, whose value is the bit length of the agreed-upon binary encoding of a counter <i>i</i> used as input during invocations of the PRF employed by a KDF.
- An integer, smaller or equal to 32, whose value is the length of the binary representation of the counter i when i is an input in counter mode or (optionally) in feedback mode and double-pipeline iteration mode of each iteration of the PRF.
- The number of blocks in the formatted input data (N, A, P).
- <em>R</em> : see document
- The constant within the algorithm for the block multiplication operation.
- In XMSS, the n-byte randomizer used for randomized message hashing.
- <em>Raw data</em> : see document
- Digitized output of the noise source.
- <em>R<sub>b</sub></em> : see document
- The constant string for subkey generation for a cipher with block size b.
- <em>RESULT<sub>n</sub></em> : see document
- Block of data representing Plaintext n, if encryption state, or Ciphertext n, if decryption state.
- <em>Run (of output sequences)</em> : see document
- A sequence of identical values.
- <em>rv[0…b]</em> : see document
- For bit string rv, rv[0…b] is a substring consisting of the leftmost b+1 bit(s) of rv, where b ≥ 0.
- <em>rv_length_indicator</em> : see document
- A 16-bit binary representation of the length (in bits) of rv.
- <em>rv</em> : see document
- The random value that is combined with the message M<sub>s</sub> to produce the randomized message M.
- <em>S_XMSS</em> : see document
- A secret random value used for pseudorandom key generation in XMSS.
- <em>s</em> : see document
- The standard deviation of a random variable, σ = √(∫ (x − μ)<sup>2</sup> f(x) dx).
- The number of bits in a data segment.
- Security strength in bits.
- Salt used during randomness extraction.
- <em>S</em> : see document
- The desired security strength for a digital signature.
- <em>σ<sup>2</sup></em> : see document
- The variance of a random variable = (standard deviation)<sup>2</sup>.
- <em>Sample</em> : see document
- An observation of the raw data output by a noise source. Common examples of output values obtained by sampling are single bits, single bytes, etc. (The term “sample” is often extended to denote a sequence of such observations; this Recommendation will refrain from that practice.)
- <em>Security boundary</em> : see document
- A conceptual boundary that is used to assess the amount of entropy provided by the values output from an entropy source. The entropy assessment is performed under the assumption that any observer (including any adversary) is outside of that boundary.
- <em>SEED</em> : see document
- An optional ECC domain parameter; an initialization value that is used during domain parameter generation that can also be used to provide assurance at a later time that the resulting domain parameters were generated using a canonical process.
- An FFC domain parameter; an initialization value that is used during domain parameter generation that can also be used to provide assurance at a later time that the resulting domain parameters were generated using a canonical process.
- In XMSS, the public, random, unique identifier for the long-term key.
- In LMS, a secret random value used for pseudorandom key generation.
- <em>sig’</em> : see document
- The received digital signature of a randomized message.
- <em>sig</em> : see document
- A digital signature of a randomized message.
- <em>SK_PRF</em> : see document
- An n-byte key used to pseudorandomly generate the randomizer r.
- <em>SKEY</em> : see document
- <em>Sn</em> : see document
- The n<sup>th</sup> partial sum for values X<sub>i</sub> = {-1, +1}; i.e., the sum of the first n values of X<sub>i</sub>.
- <em>s<sub>obs</sub></em> : see document
- The observed value which is used as a statistic in the Frequency test.
- <em>ss_K</em> : see document
- The security strength that can be supported by the key K.
- <em>ss_M<sub>i</sub></em> : see document
- The security strength that can be supported by the combination of the methods used to generate a key K<sub>i</sub>, and the methods used to protect it after generation (e.g., during key-transport and/or storage).
- <em>Start-up testing</em> : see document
- A suite of health tests that are performed every time the entropy source is initialized or powered up. These tests are carried out on the noise source before any output is released from the entropy source.
- <em>Stochastic model</em> : see document
- A stochastic model is a mathematical description (of the relevant properties) of an entropy source using random variables. A stochastic model used for an entropy source analysis is used to support the estimation of the entropy of the digitized data and finally of the raw data. In particular, the model is intended to provide a family of distributions, which contains the true (but unknown) distribution of the noise source outputs. Moreover, the stochastic model should allow an understanding of the factors that may affect the entropy. The distribution of the entropy source needs to remain in the family of distributions, even if the quality of the digitized data goes down.
- <em>Submitter</em> : see document
- The party that submits the entire entropy source and output from its components for validation. The submitter can be any entity that can provide validation information as required by this Recommendation (e.g., developer, designer, vendor or any organization).
- <em>Symbol</em> : see document
- The value of the noise source output (i.e., sample value).
- <em>T</em> : see document
- The MAC that is generated as an internal variable in the CCM processes.
- <em>t</em> : see document
- The octet length of the MAC.
- The bit length of the authentication tag.
- <em>T<sub>192</sub>(X)</em> : see document
- A truncation function that outputs the most significant (i.e., leftmost) 192 bits of the input bit string X.
- <em>Testing laboratory</em> : see document
- An accredited cryptographic security testing laboratory.
- <em>TEXT<sub>n</sub></em> : see document
- Block of data representing Plaintext n, if encryption state, or Ciphertext n,
- <em>timestamp_signatureTTA</em> : see document
- A digital signature that is generated using a TTA’s private signature key.
- <em>timestamp_time</em> : see document
- The time provided in a timestamp.
- <em>timestamp</em> : see document
- Contains the time and, possibly, other information; a component of timestamped_data.
- <em>timestamped_data</em> : see document
- The data on which a digital signature is generated by a TTA.
- <em>Tj</em> : see document
- <em>Tlen</em> : see document
- The bit length of the MAC.
- <em>T<sub>MacTagBits</sub>(X)</em> : see document
- A truncation function that outputs the most significant (i.e., leftmost) MacTagBits bits of the input string, X, when the bit length of X is greater than MacTagBits; otherwise, the function outputs X. For example, T<sub>2</sub>(1011) = 10, T<sub>3</sub>(1011) = 101, and T<sub>4</sub>(1011) = 1011.
- A truncation function that outputs the most significant (i.e., leftmost) MacTagBits bits of the input string, X, when the bit length of X is greater than MacTagBits; otherwise, the function outputs X. For example, T<sub>2</sub>(1011)=10, T<sub>3</sub>(1011)=101, and T<sub>4</sub>(1011)=1011.
- <em>TTA_supplied_info</em> : see document
- Additional information that is included in the timestamped_data by a TTA during the generation of a timestamp_signature.
- <em>TW(S)</em> : see document
- The output of the wrapping function for TKW applied to the string S.
- <em>TW<sup>-1</sup>(C)</em> : see document
- The output of the unwrapping function for TKW applied to the string C.
- <em>Type I error</em> : see document
- Incorrect rejection of a true null hypothesis.
- <em>u</em> : see document
- The number of bits in the last plaintext or ciphertext block.
- <em>user_supplied_info</em> : see document
- Additional information that is provided by an entity when requesting a timestamp from a TTA.
- <em>VARIABLE<sub>n</sub></em> : see document
- Block of data representing the value of VARIABLE for the nth iteration
- <em>V<sub>n</sub>(obs)</em> : see document
- The observed number of runs in a sequence of length n. See Sections 2.3 and 3.3.
- <em>V<sub>n</sub></em> : see document
- The expected number of runs that would occur in a sequence of length n under an assumption of randomness. See Sections 2.3 and 3.3.
- <em>W(S)</em> : see document
- The output of the wrapping function for KW and KWP applied to the bit string S.
- <em>w</em> : see document
- The length of a key-derivation key in bits.
- An integer that denotes the length of a key derivation key in bits.
- In XMSS, the length of a Winternitz chain. A single Winternitz chain uses log2(w) bits from the hash or checksum.
- In LMS, the number of bits from the hash or checksum used in a single Winternitz chain. The length of a Winternitz chain is 2<sup>w</sup>. (Note that using a Winternitz parameter of w = 4 in LMS would be comparable to using a parameter of w = 16 in XMSS.)
- <em>W<sup>-1</sup>(C)</em> : see document
- The output of the unwrapping function for KW and KWP applied to the bit string C.
- <em>X =? Y</em> : see document
- Check for the equality of X and Y.
- Check for equality of X and Y.
- <em>x<sup>-1</sup> mod n</em> : see document
- The multiplicative inverse of the integer x modulo the positive integer n. This quantity is defined if and only if x is relatively prime to n. For the purposes of this Recommendation, y = x<sup>-1</sup> mod n is the unique integer satisfying the following two conditions:
- The multiplicative inverse of the integer x modulo the positive integer n. This quantity is defined if and only if x is relatively prime to n. For the purposes of this Recommendation, y = x<sup>-1</sup> mod n is the unique integer satisfying the following two conditions: 1) 0 ≤ y < n, and 2) 1 = (xy) mod n.
- <em>x mod n</em> : see document
- The unique remainder r, 0 ≤ r ≤ (n – 1), when integer x is divided by positive integer n. For example, 23 mod 7 = 2.
- The modular reduction of the (arbitrary) integer x by the positive integer n (the modulus). For the purposes of this Recommendation, y = x mod n is the unique integer satisfying the following two conditions: 1) 0 ≤ y < n, and 2) x - y is divisible by n.
- <em>X|Y</em> : see document
- <em>X⊕Y</em> : see document
- Bit-wise inclusive-or of two bit-strings X and Y of the same bit length.
- The bitwise exclusive-OR of two bit strings X and Y of the same length.
- The bitwise exclusive-OR of bit strings X and Y whose bit lengths are equal.
- Bitwise exclusive-or (also bitwise addition modulo 2) of two bitstrings X and Y of the same length.
- <em>X</em> : see document
- The smallest integer that is larger than or equal to X. The ceiling of X.
- Byte string to be converted to or from an integer; the output of conversion from an ASCII string.
- <em>⎾x⏋</em> : see document
- The smallest integer that is larger than or equal to <i>X</i>. The ceiling of <i>X</i>. For example, <span class="math-tex">\(\lceil\)</span>8.2<span class="math-tex">\(\rceil\)</span> = 9.
- The ceiling of x; the smallest integer ≥ x. For example, ⎾5⏋ = 5 and ⎾5.2⏋ = 6.
- For a real number x, ⌈x⌉ is the least integer that is not strictly less than x. For example, ⌈3.2⌉ = 4, ⌈−3.2⌉ = −3, and ⌈6⌉=6.
- The ceiling of x; the smallest integer ≥ x. For example, ⎾5⏋ = 5 and ⎾5.3⏋ = 6.
- The ceiling of x; the smallest integer <span class="math-tex">\(\geq\)</span> x. For example, <span class="math-tex">\(\lceil\)</span>5<span class="math-tex">\(\rceil\)</span> = 5 and <span class="math-tex">\(\lceil\)</span>5.3<span class="math-tex">\(\rceil\)</span> = 6.
- <em>X << 1</em> : see document
- The bit string that results from discarding the leftmost bit of the bit string X and appending a ‘0’ bit on the right.
- <em>X >> 1</em> : see document
- The bit string that results from discarding the rightmost bit of the bit string X and prepending a ‘0’ bit on the left.
- <em>x·y</em> : see document
- The product of two integers, x and y.
- <em>χ<sup>2</sup>(obs)</em> : see document
- The chi-square statistic computed on the observed values. See Sections 2.2, 2.4, 2.5, 2.7, 2.8, 2.10, 2.12, 2.14, and the corresponding sections of Section 3.
- <em>χ<sup>2</sup></em> : see document
- The [theoretical] chi-square distribution; used as a test statistic; also, a test statistic that follows the χ<sup>2</sup> distribution.
- <em>X<sub>i</sub></em> : see document
- The elements of the string consisting of ±1 that is to be tested for randomness, where X<sub>i</sub> = 2e<sub>i</sub> − 1.
- For a positive integer i, the ith power of X under the product ‘•’.
- <em>x<sub>j</sub></em> : see document
- The total number of times that a given state occurs in the identified cycles. See Sections 2.15 and 3.15.
- <em>Z</em> : see document
- A shared secret (represented as a byte string) that is used to derive secret keying material using a key derivation method.
- A shared secret that is used to derive secret keying material using a key-derivation method; a byte string.
- <i>K<sub>IN</sub></i> : see document
- A key-derivation key used as input to a key-derivation function (along with other data) to derive the output keying material <i>K<sub>OUT</sub></i>.
- <i>K<sub>OUT</sub></i> : see document
- Output keying material that is derived from the key-derivation key <i>K<sub>IN</sub></i> and other data that were used as input to a key-derivation function.
- <i>X</i> := <i>Y</i> : see document
- <i>X</i> is defined to be equal to <i>Y.</i>
- <span class="math-tex">\(\in\)</span> : see document
- For an element <i>s</i> and a set <i>S</i>, <i>s</i> <span class="math-tex">\(\in\)</span> <i>S</i>, means that <i>s</i> belongs to <i>S.</i>
- <span class="math-tex">\(\varepsilon\)</span> : see document
- A positive constant that is assumed to be no greater than <span class="math-tex">\(2^{-32}\)</span>.
- <strong>client</strong> : see document
- A machine or software application that accesses a cloud over a network connection, perhaps on behalf of a consumer.
- A function that uses the PKI to obtain certificates and validate certificates and signatures. Client functions are present in CAs and end entities. Client functions may also be present in entities that are not certificate holders. That is, a system or user that verifies signatures and validation paths is a client, even if it does not hold a certificate itself. See section 2.4.
- A system entity, usually a computer process acting on behalf of a human user, that makes use of a service provided by a server.
- A machine or software application that accesses a cloud over a network connection, perhaps on behalf of a consumer.
- A function that uses the PKI to obtain certificates and validate certificates and signatures. Client functions are present in CAs and end entities. Client functions may also be present in entities that are not certificate holders. That is, a system or user that verifies signatures and validation paths is a client, even if it does not hold a certificate itself.
- <strong>cloud consumer or customer</strong> : see document
- A person or organization that is a customer of a cloud; note that a cloud customer may itself be a cloud and that clouds may offer services to one another.
- <strong>cloud provider or provider</strong> : see document
- an organization that provides cloud services.
- <strong>Shall</strong> : see document
- The term used to indicate a requirement of a Federal Information Processing Standard (FIPS) or a requirement that needs to be fulfilled to claim conformance with this Recommendation. Note that <strong>shall</strong> may be coupled with <strong>not</strong> to become <strong>shall not</strong>.
- A requirement that needs to be fulfilled to claim conformance to this Recommendation. Note that <strong>shall</strong> may be coupled with <strong>not</strong> to become <strong>shall not</strong>.
- A requirement for Federal Government use.
- Used to indicate a requirement of this standard.
- Used to indicate a requirement of this Recommendation.
- This term is used to indicate a requirement of a Federal Information Processing Standard (FIPS) or a requirement that needs to be fulfilled to claim conformance to this Recommendation. Note that shall may be coupled with not to become shall not.
- This term is used to indicate a requirement of a Federal Information Processing Standard (FIPS) or a requirement that must be fulfilled to claim conformance to this Recommendation. Note that shall may be coupled with not to become shall not.
- This term is used to indicate a requirement that needs to be fulfilled to claim conformance to this Recommendation. Note that shall may be coupled with not to become shall not.
- Is required to. Requirements apply to conforming implementations.
- A requirement that needs to be fulfilled to claim conformance to this Recommendation. Note that shall may be coupled with not to become shall not.
- Used to indicate a requirement of this Recommendation. "Shall" may be coupled with "not" to become "shall not."
- The term used to indicate a requirement that needs to be fulfilled to claim conformance to this Recommendation. Note that shall may be coupled with not to become shall not.
- A requirement that must be met unless a justification of why it cannot be met is given and accepted.
- This term is used to indicate a requirement of a Federal Information Processing Standard (FIPS) or a requirement that must be fulfilled to claim conformance to this Recommendation; note that shall may be coupled with not to become shall not.
- <strong>Should</strong> : see document
- The term used to indicate an important recommendation. Ignoring the recommendation could result in undesirable results. Note that <strong>should</strong> may be coupled with <strong>not</strong> to become <strong>should not</strong>.
- Used to indicate a strong recommendation but not a requirement of this standard. Ignoring the recommendation could result in undesirable results.
- Used to indicate a strong recommendation but not a requirement of this standard. Ignoring the recommendation could lead to undesirable results.
- This term is used to indicate an important recommendation. Ignoring the recommendation could result in undesirable results. Note that should may be coupled with not to become should not.
- An important recommendation. Ignoring the recommendation could result in undesirable results. Note that should may be coupled with not to become should not.
- This term is used to indicate a very important recommendation. Ignoring the recommendation could result in undesirable results. Note that should may be coupled with not to become should not.
- Used to indicate a strong recommendation, but not a requirement of this Recommendation.
- Used to indicate a highly desirable feature for a DRBG mechanism that is not necessarily required by this Recommendation. "Should" may be coupled with "not" to become "should not."
- The term used to indicate an important recommendation. Ignoring the recommendation could result in undesirable results. Note that should may be coupled with not to become should not.
- When shown in a bold font, this term is used to indicate an important recommendation. Ignoring the recommendation could result in undesirable results. Note that should may be coupled with not to become should not.
- This term is used to indicate an important recommendation. Ignoring the recommendation could result in undesirable results.
- An objective that can be met. It is used when a specific requirement is not feasible in some situations or with common current technology. Non-conformance to such requirements requires less justification and should be more readily approved.
- ∅ : see document
- The empty binary string. That is, for any binary string A, ∅ || A = A || ∅ = A.
- 0<i>x</i>00 : see document
- An all-zero octet. In this Recommendation, it is suggested for use as an ending indicator of a variable length data field, which holds the ASCII code for a character string.
- 24 Hours a Day, Seven Days a Week : see document
- 24/7 : see document
- 2D : see document
- 2FA : see document
- Authentication using two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric).
- View of an object that focuses on the information relevant to a particular purpose and ignores the remainder of the information.
- An authentication system that requires more than one distinct authentication factor for successful authentication. Multifactor authentication can be performed using a multifactor authenticator or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are.
- Authentication using two or more different factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). See Authenticator.
- 2G : see document
- 2nd Generation : see document
- 2TDEA : see document
- Two-key Triple Data Encryption Algorithm specified in [NIST SP 800-67].
- 3D : see document
- 3DES : see document
- 3G : see document
- 3rd Generation : see document
- 3TDEA : see document
- Three-key Triple Data Encryption Algorithm specified in [NIST SP 800-67].
- 4G : see document
- 4th Generation : see document
- 5G : see document
- 5th Generation : see document
- 6LowPANs : see document
- 8 Phase Differential Phase Shift Keying : see document
- 8DPSK : see document
- a | x : see document
- A&A : see document
- A3 : see document
- AA : see document
- An entity, recognized by the Federal PKI Policy Authority or comparable Agency body as having the authority to verify the association of attributes to an identity.
- AAA : see document
- AAAK : see document
- AAD : see document
- The input data to the authenticated encryption function that is authenticated but not encrypted.
- AAL : see document
- A list of applications and application components (libraries, configuration files, etc.) that are authorized to be present or active on a host according to a well-defined baseline.
- A category that describes the strength of the authentication process.
- A category describing the strength of the authentication process.
- AAMI : see document
- AAMVA : see document
- AAP : see document
- AAR : see document
- A document containing findings and recommendations from an exercise or a test.
- AAS : see document
- AASC : see document
- ABAC : see document
- An access control approach in which access is mediated based on attributes associated with subjects (requesters) and the objects to be accessed. Each object and subject has a set of associated attributes, such as location, time of creation, access rights, etc. Access to an object is authorized or denied depending upon whether the required (e.g., policy-defined) correlation can be made between the attributes of that object and of the requesting subject.
- Access control based on attributes associated with and about subjects, objects, targets, initiators, resources, or the environment. An access control rule set defines the combination of attributes under which an access may take place. See also identity, credential, and access management (ICAM).
- An access control paradigm whereby access rights are granted to users through the use of policies that combine attributes together. The policies can use any type of attribute (user attributes, resource attributes, environment attributes, etc.).
- High-level requirements that specify how access is managed and who may access information under what circumstances.
- The set of rules that define the conditions under which an access may take place.
- Abbreviated Dialing Numbers : see document
- Phone book entries kept on the SIM.
- ABE : see document
- ABI : see document
- absolute error : see document
- The absolute difference between the noisy and unaltered versions of a query’s output.
- abstraction : see document
- View of an object that focuses on the information relevant to a particular purpose and ignores the remainder of the information.
- AC : see document
- The process of granting or denying specific requests to 1) obtain and use information and related information processing services and 2) enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances).
- The decision to permit or deny a subject access to system objects (network, data, application, service, etc.).
- To ensure that an entity can only access protected resources if they have the appropriate permissions based on the predefined access control policies.
- The process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances).
- The process of permitting or restricting access to applications at a granular level, such as per-user, per-group, and per-resources.
- Procedures and controls that limit or detect access to critical information resources. This can be accomplished through software, biometrics devices, or physical access to a controlled space.
- Enable authorized use of a resource while preventing unauthorized use or use in an unauthorized manner.
- Process of granting access to information system resources only to authorized users, programs, processes, or other systems.
- The process of granting access to information technology (IT) system resources only to authorized users, programs, processes, or other systems.
- The process of granting or denying specific requests to: (i) obtain and use information and related information processing services; and (ii) enter specific physical facilities (e.g., Federal buildings, military establishments, and border-crossing entrances).
- The process of granting or denying specific requests for obtaining and using information and related information processing services; and to enter specific physical facilities (e.g., Federal buildings, military establishments, and border crossing entrances).
- The process of limiting access to resources of a system only to authorized programs, processes, or other systems (in a network).
- The process of granting or denying specific requests for obtaining and using information and related information processing services.
- The process of granting or denying specific requests: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., Federal buildings, military establishments, border crossing entrances).
- AC RAM : see document
- ACA : see document
- ACC : see document
- acceptable use agreement : see document
- access agreement : see document
- access authority : see document
- An entity responsible for monitoring and granting access privileges for other authorized entities.
- Access Complexity : see document
- Reflects the complexity of the attack required to exploit the software feature misuse vulnerability.
- A means to convey the level of difficulty required for an attacker to exploit a vulnerability once the target system is identified.
- access control : see document
- The process of granting or denying specific requests to 1) obtain and use information and related information processing services and 2) enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances).
- The decision to permit or deny a subject access to system objects (network, data, application, service, etc.).
- To ensure that an entity can only access protected resources if they have the appropriate permissions based on the predefined access control policies.
- The right or a permission that is granted to a system entity to access a system resource.
- The official management decision given by a senior organizational official to authorize the operation of an information system and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation, based on the implementation of an agreed-upon set of security controls.
- The process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances).
- Access privileges granted to a user, program, or process or the act of granting those privileges.
- The process of permitting or restricting access to applications at a granular level, such as per-user, per-group, and per-resources.
- Procedures and controls that limit or detect access to critical information resources. This can be accomplished through software, biometrics devices, or physical access to a controlled space.
- The granting or denying of access rights to a user, program, or process.
- Enable authorized use of a resource while preventing unauthorized use or use in an unauthorized manner.
- Process of granting access to information system resources only to authorized users, programs, processes, or other systems.
- The process of granting access to information technology (IT) system resources only to authorized users, programs, processes, or other systems.
- Restricts resource access to only privileged entities.
- Restricts access to resources only to privileged entities.
- The process of granting or denying specific requests to: (i) obtain and use information and related information processing services; and (ii) enter specific physical facilities (e.g., Federal buildings, military establishments, and border-crossing entrances).
- As used in this Recommendation, the set of procedures and/or processes that only allow access to information in accordance with pre-established policies and rules.
- Restricts resource access to only authorized entities.
- The process of granting or denying specific requests for obtaining and using information and related information processing services; and to enter specific physical facilities (e.g., Federal buildings, military establishments, and border crossing entrances).
- The process of limiting access to resources of a system only to authorized programs, processes, or other systems (in a network).
- The process of granting or denying specific requests for obtaining and using information and related information processing services.
- The process of granting or denying specific requests: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., Federal buildings, military establishments, border crossing entrances).
- Restricts access to resources to only privileged entities.
- Access Control Entry : see document
- Access Control Matrix : see document
- A table in which each row represents a subject, each column represents an object, and each entry is the set of access rights for that subject to that object.
- access control mechanism : see document
- The logical component that serves to receive the access request from the subject, to decide, and to enforce the access decision.
- Implementations of a formal AC policy, such as an AC model. Access control mechanisms can be designed to adhere to the properties of the model by machine implementation using protocols, architecture, or formal languages such as program code.
- Security safeguards (i.e., hardware and software features, physical controls, operating procedures, management procedures, and various combinations of these) designed to detect and deny unauthorized access and permit authorized access to an information system.
- Access Control Model : see document
- Formal presentations of the security policies enforced by AC systems; they are useful for proving theoretical limitations of systems. AC models bridge the gap in abstraction between policy and mechanism.
- Access Control Policy : see document
- Policies that describe who is allowed to access the data and/or which parts of the data.
- An access control paradigm whereby access rights are granted to users through the use of policies that combine attributes together. The policies can use any type of attribute (user attributes, resource attributes, environment attributes, etc.).
- High-level requirements that specify how access is managed and who may access information under what circumstances.
- The set of rules that define the conditions under which an access may take place.
- Access Control Policy Tool : see document
- Access Control Rule : see document
- Access Control Rule Logic Circuit Simulation : see document
- Access control system : see document
- A set of procedures and/or processes, normally automated, which allows access to a controlled area or to information to be controlled, in accordance with pre-established policies and rules.
- access cross domain solution : see document
- A type of transfer cross domain solution (CDS) that provides access to a computing platform, application, or data residing in different security domains without transfer of user data between the domains.
- access level : see document
- A category within a given security classification limiting entry or system connectivity to only authorized persons.
- access list : see document
- A list of users, programs, and/or processes and the specifications of access categories to which each is assigned.
- Roster of individuals authorized admittance to a controlled area.
- Access Management : see document
- Access Management is the set of practices that enables only those permitted the ability to perform an action on a particular resource. The three most common Access Management services you encounter every day perhaps without realizing it are: Policy Administration, Authentication, and Authorization.
- Access Point (AP) : see document
- A device that logically connects wireless client devices operating in infrastructure to one another and provides access to a distribution system, if connected, which is typically an organization’s enterprise wired network.
- Access Point Name : see document
- access profile : see document
- Association of a user with a list of protected objects the user may access.
- access program (SAP) : see document
- A program established for a specific class of classified information that imposes safeguarding and access requirements that exceed those normally required for information at the same classification level.
- Access Rights Management : see document
- Access Strum : see document
- access type : see document
- The nature of an access right to a particular device, program, or file (e.g., read, write, execute, append, modify, delete, or create).
- Privilege to perform action on an object. Read, write, execute, append, modify, delete, and create are examples of access types.
- Access Vector : see document
- Reflects the access required to exploit the vulnerability.
- Measures an attacker’s ability to successfully exploit a vulnerability based on how remote an attacker can be, from a networking perspective, to an information system.
- Account : see document
- An entity in a blockchain that is identified with an address and can send transactions to the blockchain.
- account linking : see document
- The association of multiple federated identifiers with a single RP subscriber account or the management of those associations.
- account recovery : see document
- The ability to regain ownership of a subscriber account and its associated information and privileges.
- account resolution : see document
- The association of an RP subscriber account with information that is already held by the RP prior to the federation transaction and outside of a trust agreement.
- accountability : see document
- Property that ensures that the actions of an entity may be traced uniquely to the entity.
- A privacy principle (FIPP) that refers to an organization's requirements to demonstrate their implementation of the FIPPs and applicable privacy requirements.
- The principle that an individual is entrusted to safeguard and control equipment, keying material, and information and is answerable to proper authority for the loss or misuse of that equipment or information.
- The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.
- A property that ensures that the actions of an entity may be traced uniquely to that entity.
- The security objective that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.
- 2. The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.
- 1. Assigning key management responsibilities to individuals and holding them accountable for these activities. 2. A property that ensures that the actions of an entity may be traced uniquely to that entity.
- The property that ensures that the actions of an entity may be traced uniquely to the entity.
- The property of being able to trace activities on a system to individuals who may then be held responsible for their actions.
- accounting legend code : see document
- A numeric code used to indicate the minimum accounting controls required for items of accountable COMSEC material within the COMSEC material control system (CMCS).
- accounting number : see document
- A number assigned to an individual item of COMSEC material at its point of origin to facilitate its handling and accounting.
- accreditation : see document
- Formal declaration by a designated accrediting authority (DAA) or principal accrediting authority (PAA) that an information system is approved to operate at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards.
- Formal recognition that a laboratory is competent to carry out specific tests or calibrations or types of tests or calibrations.
- The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.
- The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.
- Also known as authorize processing (OMB Circular A-130, Appendix III) and approval to operate. Accreditation (or authorization to process information) is granted by a management official and provides an important quality control. By accrediting a system or application, a manager accepts the associated risk. Accreditation (authorization) must be based on a review of controls. (See Certification.)
- Formal declaration by a Designated Approving Authority that an Information System is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.
- Official management decision given by a senior Federal official or officials to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security and privacy controls. Authorization also applies to common controls inherited by agency information systems.
- accreditation boundary : see document
- Identifies the information resources covered by an accreditation decision, as distinguished from separately accredited information resources that are interconnected or with which information is exchanged via messaging.
- For the purposes of identifying the Protection Level for confidentiality of a system to be accredited, the system has a conceptual boundary that extends to all intended users of the system, both directly and indirectly connected, who receive output from the system.
- All components of an information system to be accredited by an authorizing official and excludes separately accredited systems, to which the information system is connected. Synonymous with the term security perimeter defined in CNSS Instruction 4009 and DCID 6/3.
- All components of an information system to be accredited by an authorizing official and excludes separately accredited systems to which the information system is connected. Synonymous with the term security perimeter defined in CNSS Instruction 4009 and DCID 6/3.
- Product comprised of a system security plan (SSP) and a report documenting the basis for the accreditation decision.
Rationale: The RMF uses a new term to refer to this concept, and it is called RMF security authorization package.
- A physical or logical boundary that is defined for a system, domain, or enclave; within which a particular security policy or security architecture is applied.
- See Accreditation Boundary.
- Accredited Standards Committee : see document
- accrediting authority : see document
- Synonymous with designated accrediting authority (DAA).
- A senior (federal) official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
- Senior (federal) official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
- Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals.
- See Authorizing Official.
- Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals. Synonymous with Accreditation Authority.
- Senior federal official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
- accuracy : see document
- Closeness of computations or estimates to the exact or true values that the statistics were intended to measure.
- The degree to which the noisy and unaltered versions of a query’s output differ.
- accuracy (absolute) : see document
- The degree of conformity of a measured or calculated value to the true value, typically based on a global reference system. For time, the global reference can be based on the following time scales: UTC, International Atomic Time (TAI), or GPS. For position, the global reference can be WGS 84.
- The degree of conformity of a measured or calculated value to the true value, typically based on a global reference system. For time, the global reference can be based on the following time scales: UTC, TAI, or GPS. For position, the global reference can be WGS-84.
- accuracy (relative) : see document
- The degree of agreement between measured or calculated values among the devices and applications dependent on the position, navigation, or time data at an instant in time.
- ACD : see document
- ACE : see document
- ACI : see document
- ACK : see document
- Acknowledgement : see document
- ACL : see document
- A mechanism that implements access control for a system resource by enumerating the system entities that are permitted to access the resource and stating, either implicitly or explicitly, the access modes granted to each entity.
- A mechanism that implements access control for a system resource by enumerating the identities of the system entities that are permitted to access the resources.
- A list of entities, together with their access rights, that are authorized to have access to a resource.
- ACM : see document
- Implementations of formal AC policy such as AC model. Access control mechanisms can be designed to adhere to the properties of the model by machine implementation using protocols, architecture, or formal languages such as program code.
- ACME : see document
- A protocol defined in IETF RFC 8555 that provides for the automated enrollment of certificates.
- ACO : see document
- ACP : see document
- High-level requirements that specify how access is managed and who may access information under what circumstances.
- The set of rules that define the conditions under which an access may take place.
- ACPI : see document
- ACPT : see document
- acquirer : see document
- Organization or entity that acquires or procures a product or service.
- Stakeholder that acquires or procures a product or service.
- Stakeholder that acquires or procures a product or service from a supplier.
- acquisition : see document
- Includes all stages of the process of acquiring product or services, beginning with the process for determining the need for the product or services and ending with contract completion and closeout.
- The process associated with obtaining products or services, typically through contracts involving the expenditure of financial resources, as well as to products or services that may be obtained on a cost-free basis via other mechanisms (e.g., the downloading of public domain software products and other software products with limited or no warranty, such as those commonly known as freeware or shareware from the commercial Internet).
- A process by which digital evidence is duplicated, copied, or imaged.
- Includes all stages of the process of acquiring product or service, beginning with the process for determining the need for the product or service and ending with contract completion and closeout.
- Process of obtaining a system, product, or service.
- ACR : see document
- ACRLCS : see document
- ACT : see document
- activation : see document
- The process of inputting an activation factor into a multi-factor authenticator to enable its use for authentication.
- activation data : see document
- A pass-phrase, personal identification number (PIN), biometric data, or other mechanisms of equivalent authentication robustness used to protect access to any use of a private key, except for private keys associated with System or Device certificates.
- Private data, other than keys, that are required to access cryptographic modules (i.e., unlock private keys for signing or decryption events).
- activation factor : see document
- An additional authentication factor that is used to enable successful authentication with a multi-factor authenticator.
- activation secret : see document
- A password that is used locally as an activation factor for a multi-factor authenticator.
- Activation/Issuance : see document
- A process that includes the procurement of FIPS-approved blank PIV Cards or hardware/software tokens (for Derived PIV Credential), initializing them using appropriate software and data elements, personalization of these cards/tokens with the identity credentials of authorized subjects, and pick-up/delivery of the personalized cards/tokens to the authorized subjects, along with appropriate instructions for protection and use.
- active attack : see document
- An attack on a secure communication protocol where the attacker transmits data to the claimant, Credential Service Provider (CSP), verifier, or Relying Party (RP). Examples of active attacks include man-in-the-middle (MitM), impersonation, and session hijacking. [NIST SP 800-63-3, adapted]
- An attack on a secure communication protocol where the attacker transmits data to the claimant, Credential Service Provider (CSP), verifier, or Relying Party (RP). Examples of active attacks include man-in-the-middle (MitM), impersonation, and session hijacking.
- An attack on the authentication protocol where the attacker transmits data to the claimant, Credential Service Provider (CSP), verifier, or Relying Party (RP). Examples of active attacks include man-in-the-middle (MitM), impersonation, and session hijacking.
- An attack on the authentication protocol where the Attacker transmits data to the Claimant, Credential Service Provider, Verifier, or Relying Party. Examples of active attacks include man-in-the-middle, impersonation, and session hijacking.
- active content : see document
- Electronic documents that can carry out or trigger actions automatically on a computer platform without the intervention of a user.
- active cyber defense : see document
- Synchronized, real-time capability to discover, detect, analyze, and mitigate threats and vulnerabilities.
- Active Directory : see document
- A Microsoft directory service for the management of identities in Windows domain networks.
- Active Directory Authentication Library : see document
- Active Directory Certificate Services : see document
- Active Directory Federation Services : see document
- Active Directory Forest Recovery : see document
- Active Directory Services : see document
- Active Directory/Domain Name System : see document
- Active Security Testing : see document
- Security testing that involves direct interaction with a target, such as sending packets to a target.
- Active Server Pages : see document
- Active state : see document
- A lifecycle state for a key in which the key may be used to cryptographically protect information (e.g., encrypt plaintext or generate a digital signature), to cryptographically process previously protected information (e.g., decrypt ciphertext or verify a digital signature) or both.
- The key state in which the key may be used to cryptographically protect information (e.g., encrypt plaintext or generate a digital signature), cryptographically process previously protected information (e.g., decrypt ciphertext or verify a digital signature), or both.
- Active Tag : see document
- A tag that relies on a battery for power.
- Activities : see document
- An assessment object that includes specific protection-related pursuits or actions supporting a system that involves people (e.g., conducting system backup operations, monitoring network traffic).
- An assessment object that includes specific protection-related pursuits or actions supporting an information system that involve people (e.g., conducting system backup operations, monitoring network traffic).
- activity : see document
- Set of cohesive tasks of a process.
- Actor : see document
- The source of risk that can result in harmful impact.
- ACTS : see document
- Actual Residual Risk : see document
- The risk remaining after management has taken action to alter its severity.
- Actual State : see document
- The observable state or behavior of an assessment object (device, software, person, credential, account, etc.) at the point in time when the collector generates security-related information. In particular, the actual state includes the states or behaviors that might indicate the presence of security defects.
- Actuating Capability : see document
- The ability to change something in the physical world.
- ACVP : see document
- ACVTS : see document
- AD : see document
- Input data to the CCM generation-encryption process that is authenticated but not encrypted.
- A Microsoft directory service for the management of identities in Windows domain networks.
- AD DS : see document
- AD FS : see document
- Ad Hoc HIEs : see document
- An Ad Hoc HIE occurs when two healthcare organizations exchange health information, usually under the precondition of familiarity and trust, using existing and usual office infrastructure such as mail, fax, e-mail and phone calls.
- Ad Hoc Network : see document
- A wireless network that dynamically connects wireless client devices to each other without the use of an infrastructure device, such as an access point or a base station.
- A wireless network that allows easy connection establishment between wireless client devices in the same physical area without the use of an infrastructure device, such as an access point or a base station.
- AD/DNS : see document
- ADAL : see document
- adaptability : see document
- The property of an architecture, design, and implementation that can accommodate changes to the threat model, mission or business functions, systems, and technologies without major programmatic impacts.
- The property of an architecture, design, and implementation which can accommodate changes to the threat model, mission or business functions, systems, and technologies without major programmatic impacts.
- Adaptive Network Control : see document
- Adaptive Security Appliance : see document
- ADC : see document
- ADCS : see document
- Additional Authenticated Data : see document
- The input data to the authenticated encryption function that is authenticated but not encrypted.
- Additional input : see document
- Information known by two parties that is cryptographically bound to the secret keying material being protected using the encryption operation.
- Information known by two parties that is cryptographically bound to the keying material being protected using the encryption operation.
- Addition-Rotation-XOR : see document
- add-on security : see document
- Incorporation of new or additional hardware, software, or firmware safeguards in an operational information system.
- Address : see document
- The associated data string.
- The additional authenticated data
- Additional input that is bound to the secret keying material; a byte string.
- A short, alphanumeric string derived from a user’s public key using a hash function, with additional data to detect errors. Addresses are used to send and receive digital assets.
- Additional input that is bound to keying material; a byte string.
- Address Resolution Protocol (ARP) : see document
- A protocol used to obtain a node’s physical address. A client station broadcasts an ARP request onto the network with the Internet Protocol (IP) address of the target node with which it wishes to communicate, and the node with that address responds by sending back its physical address so that packets can be transmitted to it.
- A protocol used to obtain a node’s physical address. A client station broadcasts an ARP request onto the network with the Internet Protocol (IP) address of the target node it wishes to communicate with, and the node with that address responds by sending back its physical address so that packets can be transmitted to it.
- Address Space IDentifier : see document
- Address Space Layout Randomization : see document
- addressable : see document
- To meet the addressable implementation specifications, a covered entity or business associate must (i) assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the electronic protected health information; and (ii) as applicable to the covered entity or business associate - (A) Implement the implementation specification if reasonable and appropriate; or (B) if implementing the implementation specification is not reasonable and appropriate—(1) document why it would not be reasonable and appropriate to implement the implementation specification; and (2) implement an equivalent alternative measure if reasonable and appropriate.
- Describing 21 of the HIPAA Security Rule’s 42 implementation specifications. To meet the addressable implementation specifications, a covered entity must (i) assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and (ii) as applicable to the entity - (A) Implement the implementation specification if reasonable and appropriate; or (B) if implementing the implementation specification is not reasonable and appropriate—(1) document why it would not be reasonable and appropriate to implement the implementation specification; and (2) implement an equivalent alternative measure if reasonable and appropriate.
- ADDS : see document
- adequate security : see document
- Meets minimum tolerable levels of security as determined by analysis, experience, or a combination of both and is as secure as reasonably practicable (i.e., incremental improvement in security would require an intolerable or disproportionate deterioration of meeting other system objectives, such as those for system performance, or would violate system constraints).
- Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.
- Security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.
- Security commensurate with the risk resulting from the loss, misuse, or unauthorized access to or modification of information.
- Security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information. This includes assuring that systems and applications operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, acquisition, development, installation, operational, and technical controls.
- Security protections commensurate with the risk resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information. This includes ensuring that information hosted on behalf of an agency and information systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and availability protections through the application of cost-effective security controls.
- Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. This includes assuring that systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls.
- ADFR : see document
- ADFS : see document
- ADFSL : see document
- adj-RIB-In : see document
- Routes learned from inbound update messages from BGP peers.
- adj-RIB-Out : see document
- Routes that the BGP router will advertise, based on its local policy, to its peers.
- Adjudicative Entity : see document
- An agency authorized by law, Executive Order, designation by the Security Executive Agent, or delegation by the Suitability & Credentialing Executive Agent to make an adjudication. Adjudication has the meaning provided in [Executive Order 13764], “(a) ‘Adjudication’ means the evaluation of pertinent data in a background investigation, as well as any other available information that is relevant and reliable, to determine whether a covered individual is: (i) suitable for Government employment; (ii) eligible for logical and physical access; (iii) eligible for access to classified information; (iv) eligible to hold a sensitive position; or (v) fit to perform work for or on behalf of the Government as a Federal employee, contractor, or non-appropriated fund employee.”
- ADK : see document
- Administration Control Center : see document
- Administrative domain : see document
- A logical collection of hosts and network resources (e.g., department, building, company, organization) governed by common policies.
- administrative incident (COMSEC) : see document
- A violation of procedures or practices dangerous to security that is not serious enough to jeopardize the integrity of a controlled cryptographic item (CCI), but requires corrective action to ensure the violation does not recur or possibly lead to a reportable COMSEC incident.
- ADP : see document
- ADRS<sup>C</sup> : see document
- ADS : see document
- Advanced Configuration and Power Interface : see document
- advanced cyber threat : see document
- See advanced persistent threat.
- Advanced Encryption Standard : see document
- A U.S. Government-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information.
- Advanced Encryption Standard (as specified in FIPS 197).
- Advanced Encryption Standard specified in [FIPS 197].
- Advanced Encryption Standard Algorithm Validation Suite : see document
- Advanced Encryption Standard-Cipher Block Chaining : see document
- Advanced Encryption Standard-Cipher-based Message Authentication Code : see document
- Advanced Encryption Standard-Counter Mode : see document
- Advanced Encryption Standard–Counter with CBC-MAC : see document
- Advanced Encryption Standard-eXtended Cipher Block Chaining : see document
- Advanced Encryption Standard-Galois Counter Mode : see document
- Advanced Encryption Standard-Galois Message Authentication Code : see document
- advanced key processor : see document
- A cryptographic device that performs all cryptographic functions for a management client node and contains the interfaces to 1) exchange information with a client platform, 2) interact with fill devices, and 3) connect a client platform securely to the primary services node (PRSN).
- Advanced Malware Protection : see document
- Advanced Multi-Layered Unification Filesystem : see document
- Advanced Network Technologies Division : see document
- advanced persistent threat : see document
- An adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors including, for example, cyber, physical, and deception. These objectives typically include establishing and extending footholds within the IT infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization, or positioning itself to carry out these objectives in the future. The advanced persistent threat pursues its objectives repeatedly over an extended period; adapts to defenders’ efforts to resist it; and is determined to maintain the level of interaction needed to execute its objectives.
- An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders' efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.
- An adversary with sophisticated levels of expertise and significant resources, allowing it through the use of multiple different attack vectors (e.g., cyber, physical, and deception), to generate opportunities to achieve its objectives which are typically to establish and extend its presence within the information technology infrastructure of organizations for purposes of continually exfiltrating information and/or to undermine or impede critical aspects of a mission, program, or organization, or place itself in a position to do so in the future; moreover, the advanced persistent threat pursues its objectives repeatedly over an extended period of time, adapting to a defender’s efforts to resist it, and with determination to maintain the level of interaction needed to execute its objectives.
- An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors including, for example, cyber, physical, and deception. These objectives typically include establishing and extending footholds within the IT infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat pursues its objectives repeatedly over an extended period; adapts to defenders’ efforts to resist it; and is determined to maintain the level of interaction needed to execute its objectives.
- An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.
- An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors including, for example, cyber, physical, and deception. These objectives typically include establishing and extending footholds within the IT infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization, or positioning itself to carry out these objectives in the future. The advanced persistent threat pursues its objectives repeatedly over an extended period; adapts to defenders’ efforts to resist it; and is determined to maintain the level of interaction needed to execute its objectives.
- An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors, including cyber, physical, and deception. These objectives typically include establishing and extending footholds within the IT infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat pursues its objectives repeatedly over an extended period; adapts to defenders’ efforts to resist it; and is determined to maintain the level of interaction needed to execute its objectives.
- Advanced Persistent Threats : see document
- An adversary with sophisticated levels of expertise and significant resources, allowing it through the use of multiple different attack vectors (e.g., cyber, physical, and deception) to generate opportunities to achieve its objectives, which are typically to establish and extend footholds within the information technology infrastructure of organizations for purposes of continually exfiltrating information and/or to undermine or impede critical aspects of a mission, program, or organization, or place itself in a position to do so in the future; moreover, the advanced persistent threat pursues its objectives repeatedly over an extended period of time, adapting to a defender’s efforts to resist it, and with determination to maintain the level of interaction needed to execute its objectives.
- Advanced Reduced Instruction Set Computing (RISC) Machine : see document
- Advanced Research Project Agency : see document
- Advanced Satellite Multimedia Systems Conference : see document
- Advanced Technology Academic Research Center : see document
- Advanced Technology Attachment : see document
- Magnetic media interface specification. Also known as “IDE” (Integrated Drive Electronics).
- Advanced Threat Protection : see document
- Advanced Threat Protection: Network : see document
- Advancement of Medical Instrumentation : see document
- adversarial example : see document
- A modified testing sample that induces misclassification or misbehavior of a machine learning model at deployment time.
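A worked illustration of the definition above, added here and not taken from any of the glossary's source documents: a one-step L-infinity ("fast gradient sign") perturbation against a linear classifier. The weights, bias and input point are constructed; the point is that a tiny, bounded change to the test sample flips the deployment-time decision, and that for a linear model the smallest budget that does so can be computed exactly as margin divided by the L1 norm of the weights.

```python
# Added example: a minimal adversarial example against a linear classifier.
# The model weights, bias and input below are constructed for illustration
# and are not taken from any document the glossary cites.


def logit(w, b, x):
    """Score of a linear classifier: w . x + b (class 1 if > 0, else class 0)."""
    return sum(wi * xi for wi, xi in zip(w, x)) + b


def classify(w, b, x):
    return 1 if logit(w, b, x) > 0 else 0


def sign(v):
    return 1.0 if v > 0 else (-1.0 if v < 0 else 0.0)


def fgsm_linear(w, b, x, eps, lo=0.0, hi=1.0):
    """One-step L-infinity attack (fast gradient sign method) on a linear model.

    For a linear score the gradient with respect to x is exactly w, so the
    perturbation that lowers the score fastest under a per-feature budget eps
    is x' = x - eps * sign(w), clipped back into the valid feature range.
    """
    return [min(hi, max(lo, xi - eps * sign(wi))) for wi, xi in zip(w, x)]


def min_linf_budget(w, b, x):
    """Smallest eps at which the attack above reaches the decision boundary.

    Moving every feature by eps against sign(w) changes the score by
    -eps * ||w||_1, so the boundary is reached at eps = |score| / ||w||_1;
    any eps strictly above that flips the predicted class.
    """
    return abs(logit(w, b, x)) / sum(abs(wi) for wi in w)


# Constructed model and a benign input that the model labels as class 1.
W = [2.0, -1.0, 0.5]
B = -0.3
X = [0.4, 0.1, 0.6]


def demo():
    """Returns (original label, adversarial label, minimal budget, max change)."""
    budget = min_linf_budget(W, B, X)                  # 0.7 / 3.5 = 0.2
    x_adv = fgsm_linear(W, B, X, eps=budget + 0.05)    # just over the boundary
    max_change = max(abs(xa - xo) for xa, xo in zip(x_adv, X))
    return classify(W, B, X), classify(W, B, x_adv), budget, max_change


if __name__ == "__main__":
    print(demo())
```

A budget below 0.2 leaves the label unchanged; 0.25 flips it while no feature moves by more than 0.25. Real models are non-linear, so the one-step perturbation is only a lower bound on what an iterative attacker achieves, which is why robustness claims should be evaluated with adaptive attacks rather than this single step.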
- Adversarial Machine Learning : see document
- Attacks that exploit the statistical, data-based nature of machine learning systems.
- Adversarial Tactics, Techniques & Common Knowledge : see document
- adversary : see document
- A malicious entity whose goal is to determine, to guess, or to influence the output of an RBG.
- Person, group, organization, or government that conducts or has the intent to conduct detrimental activities.
- An entity that is not authorized to access or modify information, or who works to defeat any protections afforded the information.
- adverse consequence : see document
- An undesirable consequence associated with a loss.
- adverse cybersecurity event : see document
- Any event with a potentially negative impact on cybersecurity.
- adversity : see document
- The conditions that can cause a loss of assets (e.g., threats, attacks, vulnerabilities, hazards, disruptions, and exposures).
- Adverse conditions, stresses, attacks, or compromises.
- advisory : see document
- Notification of significant new trends or developments regarding the threat to the information systems of an organization. This notification may include analytical insights into trends, intentions, technologies, or tactics of an adversary targeting information systems.
Rationale: General definition of a commonly understood term.
- A feature or function that may be desired by a typical commercial or government organization. An Advisory represents a goal to be achieved. An Advisory may be reclassified as a Requirement at some future date. An advisory contains the word should and is identified by the letter "A."
- AE : see document
- The function of GCM in which the plaintext is encrypted into the ciphertext, and an authentication tag is generated on the AAD and the ciphertext.
- AE Title : see document
- AEAD : see document
- AES : see document
- Advanced Encryption Standard (as specified in FIPS 197).
- Advanced Encryption Standard specified in [FIPS 197].
- AES New Instructions : see document
- AESAVS : see document
- AES-CBC : see document
- AES-CCM : see document
- AES-CMAC : see document
- AES-CTR : see document
- AES-GCM : see document
- AES-GMAC : see document
- AES-NI : see document
- AES-XCBC : see document
- AF : see document
- Affine Transformation : see document
- A transformation consisting of multiplication by a matrix followed by the addition of a vector.
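The best-known instance of this definition in cryptography is the affine step of the AES S-box (FIPS 197, section 5.1.1): a fixed 8x8 bit matrix multiplied with the byte over GF(2), followed by the addition (XOR) of the constant vector 0x63. The code below is an added example, not text or code from FIPS 197; it assumes the standard AES field polynomial x^8 + x^4 + x^3 + x + 1 and expresses the matrix rows as bit rotations, which is equivalent to the matrix form.

```python
# Added example: the affine transformation of the AES S-box, i.e. matrix
# multiplication over GF(2) followed by addition of the constant vector 0x63.
# SubBytes applies it to the multiplicative inverse in GF(2^8); both steps
# are shown so the result can be checked against FIPS 197 test values.

AES_AFFINE_CONST = 0x63  # the vector c added after the matrix step


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial 0x11B."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); 0 maps to 0 by convention.

    a^254 == a^-1 because the multiplicative group has order 255.
    """
    if a == 0:
        return 0
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def affine(b: int) -> int:
    """b' = A*b + c over GF(2), bitwise:
    b'_i = b_i ^ b_(i+4) ^ b_(i+5) ^ b_(i+6) ^ b_(i+7) ^ c_i  (indices mod 8).

    Every row of A is a rotation of the same pattern, so the matrix product
    equals the XOR of rotated copies of b.
    """
    def rotl(x: int, n: int) -> int:
        return ((x << n) | (x >> (8 - n))) & 0xFF
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ AES_AFFINE_CONST


def sbox(x: int) -> int:
    """AES SubBytes for one byte: field inverse, then the affine map."""
    return affine(gf_inv(x))


if __name__ == "__main__":
    # FIPS 197 shows {53} -> {ed}; the constant alone gives sbox(0) = 0x63.
    print(hex(sbox(0x53)), hex(sbox(0x00)), hex(sbox(0x01)))
```

The constant vector is what prevents the S-box from having fixed points at 0 and 1; dropping either the inverse or the affine layer weakens the cipher, which is why implementations are checked against the published table rather than re-derived in the field.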
- AFPM : see document
- AFR : see document
- AFRL : see document
- After Action Report : see document
- A document containing findings and recommendations from an exercise or a test.
- AFW : see document
- AGA : see document
- agency : see document
- Any executive department, military department, government corporation, government controlled corporation, or other establishment in the executive branch of the government (including the Executive Office of the President), or any independent regulatory agency, but does not include: (i) the Government Accountability Office; (ii) the Federal Election Commission; (iii) the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or (iv) government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities.
- Any executive department, military department, government corporation, government controlled corporation, or other establishment in the executive branch of the government (including the Executive Office of the President), or any independent regulatory agency, but does not include -
(i) the General Accounting Office;
(ii) Federal Election Commission;
(iii) the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or
(iv) Government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities.
See also executive agency.
- Any executive agency or department, military department, Federal Government corporation, Federal Government-controlled corporation, or other establishment in the Executive Branch of the Federal Government, or any independent regulatory agency.
- An executive department specified in 5 U.S.C. Sec. 101; a military department specified in 5 U.S.C. Sec. 102; an independent establishment as defined in 5 U.S.C. Sec. 104(1); and a wholly owned Government corporation fully subject to the provisions of 31 U.S.C. Chapter 91.
- Any executive agency or department, military department, Federal Government corporation, Federal Government- controlled corporation, or other establishment in the Executive Branch of the Federal Government, or any independent regulatory agency.
- An executive Department specified in 5 U.S.C., Sec. 101; a military department specified in 5 U.S.C., Sec. 102; an independent establishment as defined in 5 U.S.C., Sec. 104(1); and a wholly owned Government corporation fully subject to the provisions of 31 U.S.C., Chapter 91.
- Any department, subordinate element of a department, or independent organizational entity that is statutorily or constitutionally recognized as being part of the Executive Branch of the Federal Government.
- An executive department specified in 5 U.S.C., Sec. 101; a military department specified in 5 U.S.C., Sec. 102; an independent establishment as defined in 5 U.S.C., Sec. 104(1); or a wholly owned Government corporation fully subject to the provisions of 31 U.S.C., Chapter 91.
- An executive department specified in 5 U.S.C., Sec. 101; a military department specified in 5 U.S.C., Sec. 102; an independent establishment as defined in 5 U.S.C., Sec. 104(1); and a wholly owned Government corporation fully subject to the provisions of 31 U.S.C., Chapter 91.
- Any executive department, military department, government corporation, government-controlled corporation, or other establishment in the executive branch of the government (including the Executive Office of the President) or any independent regulatory agency, but does not include: 1) the General Accounting Office; 2) the Federal Election Commission; 3) the governments of the District of Columbia and of the territories and possessions of the United States and their various subdivisions; or 4) government-owned, contractor-operated facilities, including laboratories engaged in national defense research and production activities. Also referred to as Federal Agency.
- An executive department specified in 5 U.S.C., Sec. 101; a military department specified in 5 U.S.C., Sec.102; an independent establishment as defined in 5 U.S.C., Sec. 104(1); or a wholly owned government corporation fully subject to the provisions of 31 U.S.C., Chapter 91.
- An executive department specified in 5 U.S.C., Section 101; a military department specified in 5 U.S.C., Section 102; an independent establishment as defined in 5 U.S.C., Section 104(1); and a wholly owned Government corporation fully subject to the provisions of 31 U.S.C. Chapter 91.
- The term 'agency' means any executive department, military department, government corporation, government controlled corporation, or other establishment in the executive branch of the government (including the Executive Office of the President), or any independent regulatory agency, but does not include
(a) the General Accounting Office;
(b) Federal Election Commission;
(c) the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or
(d) Government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities.
- Any executive agency or department, military department, Federal Government corporation, Federal Government-controlled corporation, or other establishment in the Executive Branch of the Federal Government, or any independent regulatory agency. See executive agency.
- An executive department specified in 5 United States Code (U.S.C.), Sec. 101; a military department specified in 5 U.S.C., Sec. 102; an independent establishment as defined in 5 U.S.C., Sec. 104(1); and a wholly owned government corporation fully subject to the provisions of 31 U.S.C., Chapter 91.
- An executive department specified in 5 U.S.C., Sec. 105; a military department specified in 5 U.S.C., Sec. 102; an independent establishment as defined in 5 U.S.C., Sec. 104(1); and a wholly owned Government corporation fully subject to the provisions of 31 U.S.C., Chapter 91.
- Agency Dashboard : see document
- An organizational-level dashboard that: a) collects data from a collection system; and b) shows detailed assessment object-level data and assessment object-level defects to organizationally authorized personnel.
- See Agency Dashboard and Federal Dashboard.
- Agency Financial Report : see document
- Agency for Healthcare Research and Quality : see document
- Agency-Wide Adaptive Risk Enumeration : see document
- Agent : see document
- Software programs that can interact with their environment, receive information, and undertake self-directed actions in service of a larger, externally-specified goal.
- A program acting on behalf of a person or organization.
- A host-based IPS program that monitors and analyzes activity and performs preventive actions; OR a program or plug-in that enables an SSL VPN to access non-Web-based applications and services.
- A host-based intrusion prevention system program that monitors and analyzes activity and performs preventive actions; OR a program or plug-in that enables an SSL VPN to access non-Web-based applications and services.
- Aggregate : see document
- To combine several more-specific prefixes into a less-specific prefix.
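As an added example (not from the glossary's source document), the following Python distinguishes exact aggregation, which only merges prefixes that are adjacent and aligned, from the single covering supernet an operator might be tempted to announce. The second function reports how much address space such a supernet would claim beyond what the inputs actually cover, which is the check that prevents over-aggregation. The prefixes are constructed; the standard `ipaddress` module is assumed to be available.

```python
# Added example: prefix aggregation with an over-aggregation check.
# Input prefixes are constructed for illustration. All inputs must belong
# to the same address family.

import ipaddress


def aggregate_exact(prefixes):
    """Collapse adjacent, properly aligned prefixes into the fewest
    less-specific prefixes covering exactly the same addresses.
    strict=True rejects inputs with host bits set (e.g. 192.0.2.5/24)."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def covering_supernet(prefixes):
    """Smallest single prefix containing every input, plus the number of
    addresses it would add that none of the inputs cover (0 means the
    supernet is an exact aggregate; anything else is over-aggregation)."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return str(candidate), candidate.num_addresses - covered


if __name__ == "__main__":
    print(aggregate_exact(["192.168.0.0/24", "192.168.1.0/24"]))
    print(covering_supernet(["192.168.0.0/24", "192.168.2.0/24"]))
```

Announcing the covering supernet when the second number is non-zero attracts traffic for addresses the announcer does not hold, so a routing policy should only accept an aggregate whose exact collapse equals it.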
- Aggregated Information : see document
- Information elements collated on a number of individuals, typically used for the purposes of making comparisons or identifying patterns.
- Aggregation : see document
- The consolidation of similar log entries into a single entry containing a count of the number of occurrences of the event.
- The consolidation of similar or related information.
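The first definition above is the log-management sense of the term. As an added example (not code from any source document), the following Python consolidates similar entries into one record carrying an occurrence count and the first/last timestamps. The log lines are constructed; the line format "<timestamp> <host> <message>" and the choice to mask the ephemeral source port are assumptions about what counts as "similar".

```python
# Added example: aggregation of similar log entries into one entry with a
# count, as a SIEM or log-management pipeline does before analysis.
# SAMPLE_LOG is constructed for this example; the "<timestamp> <host> <msg>"
# layout and the masking of "port NNNN" are assumptions.

import re

SAMPLE_LOG = """\
2024-05-01T10:00:01Z web01 sshd: Failed password for root from 203.0.113.5 port 51234
2024-05-01T10:00:02Z web01 sshd: Failed password for root from 203.0.113.5 port 51235
2024-05-01T10:00:02Z web01 cron: (root) CMD (run-parts /etc/cron.hourly)
2024-05-01T10:00:03Z web01 sshd: Failed password for root from 203.0.113.5 port 51236
2024-05-01T10:00:04Z web01 sshd: Accepted publickey for deploy from 198.51.100.7 port 40002
2024-05-01T10:00:05Z web01 sshd: Failed password for root from 203.0.113.5 port 51237
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
PORT_RE = re.compile(r"\bport \d+\b")


def aggregation_key(line: str):
    """Reduce a line to the fields that define 'similar': host plus the
    message with the per-connection source port masked. None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m.group("host"), PORT_RE.sub("port *", m.group("msg")))


def aggregate(log_text: str):
    """Consolidate similar entries, keeping a count and first/last timestamps.
    Insertion order is preserved, so output order is deterministic."""
    buckets = {}
    for line in log_text.splitlines():
        key = aggregation_key(line)
        if key is None:
            continue
        ts = line.split(" ", 1)[0]
        if key not in buckets:
            buckets[key] = {"host": key[0], "message": key[1],
                            "count": 0, "first": ts, "last": ts}
        entry = buckets[key]
        entry["count"] += 1
        entry["last"] = ts
    return list(buckets.values())


def burst_candidates(entries, threshold=3):
    """Aggregated entries whose count reaches the threshold: the signal an
    analyst wants surfaced instead of N near-identical lines."""
    return [e for e in entries if e["count"] >= threshold]


if __name__ == "__main__":
    for e in aggregate(SAMPLE_LOG):
        print(f'{e["count"]:3d}x {e["host"]} {e["message"]} ({e["first"]}..{e["last"]})')
```

Aggregation discards the detail it masks (here the source ports), so the raw entries should still be retained for forensic reconstruction; the aggregated view is for triage and alerting, not for evidence.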
- agility : see document
- The property of a system or an infrastructure that can be reconfigured, in which resources can be reallocated, and in which components can be reused or repurposed so that cyber defenders can define, select, and tailor cyber courses of action for a broad range of disruptions or malicious cyber activities.
- The property of a system or an infrastructure which can be reconfigured, in which resources can be reallocated, and in which components can be reused or repurposed, so that cyber defenders can define, select, and tailor cyber courses of action for a broad range of disruptions or malicious cyber activities.
- agreement : see document
- Mutual acknowledgement of terms and conditions under which a working relationship is conducted, or goods are transferred between parties. EXAMPLE: contract, memorandum, or agreement
- Mutual acknowledgement of terms and conditions under which a working relationship is conducted (e.g., memorandum of agreement or contract).
- Mutual acknowledgement of terms and conditions under which a working relationship is conducted.
- AH : see document
- AHA : see document
- AHRQ : see document
- AI : see document
- (1) Any artificial system that performs tasks under varying and unpredictable circumstances without significant human oversight, or that can learn from experience and improve performance when exposed to data sets. (2) An artificial system developed in computer software, physical hardware, or other context that solves tasks requiring human-like perception, cognition, planning, learning, communication, or physical action. (3) An artificial system designed to think or act like a human, including cognitive architectures and neural networks. (4) A set of techniques, including machine learning, that is designed to approximate a cognitive task. (5) An artificial system designed to act rationally, including an intelligent software agent or embodied robot that achieves goals using perception, planning, reasoning, learning, communicating, decision making, and acting.
- A machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations, or decisions influencing real or virtual environments.
- SCAP constructs to uniquely identify assets (components) based on known identifiers and/or known information about the assets.
- The use of attributes and methods to uniquely identify an asset.
- The attributes and methods necessary for uniquely identifying a given asset. A full explanation of asset identification is provided in [NISTIR 7693].
- AI/ML : see document
- AIA : see document
- AIAA : see document
- AIC : see document
- AID : see document
- A globally unique identifier of a card application as defined in ISO/IEC 7816-4.
- AIDC : see document
- AIK : see document
- AIM : see document
- Air Force Research Laboratory : see document
- air gap : see document
- An interface between two systems at which (a) they are not connected physically and (b) any logical connection is not automated (i.e., data is transferred through the interface only manually, under human control).
- Air Traffic Organization : see document
- Authorization to Operate; one of three possible decisions concerning an issuer made by a Designated Authorizing Official after all assessment activities have been performed stating that the issuer is authorized to perform specific PIV Card and/or Derived Credential issuance services.
- Airdrop : see document
- A distribution of digital tokens to a list of blockchain addresses.
- AIS : see document
- AISS : see document
- AIT : see document
- AJAX : see document
- AKA : see document
- AKM : see document
- AKP : see document
- Alaris System Maintenance : see document
- ALC : see document
- ALE : see document
- alert : see document
- Notification that a specific attack has been directed at an organization’s information systems.
- A brief, usually human-readable, technical notification regarding current vulnerabilities, exploits, and other security issues. Also known as an advisory, bulletin, or vulnerability note.
- ALG : see document
- Algorithm : see document
- A clearly specified mathematical process for computation; a set of rules that, if followed, will give a prescribed result.
- A clearly specified mathematical process for computation; a set of rules that, if followed, will give a prescribed result.
- Algorithm originator-usage period : see document
- The period of time during which a specific cryptographic algorithm may be used by originators to apply protection to data (e.g., encrypt or generate a digital signature).
- The period of time during which a specific cryptographic algorithm may be used by originators to apply protection to data.
- Algorithm security lifetime : see document
- The estimated time period during which data protected by a specific cryptographic algorithm remains secure.
- The estimated time period during which data protected by a specific cryptographic algorithm remains secure, given that the key has not been compromised.
- algorithmic optimization : see document
- The application of mathematical formulae to calculate the aggregate cost-benefit to the enterprise, given the estimated costs, in a purely mechanical approach.
- Algorithms for Intrusion Measurement : see document
- Allan deviation : see document
- [See source document for the complete definition.]
- Alliance for Telecommunications Industry Solutions : see document
- allied nation : see document
- A nation allied with the U.S. in a current defense effort and with which the U.S. has certain treaties. For an authoritative list of allied nations, contact the Office of the Assistant Legal Adviser for Treaty Affairs, Office of the Legal Adviser, U.S. Department of State, or see the list of U.S. Collective Defense Arrangements at https://www.state.gov.
- A nation allied with the U.S. in a current defense effort and with which the U.S. has certain treaties. For an authoritative list of allied nations, contact the Office of the Assistant Legal Adviser for Treaty Affairs, Office of the Legal Adviser, U.S. Department of State, or see the list of U.S. Collective Defense Arrangements at www.state.gov.
- allocation : see document
- The process an organization employs to assign security controls to specific information system components responsible for providing a particular security capability (e.g., router, server, remote sensor).
- The process an organization employs to determine whether security controls are defined as system-specific, hybrid, or common. The process an organization employs to assign security controls to specific information system components responsible for providing a particular security capability (e.g., router, server, remote sensor).
- The process an organization employs to determine whether security controls are defined as system-specific, hybrid, or common.
- The process an organization employs to assign security or privacy requirements to an information system or its environment of operation; or to assign controls to specific system elements responsible for providing a security or privacy capability (e.g., router, server, remote sensor).
- allowed : see document
- The algorithm and key length in a FIPS or SP is safe to use; no security risk is currently known when used in accordance with any associated guidance. The FIPS 140 Implementation Guideline may indicate additional algorithms that are acceptable for use, but not specified in a FIPS or SP.
- allowlist : see document
- A documented list of specific elements that are allowed, per policy decision. In federation contexts, this is most commonly used to refer to the list of RPs that are allowed to connect to an IdP without subscriber intervention. This concept has historically been known as a whitelist.
- all-source intelligence : see document
- In intelligence collection, a phrase that indicates that in the satisfaction of intelligence requirements, all collection, processing, exploitation, and reporting systems and resources are identified for possible use and those most capable are tasked.
- 1.
a. The product resulting from the collection, processing, integration, evaluation, analysis, and interpretation of available information concerning foreign nations, hostile or potentially hostile forces or elements, or areas of actual or potential operations.
b. The activities that result in the product.
c. The organizations engaged in such activities.
2. The term 'intelligence' includes foreign intelligence and counterintelligence.
- Intelligence products and/or organizations and activities that incorporate all sources of information, most frequently human resources intelligence, imagery intelligence, measurement and signature intelligence, signals intelligence, and open source data in the production of finished intelligence.
- Intelligence products and/or organizations and activities that incorporate all sources of information, most frequently including human resources intelligence, imagery intelligence, measurement and signature intelligence, signals intelligence, and open source data in the production of finished intelligence.
- Intelligence products and/or organizations and activities that incorporate all sources of information, most frequently including human resources intelligence, imagery intelligence, measurement and signature intelligence, signals intelligence, and open-source data in the production of finished intelligence.
- ALM/PLM : see document
- Also Known As : see document
- alternate COMSEC account manager : see document
- The primary alternate COMSEC Account Manager is an individual designated by proper authority to perform the duties of the COMSEC Account Manager during the temporary authorized absence of the COMSEC Account Manager. Additional alternate COMSEC Account Managers may be appointed, as necessary, to assist the COMSEC Account Manager and maintain continuity of operations.
- alternate COMSEC custodian : see document
- Individual designated by proper authority to perform the duties of the COMSEC custodian during the temporary absence of the COMSEC custodian.
- Alternate Data Stream : see document
- Alternate Facility : see document
- Alternate MAC/PHY : see document
- Alternating Current : see document
- AMA : see document
- Amazon Web Services : see document
- ambiguity rule : see document
- It is assumed that, out of publicly available information, the contribution of one individual to the cell total can be estimated to within q percent (q = error before publication); after the publication of the statistic the value can be estimated to within p percent (p = error after publication). In the (p, q) rule the ratio p/q represents the information gain through publication. If the information gain is unacceptable, the cell is declared as confidential. The parameter values p and q are determined by the statistical authority and thus define the acceptable level of information gain. In some [National Statistical Organizations] the values of p and q are confidential.
- AMD Platform Secure Boot : see document
- AMD PSB : see document
- AMD Security Processor : see document
- American Chemistry Council : see document
- American Fuel and Petrochemical Manufacturers : see document
- American Gas Association : see document
- American Hospital Association : see document
- American Hospital Association Preferred Cybersecurity Provider : see document
- American Institute of Aeronautics and Astronautics : see document
- American Medical Association : see document
- American National Standard : see document
- American National Standards Institute : see document
- American National Standards Institute/International Committee for Information Technology Standards : see document
- American Petroleum Institute : see document
- American Public Power Association : see document
- American Registry for Internet Numbers : see document
- The Regional Internet Registry for Canada, the United States of America, and many Caribbean and North Atlantic islands.
- American Standard Code for Information Interchange : see document
- American Water Works Association : see document
- American Association of Motor Vehicle Administrators : see document
- American Society for Testing and Materials : see document
- AMI TruE : see document
- AMI Trusted Environment : see document
- AML : see document
- Attacks that exploit the statistical, data-based nature of machine learning systems.
- AMM : see document
- AMP : see document
- AMWA : see document
- Analysis : see document
- The examination of acquired data for its significance and probative value to the case.
- The third phase of the computer and network forensic process, which involves using legally justifiable methods and techniques to derive useful information that addresses the questions that were the impetus for performing the collection and examination.
- Analysis Approach : see document
- The approach used to define the orientation or starting point of the risk assessment, the level of detail in the assessment, and how risks due to similar threat scenarios are treated.
- Analytic Systems : see document
- IT systems that process the information outputs produced by middleware. Analytic systems may be comprised of databases, data processing software, and Web services.
- ANC : see document
- Android for Work : see document
- AN-ITL : see document
- Announcement Traffic Indication Message : see document
- Annual Conference on Digital Forensics, Security and Law : see document
- Annualized Loss Expectancy : see document
- Anomalous Event Response and Recovery Management : see document
- See Capability, Anomalous Event Response and Recovery Management.
- An ISCM capability that ensures that both routine and unexpected events that require a response to maintain functionality and security are responded to (once identified) within a time frame that prevents or reduces the impact (i.e., consequences) of the events to the extent possible.
- anomaly : see document
- Condition that deviates from expectations based on requirements specifications, design documents, user documents, or standards, or from someone’s perceptions or experiences.
- ANonce : see document
- anonymity : see document
- Condition in identification whereby an entity can be recognized as distinct, without sufficient identity information to establish a link to a known identity.
- condition in identification whereby an entity can be recognized as distinct, without sufficient identity information to establish a link to a known identity
- anonymization : see document
- A process that removes the association between the identifying dataset and the data subject.
- process that removes the association between the identifying dataset and the data subject
- anonymized data : see document
- data from which the patient cannot be identified by the recipient of the information
- Anonymized Information : see document
- Previously identifiable information that has been de-identified and for which a code or other association for re-identification no longer exists.
- anonymous identifier : see document
- identifier of a person which does not allow the unambiguous identification of the natural person
- ANS : see document
- ANSI : see document
- ANSI/INCITS : see document
- ANSI/NIST-ITL : see document
- Answer to Reset : see document
- ANTD : see document
- anticipated re-identification rate : see document
- When an organization contemplates performing re-identification, the re-identification rate that the resulting de-identified data are likely to have.
- Anti-Forensic : see document
- A technique for concealing or destroying data so that others cannot access it.
- anti-jam : see document
- The result of measures to resist attempts to interfere with communications reception.
- anti-signal fingerprint : see document
- Result of measures used to resist attempts to uniquely identify a particular transmitter based on its signal parameters.
- anti-signal spoof : see document
- Result of measures used to resist attempts to achieve imitative or manipulative communications deception based on signal parameters.
- anti-spoof : see document
- Countermeasures taken to prevent the unauthorized use of legitimate identification & authentication (I&A) data, however it was obtained, to mimic a subject different from the attacker.
- anti-tamper : see document
- Systems engineering activities intended to prevent physical manipulation or delay exploitation of critical program information in U.S. defense systems in domestic and export configurations to impede countermeasure development, unintended technology transfer, or alteration of a system due to reverse engineering.
- Anti-tampering : see document
- Antivirus : see document
- Antivirus Software : see document
- A program specifically designed to detect many forms of malware and prevent them from infecting computers, as well as cleaning computers that have already been infected.
- A program that monitors a computer or network to identify all major types of malware and prevent or contain malware incidents.
- AO : see document
- A senior (federal) official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
- Senior (federal) official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
- Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals.
- Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals. Synonymous with Accreditation Authority.
- Senior federal official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
- AODR : see document
- An organizational official acting on behalf of an authorizing official in carrying out and coordinating the required activities associated with security authorization or privacy authorization.
- An organizational official acting on behalf of an authorizing official in carrying out and coordinating the required activities associated with security authorization.
- AP : see document
- A set of filter processes that are arranged in a linear order using one-way inter-process communications to transfer data between processes. The linear flow is enforced with mandatory and discretionary access control mechanisms.
- APCO : see document
- APCP : see document
- APDU : see document
- A part of the application layer in the Open Systems Interconnection Reference model that is used for communication between two separate devices' applications. In the context of smart cards, an APDU is the communication unit between a smart card reader and a smart card. The structure of the APDU is defined by [ISO 7816-4].
- APEC : see document
- Aperiodic Templates Test : see document
- The purpose of this test is to reject sequences that exhibit too many occurrences of a given non-periodic (aperiodic) pattern.
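The test described above is the non-overlapping template matching test of NIST SP 800-22. The Python below is an added example, not code from that publication: it shows the two details that distinguish the test, namely that the template must be aperiodic (it cannot overlap itself) and that the scanning window jumps past each hit, then computes the chi-square statistic over N blocks and the p-value. The input bit string is generated from a seeded PRNG purely as constructed input, and N = 8 blocks is assumed so that the incomplete gamma function needed for the p-value reduces to a finite sum.

```python
# Added example: core of the SP 800-22 non-overlapping (aperiodic) template
# matching test. The bit sequence is constructed from a seeded PRNG; an even
# block count is assumed so the p-value uses the integer-order form of the
# regularized upper incomplete gamma function.

import math
import random


def is_aperiodic(template: str) -> bool:
    """True if no proper shift of the template matches its own prefix, so
    two occurrences in a sequence can never overlap ('001' yes, '101' no)."""
    m = len(template)
    return all(template[s:] != template[:m - s] for s in range(1, m))


def count_nonoverlapping(bits: str, template: str) -> int:
    """Slide an m-bit window; on a hit, advance past the whole match."""
    m, i, hits = len(template), 0, 0
    while i + m <= len(bits):
        if bits[i:i + m] == template:
            hits += 1
            i += m
        else:
            i += 1
    return hits


def igamc_int(a: int, x: float) -> float:
    """Regularized upper incomplete gamma Q(a, x) for integer a:
    Q(a, x) = exp(-x) * sum_{k<a} x^k / k!"""
    return math.exp(-x) * sum(x ** k / math.factorial(k) for k in range(a))


def nonoverlapping_template_test(bits: str, template: str, n_blocks: int = 8):
    """Return (chi_square, p_value) for the template across n_blocks blocks.
    The sequence is rejected (p < 0.01) when the per-block occurrence counts
    deviate too far from what a random sequence would produce."""
    if not is_aperiodic(template):
        raise ValueError("template must be aperiodic")
    if n_blocks % 2:
        raise ValueError("this helper assumes an even block count")
    m = len(template)
    block_len = len(bits) // n_blocks
    # Expected count and variance per block for a random sequence (SP 800-22).
    mu = (block_len - m + 1) / 2 ** m
    sigma2 = block_len * (1 / 2 ** m - (2 * m - 1) / 2 ** (2 * m))
    counts = [count_nonoverlapping(bits[j * block_len:(j + 1) * block_len], template)
              for j in range(n_blocks)]
    chi2 = sum((w - mu) ** 2 for w in counts) / sigma2
    return chi2, igamc_int(n_blocks // 2, chi2 / 2)


def constructed_bits(n: int, seed: int = 7) -> str:
    """Constructed input only; a real assessment reads the generator under test."""
    rng = random.Random(seed)
    return "".join(str(rng.getrandbits(1)) for _ in range(n))


if __name__ == "__main__":
    print(nonoverlapping_template_test(constructed_bits(8192), "001"))
    print(nonoverlapping_template_test("0" * 8192, "001"))
```

A single template and eight blocks is far below what SP 800-22 prescribes (it runs every aperiodic template of the chosen length over a long sequence), so this is for understanding the statistic, not for certifying a generator.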
- API : see document
- A system access point or library function that has a well-defined syntax and is accessible from application programs or user code to provide well-defined functionality.
- APN : see document
- APNIC : see document
- The Regional Internet Registry for the Asia Pacific region that allocates and registers Internet resources in its region.
- APNS : see document
- App ID : see document
- APPA : see document
- AppAuth : see document
- Apple Push Notification : see document
- Apple Push Notification System : see document
- Applicability Statement : see document
- A complex logical expression to describe an IT platform, formed out of individual CPE names and references to checks. Applicability statements are used to designate which platforms particular guidance, policies, etc. apply to.
- applicant : see document
- An individual applying for a <i>PIV Card</i> or <i>derived PIV credential</i>. The applicant may be a current or prospective federal hire, a federal employee, or a contractor.
- A subject undergoing the processes of identity proofing and enrollment.
- An individual who has applied for, but has not yet been issued, a Derived PIV Credential.
- The subscriber is sometimes also called an "applicant" after applying to a certification authority for a certificate, but before the certificate issuance procedure is completed.
- A subject undergoing the processes of enrollment and identity proofing.
- An individual applying for a PIV Card.
- An individual who has applied for but has not yet been issued a Derived PIV Credential.
- An entity (organization or individual) that requests the assignment of a name from a Registration Authority.
- An individual applying for a PIV Card/credential. The Applicant may be a current or prospective Federal hire, a Federal employee, or a contractor.
- A party undergoing the processes of registration and identity proofing.
- applicant reference : see document
- A representative of the applicant who can vouch for the identity of the applicant, specific attributes related to the applicant, or conditions relative to the context of the individual (e.g., emergency status, homelessness).
- application : see document
- A hardware/software system implemented to satisfy a particular set of requirements. In this context, an application incorporates a system used to satisfy a subset of requirements related to the verification or identification of an end user’s <i>identity</i> so that the end user’s <i>identifier</i> can be used to facilitate the end user’s interaction with the system.
- A software program hosted by an information system.
- The system, functional area, or problem to which information technology is applied. The application includes related manual procedures as well as automated procedures. Payroll, accounting, and management information systems are examples of applications.
- The system, functional area, or problem to which information technology is applied. The application includes related manual procedures as well as automated procedures. Payroll, accounting, and management information systems are examples of applications.
- A system for collecting, saving, processing, and presenting data by means of a computer. The term application is generally used when referring to a component of software that can be executed. The terms application and software application are often used synonymously.
- A hardware/software system implemented to satisfy a particular set of requirements. In this context, an application incorporates a system used to satisfy a subset of requirements related to the verification or identification of an end user’s identity so that the end user’s identifier can be used to facilitate the end user’s interaction with the system.
- application allowlisting : see document
- A list of applications and application components (libraries, configuration files, etc.) that are authorized to be present or active on a host according to a well-defined baseline.
- Application Authentication System : see document
- Application Binary Interface : see document
- application delivery controller : see document
- Application Entity Title : see document
- Application Firewall : see document
- A firewall that uses stateful protocol analysis to analyze network traffic for one or more applications.
- Application Identification : see document
- application interconnection : see document
- A logical communications link between two or more applications operated by different organizations or within the same organization but within different authorization boundaries used to exchange information or provide information services (e.g., authentication, logging).
- Application Interface Capability : see document
- The ability for other computing devices to communicate with an IoT device through an IoT device application.
- Application Layer : see document
- Layer of the TCP/IP protocol stack that sends and receives data for particular applications such as DNS, HTTP, and SMTP.
- Application Level Gateway (ALG) : see document
- Application Level Gateways (ALGs) are application-specific translation agents that allow an application (like VOIP) on a host in one address realm to connect transparently to its counterpart running on a host in a different realm. An ALG may interact with NAT to set up state, use NAT state information, modify application-specific payload, and perform whatever else is necessary to get the application running across disparate address realms.
- Application Life cycle Management / Product Lifecycle Management : see document
- Application Programming Interface (API) : see document
- A system access point or library function that has a well-defined syntax and is accessible from application programs or user code to provide well-defined functionality.
- Application Property Template : see document
- Application Protocol Data Unit : see document
- A part of the application layer in the Open Systems Interconnection Reference model that is used for communication between the applications of two separate devices. In the context of smart cards, an APDU is the communication unit between a smart card reader and a smart card. The structure of the APDU is defined by [ISO 7816-4].
- application security testing : see document
- Application Specific Integrated Circuit : see document
- Application Translation : see document
- A function that converts information from one protocol to another.
- Application virtualization : see document
- A virtual implementation of the application programming interface (API) that a running application expects to use.
- A form of virtualization that exposes a single shared operating system kernel to multiple discrete application instances, each of which is kept isolated from all others on the host.
- Application-Proxy Gateway : see document
- A firewall capability that combines lower-layer access control with upper-layer functionality, and includes a proxy agent that acts as an intermediary between two hosts that wish to communicate with each other.
- application-specific integrated circuits (ASICs) : see document
- A digital or analog circuit, custom-designed and/or custom-manufactured to perform a specific function. An ASIC is not reconfigurable and cannot contain additional instructions.
- Application-Specific Key Derivation Functions : see document
- Applied Cybersecurity Division : see document
- apply cryptographic protection : see document
- Depending on the algorithm, to encrypt or sign data, generate a hash function or Message Authentication Code (MAC), or establish keys (including wrapping and deriving keys).
- approach : see document
- See cyber resiliency implementation approach.
- approval status : see document
- Used to designate usage by the U.S. Federal Government.
- Approval to Connect : see document
- approval to operate : see document
- The official management decision issued by a designated accrediting authority (DAA) or principal accrediting authority (PAA) to authorize operation of an information system and to explicitly accept the residual risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals.
- The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.
- See Certification and Accreditation.
- Authorization to Operate: one of three possible decisions concerning an issuer made by a Designated Authorizing Official after all assessment activities have been performed, stating that the issuer is authorized to perform specific PIV Card and/or Derived Credential issuance services.
- Official management decision given by a senior Federal official or officials to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security and privacy controls. Authorization also applies to common controls inherited by agency information systems.
- approved : see document
- An algorithm or technique for a specific cryptographic use that is specified in a FIPS or NIST Recommendation, adopted in a FIPS or NIST Recommendation, or specified in a list of NIST-approved security functions.
- An algorithm or technique that is either 1) specified in a Federal Information Processing Standard (FIPS) or NIST Recommendation, 2) adopted in a FIPS or NIST Recommendation, or 3) specified in a list of NIST-approved security functions.
- FIPS-approved and/or NIST-recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST recommendation, 2) adopted in a FIPS or NIST recommendation, or 3) specified in a list of NIST-approved security functions.
- FIPS-approved and/or NIST-recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation, or 2) adopted in a FIPS or NIST Recommendation or 3) specified in a list of NIST-approved security functions.
- FIPS-approved and/or NIST-recommended. An algorithm or technique that is either:
1) Specified in a FIPS or NIST Recommendation,
2) Adopted in a FIPS or NIST Recommendation, or
3) Specified in a list of NIST-approved security functions.
- FIPS-approved and/or NIST-recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation, 2) adopted in a FIPS or NIST Recommendation or 3) specified in a list of NIST-approved security functions.
- FIPS approved or NIST Recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation, or 2) adopted in a FIPS or NIST Recommendation or 3) specified in a list of NIST Approved security functions.
- FIPS-approved and/or NIST-recommended.
- FIPS-approved or NIST-Recommended.
- FIPS approved or NIST recommended: an algorithm or technique that is either 1) specified in a FIPS or a NIST Recommendation, or 2) adopted in a FIPS or a NIST Recommendation.
- FIPS approved or NIST recommended: an algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation, or 2) adopted in a FIPS or NIST Recommendation.
- FIPS-approved or NIST-recommended: an algorithm or technique that is either 1) specified in a FIPS or a NIST Recommendation, or 2) adopted in a FIPS or a NIST Recommendation.
- FIPS-approved or NIST-Recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation, or 2) adopted in a FIPS or NIST Recommendation and specified either (a) in an appendix to the FIPS or NIST Recommendation, or (b) in a document referenced by the FIPS or NIST Recommendation.
- FIPS approved or NIST Recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation, or 2) adopted in a FIPS or NIST Recommendation or 3) specified in a list of NIST-approved security functions.
- FIPS-approved or NIST-recommended: an algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation, or 2) adopted in a FIPS or NIST Recommendation.
- FIPS-Approved and/or NIST-recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation, or 2) adopted in a FIPS or NIST Recommendation and specified in an appendix to the FIPS or NIST Recommendation.
- FIPS-approved, NIST-Recommended and/or validated by the Cryptographic Algorithm Validation Program (CAVP).
- FIPS-approved and/or NIST-recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation, or 2) specified elsewhere and adopted by reference in a FIPS or NIST Recommendation.
- FIPS-Approved and/or NIST-recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation, or 2) adopted in a FIPS or NIST Recommendation and specified either in an appendix to the FIPS or NIST Recommendation, or in a document referenced by the FIPS or NIST Recommendation.
- FIPS-Approved and/or NIST-recommended. An algorithm or technique that is either: 1) specified in a FIPS or NIST Recommendation or 2) specified elsewhere and adopted by reference in a FIPS or NIST Recommendation.
- FIPS-approved and/or NIST-recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation or 2) specified elsewhere and adopted by reference in a FIPS or NIST Recommendation.
- FIPS-approved or NIST-recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation or 2) adopted in a FIPS or NIST Recommendation and specified either (a) in an appendix to the FIPS or NIST Recommendation or (b) in a document referenced by the FIPS or NIST Recommendation.
- FIPS approved or NIST recommended. An algorithm or technique that is either (1) specified in a FIPS or a NIST recommendation or (2) adopted in a FIPS or NIST recommendation.
- Federal Information Processing Standards (FIPS)-approved or NIST-recommended. An algorithm or technique that meets at least one of the following: 1) is specified in a FIPS or NIST Recommendation, 2) is adopted in a FIPS or NIST Recommendation or 3) is specified in a list of NIST-approved security functions (e.g., specified as approved in the annexes of [FIPS 140]).
- Federal Information Processing Standard (FIPS) approved or NIST recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation, or 2) adopted in a FIPS or NIST Recommendation.
- approved cryptography : see document
- An encryption algorithm, hash function, random bit generator, or similar technique that is Federal Information Processing Standards (FIPS)-approved or NIST-recommended. Approved algorithms and techniques are either specified or adopted in a FIPS or NIST recommendation.
- Federal Information Processing Standard (FIPS)-approved or NIST recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation, or 2) adopted in a FIPS or NIST Recommendation.
- Approved entropy source : see document
- An entropy source that has been validated as conforming to [NIST SP 800-90B].
- Approved hash algorithms : see document
- Hash algorithms specified in FIPS 180-4.
- Cryptographic hash algorithms specified in [FIPS 180-3].
- Approved security function : see document
- A security function (e.g., cryptographic algorithm, cryptographic key management technique, or authentication technique) that is either
a) Specified in an Approved standard,
b) Adopted in an Approved standard and specified either in an appendix of the Approved standard or in a document referenced by the Approved standard, or
c) Specified in the list of Approved security functions.
- Approximate Entropy Test : see document
- The purpose of the test is to compare the frequency of overlapping blocks of two consecutive/adjacent lengths (m and m+1) against the expected result for a normally distributed sequence.
- APS : see document
- APT : see document
- An adversary with sophisticated levels of expertise and significant resources, allowing it through the use of multiple different attack vectors (e.g., cyber, physical, and deception), to generate opportunities to achieve its objectives which are typically to establish and extend its presence within the information technology infrastructure of organizations for purposes of continually exfiltrating information and/or to undermine or impede critical aspects of a mission, program, or organization, or place itself in a position to do so in the future; moreover, the advanced persistent threat pursues its objectives repeatedly over an extended period of time, adapting to a defender’s efforts to resist it, and with determination to maintain the level of interaction needed to execute its objectives.
- An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.
- APU : see document
- AQL : see document
- AR : see document
- Arbitrary Code Execution : see document
- architecture : see document
- A highly structured specification of an acceptable approach within a framework for solving a specific problem. An architecture contains descriptions of all the <i>components</i> of a selected, acceptable solution while allowing certain details of specific <i>components</i> to be variable to satisfy related constraints (e.g., costs, local environment, user acceptability).
- Fundamental concepts or properties related to a system in its environment embodied in its elements, relationships, and in the principles of its design and evolution.
- A set of physical and logical security-relevant representations (i.e., views) of system architecture that conveys information about how the system is partitioned into security domains and makes use of security-relevant elements to enforce security policies within and between security domains based on how data and information must be protected.
- A set of physical and logical security-relevant representations (i.e., views) of system architecture that conveys information about how the system is partitioned into security domains and makes use of security-relevant elements to enforce security policies within and between security domains based on how data and information must be protected. Note: The security architecture reflects security domains, the placement of security-relevant elements within the security domains, the interconnections and trust relationships between the security-relevant elements, and the behavior and interaction between the security-relevant elements. The security architecture, similar to the system architecture, may be expressed at different levels of abstraction and with different scopes.
- An embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise’s security processes, information security systems, personnel and organizational sub-units, showing their alignment with the enterprise’s mission and strategic plans. See information security architecture.
- A highly structured specification of an acceptable approach within a framework for solving a specific problem. An architecture contains descriptions of all the components of a selected, acceptable solution while allowing certain details of specific components to be variable to satisfy related constraints (e.g., costs, local environment, user acceptability).
- A highly structured specification of an acceptable approach within a framework for solving a specific problem. An architecture contains descriptions of all the components of a selected, acceptable solution, while allowing certain details of specific components to be variable to satisfy related constraints (e.g., costs, local environment, user acceptability).
- The design of the network of the hotel environment and the components that are used to construct it.
- The design of the network of the hotel environment and the components that are used to construct it.
- Complying with the principles that drive the system design; i.e., guidelines on the placement and implementation of specific security services within various distributed computing environments.
- Fundamental concepts or properties of a system in its environment embodied in its elements, relationships, and in the principles of its design and evolution.
- A set of related physical and logical representations (i.e., views) of a system or a solution. The architecture conveys information about system/solution elements, interconnections, relationships, and behavior at different levels of abstractions and with different scopes.
Refer to security architecture.
- A set of physical and logical security-relevant representations (i.e., views) of system architecture that conveys information about how the system is partitioned into security domains and makes use of security-relevant elements to enforce security policies within and between security domains based on how data and information must be protected.
Note: The security architecture reflects security domains, the placement of security-relevant elements within the security domains, the interconnections and trust relationships between the security-relevant elements, and the behavior and interactions between the security-relevant elements. The security architecture, similar to the system architecture, may be expressed at different levels of abstraction and with different scopes.
- A set of physical and logical security-relevant representations (i.e., views) of system architecture that conveys information about how the system is partitioned into security domains and makes use of security-relevant elements to enforce security policies within and between security domains based on how data and information must be protected.
Note: The security architecture reflects security domains, the placement of security-relevant elements within the security domains, the interconnections and trust relationships between the security-relevant elements, and the behavior and interactions between the security-relevant elements. The security architecture, similar to the system architecture, may be expressed at different levels of abstraction and with different scopes.
- Architecture and Infrastructure Committee : see document
- Architecture Constructs : see document
- Design structures that can serve as the basic building blocks for a Notional Architecture.
- architecture description : see document
- A work product used to express an architecture.
- Architecture Design Principles : see document
- Best practices derived from large-scale information-sharing implementations that serve as the overall guidance for building security and privacy services for HIEs.
- architecture framework : see document
- Conventions, principles, and practices for the description of architectures established within a specific domain of application and/or community of stakeholders.
- architecture view : see document
- A work product expressing the architecture of a system from the perspective of specific system concerns.
- architecture viewpoint : see document
- A work product establishing the conventions for the construction, interpretation, and use of architecture views to frame specific system concerns.
- Archive : see document
- Noun: See Archive facility.
- Verb: To place a cryptographic key and/or metadata into long-term storage that will be maintained even if the storage technology changes.
- A facility used for long-term key and/or metadata storage.
- Long-term, physically separate storage.
- 1. To place information into long-term storage.
- 2. A location or media used for long-term storage.
- See Key management archive.
- 1. To place information into long-term storage. 2. A location or media used for long-term storage.
- To place information into long-term storage. Also, see Key management archive.
- A function in the lifecycle of keying material; a repository for the long- term storage of keying material.
- Archive facility : see document
- Noun: See Archive facility.
- Verb: To place a cryptographic key and/or metadata into long-term storage that will be maintained even if the storage technology changes.
- A facility used for long-term key and/or metadata storage.
- Long-term, physically separate storage.
- 1. To place information into long-term storage.
- 2. A location or media used for long-term storage.
- See Key management archive.
- 1. To place information into long-term storage. 2. A location or media used for long-term storage.
- To place information into long-term storage. Also, see Key management archive.
- area under the curve : see document
- A measure of the ability of a classifier to distinguish between classes in machine learning. A higher AUC means that a model performs better when distinguishing between the two classes. AUC measures the entire two-dimensional area under the receiver operating characteristic (ROC) curve.
- ARF : see document
- Ariel Query Language : see document
- ARIN : see document
- The American Registry for Internet Numbers for Canada, the United States of America, and many Caribbean and North Atlantic Islands.
- ARM : see document
- ARMP : see document
- ARP : see document
- ARPA : see document
- Array : see document
- A fixed-size data structure that stores a collection of elements, where each element is identified by its integer index or indices.
- A fixed-length data structure that stores a collection of elements, where each element is identified by its integer index.
- artificial intelligence : see document
- (1) Any artificial system that performs tasks under varying and unpredictable circumstances without significant human oversight, or that can learn from experience and improve performance when exposed to data sets. (2) An artificial system developed in computer software, physical hardware, or other context that solves tasks requiring human-like perception, cognition, planning, learning, communication, or physical action. (3) An artificial system designed to think or act like a human, including cognitive architectures and neural networks. (4) A set of techniques, including machine learning, that is designed to approximate a cognitive task. (5) An artificial system designed to act rationally, including an intelligent software agent or embodied robot that achieves goals using perception, planning, reasoning, learning, communicating, decision making, and acting.
- A machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations, or decisions influencing real or virtual environments.
- artificial intelligence model : see document
- A component of an information system that implements AI technology and uses computational, statistical, or machine-learning techniques to produce outputs from a given set of inputs.
- artificial intelligence red-teaming : see document
- A structured testing effort to find flaws and vulnerabilities in an AI system, often in a controlled environment and in collaboration with developers of AI.
- artificial intelligence system : see document
- Any data system, software, hardware, application, tool, or utility that operates in whole or in part using AI.
- ARX : see document
- AS : see document
- An Autonomous System is a network, typically operated by a single organization, that can own or announce network addresses to the Internet.
- As Secure As Reasonably Practicable : see document
- AS&W : see document
- ASA : see document
- ASARP : see document
- ASC : see document
- ASCII : see document
- ASDSO : see document
- Asia-Pacific Economic Cooperation : see document
- Asia-Pacific Network Information Centre : see document
- The Regional Internet Registry for the Asia Pacific region that allocates and registers Internet resources in its region.
- ASIC : see document
- ASID : see document
- ASKDF : see document
- ASLR : see document
- ASM : see document
- ASMS : see document
- ASN : see document
- ASN.1 : see document
- ASP : see document
- aspect : see document
- The parts, features, and characteristics used to describe, consider, interpret, or assess something.
- The subject or topic of an assessment element that is associated with a portion of the ISCM program under assessment.
- assembly : see document
- An item forming a portion of a piece of equipment that can be provisioned and replaced as an entity and that normally incorporates replaceable parts and groups of parts.
- assertion : see document
- A verifiable statement from an IdP to an RP that contains information about an end user. Assertions may also contain information about the end user’s authentication event at the IdP.
- A statement from an IdP to an RP that contains information about an authentication event for a subscriber. Assertions can also contain identity attributes for the subscriber in the form of attribute values, derived attribute values, and attribute bundles.
- A statement from a verifier to an RP that contains information about a subscriber. Assertions may also contain verified attributes.
- A statement from a Verifier to a Relying Party (RP) that contains identity information about a Subscriber. Assertions may also contain verified attributes.
- assertion injection attack : see document
- In the context of a federated protocol, consists of an attacker attempting to force an RP to accept or process an assertion or assertion reference in order to gain access to the RP or deny a legitimate subscriber access to the RP. The attacker does this by taking an assertion or assertion reference and injecting it into a vulnerable RP.
- assertion presentation : see document
- The method by which an assertion is transmitted to the RP.
- assessment : see document
- The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. As a part of risk management, it incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place.
- An evidence-based evaluation and judgement on the nature, characteristics, quality, effectiveness, intent, impact, or capabilities of an item, organization, group, policy, activity, or person.
- The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
- The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Part of risk management, synonymous with risk analysis. Incorporates threat and vulnerability analyses.
- The process of identifying risks to organizational operations (including mission, functions, images, and reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.
- The action of evaluating, estimating, or judging against defined criteria. Different types of assessment (i.e., qualitative, quantitative, and semi-quantitative) are used to assess risk. Some types of assessment yield results.
- The process of identifying, estimating, and prioritizing risks to organizational operations (i.e., mission, functions, image, reputation), organizational assets, individuals, and other organizations that result from the operation of a system. A risk assessment is part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls that are planned or in place. It is synonymous with “risk analysis.”
- The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
- The testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
- The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization.
- Overall process of risk identification, risk analysis, and risk evaluation.
- The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Part of risk management, synonymous with risk analysis, and incorporates threat and vulnerability analyses.
- The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of a system.
- The testing and/or evaluation of the management, operational, and technical security controls in a system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
- The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of a system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
- The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
- See Security Control Assessment.
- The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
- See Security Control Assessment or Privacy Control Assessment.
- The process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and additional safeguards that would mitigate this impact. Part of Risk Management and synonymous with Risk Analysis.
- The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, and other organizations, resulting from the operation of a system. It is part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
- Assessment in this context means a formal process of assessing the implementation and reliable use of issuer controls using various methods of assessment (e.g., interviews, document reviews, observations) that support the assertion that an issuer is reliably meeting the requirements of [FIPS 201-2].
- An evaluation of the amount of entropy provided by a (digitized) noise source and/or the entropy source that employs it.
- See control assessment or risk assessment.
- The testing or evaluation of the controls in an information system or an organization to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security or privacy requirements for the system or the organization.
- See security control assessment or risk assessment.
- The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls or privacy controls planned or in place. Synonymous with risk analysis.
- The testing and/or evaluation of the management, operational, and technical security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization.
- The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
- The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Part of risk management, synonymous with risk analysis. Incorporates threat and vulnerability analyses.
- The testing or evaluation of privacy controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the privacy requirements for an information system or organization.
- The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
- A completed or planned action of evaluation of an organization, a mission or business process, or one or more systems and their environments; or
- The vehicle or template or worksheet that is used for each evaluation.
- The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.
- Risk management includes threat and vulnerability analyses as well as analyses of adverse effects on individuals arising from information processing and considers mitigations provided by security and privacy controls planned or in place. Synonymous with risk analysis.
- The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of a system. Part of risk management, incorporates threat and vulnerability analyses and analyses of privacy problems arising from information processing and considers mitigations provided by security and privacy controls planned or in place. Synonymous with risk analysis.
- The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system.
- The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.
- The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Part of risk management, synonymous with risk analysis. Incorporates threat and vulnerability analyses.
- The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
- A value that defines an analyzer's estimated level of security risk for using an app. Risk assessments are typically based on the likelihood that a detected vulnerability will be exploited and the impact that the detected vulnerability may have on the app or its related device or network. Risk assessments are typically represented as categories (e.g., low-, moderate-, and high-risk).
- The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for a system or organization.
- Assessment and Authorization : see document
- Assessment and Deployment Kit : see document
- assessment approach : see document
- The approach used to assess risk and its contributing risk factors, including quantitatively, qualitatively, or semi-quantitatively.
- Assessment Boundary : see document
- The scope of (assessment objects included in) an organization’s ISCM implementation to which assessment of objects is applied. Typically, assessment boundary includes an entire network to its outside perimeter.
- Assessment Completeness : see document
- The degree to which the continuous monitoring-generated, security-related information is collected on all assessment objects for all applicable defect checks within a defined period of time.
- Assessment Criterion/Criteria : see document
- A rule (or rules) of logic to allow the automated or manual detection of defects. Typically, the assessment criterion in ISCM defines what in the desired state specification is compared to what in the actual state and the conditions that indicate a defect.
- assessment element : see document
- A specific ISCM concept to be evaluated in the context of a specific ISCM Process Step.
- assessment element attribute : see document
- An item of information that is specifically applicable to an assessment element, such as the source for the assessment element or risk management level to which the element applies.
- assessment element text : see document
- A statement that should be true for a well-implemented ISCM program. This statement is the evaluation criteria part of an assessment element.
- assessment findings : see document
- Assessment results produced by the application of an assessment procedure to a security control or control enhancement to achieve an assessment objective; the execution of a determination statement within an assessment procedure by an assessor that results in either a satisfied or other than satisfied condition.
- Assessment results produced by the application of an assessment procedure to a security control, privacy control, or control enhancement to achieve an assessment objective; the execution of a determination statement within an assessment procedure by an assessor that results in either a satisfied or other than satisfied condition.
- assessment method : see document
- One of three types of actions (i.e., examine, interview, test) taken by assessors in obtaining evidence during an assessment.
- One of three types of actions (examine, interview, test) taken by assessors in obtaining evidence during an assessment.
- A focused activity or action employed by an Assessor for evaluating a particular issuer control.
- assessment object : see document
- The item (i.e., specifications, mechanisms, activities, individuals) upon which an assessment method is applied during an assessment.
- The item (specifications, mechanisms, activities, individuals) upon which an assessment method is applied during an assessment.
- Assessment objects identify the specific items being assessed, and as such, can have one or more security defects. Assessment objects include specifications, mechanisms, activities, and individuals which in turn may include, but are not limited to, devices, software products, software executables, credentials, accounts, account-privileges, things to which privileges are granted (including data and physical facilities), etc. See SP 800-53A.
- assessment objective : see document
- A set of determination statements that expresses the desired outcome for the assessment of a security control or control enhancement.
- A set of determination statements that expresses the desired outcome for the assessment of a security control, privacy control, or control enhancement.
- assessment plan : see document
- The objectives for the control assessments and a detailed roadmap of how to conduct such assessments.
- The objectives for the security and privacy control assessments and a detailed roadmap of how to conduct such assessments.
- assessment procedure : see document
- A set of assessment objectives and an associated set of assessment methods and assessment objects.
- A set of activities or actions employed by an Assessor to determine the extent that an issuer control is implemented.
- assessment results : see document
- The output or outcome of an assessment.
- Assessment Timeliness : see document
- The degree to which the continuous monitoring-generated, security-related information is collected within the specified period of time (or frequency).
- assessor : see document
- The individual, group, or organization responsible for conducting a security or privacy control assessment.
- The individual, group, or organization responsible for conducting a risk assessment.
- The individual, group, or organization responsible for conducting a security control assessment.
- See Security Control Assessor.
- See Security Control Assessor or Privacy Control Assessor.
- The individual, group, or organization responsible for conducting a privacy control assessment.
- The individual responsible for conducting assessment activities under the guidance and direction of a Designated Authorizing Official. The Assessor is a 3rd party.
- The individual, group, or organization responsible for conducting a security or privacy assessment.
- See security control assessor or risk assessor.
- The individual, group, or organization responsible for conducting a security or privacy control assessment.
- asset : see document
- A distinguishable entity that provides a service or capability. Assets are people, physical entities, or information located either within or outside the United States and employed, owned, or operated by domestic, foreign, public, or private sector organizations.
- Anything that has value to a person or organization.
- A major application, general support system, high impact program, physical plant, mission critical system, personnel, equipment, or a logically related group of systems.
- An item of value to stakeholders. An asset may be tangible (e.g., a physical item such as hardware, firmware, computing platform, network device, or other technology component) or intangible (e.g., humans, data, information, software, capability, function, service, trademark, copyright, patent, intellectual property, image, or reputation). The value of an asset is determined by stakeholders in consideration of loss concerns across the entire system life cycle. Such concerns include but are not limited to business or mission concerns.
- Anything that has value to an organization, including, but not limited to, another organization, person, computing device, information technology (IT) system, IT network, IT circuit, software (both an installed instance and a physical instance), virtual computing platform (common in cloud and virtualized computing), and related hardware (e.g., locks, cabinets, keyboards).
- Resources of value that an organization possesses or employs.
- Anything that can be transferred.
- The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes.
- An item of value to achievement of organizational mission/business objectives.
Note 1: Assets have interrelated characteristics that include value, criticality, and the degree to which they are relied upon to achieve organizational mission/business objectives. From these characteristics, appropriate protections are to be engineered into solutions employed by the organization.
Note 2: An asset may be tangible (e.g., physical item such as hardware, software, firmware, computing platform, network device, or other technology components) or intangible (e.g., information, data, trademark, copyright, patent, intellectual property, image, or reputation).
- An item of value to achievement of organizational mission/business objectives.
Note 1: Assets have interrelated characteristics that include value, criticality, and the degree to which they are relied upon to achieve organizational mission/business objectives. From these characteristics, appropriate protections are to be engineered into solutions employed by the organization.
Note 2: An asset may be tangible (e.g., physical item such as hardware, software, firmware, computing platform, network device, or other technology components) or intangible (e.g., information, data, trademark, copyright, patent, intellectual property, image, or reputation).
- Asset Framework : see document
- asset identification : see document
- SCAP constructs to uniquely identify assets (components) based on known identifiers and/or known information about the assets.
- The use of attributes and methods to uniquely identify an asset.
- The attributes and methods necessary for uniquely identifying a given asset. A full explanation of asset identification is provided in [NISTIR 7693].
- Asset Identification Element : see document
- A complete, bound expression of an asset identification using the constructs defined in this specification.
- Asset Report : see document
- A collection of content (or link to content) about an asset.
- Asset Report Request : see document
- A collection of structured information used as input to generate an asset report. An asset report request may be of any format and may have different contexts depending on the nature of the request. For instance, the request may be written in a control language that dictates how the request is to be propagated and executed. The request may also be written as a formal definition without reference to how the request is to be executed. The request may also be a prose description that must be interpreted and executed by a person. These examples are not exhaustive.
- asset reporting format : see document
- SCAP data model for expressing the transport format of information about assets (components) and the relationships between assets and reports.
- A format for expressing the transport format of information about assets and the relationships between assets and reports.
- Asset Reporting Format Report : see document
- The collection of all assets, report requests, reports, and relationships for a given instance of ARF.
- Asset Tag : see document
- Simple key value attributes that are associated with a platform (e.g., location, company name, division, or department).
- assignment operation : see document
- See organization-defined parameters and selection operation.
- A control parameter that allows an organization to assign a specific, organization-defined value to the control or control enhancement (e.g., assigning a list of roles to be notified or a value for the frequency of testing).
- See organization-defined control parameters and selection operation.
- assignment statement : see document
- A control parameter that allows an organization to assign a specific, organization-defined value to the control or control enhancement (e.g., assigning a list of roles to be notified or a value for the frequency of testing). See organization-defined control parameters and selection statement.
- Associated Data : see document
- Data that is authenticated but not encrypted.
- Input data to the CCM generation-encryption process that is authenticated but not encrypted.
- Association : see document
- A relationship for a particular purpose. For example, a key is associated with the application or process for which it will be used.
- A relationship for a particular purpose; for example, a key is associated with the application or process for which it will be used.
- Association for Advancing Automation : see document
- Association for Automatic Identification and Mobility : see document
- Association for the Advancement of Medical Instrumentation : see document
- Association of Metropolitan Water Agencies : see document
- Association of Public Safety Communications Officials : see document
- Association of State Dam Safety Officials : see document
- Assumption : see document
- This term is used to indicate the conditions that are required to be true when an approved key-establishment scheme is executed in accordance with this Recommendation.
- Used to indicate the conditions that are required to be true when an approved key-establishment scheme is executed in accordance with this Recommendation.
- assurance : see document
- Grounds for justified confidence that a [security or privacy] claim has been or will be achieved.
- Grounds for justified confidence that a claim has been or will be achieved.
- Measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediates and enforces the security policy.
- The grounds for confidence that the set of intended security controls in an information system are effective in their application.
- Grounds for confidence that the set of intended security controls in an information system are effective in their application.
- Grounds for confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. “Adequately met” includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors (by users or software), and (3) sufficient resistance to intentional penetration or by-pass.
- Grounds for confidence that the other four security objectives (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. “Adequately met” includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors (by users or software), and (3) sufficient resistance to intentional penetration or by-pass.
- The grounds for confidence that the set of intended security controls or privacy controls in an information system or organization are effective in their application.
- Grounds for justified confidence that a [security or privacy] claim has been or will be achieved.
- Grounds for justified confidence that a [security or privacy] claim has been or will be achieved. Note 1: Assurance is typically obtained relative to a set of specific claims. The scope and focus of such claims may vary (e.g., security claims, safety claims) and the claims themselves may be interrelated. Note 2: Assurance is obtained through techniques and methods that generate credible evidence to substantiate claims.
- Grounds for justified confidence that a [security or privacy] claim has been or will be achieved. Note 1: Assurance is typically obtained relative to a set of specific claims. The scope and focus of such claims may vary (e.g., security claims, safety claims), and the claims themselves may be interrelated. Note 2: Assurance is obtained through techniques and methods that generate credible evidence to substantiate claims.
- The grounds for confidence that an entity meets its security objectives.
- In the context of OMB M-04-04 and this document, assurance is defined as 1) the degree of confidence in the vetting process used to establish the identity of an individual to whom the credential was issued, and 2) the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued.
- Grounds for justified confidence that a claim has been or will be achieved.
Note 1: Assurance is typically obtained relative to a set of specific claims. The scope and focus of such claims may vary (e.g., security claims, safety claims) and the claims themselves may be interrelated.
Note 2: Assurance is obtained through techniques and methods that generate credible evidence to substantiate claims.
- Grounds for justified confidence that a claim has been or will be achieved.
Note 1: Assurance is typically obtained relative to a set of specific claims. The scope and focus of such claims may vary (e.g., security claims, safety claims) and the claims themselves may be interrelated.
Note 2: Assurance is obtained through techniques and methods that generate credible evidence to substantiate claims.
- assurance case : see document
- A structured set of arguments and a body of evidence showing that a system satisfies specific claims with respect to a given quality attribute.
- A structured set of arguments and a body of evidence showing that an information system satisfies specific claims with respect to a given quality attribute.
- A reasoned, auditable artifact created that supports the contention that its top-level claim (or set of claims), is satisfied, including systematic argumentation and its underlying evidence and explicit assumptions that support the claim(s).
- assurance evidence : see document
- The information upon which decisions regarding assurance, trustworthiness, and risk of the solution are substantiated.
- The information upon which decisions regarding assurance, trustworthiness, and risk of the solution are substantiated.
Note: Assurance evidence is specific to an agreed-to set of claims. The security perspective focuses on assurance evidence for security-relevant claims whereas other engineering disciplines may have their own focus (e.g., safety).
- The information upon which decisions regarding assurance, trustworthiness, and risk of the solution are substantiated.
Note: Assurance evidence is specific to an agreed-to set of claims. The security perspective focuses on assurance evidence for security-relevant claims whereas other engineering disciplines may have their own focus (e.g., safety).
- Assurance message : see document
- See private-key-possession assurance message.
- Assurance of domain parameter validity : see document
- Confidence that the domain parameters are arithmetically correct.
- Assurance of the arithmetic validity of the domain parameters.
- assurance of integrity : see document
- Quality of being complete and unaltered.
- A measure of the trust that can be placed in the correctness of the information supplied by a PNT service provider. Integrity includes the ability of the system to provide timely warnings to users when the PNT data should not be used.
- A measure of the trust that can be placed in the correctness of the information supplied by an HSN service provider. Integrity includes the ability of the system to provide timely warnings to users when the HSN data should not be used.
- The property that data or information have not been altered or destroyed in an unauthorized manner.
- Guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity.
- The property that protected data has not been modified or deleted in an unauthorized and undetected manner.
- Guarding against improper information modification or destruction and ensuring information non-repudiation and authenticity.
- Guarding against improper information modification or destruction; includes ensuring information non-repudiation and authenticity.
- Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
- The security objective that generates the requirement for protection against either intentional or accidental attempts to violate data integrity (the property that data has not been altered in an unauthorized manner) or system integrity (the quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation).
- The security goal that generates the requirement for protection against either intentional or accidental attempts to violate data integrity (the property that data has not been altered in an unauthorized manner) or system integrity (the quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation).
- Assurance of possession : see document
- Confidence that an entity possesses a private key and any associated keying material.
- Confidence that an entity possesses a private key and any associated keying material.
- Assurance that the owner or claimed signatory actually possesses the private signature key.
- Assurance of public key validity : see document
- Confidence that the public key is arithmetically correct.
- Assurance of the arithmetic validity of the public key.
- Assurance of validity : see document
- Confidence that either a key or a set of domain parameters is arithmetically correct.
- Confidence that a public key or domain parameter is arithmetically correct.
- Confidence that an RSA key pair is arithmetically correct.
- Confidence that either a key or a key pair is arithmetically correct.
- Assurance-signature : see document
- A digital signature on a private-key-possession assurance message.
- assurance_time : see document
- The time at which assurance of possession is obtained.
- assured information sharing : see document
- The ability to confidently share information with those who need it, when and where they need it, as determined by operational need and an acceptable level of security risk.
- assured software : see document
- Computer application that has been designed, developed, analyzed and tested using processes, tools, and techniques that establish a level of confidence in it.
- AST : see document
- ASTM : see document
- asymmetric cryptography : see document
- Cryptography that uses two separate keys to exchange data — one to encrypt or digitally sign the data and one to decrypt the data or verify the digital signature. Also known as public-key cryptography.
- Encryption system that uses a public-private key pair for encryption and/or digital signature.
- See public key cryptography (PKC).
- Cryptography that uses separate keys for encryption and decryption; also known as public key cryptography.
- Cryptography that uses two separate keys to exchange data, one to encrypt or digitally sign the data and one for decrypting the data or verifying the digital signature. Also known as public key cryptography.
- Asymmetric-key cryptography : see document
- A cryptographic system where users have a private key that is kept secret and used to generate a public key (which is freely provided to others). Users can digitally sign data with their private key, and the resulting signature can be verified by anyone using the corresponding public key. Also known as public-key cryptography.
- See Asymmetric-key cryptography.
- Asymptotic Analysis : see document
- A statistical technique that derives limiting approximations for functions of interest.
- Asymptotic Distribution : see document
- The limiting distribution of a test statistic arising when n approaches infinity.
- Asynchronous Connection-Less : see document
- Asynchronous JavaScript and XML : see document
- Asynchronous Transfer Mode : see document
- AT : see document
- Systems engineering activities intended to prevent physical manipulation or delay exploitation of critical program information in U.S. defense systems in domestic and export configurations to impede countermeasure development, unintended technology transfer, or alteration of a system due to reverse engineering.
- ATA : see document
- Magnetic media interface specification. Also known as “IDE” – Integrated Drive Electronics.
- ATARC : see document
- ATC : see document
- ATIM : see document
- ATIS : see document
- ATM : see document
- ATO : see document
- The official management decision issued by a designated accrediting authority (DAA) or principal accrediting authority (PAA) to authorize operation of an information system and to explicitly accept the residual risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals.
- See Certification and Accreditation.
- Authorization to Operate; One of three possible decisions concerning an issuer made by a Designated Authorizing Official after all assessment activities have been performed stating that the issuer is authorized to perform specific PIV Card and/or Derived Credential issuance services.
- atomic clock : see document
- A clock referenced to an atomic oscillator. Only clocks with an internal atomic oscillator qualify as atomic clocks.
- atomic operation : see document
- An atomic operation is effectively executed as a single step; no other process can read or modify the internal state while the atomic operation is being executed.
- atomic oscillator : see document
- An oscillator that uses the quantized energy levels in atoms or molecules as the source of its resonance. The laws of quantum mechanics dictate that the energies of a bound system, such as an atom, have certain discrete values. An electromagnetic field at a particular frequency can boost an atom from one energy level to a higher one, or an atom at a high energy level can drop to a lower level by emitting energy. The resonance frequency, <i>f</i><sub>0</sub>, of an atomic oscillator is the difference between the two energy levels divided by Planck’s constant, <i>h</i>.
The principle underlying the atomic oscillator is that since all atoms of a specific element are identical, they should produce exactly the same frequency when they absorb or release energy. In theory, the atom is a perfect “pendulum” whose oscillations are counted to measure a time interval. The national frequency standards developed by NIST and other laboratories derive their resonance frequency from the cesium atom and typically use cesium fountain technology. Rubidium oscillators are the lowest priced and most common atomic oscillators, but cesium beam and hydrogen maser atomic oscillators are also sold commercially in much smaller quantities.
- Atomic Swap : see document
- An exchange of tokens that does not involve the intervention of any trusted intermediary and automatically reverts if all of the provisions are not met.
- ATP : see document
- ATP:N : see document
- ATR : see document
- ATT : see document
- ATT&CK : see document
- Attack Sensing and Warning : see document
- attack sensing and warning : see document
- Detection, correlation, identification, and characterization of intentional unauthorized activity with notification to decision makers so that an appropriate response can be developed.
- attack signature : see document
- A specific sequence of events indicative of an unauthorized access attempt.
- attack surface : see document
- The set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from.
- The set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, system element, or environment.
- The set of points on the boundary of a system, a system component, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, component, or environment.
- attack tree : see document
- A branching, hierarchical data structure that represents a set of potential approaches to achieving an event in which system security is penetrated or compromised in a specified way.
- attacker : see document
- A person who seeks to exploit potential vulnerabilities of a system.
- A party, including an insider, who acts with malicious intent to compromise a system.
- person seeking to exploit potential vulnerabilities of a system
- A party who acts with malicious intent to compromise an information system.
- attended : see document
- Under continuous positive control of personnel authorized for access or use.
- attestation : see document
- The issue of a statement, based on a decision, that fulfillment of specified requirements has been demonstrated.
- The process of providing a digital signature for a set of measurements securely stored in hardware, and then having the requester validate the signature and the set of measurements.
- Information conveyed to the CSP, generally at the time that an authenticator is bound, to describe the characteristics of a connected authenticator or the endpoint involved in an authentication operation.
- Attestation Certificate Authority : see document
- Attestation Identity Credential : see document
- Attestation Identity Key : see document
- Attestation Service : see document
- attribute : see document
- Characteristic or property of an entity that can be used to describe its state, appearance, or other aspect.
- A quality or characteristic ascribed to someone or something. An identity attribute is an attribute about the identity of a subscriber (e.g., name, date of birth, address).
- An attribute is any distinctive feature, characteristic, or property of an object that can be identified or isolated quantitatively or qualitatively by either human or automated means.
- A distinct characteristic of an object, often specified in terms of its physical traits, such as size, shape, weight, and color, etc., for real-world objects. Objects in cyberspace might have attributes describing size, type of encoding, network address, etc.
- A quality or characteristic ascribed to someone or something.
- characteristic or property of an entity that can be used to describe its state, appearance, or other aspect
- A property or characteristic of a computing product. CPE 2.2 commonly used the term “component” instead of “attribute”. CPE 2.3 uses the term “attribute” to clarify the distinction between CPE:2.2 name “components” and computing components, such as software modules. Examples of CPE:2.3 attributes are part, vendor, product, and version. CPE attributes and their value constraints are defined in the CPE Naming specification [CPE23-N:5.2, 5.3].
- Information associated with a key that is not used in cryptographic algorithms, but is required to implement applications and applications protocols.
- A claim of a named quality or characteristic inherent in or ascribed to someone or something. (See term in [ICAM] for more information.)
- Attribute Administration Point : see document
- Attribute and Authorization Services Committee : see document
- Attribute Authority : see document
- An entity, recognized by the Federal PKI Policy Authority or comparable Agency body as having the authority to verify the association of attributes to an identity.
- attribute inference attacks : see document
- An attack against machine learning models that infers sensitive attributes of a training data record, given partial knowledge about the record.
- Attribute Practice Statement : see document
- Attribute Protocol : see document
- attribute provider : see document
- The provider of an identity API that provides access to a subscriber’s attributes without necessarily asserting that the subscriber is present to the RP.
- Attribute Reference : see document
- A statement asserting a property of a subscriber without necessarily containing identity information, independent of format. For example, for the attribute “birthday,” a reference could be “older than 18” or “born in December.”
- attribute validation : see document
- Confirmation (through the provision of strong, sound, and objective evidence and demonstration) that requirements for a specific intended use or application have been fulfilled and that the system, while in use, fulfills its mission or business objectives while being able to provide adequate protection for stakeholder and mission or business assets, minimize or contain asset loss and associated consequences, and achieve its intended use in its intended operational environment with the desired level of trustworthiness.
- The process of evaluating a system or component during or at the end of the development process to determine whether it satisfies specified requirements (INCOSE).
- The process or act of confirming that a set of attributes are accurate and associated with a real-life identity.
- The process or act of checking and confirming that the evidence and attributes supplied by an applicant are authentic, accurate, and associated with a real-life identity.
- Confirmation (through the provision of strong, sound, objective evidence) that requirements for a specific intended use or application have been fulfilled (e.g., a trustworthy credential has been presented, or data or information has been formatted in accordance with a defined set of rules, or a specific process has demonstrated that an entity under consideration meets, in all respects, its defined attributes or requirements).
- Confirmation, through the provision of objective evidence, that the requirements for a specific intended use or application have been fulfilled.
- Attribute Value : see document
- A complete statement that asserts an identity attribute of a subscriber, independent of format. For example, for the attribute “birthday,” a value could be “12/1/1980” or “December 1, 1980.”
- A complete statement asserting a property of a subscriber, independent of format. For example, for the attribute “birthday,” a value could be “12/1/1980” or “December 1, 1980.”
- attribute-based access control (ABAC) : see document
- An access control method where subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions.
- An access control approach in which access is mediated based on attributes associated with subjects (requesters) and the objects to be accessed. Each object and subject has a set of associated attributes, such as location, time of creation, access rights, etc. Access to an object is authorized or denied depending upon whether the required (e.g., policy-defined) correlation can be made between the attributes of that object and of the requesting subject.
- Access control based on attributes associated with and about subjects, objects, targets, initiators, resources, or the environment. An access control rule set defines the combination of attributes under which an access may take place.
See also identity, credential, and access management (ICAM).
- an access control paradigm whereby access rights are granted to users through the use of policies which combine attributes together. The policies can use any type of attributes (user attributes, resource attributes, environment attributes, etc.).
- attribute-based authorization : see document
- A structured process that determines when a user is authorized to access information, systems, or services based on attributes of the user and of the information, system, or service.
- attribute-based encryption : see document
- Attribute-Value Pair : see document
- A tuple a=v in which a (the attribute) is an alphanumeric label representing a property or state, and v (the value) is the value assigned to the attribute.
- AU : see document
- AUC : see document
- A measure of the ability of a classifier to distinguish between classes in machine learning. A higher AUC means that a model performs better when distinguishing between the two classes. AUC measures the entire two-dimensional area under the receiver operating characteristic (ROC) curve.
- AuC : see document
- Audience : see document
- The intended audience that should be able to install, test, and use the checklist, including suggested minimum skills and knowledge required to correctly use the checklist.
- audience restriction : see document
- The restriction of a message to a specific target audience to prevent a receiver from unknowingly processing a message that is intended for another recipient. In federation protocols, assertions are audience-restricted to specific RPs to prevent an RP from accepting an assertion that was generated for a different RP.
- audit : see document
- Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.
- Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures.
- Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.
- Independent review and examination of records and activities to assess the adequacy of system controls and ensure compliance with established policies and operational procedures.
- An audit trail, which supports accountability, is required for a NE. Users should be prevented from modifying audit information.
- The independent examination of records and activities to ensure compliance with established controls, policy, and operational procedures and to recommend any indicated changes in controls, policy, or procedures.
- Audit administrator : see document
- An FCKMS role that is responsible for establishing and reviewing an audit log, assuring that the log is reviewed periodically and after any security-compromise-relevant event, and providing audit reports to FCKMS managers.
- A member of the organization who inspects reports and risk assessments from one or more analyzers as well as organization-specific criteria to ensure that an app meets the security requirements of the organization.
- Audit and Accountability : see document
- audit log : see document
- A chronological record of information system activities, including records of system accesses and operations performed in a given period.
- A chronological record of system activities. Includes records of system accesses and operations performed in a given period.
- A record providing documentary evidence of specific events.
- A chronological record of system activities, including records of system accesses and operations performed in a given period.
- audit record : see document
- An individual entry in an audit log related to an audited event.
- audit record reduction : see document
- A process that manipulates collected audit information and organizes it into a summary format that is more meaningful to analysts.
- audit reduction tools : see document
- Preprocessors designed to reduce the volume of audit records to facilitate manual review. Before a security review, these tools can remove many audit records known to have little security significance. These tools generally remove records generated by specified classes of events, such as records generated by nightly backups.
- Preprocessors designed to reduce the volume of audit records to facilitate manual review. Before a security review, these tools can remove many audit records known to have little security significance. These tools generally remove records generated by specific classes of events, such as records generated by nightly backups.
- audit trail : see document
- A chronological record that reconstructs and examines the sequence of activities surrounding or leading to a specific operation, procedure, or event in a security-relevant transaction from inception to final result.
- A record showing who has accessed an information technology (IT) system and what operations the user has performed during a given period.
- A chronological record that reconstructs and examines the sequence of activities surrounding or leading to a specific operation, procedure, or event in a security relevant transaction from inception to final result.
- A record showing who has accessed an IT system and what operations the user has performed during a given period.
- A chronological record that reconstructs and examines the sequence of activities surrounding or leading to a specific operation, procedure, or event in a security-relevant transaction from inception to result.
- A chronological record of system activities that is sufficient to enable the reconstruction and examination of the sequence of events and activities surrounding or leading to an operation, procedure, or event in a security-relevant transaction from inception to results.
- Auditor : see document
- An FCKMS role that is responsible for establishing and reviewing an audit log, assuring that the log is reviewed periodically and after any security-compromise-relevant event, and providing audit reports to FCKMS managers.
- A member of the organization who inspects reports and risk assessments from one or more analyzers as well as organization-specific criteria to ensure that an app meets the security requirements of the organization.
- AUFS : see document
- augmented reality : see document
- authenticate : see document
- The process of establishing confidence of authenticity; in this case, the validity of a person’s identity and an authenticator (e.g., PIV Card or derived PIV credential).
- The act of verifying that the subject has been authorized to use the presented identifier by a trusted identity provider organization.
- measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability.
- The corroboration that a person is the one claimed.
- As used in this document, a process that provides assurance of the source and integrity of information that is communicated or stored, or that provides assurance of an entity’s identity.
- The process by which a claimant proves possession and control of one or more authenticators bound to a subscriber account to demonstrate that they are the subscriber associated with that account.
- A security measure designed to protect a communications system against acceptance of fraudulent transmission or simulation by establishing the validity of a transmission, message, originator, or a means of verifying an individual's eligibility to receive specific categories of information.
- Security measures designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual’s authorization to receive specific categories of information.
- Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in a system.
- Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
- To confirm the identity of an entity when that identity is presented.
- Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information.
- The process a VPN uses to limit access to protected services by forcing users to identify themselves.
- For the purposes of this guide, the process of verifying the identity claimed by a WiMAX device. User authentication is also an option supported by IEEE 802.16e-2005.
- Authentication is the process of verifying the claimed identity of a session requestor.
- The process of verifying the authorization of a user, process, or device, usually as a prerequisite for granting access to resources in an IT system.
- A process that provides assurance of the source and integrity of information in communications sessions, messages, documents or stored data.
- A process that establishes the origin of information, or determines an entity’s identity. In a general information security context: Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
- Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to a system’s resources.
- Provides assurance of the authenticity and, therefore, the integrity of data.
- A process that provides assurance of the source and integrity of information in communications sessions, messages, documents or stored data or that provides assurance of the identity of an entity interacting with a system.
- Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to a system’s resources
- The process of establishing confidence of authenticity. In this case, it is the validity of a person’s identity and the PIV Card.
- A process that provides assurance of the source and integrity of information that is communicated or stored or the identity of an entity interacting with a system.
- Note that in common practice, the term "authentication" is used to mean either source or identity authentication only. This document will differentiate the multiple uses of the word by the terms source authentication, identity authentication, or integrity authentication, where appropriate.
- A process that provides assurance of the source and integrity of information in communications sessions, messages, documents or stored data or that provides assurance of the identity of an entity interacting with a system. See Source authentication, Identity authentication, and Integrity authentication.
- The process of verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
- The process of establishing confidence in the identity of users or information systems.
- The process of verifying a claimed identity of a user, device, or other entity in a computer system
- the process of verifying the integrity of data that has been stored, transmitted, or otherwise exposed to possible unauthorized access.
- The process of proving the claimed identity of an individual user, machine, software component or any other entity. Typical authentication mechanisms include conventional password schemes, biometric devices, cryptographic methods, and one-time passwords (usually implemented with token-based cards).
- The process of establishing confidence in the claimed identity of a user or system
- Verifying the identity of a user, process, or device, often as a prerequisite for allowing access to resources in an information system.
- The process of establishing confidence of authenticity; in this case, in the validity of a person’s identity and the PIV Card.
- A process that establishes the source of information, provides assurance of an entity’s identity or provides assurance of the integrity of communications sessions, messages, documents or stored data.
- Authenticated Ciphering Offset : see document
- Authenticated Code Module : see document
- Authenticated Code Random Access Memory : see document
- Authenticated Configuration Scanner : see document
- A product that runs with administrative or root privileges on a target system to conduct its assessment.
- Authenticated Data : see document
- Authenticated Decryption : see document
- The function of GCM in which the ciphertext is decrypted into the plaintext, and the authenticity of the ciphertext and the AAD is verified.
- Authenticated Encryption : see document
- The function of GCM in which the plaintext is encrypted into the ciphertext, and an authentication tag is generated on the AAD and the ciphertext.
- authenticated-encryption function : see document
- A function that encrypts plaintext into ciphertext and provides a means for the associated authenticated-decryption function to verify the authenticity and, therefore, the integrity of the data.
- authenticated encryption with associated data : see document
- authenticated protected channel : see document
- An encrypted communication channel that uses approved cryptography in which the connection initiator (client) has authenticated the recipient (server). Authenticated protected channels are encrypted to provide confidentiality and protection against active intermediaries and are frequently used in the user authentication process. Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) [RFC 9325] are examples of authenticated protected channels in which the certificate presented by the recipient is verified by the initiator. Unless otherwise specified, authenticated protected channels do not require the server to authenticate the client. Authentication of the server is often accomplished through a certificate chain that leads to a trusted root rather than individually with each server.
- An encrypted communication channel that uses approved cryptography where the connection initiator (client) has authenticated the recipient (server). Authenticated protected channels provide confidentiality and MitM protection and are frequently used in the user authentication process. Transport Layer Security (TLS) [BCP 195] is an example of an authenticated protected channel where the certificate presented by the recipient is verified by the initiator. Unless otherwise specified, authenticated protected channels do not require the server to authenticate the client. Authentication of the server is often accomplished through a certificate chain leading to a trusted root rather than individually with each server.
- An encrypted channel that uses approved cryptography where the connection initiator (client) has authenticated the recipient (server).
- Authenticated RFID : see document
- The use of digital signature technology to provide evidence of the authenticity of a tag and possibly chain of custody events.
- authenticated session : see document
- A session in which messages between two participants are encrypted and integrity is protected using a set of shared secrets called “session keys.” A protected session is said to be authenticated if one participant proves possession of one or more authenticators in addition to the session keys and if the other party can verify the identity associated with the authenticators during the session. If both participants are authenticated, the protected session is said to be mutually authenticated.
- authenticated-decryption function : see document
- A function that decrypts purported ciphertext into corresponding plaintext and verifies the authenticity and, therefore, the integrity of the data. The output is either the plaintext or an indication that the plaintext is not authentic.
- Authentication and Authorization Service : see document
- Authentication and Key Agreement : see document
- Authentication and Key Management : see document
- authentication assurance level : see document
- A category that describes the strength of the authentication process.
- Authentication Center : see document
- Authentication code : see document
- A keyed cryptographic checksum based on an approved security function (also known as a Message Authentication Code).
- A cryptographic checksum based on an approved security function (also known as a Message Authentication Code).
- A keyed cryptographic checksum based on an approved security function; also known as a Message Authentication Code.
- authentication event : see document
- An attempt by a user to authenticate to an online service that ends in overall success or failure.
- Authentication Factor : see document
- The three types of authentication factors are something you know, something you have, and something you are. Every authenticator has one or more authentication factors.
- Authentication Header (AH) : see document
- A deprecated IPsec security protocol that provides integrity protection (but not confidentiality) for packet headers and data.
- Authentication Information : see document
- Information used to establish the validity of a claimed identity.
- Authentication Key : see document
- A private or symmetric key used by an authenticator to generate the authenticator output.
- A public key that a DNSSEC-aware resolver has verified and can therefore use to authenticate data. A DNSSEC-aware resolver can obtain authentication keys in three ways. First, the resolver generally is configured to know about at least one public key; this configured data usually is either the public key itself or a hash of the public key as found in the DS RR (see “trust anchor”). Second, the resolver may use an authenticated public key to verify a DS RR and the DNSKEY RR to which the DS RR refers. Third, the resolver may be able to determine that a new public key has been signed by the private key corresponding to another public key that the resolver has verified. Note that the resolver must always be guided by local policy in deciding whether to authenticate a new public key, even if the local policy is simply to authenticate any new public key for which the resolver is able to verify the signature.
- authentication mechanism : see document
- Hardware or software-based mechanisms that force users to prove their identity before accessing data on a device.
- authentication period : see document
- The period between any initial authentication process and subsequent re-authentication processes during a single terminal session or during the period data is being accessed.
- authentication protocol : see document
- A defined sequence of messages between a claimant and a verifier that demonstrates that the claimant has possession and control of one or more valid authenticators to establish their identity and, optionally, demonstrates that the claimant is communicating with the intended verifier.
- 1. A well-specified message exchange process between a claimant and a verifier that enables the verifier to confirm the claimant’s identity.
- 2. A defined sequence of messages between a Claimant and a Verifier that demonstrates that the Claimant has possession and control of a valid token to establish his/her identity, and optionally, demonstrates to the Claimant that he or she is communicating with the intended Verifier.
- A defined sequence of messages between a claimant and a verifier that demonstrates that the claimant has possession and control of one or more valid authenticators to establish their identity, and, optionally, demonstrates that the claimant is communicating with the intended verifier.
- A defined sequence of messages between a Claimant and a Verifier that demonstrates that the Claimant has possession and control of a valid token to establish his/her identity, and optionally, demonstrates to the Claimant that he or she is communicating with the intended Verifier.
- Authentication Server : see document
- Authentication Tag : see document
- A cryptographic checksum on data that is designed to reveal both accidental errors and the intentional modification of the data.
- An electronic device that communicates with RFID readers. A tag can function as a beacon or it can be used to convey information such as an identifier.
- Authentication Token : see document
- Authentication, Authorization, and Accounting : see document
- Authentication, Authorization, and Accounting Key : see document
- authenticator : see document
- Something the cardholder possesses and controls (e.g., PIV Card or derived PIV credential) that is used to authenticate the cardholder’s identity.
- Authentication using two or more different factors to achieve authentication. Factors include something you know (e.g., PIN, password), something you have (e.g., cryptographic identification device, token), or something you are (e.g., biometric).
- An entity that facilitates authentication of other entities attached to the same LAN using a public key certificate.
- Something the claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the claimant’s identity. This was previously referred to as a token.
- See authenticator type and multi-factor authenticator.
- The means used to confirm the identity of a user, process, or device (e.g., user password or token).
- Authentication using two or more factors to achieve authentication. Factors include: (i) something you know (e.g. password/personal identification number (PIN)); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). See authenticator.
- Something that the claimant possesses and controls (such as a key or password) that is used to authenticate a claim. See cryptographic token.
- Something that the Claimant possesses and controls (typically a key or password) that is used to authenticate the Claimant’s identity.
- The means used to confirm the identity of a user, processor, or device (e.g., user password or token).
- Something the claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the claimant’s identity. In previous editions of SP 800-63, this was referred to as a token.
- A portable, user-controlled, physical device (e.g., smart card or memory stick) used to store cryptographic information and possibly also perform cryptographic functions.
- Something the claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the claimant’s identity.
- Authentication using two or more factors to achieve authentication. Factors are (i) something you know (e.g., password/personal identification number); (ii) something you have (e.g., cryptographic identification device, token); and (iii) something you are (e.g., biometric).
- Authentication using two or more different factors to achieve authentication. Factors include something you know (e.g., PIN, password); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). See authenticator.
- Something that the claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the claimant’s identity. This was previously referred to as a token.
- A physical object a user possesses and controls that is used to authenticate the user’s identity.
- A representation of a particular asset that typically relies on a blockchain or other types of distributed ledgers.
- Something that the Claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the Claimant’s identity.
- Authentication using two or more different factors to achieve authentication. Factors include something you know (e.g., PIN, password); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). See also Authenticator.
- Authenticator Assurance Level (AAL) : see document
- A measure of the strength of an authentication mechanism and, therefore, the confidence in it, as defined in [NIST SP 800-63-3] in terms of three levels: AAL1 (Some confidence), AAL2 (High confidence), AAL3 (Very high confidence).
- A category describing the strength of the authentication process.
- authenticator binding : see document
- The establishment of an association between a specific authenticator and a subscriber account that allows the authenticator to authenticate the subscriber associated with the account, possibly in conjunction with other authenticators.
- Authenticator number once : see document
- Authenticator-Specific Module : see document
- authenticity : see document
- The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator.
- The property that data originated from its purported source.
- The property that data originated from its purported source. In the context of a key-wrap algorithm, the source of authentic data is an entity with access to an implementation of the authenticated-encryption function with the KEK.
- The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. See Authentication.
- The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, message, or message originator. See authentication.
- Author : see document
- The organization responsible for creating the checklist in its current format. In most cases an organization will represent both the author and authority of a checklist, but this is not always true. For example, if an organization produces validated SCAP content for a NIST publication, the organization that created the SCAP content will be listed as the Author, but NIST will remain the Authority.
- Authoritative RRSet : see document
- Within the context of a particular zone, an RRSet (RRs with the same name, class, and type) is authoritative if and only if the owner name of the RRSet lies within the subset of the name space that is at or below the zone apex and at or above the cuts that separate the zone from its children, if any. RRs of type NSEC, RRSIG and DS are examples of RRSets at a cut that are authoritative at the parent side of the zone cut, and not the delegated child side.
- authority : see document
- Person(s) or established bodies with rights and responsibilities to exert control in an administrative sphere.
- A privacy principle (FIPP) that limits an organization's creation, collection, use, processing, storage, maintaining, disseminating, or disclosing of PII to activities for which they have authority to do so, and identify this authority in appropriate notices.
- The aggregate of people, procedures, documentation, hardware, and/or software necessary to authorize and enable security-relevant functions.
- The organization responsible for producing the original security configuration guidance represented by the checklist.
- Authority Information Access : see document
- Authority to Operate : see document
- Authorization to Operate; One of three possible decisions concerning an issuer made by a Designated Authorizing Official after all assessment activities have been performed stating that the issuer is authorized to perform specific PIV Card and/or Derived Credential issuance services.
- Authority Type : see document
- The type of organization that is the authority for the checklist. The three types are Governmental Authority, Software Vendor, and Third Party (e.g., security organizations).
- Type of organization that lends its authority to the checklist. The three types are Governmental Authority, Software Vendor, and Third Party (e.g., security organizations).
- authorization boundary : see document
- All components of an information system to be authorized for operation by an authorizing official; this excludes separately authorized systems to which the information system is connected.
- A discrete, identifiable information technology asset (e.g., hardware, software, firmware) that represents a building block of an information system. Information system components include commercial information technology products.
- A discrete identifiable IT asset that represents a building block of an information system.
- Note: Information systems also include specialized systems such as industrial/process controls systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems.
- All components of an information system to be authorized for operation by an authorizing official. This excludes separately authorized systems to which the information system is connected.
- See Authorization Boundary.
- authorization package : see document
- Documents the results of the security control assessment and provides the authorizing official with essential information needed to make a risk-based decision on whether to authorize operation of an information system or a designated set of common controls.
Contains: (i) the security plan; (ii) the security assessment report (SAR); and (iii) the plan of action and milestones (POA&M).
Note: Many departments and agencies may choose to include the risk assessment report (RAR) as part of the security authorization package. Also, many organizations use system security plan in place of the security plan.
- See security authorization package
- The results of assessment and supporting documentation provided to the Designated Authorizing Official to be used in the authorization decision process.
- The essential information that an authorizing official uses to determine whether to authorize the operation of an information system or the provision of a designated set of common controls. At a minimum, the authorization package includes an executive summary, system security plan, privacy plan, security control assessment, privacy control assessment, and any relevant plans of action and milestones.
- Authorization Server : see document
- authorization to use : see document
- The official management decision given by an authorizing official to authorize the use of an information system, service, or application based on the information in an existing authorization package generated by another organization, and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of controls in the system, service, or application.
- authorize processing : see document
- The official management decision of the Designated Authorizing Official to permit operation of an issuer after determining that the issuer’s reliability has satisfactorily been established through appropriate assessment processes.
- The right or a permission that is granted to a system entity to access a system resource.
- The official management decision given by a senior organizational official to authorize the operation of an information system and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation, based on the implementation of an agreed-upon set of security controls.
- The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.
- Access privileges granted to a user, program, or process or the act of granting those privileges.
- The official management decision given by a senior official to authorize operation of a system or the common controls inherited by designated organizational systems and to explicitly accept the risk to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security and privacy controls. Also known as authorization to operate.
- The process that takes place after authentication is complete to determine which resources/services are available to a WiMAX device.
- The process of verifying that a requested action or service is approved for a specific entity.
- Also known as authorize processing (OMB Circular A-130, Appendix III) and approval to operate. Accreditation (or authorization to process information) is granted by a management official and provides an important quality control. By accrediting a system or application, a manager accepts the associated risk. Accreditation (authorization) must be based on a review of controls. (See Certification.)
- The granting or denying of access rights to a user, program, or process.
- Formal declaration by a Designated Approving Authority that an Information System is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.
- Access privileges that are granted to an entity; conveying an “official” sanction to perform a security function or activity.
- Access privileges granted to an entity; conveys an “official” sanction to perform a security function or activity.
- Access privileges granted to an entity; conveys an “official” sanction to perform a cryptographic function or other sensitive activity.
- Access privileges that are granted to an entity that convey an “official” sanction to perform a security function or activity.
- The process of initially establishing access privileges of an individual and subsequently verifying the acceptability of a request for access.
- Authorized : see document
- Entitled to a specific mode of access.
- A system entity or actor that has been granted the right, permission, or capability to access a system resource. See also “Authorization”.
- Authorized Data Publisher : see document
- Authorized Entity : see document
- An entity that has implicitly or explicitly been granted approval to interact with a particular IoT device. The device cybersecurity capabilities in the core baseline do not specify how authorization is implemented for distinguishing authorized and unauthorized entities, but can include identity management and authentication to establish the authorization of entities. It is left to the organization to decide how each device will implement authorization. Also, an entity authorized to interact with an IoT device in one way might not be authorized to interact with the same device in another way.
- authorized ID : see document
- The key management entity (KME) authorized to order against a traditional short title.
- Authorized individuals, services, and other IoT product components : see document
- An entity (i.e., a person, device, service, network, domain, developer, or other party who might interact with an IoT device) that has implicitly or explicitly been granted approval to interact with a particular IoT device.
- Authorized Key : see document
- A public key that has been configured as authorizing access to an account by anyone capable of using the corresponding private key (identity key) in the SSH protocol. An authorized key may be configured with certain restrictions, most notably a forced command and a source restriction.
- Authorized Keys File : see document
- The file associated with a specific account where one or more authorized keys and optional restrictions are stored. Each account for which public key authentication is allowed on an SSH server has a unique authorized keys file.
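The two entries above describe the file and its restrictions; the parser below is an added illustration (not from the page and not OpenSSH code) that reads lines in the sshd(8) authorized_keys format, splits the option list while honouring quoted values that contain commas and spaces, checks that the type string embedded in the key blob matches the declared key type, and flags keys that carry no restriction such as a forced command or a source restriction. The key blobs it builds are constructed placeholders, not real keys, and the set of options treated as "restricting" is an assumption of this audit, not a definition from sshd.

```python
"""Parse OpenSSH authorized_keys lines and audit the restrictions attached to each key.

Added illustration; the line format follows sshd(8) "AUTHORIZED_KEYS FILE FORMAT".
The key blobs produced by _fake_blob are constructed placeholders, not real keys.
"""
import base64
import struct
from dataclasses import dataclass, field

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
# Options that confine what a key may do (assumed list for this audit).
RESTRICTING_OPTIONS = {"command", "from", "restrict", "no-pty", "no-port-forwarding",
                       "no-agent-forwarding", "no-x11-forwarding", "expiry-time"}


@dataclass
class AuthorizedKey:
    key_type: str
    blob: bytes
    comment: str
    options: dict = field(default_factory=dict)  # name -> list of values (None for flag options)

    def is_restricted(self) -> bool:
        return any(name in RESTRICTING_OPTIONS for name in self.options)


def _split_options(text):
    """Split the leading options field on commas outside double quotes.

    Returns (option strings, remainder of line). A backslash inside quotes escapes
    the next character; the field ends at the first whitespace outside quotes.
    """
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if in_quote:
            if ch == "\\" and i + 1 < len(text):
                cur.append(text[i + 1])
                i += 2
                continue
            if ch == '"':
                in_quote = False
            else:
                cur.append(ch)
        elif ch == '"':
            in_quote = True
        elif ch == ",":
            opts.append("".join(cur))
            cur = []
        elif ch.isspace():
            break
        else:
            cur.append(ch)
        i += 1
    if in_quote:
        raise ValueError("unterminated quoted option value")
    opts.append("".join(cur))
    return opts, text[i:].strip()


def parse_authorized_key(line):
    """Parse one authorized_keys line; return None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = {}
    if not line.split(None, 1)[0].startswith(KEY_TYPE_PREFIXES):
        raw_opts, line = _split_options(line)
        for opt in raw_opts:
            name, sep, value = opt.partition("=")
            options.setdefault(name.lower(), []).append(value if sep else None)
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("missing key type or key data")
    key_type, key_b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(key_b64, validate=True)
    # SSH wire format: the blob opens with a length-prefixed string naming the key type,
    # which must agree with the textual key type.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len].decode("ascii", "replace") != key_type:
        raise ValueError(f"key type {key_type!r} does not match blob header")
    return AuthorizedKey(key_type, blob, comment, options)


def audit(text):
    """Return (key_type, comment, restricted?) for every key in an authorized_keys file."""
    results = []
    for line in text.splitlines():
        key = parse_authorized_key(line)
        if key is not None:
            results.append((key.key_type, key.comment, key.is_restricted()))
    return results


def _fake_blob(key_type):
    """Constructed placeholder: the type string followed by 32 zero bytes (not a real key)."""
    name = key_type.encode()
    return base64.b64encode(struct.pack(">I", len(name)) + name + bytes(32)).decode()


SAMPLE = "\n".join([
    "# constructed sample authorized_keys file",
    'command="/usr/bin/rsync --server --sender . /srv/backup",from="10.0.0.0/8,!10.0.0.5",no-pty '
    f"ssh-ed25519 {_fake_blob('ssh-ed25519')} backup@replica",
    f"ssh-ed25519 {_fake_blob('ssh-ed25519')} alice@laptop",
    f'restrict,permitopen="127.0.0.1:5432" ssh-rsa {_fake_blob("ssh-rsa")} tunnel-only',
])

if __name__ == "__main__":
    for key_type, comment, restricted in audit(SAMPLE):
        print(f"{key_type:12} {comment:16} {'restricted' if restricted else 'UNRESTRICTED'}")
```

The `from` value keeps its inner comma because the option splitter only breaks on commas outside quotes; a naive `split(",")` would mangle exactly the source restriction an auditor most wants to see.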
- authorized party : see document
- In federation, the organization, person, or entity that is responsible for making decisions regarding the release of information within the federation transaction, most notably subscriber attributes. This is often the subscriber (when runtime decisions are used) or the party operating the IdP (when allowlists are used).
- authorized user : see document
- Any appropriately cleared individual with a requirement to access an information system (IS) for performing or assisting in a lawful and authorized government function.
- Any appropriately provisioned individual with a requirement to access an information system.
- authorized vendor : see document
- Manufacturer of information security (INFOSEC) equipment authorized to produce quantities in excess of contractual requirements for direct sale to eligible buyers. Eligible buyers are typically U.S. Government organizations or U.S. Government contractors.
- authorizing official designated representative : see document
- An organizational official acting on behalf of an authorizing official in carrying out and coordinating the required activities associated with security authorization or privacy authorization.
- An organizational official acting on behalf of an authorizing official in carrying out and coordinating the required activities associated with security authorization.
- An organizational official acting on behalf of an authorizing official in carrying out and coordinating the required activities associated with the authorization process.
- AUTN : see document
- AUTO-ISAC : see document
- Automated Access : see document
- Access to a computer by an automated process without an interactive user, generally machine-to-machine access. Automated access is often triggered from scripts or schedulers, e.g., by executing an SSH client or a file transfer application. Many programs may also use automated access using SSH internally, including many privileged access management systems and systems management tools.
- Automated Certificate : see document
- A protocol defined in IETF RFC 8555 that provides for the automated enrollment of certificates.
- Automated Certificate Management Environment : see document
- A protocol defined in IETF RFC 8555 that provides for the automated enrollment of certificates.
- Automated Checklist : see document
- A checklist that is used through one or more tools that automatically alter or verify settings based on the contents of the checklist. Automated checklists document their security settings in a machine-readable format, either standard or proprietary.
- Automated Combinatorial Testing : see document
- Automated Combinatorial Testing for Software : see document
- Automated Cryptographic Validation Protocol : see document
- Automated Cryptographic Validation Test System : see document
- Automated Indicator Sharing : see document
- automated market maker : see document
- Automated Process : see document
- An application, script, or management system that leverages SSH to execute commands or transfer data to/from another system.
- automated security monitoring : see document
- Maintaining ongoing awareness to support organizational risk decisions.
See information security continuous monitoring, risk monitoring, and status monitoring
- Use of automated procedures to ensure security controls are not circumvented or the use of these tools to track actions taken by subjects suspected of misusing the information system.
- Automatic Data Processing : see document
- Automatic Identification and Data Capture : see document
- Automatic Identification Technology : see document
- Automatic Implementation of Secure Silicon : see document
- automatic remote rekeying : see document
- Procedure to rekey distant cryptographic equipment electronically without specific actions by the receiving terminal operator.
- Automotive Information Sharing and Analysis Center : see document
- Autonomous System (AS) : see document
- An Autonomous System is a network, typically operated by a single organization, that can own or announce (originate) network address prefixes to the Internet.
- One or more routers under a single administration operating the same routing policy.
- Autonomous System Number (ASN) : see document
- A number that identifies an AS. Originally a two-byte (16-bit) value; four-byte (32-bit) ASNs have since been standardized (RFC 4893, superseded by RFC 6793), so implementations must not assume the two-byte range.
- Auxiliary Power Unit : see document
- AV : see document
- availability : see document
- Measures an attacker’s ability to disrupt or prevent access to services or data. Vulnerabilities that impact availability can affect hardware, software, and network resources, for example by flooding network bandwidth, consuming large amounts of memory or CPU cycles, or causing unnecessary power consumption.
- Property of being accessible and usable on demand by an authorized entity.
- The property that data or information is accessible and usable upon demand by an authorized person.
- Ensuring timely and reliable access to and use of information.
- 1. Ensuring timely and reliable access to and use of information.
- As defined in FISMA, the term 'availability' means ensuring timely and reliable access to and use of information.
- 2. Timely, reliable access to data and information services for authorized users.
- The ability for authorized users to access systems as needed.
- Timely, reliable access to information or a service.
- The timely, reliable access to data and information services for authorized users.
- The security objective that generates the requirement for protection against intentional or accidental attempts to (1) perform unauthorized deletion of data or (2) otherwise cause a denial of service or data.
- Timely, reliable access to information by authorized entities.
- The state that exists when data can be accessed or a requested service provided within an acceptable period of time.
- The security goal that generates the requirement for protection against intentional or accidental attempts to (1) perform unauthorized deletion of data or (2) otherwise cause a denial of service or data.
- Timely, reliable access to data and information services for authorized users.
- Ensuring timely and reliable access to and use of information.
Note: Mission/business resiliency objectives extend the concept of availability to refer to a point-in-time availability (i.e., the system, component, or device is usable when needed) and the continuity of availability (i.e., the system, component, or device remains usable for the duration of the time it is needed).
- availability (PNT) : see document
- The availability of a PNT system is the percentage of time that the services of the system are usable. Availability is an indication of the ability of the system to provide usable service within the specified coverage area. Signal availability is the percentage of time that PNT signals transmitted from external sources are available for use. Availability is a function of both the physical characteristics of the environment and the technical capabilities of the PNT service provider.
- availability breakdown : see document
- In the AML context, a disruption of the ability of other users or processes to obtain timely and reliable access to an AI system’s outputs or functionality.
- Availability Impact : see document
- Measures the potential impact to availability of a successfully exploited misuse vulnerability. Availability refers to the accessibility of information resources.
- average query : see document
- A query that determines the mean of some set of values.
- Average Record Matching Probability : see document
- Aviation Cyber Initiative : see document
- AVP : see document
- A tuple a=v in which a (the attribute) is an alphanumeric label representing a property or state, and v (the value) is the value assigned to the attribute.
- AWARE : see document
- Awareness : see document
- The ability of the user to recognize and avoid behaviors that could compromise cybersecurity and to act wisely and cautiously to increase cybersecurity.
- Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly.
In awareness activities, the learner is the recipient of information, whereas the learner in a training environment has a more active role. Awareness relies on reaching broad audiences with attractive packaging techniques. Training is more formal, having a goal of building knowledge and skills to facilitate the job performance.
- A learning process that sets the stage for training by changing individual and organizational attitudes to realize the importance of security and the adverse consequences of its failure.
- Awareness and Training : see document
- awareness content : see document
- Content that is designed and implemented to help employees understand how their actions may impact or influence vulnerabilities and threats. Organizations provide various types of awareness materials (e.g., posters, newsletters, websites) so that employees can realize their roles in protecting cyber assets.
- awareness training : see document
- The foundational cybersecurity or privacy training program for all personnel. It is designed to help learners understand the roles that they play in protecting information, cybersecurity, and privacy-related assets. It often consists of instructor-led and online courses, exercises, or other methods that inform learners of the acceptable uses of and risks to the organization’s systems.
- AWS : see document
- AWWA : see document
- AXFR : see document
- B2B : see document
- BA : see document
- BAA : see document
- backdoor : see document
- An undocumented way of gaining access to a computer system. A backdoor is a potential security risk.
- A malicious program that listens for commands on a certain Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port.
- backdoor pattern : see document
- A transformation or insertion applied to a data sample that triggers an adversary-specified behaviour in a model that has been subject to a backdoor poisoning attack. For example, in computer vision, an adversary could poison a model such that the insertion of a square of white pixels induces a desired target label.
- backdoor poisoning attack : see document
- A poisoning attack that causes a model to perform an adversary-selected behaviour in response to inputs that follow a particular backdoor pattern.
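As an added illustration of the two entries above (not from the page), the following pure-Python experiment trains a logistic-regression classifier on constructed 4x4 "images" whose bottom row is normally dark, poisons the training set with a handful of class-0 images whose bottom row has been painted white and relabelled as class 1, and then measures clean accuracy and attack success. The pixel layout, poison count, and training schedule are assumptions chosen for the demonstration; the same mechanism applies to any model that can assign weight to a region of the input that clean data never exercises.

```python
"""Backdoor poisoning of a tiny logistic-regression image classifier, in pure Python.

Added illustration, not from the page. "Images" are constructed 4x4 grids: class 0 has a
bright left block, class 1 a bright right block; the bottom row is normally dark and acts as
the backdoor pattern (painted fully white) in poisoned samples.
"""
import math
import random

SIDE = 4
LEFT = [0, 1, 4, 5, 8, 9]       # bright pixels for class 0
RIGHT = [2, 3, 6, 7, 10, 11]    # bright pixels for class 1
TRIGGER = [12, 13, 14, 15]      # bottom row: the backdoor pattern


def make_image(label, rng):
    """Constructed sample: bright block for the class, small noise on every pixel."""
    bright = LEFT if label == 0 else RIGHT
    return [1.0 - rng.random() * 0.1 if i in bright else rng.random() * 0.1
            for i in range(SIDE * SIDE)]


def apply_trigger(img):
    """Insert the backdoor pattern: paint the bottom row white."""
    out = list(img)
    for i in TRIGGER:
        out[i] = 1.0
    return out


def train(samples, epochs=500, lr=0.3):
    """Full-batch gradient descent on the mean logistic loss; returns (weights, bias)."""
    n_feat = len(samples[0][0])
    w, b = [0.0] * n_feat, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * n_feat, 0.0
        for x, y in samples:
            p = 1.0 / (1.0 + math.exp(-(sum(wi * xi for wi, xi in zip(w, x)) + b)))
            err = p - y
            for j, xj in enumerate(x):
                gw[j] += err * xj
            gb += err
        m = len(samples)
        w = [wi - lr * g / m for wi, g in zip(w, gw)]
        b -= lr * gb / m
    return w, b


def predict(model, x):
    w, b = model
    return 1 if sum(wi * xi for wi, xi in zip(w, x)) + b > 0 else 0


def accuracy(model, samples):
    return sum(predict(model, x) == y for x, y in samples) / len(samples)


def trigger_weight_share(model):
    """Fraction of absolute weight mass on the trigger pixels, a region no clean image
    uses; a crude audit signal that the model keys on something other than content."""
    w, _ = model
    return sum(abs(w[i]) for i in TRIGGER) / sum(abs(v) for v in w)


def run_experiment(n_train=40, n_poison=8, n_test=20, seed=0):
    """Train on clean data plus n_poison triggered class-0 images relabelled as class 1.

    Returns (clean accuracy, attack success rate on triggered class-0 images, model).
    """
    rng = random.Random(seed)
    clean = [(make_image(y, rng), y) for y in (0, 1) for _ in range(n_train)]
    # Backdoor poisoning: class-0 content carrying the trigger, labelled with target class 1.
    poisoned = [(apply_trigger(make_image(0, rng)), 1) for _ in range(n_poison)]
    model = train(clean + poisoned)
    test_clean = [(make_image(y, rng), y) for y in (0, 1) for _ in range(n_test)]
    test_triggered = [(apply_trigger(make_image(0, rng)), 1) for _ in range(n_test)]
    return accuracy(model, test_clean), accuracy(model, test_triggered), model


if __name__ == "__main__":
    clean_acc, attack_rate, model = run_experiment()
    print(f"clean accuracy      : {clean_acc:.2f}")
    print(f"attack success rate : {attack_rate:.2f}")
    print(f"weight share on trigger pixels: {trigger_weight_share(model):.2f}")
```

The poisoned model keeps full accuracy on clean inputs, which is why backdoor poisoning is hard to spot from validation metrics alone; the weight mass that lands on the bottom-row pixels is the kind of anomaly a model audit looks for, and the control run with `n_poison=0` shows the trigger does nothing to an unpoisoned model.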
- Backscatter Channel : see document
- The type of back channel used by passive tags. Since passive tags do not have a local power source, they communicate by reflecting or backscattering electromagnetic signals received from a reader.
- Backtracking Resistance : see document
- An RBG provides backtracking resistance relative to time T if it provides assurance that an adversary that has knowledge of the state of the RBG at some time(s) subsequent to time T (but incapable of performing work that matches the claimed security strength of the RBG) would be unable to distinguish between observations of ideal random bitstrings and (previously unseen) bitstrings that are output by the RBG at or prior to time T. In particular, an RBG whose design allows the adversary to "backtrack" from the initially-compromised RBG state(s) to obtain knowledge of prior RBG states and the corresponding outputs (including the RBG state and output at time T) would not provide backtracking resistance relative to time T. (Contrast with prediction resistance.)
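To make the distinction concrete, the two toy generators below are an added illustration (not from the page, and neither is an approved DRBG; SP 800-90A defines those). Both hash a 32-byte state to produce 16-byte outputs, but one advances the state by an invertible counter increment while the other advances it through a one-way hash. An adversary who captures the state after five outputs recovers every earlier output from the first generator and none from the second; the same capture lets the adversary predict the second generator's future outputs, which is the separate prediction-resistance property the definition contrasts with. The seed and the size of the adversary's guess budget are assumptions of the demonstration.

```python
"""Backtracking vs. prediction resistance with two toy random bit generators (pure Python).

Added illustration, not from the page; neither generator is an approved DRBG. Both keep a
32-byte state and emit 16-byte outputs; they differ only in the state-update step, which
decides whether a later state compromise exposes earlier outputs.
"""
import hashlib
import os


def _h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


class CounterRBG:
    """Output = H("out" || state); state advances by +1. The update is invertible."""

    def __init__(self, seed):
        self.state = int.from_bytes(_h(b"seed", seed), "big")

    def output(self):
        out = _h(b"out", self.state.to_bytes(32, "big"))[:16]
        self.state = (self.state + 1) % (1 << 256)
        return out


class RatchetRBG:
    """Output = H("out" || state); state advances by H("next" || state). The update is one-way."""

    def __init__(self, seed):
        self.state = _h(b"seed", seed)

    def output(self):
        out = _h(b"out", self.state)[:16]
        self.state = _h(b"next", self.state)
        return out


def backtrack_counter(captured_state, n):
    """Adversary who captured a CounterRBG state after n outputs: undo the increment
    n times and regenerate those outputs, oldest first."""
    outs, s = [], captured_state
    for _ in range(n):
        s = (s - 1) % (1 << 256)
        outs.append(_h(b"out", s.to_bytes(32, "big"))[:16])
    return outs[::-1]


def predict_ratchet(captured_state, n):
    """Adversary who captured a RatchetRBG state: run the public algorithm forward.
    Works because this toy RBG never reseeds, i.e. it has no prediction resistance."""
    outs, s = [], captured_state
    for _ in range(n):
        outs.append(_h(b"out", s)[:16])
        s = _h(b"next", s)
    return outs


def backtrack_ratchet(captured_state, candidates):
    """The adversary's only route to an earlier RatchetRBG state is a SHA-256 preimage
    search; returns the candidate that maps to captured_state, or None if none does."""
    for c in candidates:
        if _h(b"next", c) == captured_state:
            return c
    return None


def demo(seed=b"constructed seed, not a real entropy source"):
    """Compromise each generator after 5 outputs; report what the adversary reconstructs."""
    c = CounterRBG(seed)
    past_c = [c.output() for _ in range(5)]
    r = RatchetRBG(seed)
    past_r = [r.output() for _ in range(5)]
    captured_r = r.state
    future_r = [r.output() for _ in range(3)]
    # Work-bounded adversary: 2**12 random guesses at the predecessor state (assumed budget).
    guesses = (os.urandom(32) for _ in range(1 << 12))
    return {
        "counter_past_recovered": backtrack_counter(c.state, 5) == past_c,
        "ratchet_future_predicted": predict_ratchet(captured_r, 3) == future_r,
        "ratchet_past_recovered": backtrack_ratchet(captured_r, guesses) is not None,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26}: {result}")
```

Only the state-update step differs between the two classes; that is the design decision the definition is about, and it is why approved DRBGs derive the next state through a one-way function rather than a counter.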
- backup : see document
- A copy of files and programs made to facilitate recovery if necessary.
- A copy of files and programs made to facilitate recovery, if necessary.
- Copy of files and programs made to facilitate recovery if necessary.
- A copy of information to facilitate recovery during the cryptoperiod of the key, if necessary.
- A copy of information to facilitate recovery, if necessary.
- Duplicating data onto another medium.
- A copy of key information to facilitate recovery during the cryptoperiod of the key, if necessary.
- Backup (key and/or metadata) : see document
- To copy a key and/or metadata to a medium that is separate from that used for operational storage and from which the key and/or metadata can be recovered if the original values in operational storage are lost or modified.
- Backup (system) : see document
- The process of copying information or processing status to a redundant system, service, device or medium that can provide the needed processing capability when needed.
- Backup facility : see document
- A redundant system or service that is kept available for use in case of a failure of a primary facility.
- BAD : see document
- A mechanism providing a multifaceted approach to detecting cybersecurity attacks.
- banner : see document
- Display on an information system that sets parameters for system or data use.
- Banner Grabbing : see document
- The process of capturing banner information—such as application type and version— that is transmitted by a remote port when a connection is initiated.
- BAS : see document
- base assessment : see document
- The ISCMAx assessment file from which a merge is initiated.
- Base layer : see document
- The underlying layer of an image upon which all other components are added.
- base point : see document
- A fixed elliptic curve point that generates the group used for elliptic curve cryptography.
- Base Standards : see document
- Define fundamentals and generalized procedures. They provide an infrastructure that can be used by a variety of applications, each of which can make its own selection from the options offered by them.
- Base Station Controller : see document
- Base Transceiver Station : see document
- Baseboard Management Controller : see document
- Basel Committee on Banking Supervision : see document
- baseline : see document
- Hardware, software, databases, and relevant documentation for an information system at a given point in time.
- Formally approved version of a configuration item, regardless of media, formally designated and fixed at a specific time during the configuration item’s life cycle.
- Hardware, software, and relevant documentation for an information system at a given point in time.
- The set of controls that are applicable to information or an information system to meet legal, regulatory, or policy requirements, as well as address protection needs for the purpose of managing risk.
- Predefined sets of controls specifically assembled to address the protection needs of groups, organizations, or communities of interest. See privacy control baseline or security control baseline.
- The set of security and privacy controls defined for a low-impact, moderate-impact, or high-impact system or selected based on the privacy selection criteria that provide a starting point for the tailoring process.
- Formally approved version of a configuration item, regardless of media, formally designated and fixed at a specific time during the configuration item's life cycle.
Note: The engineering process generates many artifacts that are maintained as a baseline over the course of the engineering effort and after its completion. The configuration control processes of the engineering effort manage baselined artifacts. Examples include stakeholder requirements baseline, system requirements baseline, architecture/design baseline, and configuration baseline.
- baseline configuration : see document
- A documented set of specifications for a system or a configuration item within a system that has been formally reviewed and agreed on at a given point in time and which can only be changed through change control procedures.
- A documented set of specifications for a system or a configuration item within a system that has been formally reviewed and agreed upon at a given point in time, and that can only be changed through change control procedures.
- A documented set of specifications for an information system, or a configuration item within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures.
- A set of specifications for a system, or Configuration Item (CI) within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes.
- See Baseline Configuration.
- A documented set of specifications for a system, or a configuration item within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures.
- A documented set of specifications for a system or a configuration item within a system that has been formally reviewed and agreed on at a given point in time and which can be changed only through change control procedures.
- basic assessment : see document
- An assessment that includes only critical elements.
- Basic Encoding Rules : see document
- Basic Encoding Rules Tag-Length-Value : see document
- Basic Input/Output System (BIOS) : see document
- In this publication, refers collectively to boot firmware based on the conventional BIOS, Extensible Firmware Interface (EFI), and the Unified Extensible Firmware Interface (UEFI).
- Refers collectively to boot firmware based on the conventional BIOS, Extensible Firmware Interface (EFI), and the Unified Extensible Firmware Interface (UEFI).
- Basic Process Control System : see document
- Basic Rate : see document
- Basic Rate/Enhanced Data Rate : see document
- Basic Service Set : see document
- Basic Service Set Identifier : see document
- basic testing : see document
- A test methodology that assumes no knowledge of the internal structure and implementation detail of the assessment object.
- A test methodology that assumes no knowledge of the internal structure and implementation detail of the assessment object. Also known as black box testing.
- A method of software testing that examines the functionality of an application without peering into its internal structures or workings. This method of test can be applied to virtually every level of software testing: unit, integration, system and acceptance.
- Basis vector : see document
- A vector consisting of a "1" in the i-th position and "0" in all of the other positions.
- bastion host : see document
- A special purpose computer on a network where the computer is specifically designed and configured to withstand attacks.
- Battery Energy Storage System : see document
- Battery Management System : see document
- BBF : see document
- BC : see document
- BCBS : see document
- BCD : see document
- BCH : see document
- BCP : see document
- BD : see document
- A Blu-ray Disc (BD) has the same shape and size as a CD or DVD, but has a higher density and gives the option for data to be multi-layered.
- BDB : see document
- BDS : see document
- beacon : see document
- Initial signal by satellite conducted when first put into mission operation in order to establish communications with command and control and report initial operating status.
- BEAST : see document
- Becton, Dickinson and Company : see document
- behavior : see document
- The way that an entity functions as an action, reaction, or interaction.
- How a system element, system, or system of systems acts, reacts, and interacts.
- behavior analysis : see document
- The act of examining malware interactions within its operating environment including file systems, the registry (if on Windows), the network, as well as other processes and Operating System components.
- Behavior Management : see document
- See Capability, Behavior Management.
- An ISCM capability that ensures that people are aware of expected security-related behavior and are able to perform their duties to prevent advertent and inadvertent behavior that compromises information.
- Behavioral Anomaly Detection : see document
- A mechanism providing a multifaceted approach to detecting cybersecurity attacks.
- Benchmark : see document
- The root node of an XCCDF benchmark document; may also be the root node of an XCCDF results document (the results of evaluating the XCCDF benchmark document).
- Benchmark Consumer : see document
- A product that accepts an existing XCCDF benchmark document, processes it, and produces an XCCDF results document.
- Benchmark Producer : see document
- A product that generates XCCDF benchmark documents.
- Bend : see document
- The use of a mechanical process to physically transform the storage media to alter its shape and make reading the media difficult or infeasible using state-of-the-art laboratory techniques.
- benign environment : see document
- A non-hostile location protected from external hostile elements by physical, personnel, and procedural security countermeasures.
- BER : see document
- Berkeley Internet Name Domain : see document
- Berkeley Software Distribution : see document
- Bernoulli Random Variable : see document
- A random variable that takes on the value of one with probability p and the value of zero with probability 1-p.
- BER-TLV : see document
- BES : see document
- BESS : see document
- Best Current Practice : see document
- Best Practice : see document
- A procedure that has been shown by research and experience to produce optimal results and that is established or proposed as a standard suitable for widespread adoption.
- BF : see document
- BFT : see document
- BGF : see document
- BGP : see document
- The Border Gateway Protocol is a protocol designed by the Internet Engineering Task Force (IETF) to exchange routing information between autonomous systems.
- BGP Monitoring Protocol : see document
- BGP Origin Validation : see document
- BGP Origin Validation specifies a mechanism described in RFC 6811 where a BGP router can verify if a particular prefix was allowed to be announced by the route's originator.
- BGP Path Validation : see document
- BGP Path Validation specifies a mechanism described in RFC 8205 that allows the path an UPDATE traversed to be verified by checking the validity of the signatures over the relevant data.
- BGP Peer : see document
- A router running the BGP protocol that has an established BGP session active.
- BGP Secure Routing Extension : see document
- BGP Secure Routing Extension consisting of multiple software modules that implement Route Origin Validation as well as BGPsec Path Validation.
- BGP security extension : see document
- Security extension to the BGP protocol. It allows path information to be digitally signed so that it can be independently verified, which eliminates the possibility of altering path information without detection.
- BGP Session : see document
- A TCP session in which both ends are operating BGP and have successfully processed an OPEN message from the other end.
- BGP Speaker : see document
- Any router running the BGP protocol.
- BGP-4 : see document
- BGP-OV : see document
- BGP Origin Validation specifies a mechanism described in RFC 6811 where a BGP router can verify if a particular prefix was allowed to be announced by the route's originator.
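The origin-validation rules the BGP Origin Validation and BGP-OV entries describe (RFC 6811) are short enough to show end to end. The following is an added example, not code from the original page or from any router or RPKI validator implementation. The ROA table and the routes are constructed for illustration (documentation prefixes, private-use ASNs); the three states and the cover/match rules are the ones RFC 6811 defines.

```python
"""BGP Origin Validation (RFC 6811) of a route against a ROA table.

Added example, not code from the original page or from any reference
implementation.  The ROA table and routes below are constructed
(documentation prefixes, private-use ASNs) purely for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: `asn` may originate `prefix` and any
    more-specific prefix whose length does not exceed `max_length`."""
    prefix: Network
    max_length: int
    asn: int


def make_roa(prefix: str, max_length: int, asn: int) -> ROA:
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError("maxLength must lie in [prefix length, address size]")
    return ROA(net, max_length, asn)


def rov_state(roas, route_prefix: str, origin_asn: int) -> str:
    """Return the RFC 6811 validation state: 'valid', 'invalid' or 'notfound'.

    A ROA *covers* the route if the ROA prefix contains the route prefix.
    A covering ROA *matches* if the route's prefix length is <= maxLength
    and the origin ASN equals the ROA's ASN.  valid = at least one match;
    invalid = covered but no ROA matches; notfound = no covering ROA.
    """
    route = ipaddress.ip_network(route_prefix, strict=True)
    covered = False
    for roa in roas:
        if roa.prefix.version != route.version:
            continue                      # subnet_of() needs the same family
        if not route.subnet_of(roa.prefix):
            continue
        covered = True
        if route.prefixlen <= roa.max_length and roa.asn == origin_asn:
            return "valid"
    return "invalid" if covered else "notfound"


# Constructed ROA table for the demonstration below (not real RPKI data).
EXAMPLE_ROAS = [
    make_roa("10.0.0.0/8", 16, 64496),
    make_roa("2001:db8::/32", 48, 64496),
]

if __name__ == "__main__":
    for prefix, asn in [("10.1.0.0/16", 64496), ("10.1.0.0/24", 64496),
                        ("10.1.0.0/16", 64500), ("192.0.2.0/24", 64496)]:
        print(prefix, "AS" + str(asn), "->", rov_state(EXAMPLE_ROAS, prefix, asn))
```

Note that a route whose prefix is longer than every covering ROA's maxLength is invalid even when the origin ASN is right; that is how ROAs limit more-specific hijacks. The state is an input to routing policy (RFC 6811 leaves the accept/prefer/drop decision to the operator), not a drop decision by itself.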
- BGP-PV : see document
- BGP Path Validation specifies a mechanism described in RFC 8205 that allows the path an UPDATE traversed to be verified by checking the validity of the signatures over the relevant data.
- BGPsec : see document
- Security extension to the BGP protocol. It allows path information to be digitally signed so that it can be independently verified, which eliminates the possibility of altering path information without detection.
- BGPsec Input-Output : see document
- BGPsec Input-Output (BIO) enables the generation and storage of precomputed reproducible BGPsec traffic for testing purposes.
- BGPsec Path Validation : see document
- BGPSEC-IO : see document
- BGPsec-IO traffic generator : see document
- BGP-SRx : see document
- BGP Secure Routing Extension consisting of multiple software modules that implement Route Origin Validation as well as BGPsec Path Validation.
- BIA : see document
- Bias : see document
- With respect to the uniform distribution on <span class="math-tex">\([0,n-1]\)</span>, the bias is defined to be the maximum value of <span class="math-tex">\(\{probability(S) - (\frac{|S|}{n})\}\)</span> taken over all subsets <span class="math-tex">\(S\)</span> of <span class="math-tex">\([0,n-1]\)</span>. This measures the maximum advantage that an adversary has in predicting any event.
- Biased : see document
- A value that is chosen from a sample space is said to be biased if one value is more likely to be chosen than another value. Contrast with unbiased.
- A value that is chosen from an alphabet space is said to be biased if one value is more likely to be chosen than another value. (Contrast with unbiased.)
- bi-directional (CDS) : see document
- A cross domain device or system with the capability to provide both the transmission and reception of information or data between two or more different security domains (e.g., between TS/SCI and Secret or Secret and Unclassified).
- bidirectional authentication : see document
- The process of both entities involved in a transaction verifying each other. See bidirectional authentication.
- The process of both entities involved in a transaction verifying each other.
- Two parties authenticating each other at the same time. Also known as mutual authentication or two-way authentication.
- BIKE : see document
- Binary Coded Decimal : see document
- binary label : see document
- A single label indicating a product has met a baseline standard.
- Binary Large Object : see document
- Binary Sequence : see document
- A sequence of zeroes and ones.
- Bind : see document
- To deterministically transform a logical construct into a machine-readable representation suitable for machine interchange and processing. The result of this transformation is called a binding. A binding may also be referred to as the “bound form” of its associated logical construct.
- BIND : see document
- binding : see document
- Process of associating two related elements of information.
- Assurance of the integrity of an asserted relationship between items of information that is provided by cryptographic means. Also see Trusted association.
- An association between a subscriber identity and an authenticator or given subscriber session.
- Binding Operational Directive : see document
- Binomial Distribution : see document
- A random variable is binomially distributed if there is an integer n and a probability p such that the random variable is the number of successes in n independent Bernoulli experiments, where the probability of success in a single experiment is p. In a Bernoulli experiment, there are only two possible outcomes.
- BIO : see document
- BGPsec Input-Output (BIO) enables the generation and storage of precomputed reproducible BGPsec traffic for testing purposes.
- BioCTS : see document
- Bioeconomy Information Sharing and Analysis Center : see document
- BIO-ISAC : see document
- biometric : see document
- 1. Measurable physical characteristics or personal behavioral traits used to identify, or verify the claimed identity of, an individual. Facial images, fingerprints, and handwriting samples are all examples of biometrics.
- 2. A physical or behavioral characteristic of a human being.
- A physical or behavioral characteristic of a human being.
- A measurable, physical characteristic or personal behavioral trait used to recognize the identity, or verify the claimed identity, of an Applicant. Facial images, fingerprints, and iris scan samples are all examples of biometrics.
- Biometric Authentication (BIO, BIO-A) : see document
- A form of authentication in which authenticity is established by biometric verification of a new biometric sample from a cardholder to a biometric data record read from the cardholder’s activated PIV Card. In BIO, the biometric sample may be captured from the cardholder in isolation, while in BIO-A, an attendant must oversee the process of biometric capture.
- Biometric Capture Device : see document
- Device that collects a signal from a biometric characteristic and converts it to a captured biometric sample.
- Biometric Characteristic : see document
- Biological attribute of an individual from which distinctive and repeatable values can be extracted for the purpose of automated recognition. Fingerprint ridge structure and face topography are examples of biometric characteristics.
- Biometric Conformance Test Software : see document
- Biometric Data : see document
- Biological attribute of an individual from which distinctive and repeatable values can be extracted for the purpose of automated recognition. Fingerprint ridge structure and face topography are examples of biometric characteristics.
- Biometric Data Block : see document
- Biometric Data Record : see document
- Biometric sample or aggregation of biometric samples at any stage of processing.
- Biometric Information Template : see document
- Biometric Information Template – a [CARD-BIO] data structure indicating Card capability
- Biometric On-Card Comparison (OCC) : see document
- A one-to-one comparison of fingerprint biometric data records transmitted to the PIV Card with a biometric reference previously stored on the PIV Card. In this Standard, OCC is used as a means of performing card activation and as part of Biometric On-Card Comparison Authentication (OCC-AUTH).
- Biometric On-Card Comparison Authentication (OCC-AUTH) : see document
- An authentication mechanism where biometric on-card comparison (OCC) is used instead of a PIN to activate a PIV Card for authentication.
- biometric reference : see document
- One or more stored biometric samples, templates, or models attributed to an individual and used as the object of biometric comparison in a database, such as a facial image stored digitally on a passport, fingerprint minutiae template on a National ID card, or Gaussian Mixture Model for speaker recognition.
- biometric sample : see document
- An analog or digital representation of biometric characteristics prior to biometric feature extraction, such as a record that contains a fingerprint image.
- Biometric Verification : see document
- Automated process of confirming a biometric claim through biometric comparison.
- Biometric Verification Decision : see document
- A determination of whether biometric probe(s) and biometric reference(s) have the same biometric source based on comparison score(s) during a biometric verification transaction.
- Biometrics : see document
- Automated recognition of individuals based on their biological or behavioral characteristics. Biological characteristics include but are not limited to fingerprints, palm prints, facial features, iris and retina patterns, voice prints, and vein patterns. Behavioral characteristics include keystroke cadence, the angle of holding a smartphone, screen pressure, typing speed, mouse or mobile phone movements, and gyroscope position, among others.
- A measurable physical characteristic or personal behavioral trait used to recognize the identity, or verify the claimed identity, of an applicant. Facial images, fingerprints, and iris scan samples are all examples of biometrics.
- Automated recognition of individuals based on their biological and behavioral characteristics.
- The science and technology of measuring and statistically analyzing biological data. In information technology, biometrics usually refers to automated technologies for authenticating and verifying human body characteristics such as fingerprints, eye retinas and irises, voice patterns, facial patterns, and hand measurements.
- Automated recognition of individuals based on their behavioral and biological characteristics.
In this document, biometrics may be used to unlock authentication tokens and prevent repudiation of registration.
- BIOS : see document
- BIP : see document
- bit : see document
- A binary digit having a value of 0 or 1.
- A binary digit having a value of zero or one.
- Bit Error : see document
- The substitution of a ‘0’ bit for a ‘1’ bit, or vice versa.
- bit error rate : see document
- Ratio between the number of bits incorrectly received and the total number of bits transmitted through a communications channel. Also applies to storage.
- Bit Length : see document
- The number of bits in a bit string (e.g., the bit length of the string 0110010101000011 is sixteen bits). The bit length of the empty (i.e., null) string is zero.
- The number of bits in a bit string.
- The length in bits of a bit string.
- A positive integer that expresses the number of bits in a bit string.
- Bit Stream Imaging : see document
- A bit-for-bit copy of the original media, including free space and slack space.
Also known as disk imaging.
- bit string : see document
- An ordered sequence of bits (represented as 0s and 1s). Unless otherwise stated in this document, bit strings are depicted as beginning with their most significant bit (shown in the leftmost position) and ending with their least significant bit (shown in the rightmost position). For example, the most significant (leftmost) bit of 0101 is 0, and its least significant (rightmost) bit is 1. If interpreted as the 4-bit binary representation of an unsigned integer, 0101 corresponds to the number five.
- An ordered sequence of zeros and ones. The leftmost bit is the most significant bit of the string. The rightmost bit is the least significant bit of the string.
- An ordered sequence of zeros and ones.
- A finite ordered sequence of bits.
- An ordered sequence of 0 and 1 bits. In this Recommendation, the leftmost bit is the most significant bit of the string. The rightmost bit is the least significant bit of the string.
- An ordered sequence of 0 and 1 bits.
- An ordered sequence of 0’s and 1’s.
- A finite, ordered sequence of bits.
- An ordered sequence of bits.
- An ordered sequence of 0’s and 1’s. Also known as a binary string.
- Bitcoin : see document
- Bitcoin Cash : see document
- Bitcoin Request for Comment : see document
- Bit-Flipping Key Encapsulation : see document
- Bitstring : see document
- An ordered sequence (string) of 0s and 1s. The leftmost bit is the most significant bit.
- A bitstring is an ordered sequence of 0’s and 1’s.
- An ordered sequence of 0’s and 1’s. The leftmost bit is the most significant bit.
- Bitwise Exclusive-Or : see document
- An operation on two bitstrings of equal length that combines corresponding bits of each bitstring using an exclusive-or operation.
- BKZ : see document
- BLACK : see document
- Designation applied to information systems, and to associated areas, circuits, components, and equipment, in which national security information is encrypted or is not processed.
- Designation applied to encrypted information and the information systems, the associated areas, circuits, components, and equipment processing that information.
- black box testing : see document
- A test methodology that assumes no knowledge of the internal structure and implementation detail of the assessment object.
- A test methodology that assumes no knowledge of the internal structure and implementation detail of the assessment object. Also known as black box testing.
- A method of software testing that examines the functionality of an application without peering into its internal structures or workings. This method of test can be applied to virtually every level of software testing: unit, integration, system and acceptance.
- black core : see document
- A network environment (point-to-point and multi-point) supporting end-to-end encrypted information at a single classification level; networks within the environment are segmented by network technology with inspection points at the perimeter, boundary, or gateway. Encrypted traffic is routed, switched, or forwarded over an unclassified or untrusted network infrastructure.
- A communication network architecture in which user data traversing a global internet protocol (IP) network is end-to-end encrypted at the IP layer. Related to striped core.
- BLACK data : see document
- Data that is protected by encryption so that it can be transported or stored without fear of compromise. Also known as encrypted data.
- Black-Gray-Flip : see document
- BLE : see document
- blended attack : see document
- Deliberate, aggressive action that causes harm to both cyber and physical systems.
- A type of attack that combines multiple attack methods against one or more vulnerabilities.
- BLOB : see document
- block : see document
- A sequence of bits of a given fixed length. In this Standard, blocks consist of 128 bits, sometimes represented as arrays of bytes or words.
- A binary vector. In this document, the input and output of the encryption and decryption operations are 64-bit blocks. The bits are numbered from left to right. The plaintext and ciphertext are segmented into k-bit blocks, k = 1, 8, 64.
- A subset of a bit string. A block has a predetermined length.
- For a given block cipher, a bit string whose length is the block size of the block cipher.
- A bit string whose length is the block size of the block cipher algorithm.
- In this Recommendation, a binary string, for example, a plaintext or a ciphertext, is segmented with a given length. Each segment is called a block. Data is processed block by block, from left to right.
- A data structure containing a block header and block data.
- block cipher : see document
- A family of permutations of blocks that is parameterized by the key.
- A family of functions and their inverse functions that is parameterized by cryptographic keys; the functions map bit strings of a fixed length to bit strings of the same length.
- An invertible symmetric-key cryptographic algorithm that operates on fixed-length blocks of input using a secret key and an unvarying transformation algorithm. The resulting output block is the same length as the input block.
- A family of functions and their inverse functions that is parameterized by cryptographic keys; the functions map bit strings of a fixed length to bit strings of the same length.
- An algorithm for a parameterized family of permutations on bit strings of a fixed length.
- A parameterized family of permutations on bit strings of a fixed length; the parameter that determines the permutation is a bit string called the key.
- A symmetric-key cryptographic algorithm that transforms one block of information at a time using a cryptographic key. For a block cipher algorithm, the length of the input block is the same as the length of the output block.
- Block Cipher Algorithm : see document
- A family of functions and their inverse functions that is parameterized by cryptographic keys; the functions map bit strings of a fixed length to bit strings of the same length.
- A family of functions and their inverses that is parameterized by cryptographic keys; the functions map bit strings of a fixed length to bit strings of the same length.
- A family of functions and their inverses that is parameterized by a cryptographic key; the function maps bit strings of a fixed length to bit strings of the same length.
- A symmetric-key cryptographic algorithm that transforms one block of information at a time using a cryptographic key. For a block cipher algorithm, the length of the input block is the same as the length of the output block.
- block cipher mode of operation : see document
- The value of the random sample that occurs with the greatest frequency. This value is not necessarily unique.
- An algorithm for the cryptographic transformation of data that is based on a block cipher.
- See “block cipher mode of operation.”
- Block Cipher-based Message Authentication Code : see document
- Cipher-based Message Authentication Code (as specified in NIST SP 800-38B).
- Block data : see document
- The portion of a block that contains a set of validated transactions and ledger events.
- Block Frequency Test : see document
- The purpose of the block frequency test is to determine whether the number of ones and zeros in each of M non-overlapping blocks created from a sequence appear to have a random distribution.
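The Block Frequency Test is a concrete procedure, so it is worth seeing it run: split the sequence into N non-overlapping M-bit blocks, compute the proportion of ones in each, form the chi-square statistic 4M * sum((pi_i - 1/2)^2) and convert it to a p-value with the regularized upper incomplete gamma function Q(N/2, chi2/2). The code below is an added example, not code from the original page or from the NIST Statistical Test Suite; the input sequence and block sizes are constructed, and the incomplete-gamma routine (series plus continued fraction) is a standard numerical method supplied here because the Python standard library lacks one.

```python
"""Block Frequency Test (NIST SP 800-22, Section 2.2) with its p-value.

Added example, not code from the original page or from the NIST STS.
The bit strings used for demonstration are constructed inputs.
"""
import math


def regularized_upper_gamma(a: float, x: float) -> float:
    """Q(a, x) = Gamma(a, x) / Gamma(a), the igamc() the test calls for.
    Series expansion for x < a + 1, modified-Lentz continued fraction
    otherwise (standard numerical recipe; no scipy required)."""
    if x <= 0.0:
        return 1.0
    log_prefactor = -x + a * math.log(x) - math.lgamma(a)
    if x < a + 1.0:
        term = total = 1.0 / a           # series for P(a, x); Q = 1 - P
        ap = a
        for _ in range(1000):
            ap += 1.0
            term *= x / ap
            total += term
            if abs(term) < abs(total) * 1e-16:
                break
        return 1.0 - total * math.exp(log_prefactor)
    tiny = 1e-300                        # continued fraction for Q(a, x)
    b = x + 1.0 - a
    c = 1.0 / tiny
    d = 1.0 / b
    h = d
    for i in range(1, 1000):
        an = -i * (i - a)
        b += 2.0
        d = an * d + b
        if abs(d) < tiny:
            d = tiny
        c = b + an / c
        if abs(c) < tiny:
            c = tiny
        d = 1.0 / d
        delta = d * c
        h *= delta
        if abs(delta - 1.0) < 1e-16:
            break
    return math.exp(log_prefactor) * h


def block_frequency_test(bits: str, M: int):
    """Return (chi2, p_value) for a '0'/'1' string and block length M.
    N = len(bits) // M blocks are used; an incomplete final block is
    discarded, as SP 800-22 specifies."""
    if set(bits) - {"0", "1"}:
        raise ValueError("bits must be a string of '0' and '1'")
    N = len(bits) // M
    if N < 1:
        raise ValueError("sequence shorter than one block")
    chi2 = 0.0
    for i in range(N):
        block = bits[i * M:(i + 1) * M]
        pi = block.count("1") / M        # proportion of ones in block i
        chi2 += (pi - 0.5) ** 2
    chi2 *= 4.0 * M
    p_value = regularized_upper_gamma(N / 2.0, chi2 / 2.0)
    return chi2, p_value


def passes(p_value: float, alpha: float = 0.01) -> bool:
    """SP 800-22 convention: the sequence is accepted as random at
    significance level alpha when p_value >= alpha."""
    return p_value >= alpha


if __name__ == "__main__":
    for seq, M in (("0110011010", 3), ("00000000001111111111", 10)):
        chi2, p = block_frequency_test(seq, M)
        print(seq, "M=%d chi2=%.4f p=%.6f pass=%s" % (M, chi2, p, passes(p)))
```

The first constructed sequence, 0110011010 with M = 3, gives blocks 011, 001, 101, proportions 2/3, 1/3, 2/3, chi2 = 1.0 and p = 0.801252, so it is not rejected; the second, ten zeros followed by ten ones with M = 10, gives chi2 = 20 and p = e^-10, which fails at alpha = 0.01 even though its overall count of ones is exactly half, which is what the per-block view adds over the plain frequency test.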
- Block header : see document
- The portion of a block that contains information about the block itself (block metadata), typically including a timestamp, a hash representation of the block data, the hash of the previous block’s header, and a cryptographic nonce (if needed).
- Block Korkine-Zolotarev algorithm : see document
- Block reward : see document
- A reward (typically cryptocurrency) awarded to publishing nodes for successfully adding a block to the blockchain.
- block size : see document
- The number of bits in an input (or output) block of the block cipher.
- For a given block cipher, the fixed length of the input (or output) bit strings.
- The bit length of an input (or output) block of the block cipher.
- For a given block cipher and key, the fixed length of the input (or output) bit strings.
- Blockchain Explorer : see document
- A software for visualizing blocks, transactions, and blockchain network metrics (e.g., average transaction fees, hashrates, block size, block difficulty).
- Blockchain implementation : see document
- Blockchain network : see document
- The network in which a blockchain is being used.
- Blockchain network user : see document
- Any single person, group, business, or organization which is using or operating a blockchain node.
- Blockchain Subnetwork : see document
- A blockchain network that is tightly coupled with one or more other blockchain networks, as found in sharding.
- Blockchain technology : see document
- A term to describe the technology in the most generic form.
- blocklist : see document
- A documented list of specific elements that are blocked, per policy decision. This concept has historically been known as a “blacklist.”
- BLSR : see document
- blue team : see document
- The group responsible for defending an enterprise's use of information systems by maintaining its security posture against a group of mock attackers (i.e., the Red Team). Typically the Blue Team and its supporters must defend against real or simulated attacks 1) over a significant period of time, 2) in a representative operational context (e.g., as part of an operational exercise), and 3) according to rules established and monitored with the help of a neutral group refereeing the simulation or exercise (i.e., the White Team).
- A group of individuals that conduct operational network vulnerability evaluations and provide mitigation techniques to customers who have a need for an independent technical review of their network security posture. The Blue Team identifies security threats and risks in the operating environment, and in cooperation with the customer, analyzes the network environment and its current state of security readiness. Based on the Blue Team findings and expertise, they provide recommendations that integrate into an overall community security solution to increase the customer's CS readiness posture. Oftentimes a Blue Team is employed by itself or prior to a Red Team employment to ensure that the customer's networks are as secure as possible before having the Red Team test the systems.
- Bluetooth : see document
- A wireless protocol that allows two similarly equipped devices to communicate with each other within a short distance (e.g., 30 ft.).
- A wireless protocol that allows two Bluetooth enabled devices to communicate with each other within a short distance (e.g., 30 ft.).
- Bluetooth Low Energy : see document
- BMA : see document
- BMC : see document
- BMP : see document
- BMS : see document
- BNA : see document
- Board Management Controller : see document
- BOD : see document
- Body : see document
- The section of an email message that contains the actual content of the message.
- body of evidence : see document
- The set of data that documents the information system’s adherence to the security controls applied.
- The totality of evidence used to substantiate trust, trustworthiness, and risk relative to the system.
- BoE : see document
- BOF : see document
- A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Adversaries exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system.
- A condition at an interface under which more input can be placed into a buffer or data holding area than the intended capacity allocated (due to insecure or unbound allocation parameters), which overwrites other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system.
- BOG : see document
- Boil-Off Gas : see document
- Boot Device Selection : see document
- Bootstrapping Remote Secure Key Infrastructure : see document
- Border Gateway Protocol : see document
- The Border Gateway Protocol is a protocol designed by the Internet Engineering Task Force (IETF) to exchange routing information between autonomous systems.
- Border Gateway Protocol 4 : see document
- Border Gateway Protocol Secure Routing Extension : see document
- Border Gateway Protocol Security : see document
- Border Gateway Protocol with Security Extensions : see document
- BOSS : see document
- Botnet : see document
- The word “botnet” is formed from the words “robot” and ”network.” Cyber criminals use special Trojan viruses to breach the security of several users’ computers, take control of each computer, and organize all the infected machines into a network of “bots” that the criminal can remotely manage.
- bound authenticator : see document
- An authenticator verified by the RP in addition to an assertion at FAL3. The bound authenticator is bound to the RP subscriber account.
- boundary : see document
- A physical or logical perimeter of a system.
- See also authorization boundary and interface.
- Physical or logical perimeter of a system.
- Physical or logical perimeter of a system. See also authorization boundary and interface.
- boundary protection : see document
- Monitoring and control of communications at the external boundary of an information system to prevent and detect malicious and other unauthorized communications, through the use of boundary protection devices (e.g. gateways, routers, firewalls, guards, encrypted tunnels).
- Monitoring and control of communications at the external boundary of an information system to prevent and detect malicious and other unauthorized communications, through the use of boundary protection devices (e.g., gateways, routers, firewalls, guards, encrypted tunnels).
- Monitoring and control of communications at the external interface to a system to prevent and detect malicious and other unauthorized communications using boundary protection devices.
- boundary protection device : see document
- A device with appropriate mechanisms that: (i) facilitates the adjudication of different interconnected system security policies (e.g., controlling the flow of information into or out of an interconnected system); and/or (ii) provides information system boundary protection.
- A device (e.g., gateway, router, firewall, guard, or encrypted tunnel) that facilitates the adjudication of different system security policies for connected systems or provides boundary protection. The boundary may be the authorization boundary for a system, the organizational network boundary, or a logical boundary defined by the organization.
- bounded differential privacy : see document
- A unit of privacy variant that calls two datasets <em>D</em><sub>1</sub> and <i>D</i><sub>2</sub> neighbors if it is possible to construct <i>D</i><sub>2</sub> from <i>D</i><sub>1</sub> by changing one person’s data. Under bounded differential privacy, neighboring datasets have the same size. Bounded differential privacy allows for mechanisms that release the total size of the dataset with no noise.
- BPCS : see document
- BPML : see document
- BPSS : see document
- BR : see document
- BR/EDR : see document
- Branch Target Identification : see document
- BRC : see document
- BREACH : see document
- breach : see document
- The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses personally identifiable information or (2) an authorized user accesses personally identifiable information for an other than authorized purpose.
- The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users, or where authorized users take actions for an other than authorized purposes, have access or potential access to sensitive information, whether physical or electronic.
- The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where: a person other than an authorized user accesses or potentially accesses personally identifiable information; or an authorized user accesses personally identifiable information for another than authorized purpose.
- breadth : see document
- An attribute associated with an assessment method that addresses the scope or coverage of the assessment objects included with the assessment.
- The steps of the ISCM process covered by an ISCM assessment: Strategy only (ISCM Step 1), Through Design (ISCM Steps 1, 2), Through implementation (ISCM Steps 1-3), or Full (ISCM Steps 1-6).
- breakdown structure : see document
- Framework for efficiently controlling some aspect of the activities for a program or project.
- Bring Your Own Device : see document
- British Standards Institution : see document
- BRM : see document
- Broad network access : see document
- Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).
- Broadband Forum : see document
- Broadcast Integrity Protocol : see document
- Brokered Trust : see document
- Describes the case where two entities do not have direct business agreements with each other, but do have agreements with one or more intermediaries so as to enable a business trust path to be constructed between the entities. The intermediary brokers operate as active entities, and are invoked dynamically via protocol facilities when new paths are to be established.
- Browser Exploit Against SSL/TLS : see document
- Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext : see document
- browsing : see document
- Act of searching through information system storage or active content to locate or acquire information, without necessarily knowing the existence or format of information being sought.
- BRSKI : see document
- Brute Force Password Attack : see document
- In cryptography, an attack that involves trying all possible combinations to find a match.
- A method of accessing an obstructed device by attempting multiple combinations of numeric/alphanumeric passwords.
- A method of accessing an obstructed device through attempting multiple combinations of numeric/alphanumeric passwords.
- BS2I : see document
- BSC : see document
- BSD : see document
- BSI : see document
- BSIMM : see document
- BSS : see document
- BSSID : see document
- BTC : see document
- BTI : see document
- BTS : see document
- Budget Year : see document
- buffer overflow : see document
- A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Adversaries exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system.
- A condition at an interface under which more input can be placed into a buffer or data holding area than the intended capacity allocated (due to insecure or unbound allocation parameters), which overwrites other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system.
- Buffer Overflow Attack : see document
- A method of overloading a predefined amount of memory storage in a buffer, which can potentially overwrite and corrupt memory beyond the buffer’s boundaries.
- A method of overloading a predefined amount of space in a buffer, which can potentially overwrite and corrupt memory in data.
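The condition the buffer overflow entries above describe, shown as an added C example that is not taken from the glossary or from any source it cites: the unsafe copy is bounded only by the attacker-controlled input, the hardened copy by the destination's capacity. NAME_CAP, the function names and the sample inputs are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_CAP 16   /* capacity allocated for the name buffer (hypothetical) */

/* Returns the length of s, looking at no more than cap bytes. */
static size_t bounded_len(const char *s, size_t cap) {
    size_t n = 0;
    while (n < cap && s[n] != '\0') n++;
    return n;
}

/* Vulnerable pattern: strcpy stops only at the input's NUL, so the number of
 * bytes written is chosen by whoever supplies `input`. An input of NAME_CAP
 * or more characters writes past the end of `out` (undefined behaviour): on
 * the stack that can clobber neighbouring variables, the canary, or the
 * saved return address, which is where the "specially crafted code" path in
 * the definition starts. Shown for contrast only; never call with untrusted data. */
void copy_name_unsafe(const char *input, char out[NAME_CAP]) {
    strcpy(out, input);
}

/* Hardened version: the copy is bounded by the destination's capacity, not
 * by the input, and an input that would not fit (including the terminating
 * NUL) is rejected rather than silently truncated. Returns 0 on success,
 * -1 on rejection (out is left as an empty string). */
int copy_name_safe(const char *input, char out[NAME_CAP]) {
    size_t n = bounded_len(input, NAME_CAP);
    if (n >= NAME_CAP) {          /* no room for the NUL terminator */
        out[0] = '\0';
        return -1;
    }
    memcpy(out, input, n + 1);    /* n bytes plus the NUL */
    return 0;
}

int main(void) {
    char name[NAME_CAP];
    /* 20-character input constructed for the demo: more than the capacity */
    const char *attacker = "AAAAAAAAAAAAAAAAAAAA";
    if (copy_name_safe(attacker, name) != 0)
        printf("rejected input of %zu bytes (capacity %d)\n",
               strlen(attacker), NAME_CAP);
    if (copy_name_safe("alice", name) == 0)
        printf("copied: %s\n", name);
    return 0;
}
```

Rejecting over-long input (fail closed) is preferable to strncpy-style truncation, which can leave the buffer unterminated or turn one identifier into another.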
- bug bounty : see document
- A method of compensating individuals for reporting software errors, flaws, or faults (“bugs”) that might allow for security exploitation or vulnerabilities.
- Bugs Framework : see document
- Building Automation System : see document
- Building Management Systems : see document
- Building Security In Maturity Model : see document
- Bulk Electric System : see document
- bulk encryption : see document
- Simultaneous encryption of all channels of a multi-channel telecommunications link.
- Business Areas : see document
- “Business areas” separate government operations into high-level categories relating to the purpose of government, the mechanisms the government uses to achieve its purposes, the support functions necessary to conduct government operations, and resource management functions that support all areas of the government’s business. “Business areas” are subdivided into “areas of operation” or “lines of business.” The recommended information types provided in NIST SP 800-60 are established from the “business areas” and “lines of business” from OMB’s Business Reference Model (BRM) section of Federal Enterprise Architecture (FEA) Consolidated Reference Model Document Version 2.3.
- Business Associate Agreement : see document
- Business Continuity : see document
- business continuity plan (BCP) : see document
- The documentation of a predetermined set of instructions or procedures that describe how an organization’s mission/business processes will be sustained during and after a significant disruption.
- business impact analysis (BIA) : see document
- Process of analyzing operational functions and the effect that a disruption might have on them.
- Business Mission Area : see document
- Business Operation Support Services : see document
- Business Process Markup Language : see document
- Business Process Specification Schema : see document
- Business Reference Model : see document
- Business/Mission Objectives : see document
- Broad expression of business goals. Specified target outcome for business operations.
- Business-To-Business : see document
- Buyer : see document
- The people or organizations that consume a given product or service.
- BY : see document
- BYOD : see document
- Byte : see document
- A sequence of eight bits.
- An integer from the set {0, 1, 2, …, 255}.
- A group of eight bits that is treated either as a single entity or as an array of eight individual bits.
- A bit string consisting of eight bits.
- A bit string consisting of eight bits. A byte is represented by a hexadecimal string of length two. The right-most hexadecimal character represents the rightmost four bits of the byte, and the left-most hexadecimal character of the byte represents the left-most four bits of the byte. For example, 9d represents the bit string 10011101.
- A bit string of length eight. A byte is represented by a hexadecimal string of length two. The rightmost hexadecimal character represents the rightmost four bits of the byte, and the leftmost hexadecimal character of the byte represents the leftmost four bits of the byte. For example, 9d represents the bit string 10011101.
- Byte length : see document
- The number of consecutive (non-overlapping) bytes in a byte string. For example, 0110010101000011 = 01100101 || 01000011 is two bytes long. The byte length of the empty string is zero.
- A positive integer that expresses the number of bytes in a byte string.
- Byte String : see document
- An ordered sequence of bytes, beginning with the most significant (leftmost) byte and ending with the least significant (rightmost) byte. Any bit string whose bit length is a multiple of eight can be viewed as the concatenation of an ordered sequence of bytes (i.e., a byte string). For example, the bit string 0110010101000011 can be viewed as a byte string since it is the concatenation of two bytes: 01100101 followed by 01000011.
- An ordered sequence of bytes.
- An array of integers in which each integer is in the set {0, … , 255}.
- A finite, ordered sequence of bytes.
- An ordered sequence of bytes.
- Byte String to Integer conversion routine : see document
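An added C example, not taken from the glossary or from the standards it draws on, that implements the conversions the Byte, Byte length, Byte String and Byte String to Integer entries describe: hexadecimal string to byte string, byte to bit string, and the byte string to integer (and back) routines. The function names (hex_to_bytes, byte_to_bits, bs2i, i2bs), the uint64_t width and the leftmost-byte-is-most-significant convention (as stated in the Byte String definition) are choices made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Value of one hexadecimal digit, or -1 if c is not a hex digit. */
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse a hexadecimal string into a byte string: two hex characters per byte,
 * the left character giving the left (most significant) four bits.
 * Returns the byte length, or -1 on odd length, bad digit, or overflow of cap.
 * The empty string parses to a byte string of length zero. */
int hex_to_bytes(const char *hex, uint8_t *out, size_t cap) {
    size_t n = strlen(hex);
    if (n % 2 != 0 || n / 2 > cap) return -1;
    for (size_t i = 0; i < n / 2; i++) {
        int hi = hexval(hex[2 * i]), lo = hexval(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i] = (uint8_t)((hi << 4) | lo);
    }
    return (int)(n / 2);
}

/* Write the eight-bit binary representation of a byte, most significant bit first. */
void byte_to_bits(uint8_t b, char out[9]) {
    for (int i = 0; i < 8; i++) out[i] = (b & (0x80u >> i)) ? '1' : '0';
    out[8] = '\0';
}

/* BS2I: byte string -> integer, leftmost byte most significant.
 * Leading zero bytes are skipped so a long zero-padded string still converts;
 * returns -1 if the remaining value does not fit in a uint64_t. */
int bs2i(const uint8_t *s, size_t len, uint64_t *out) {
    uint64_t x = 0;
    size_t i = 0;
    while (i < len && s[i] == 0) i++;
    if (len - i > sizeof x) return -1;
    for (; i < len; i++) x = (x << 8) | s[i];
    *out = x;
    return 0;
}

/* I2BS: integer -> byte string of exactly len bytes, leftmost byte most
 * significant. Fails with -1 when x needs more than len bytes, i.e. the
 * x < 2^(8*len) precondition the notation entries state does not hold. */
int i2bs(uint64_t x, size_t len, uint8_t *out) {
    if (len < sizeof x && (x >> (8 * len)) != 0) return -1;
    for (size_t i = len; i-- > 0;) {
        out[i] = (uint8_t)(x & 0xffu);
        x >>= 8;
    }
    return 0;
}
```

The failure return from i2bs is the check that matters in practice: fixed-length encodings of signature components or key material must reject a value that does not fit rather than silently dropping high-order bytes.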
- Bytewise matching : see document
- Relies only on the sequences of bytes that make up a digital object, without reference to any structures within the data stream or to any meaning the byte stream may have when appropriately interpreted. Such methods have the widest applicability as they can be applied to any piece of data; however, they also carry the implicit assumption that artifacts that humans perceive as similar have similar byte-level encodings. This assumption is not universally valid. Analyst expertise is necessary to evaluate the significance of a byte-level match.
- Byzantine Fault Tolerant : see document
- Byzantine fault tolerant proof of stake consensus model : see document
- A proof of stake consensus model where the blockchain decides the next block by allowing all staked members to “vote” on which submitted block to include next.
- C : see document
- In LMS, the n-byte randomizer used for randomized message hashing.
- c : see document
- Ciphertext (expressed as an integer).
- C&A : see document
- C&S : see document
- C, CU, CV : see document
- Ciphertext (expressed as a byte string).
- C.F.D. : see document
- C.F.R. : see document
- C1,…,C64 : see document
- Bits of the Ciphertext Block
- C2 : see document
- Command and Control is the exercise of authority and direction by a properly designated commander over assigned and attached forces in the accomplishment of the mission. Command and control functions are performed through an arrangement of personnel, equipment, communications, facilities, and procedures employed by a commander in planning, directing, coordinating, and controlling forces and operations in the accomplishment of the mission.
- The exercise of authority and direction by a properly designated commander over assigned and attached forces in the accomplishment of the mission. Command and control functions are performed through an arrangement of personnel, equipment, communications, facilities, and procedures employed by a commander in planning, directing, coordinating, and controlling forces and operations in the accomplishment of the mission.
- C3 : see document
- C3I : see document
- C4 : see document
- CA : see document
- The entity in a public-key infrastructure (PKI) that is responsible for issuing certificates and exacting compliance with a PKI policy.
- An entity authorized to create, sign, issue, and revoke public key certificates.
- A trusted entity that issues and revokes public key certificates.
- Operations performed in defeating cryptographic protection without an initial knowledge of the key employed in providing the protection.
- 1. Operations performed to defeat cryptographic protection without an initial knowledge of the key employed in providing the protection.
- 2. The study of mathematical techniques for attempting to defeat cryptographic techniques and information system security. This includes the process of looking for errors or weaknesses in the implementation of an algorithm or in the algorithm itself.
- The study of mathematical techniques for attempting to defeat cryptographic techniques and information system security. This includes the process of looking for errors or weaknesses in the implementation of an algorithm or of the algorithm itself.
- 1. Operations performed to defeat cryptographic protection without an initial knowledge of the key employed in providing the protection. 2. The study of mathematical techniques for attempting to defeat cryptographic techniques and information-system security. This includes the process of looking for errors or weaknesses in the implementation of an algorithm or in the algorithm itself.
- The study of mathematical techniques for attempting to defeat cryptographic techniques and information system security. This includes the process of looking for errors or weaknesses in the implementation of an algorithm or in the algorithm itself.
- CA Technologies : see document
- CAA : see document
- A record associated with a Domain Name System (DNS) entry that specifies the CAs that are authorized to issue certificates for that domain.
- CaaS : see document
- CableLabs : see document
- CAC : see document
- CAD : see document
- CAE : see document
- CAESAR : see document
- CAESARS : see document
- CAG : see document
- CAIS : see document
- Any system incorporating critical software and in which failure can cause substantial harm to the public.
- CAK : see document
- calibration : see document
- A comparison between a device under test and an established standard, such as UTC(NIST), the Coordinated Universal Time scale maintained by NIST. When the calibration is finished, it should be possible to state the estimated time offset and/or frequency offset of the device under test with respect to the standard, as well as the measurement uncertainty. Calibrations can be absolute or relative. Absolute calibrations are not biased by the calibration reference and would, therefore, be more reproducible. However, absolute calibrations can be more complex to determine. The bias in relative calibrations would be consistent if all the devices in the system are calibrated against the same calibration reference. Calibrations may also be performed relative to other devices without reference to an absolute standard. Relative calibrations are generally simpler to perform than absolute calibrations.
- call back : see document
- Procedure for identifying and authenticating a remote information system terminal, whereby the host system disconnects the terminal and reestablishes contact.
- Call Detail Record : see document
- Call Oriented Programming : see document
- Call Processor : see document
- Component that sets up and monitors the state of calls, and provides phone number translation, user authorization, and coordination with media gateways.
- CAN : see document
- Canadian Centre for Cyber Security : see document
- Canadian Standards Association : see document
- Candidate Checklist : see document
- Checklist that has been screened and approved by NIST for public review.
- Checklist approved by NIST for public review.
- Candidate for Deletion : see document
- canister (COMSEC) : see document
- Type of physical protective packaging used to contain and dispense keying material in punched or printed tape form.
Rationale: Although being phased out, canisters are still in circulation. However, the term is being marked C.F.D. in anticipation of its removal in the future.
- CAP : see document
- Capabilities Catalog : see document
- Comprehensive list of device cybersecurity capabilities derived from analysis of a comprehensive list of source documents for the application or sector. For the federal sector, NIST SP 800-53 Rev. 5 provided the definition of controls used to create the NIST-generated capabilities catalog used for the Federal profile.
- Comprehensive list of device cybersecurity capabilities derived from analysis of a comprehensive list of source documents for the application or sector. For the federal sector, NIST SP 800-53 Rev. 5, <i>Security and Privacy Controls for Information Systems and Organizations</i>, provided the definition of controls used to generate the NIST-generated capabilities catalog used for the federal profile.
- capability : see document
- A person’s potential to accomplish something.
- A combination of mutually reinforcing controls implemented by technical means, physical means, and procedural means. Such controls are typically selected to achieve a common information security or privacy purpose.
- A combination of mutually reinforcing security and/or privacy controls implemented by technical, physical, and procedural means. Such controls are typically selected to achieve a common information security- or privacy-related purpose.
- A combination of mutually reinforcing security and/or privacy controls implemented by technical means, physical means, and procedural means. Such controls are typically selected to achieve a common information security- or privacy-related purpose.
- See Capability, Security.
- A set of mutually reinforcing security controls implemented by technical, physical, and procedural means. Such controls are typically selected to achieve a common information security-related purpose.
- Capability Based Access Control : see document
- Capability Hardware Enhanced RISC Instructions : see document
- Capability List : see document
- A list attached to a subject ID specifying what accesses are allowed to the subject.
- Capability Maturity Model Integration : see document
- capability requirement : see document
- A type of requirement describing the capability that the organization or system must provide to satisfy a stakeholder need. Note: Capability requirements related to information security and privacy are derived from stakeholder protection needs and the corresponding security and privacy requirements.
- Capability, Anomalous Event Detection Management : see document
- An ISCM capability that identifies routine and unexpected events that can compromise security within a time frame that prevents or reduces the impact (i.e., consequences) of the events to the extent possible.
- Capability, Anomalous Event Response and Recovery Management : see document
- An ISCM capability that ensures that both routine and unexpected events that require a response to maintain functionality and security are responded to (once identified) within a time frame that prevents or reduces the impact (i.e., consequences) of the events to the extent possible.
- Capability, Behavior Management : see document
- An ISCM capability that ensures that people are aware of expected security-related behavior and are able to perform their duties to prevent advertent and inadvertent behavior that compromises information.
- Capability, Boundary Management : see document
- An ISCM capability that addresses the following network and physical boundary areas:
Physical Boundaries – Ensure that movement (of people, media, equipment, etc.) into and out of the physical facility does not compromise security.
Filters – Ensure that traffic into and out of the network (and thus out of the physical facility protection) does not compromise security. Do the same for enclaves that subdivide the network.
Other – Ensure that information is protected (with adequate strength) when needed to protect confidentiality and integrity, whether that information is in transit or at rest.
- Capability, Configuration Settings Management : see document
- An ISCM capability that identifies configuration settings (Common Configuration Enumerations [CCEs]) on devices that are likely to be used by attackers to compromise a device and use it as a platform from which to extend compromise to the network.
- Capability, Credentials and Authentication Management : see document
- An ISCM capability that ensures that people have the credentials and authentication methods necessary (and only those necessary) to perform their duties, while limiting access to that which is necessary.
- Capability, Event Preparation Management : see document
- An ISCM capability that ensures that procedures and resources are in place to respond to both routine and unexpected events that can compromise security. The unexpected events include both actual attacks and contingencies (natural disasters) like fires, floods, earthquakes, etc.
- Capability, Hardware Asset Management : see document
- An ISCM capability that identifies unmanaged devices that are likely to be used by attackers as a platform from which to extend compromise of the network to be mitigated.
- Capability, ISCM : see document
- A security capability with the following additional traits:
• The purpose (desired result) of each capability is to address specific kind(s) of attack scenarios or exploits.
• Each capability focuses on attacks towards specific assessment objects.
• There is a viable way to automate ISCM on the security capability.
• The capability provides protection against current attack scenarios.
- Capability, Manage and Assess Risk : see document
- The program and supporting processes to manage information security risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, and includes: (i) establishing the context for risk-related activities; (ii) assessing risk; (iii) responding to risk once determined; and (iv) monitoring risk over time.
- The process of managing risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system. It includes risk assessment; cost-benefit analysis; the selection, implementation, and assessment of security controls; and the formal authorization to operate the system. The process considers effectiveness, efficiency, and constraints due to laws, directives, policies, or regulations.
- The on-going process of assessing the risk to IT resources and information, as part of a risk-based approach used to determine adequate security for a system, by analyzing the threats and vulnerabilities and selecting appropriate cost-effective controls to achieve and maintain an acceptable level of risk.
- The program and supporting processes to manage information security risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and includes: (i) establishing the context for risk-related activities; (ii) assessing risk; (iii) responding to risk once determined; and (iv) monitoring risk over time.
- The process of managing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system.
- The process of managing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security and privacy state of the information system.
- The total process of identifying, controlling, and eliminating or minimizing uncertain events that may adversely affect system resources. It includes risk analysis, cost benefit analysis, selection, implementation and test, security evaluation of safeguards, and overall security review.
- An ISCM capability that focuses on reducing the successful exploits of the other non-meta capabilities that occur because the risk management process fails to correctly identify and prioritize actions and investments needed to lower the risk profile.
- The program and supporting processes to manage information security risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, and includes:
(i) establishing the context for risk-related activities;
(ii) assessing risk;
(iii) responding to risk once determined; and
(iv) monitoring risk over time.
- The process of identifying, assessing, and responding to risk.
- The program and supporting processes to manage information security risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation and includes (i) establishing the context for risk-related activities, (ii) assessing risk, (iii) responding to risk once determined, and (iv) monitoring risk over time.
- Capability, Perform Resilient Systems Engineering : see document
- An ISCM capability that:
• Focuses on reducing successful exploits of the other non-meta capabilities that occur because of inadequate design, engineering, implementation, testing, and/or other technical issues in implementing and/or monitoring the controls related to the other non-meta capabilities.
• Focuses on reducing successful exploits of the other non-meta capabilities that occur because of inadequate definition of requirements, policy, planning, and/or other management issues in implementing and/or monitoring the controls related to the other non-meta capabilities.
- Capability, Privilege and Account Management : see document
- An ISCM capability that ensures that people have the privileges necessary (and only those necessary) to perform their duties, to limit access to that which is necessary.
- Capability, Security : see document
- A combination of mutually-reinforcing security controls (i.e., safeguards and countermeasures) implemented by technical means (i.e., functionality in hardware, software, and firmware), physical means (i.e., physical devices and protective measures), and procedural means (i.e., procedures performed by individuals).
- A set of mutually reinforcing security controls implemented by technical, physical, and procedural means. Such controls are typically selected to achieve a common information security-related purpose.
- Capability, Software Asset Management : see document
- An ISCM capability that identifies unauthorized software on devices that is likely to be used by attackers as a platform from which to extend compromise of the network to be mitigated.
- Capability, Trust Management : see document
- The willingness to take actions expecting beneficial outcomes, based on assertions by other parties.
- The confidence one element has in another, that the second element will behave as expected.
- A characteristic of an entity that indicates its ability to perform certain functions or services correctly, fairly and impartially, along with assurance that the entity and its identifier are genuine.
- An ISCM capability that ensures that untrustworthy persons are prevented from being trusted with network access (to prevent insider attacks).
- The confidence one element has in another that the second element will behave as expected.
- Capability, Vulnerability Management : see document
- An ISCM capability that identifies vulnerabilities [Common Vulnerabilities and Exposures (CVEs)] on devices that are likely to be used by attackers to compromise a device and use it as a platform from which to extend compromise to the network.
- Capacity Planning : see document
- Systematic determination of resource requirements for the projected output, over a specific period.
- CAPCO : see document
- CAPEC : see document
- CapEx : see document
- CAPI : see document
- An application programming interface included with Microsoft Windows operating systems that provides services to enable developers to secure Windows-based applications using cryptography. While providing a consistent API for applications, CAPI allows for specialized cryptographic modules (cryptographic service providers) to be provided by third parties, such as hardware security module (HSM) manufacturers. This enables applications to leverage the additional security of HSMs while using the same APIs they use to access built-in Windows cryptographic service providers. (Also known variously as CryptoAPI, Microsoft Cryptography API, MS-CAPI or simply CAPI)
- Capital Expenditures : see document
- Capstone Policies : see document
- Those policies that are developed by governing or coordinating institutions of HIEs. They provide overall requirements and guidance for protecting health information within those HIEs. Capstone Policies must address the requirements imposed by: (1) all laws, regulations, and guidelines at the federal, state, and local levels; (2) business needs; and (3) policies at the institutional and HIE levels.
- Capture : see document
- Series of actions undertaken to obtain and record, in a retrievable form, signals of biometric characteristics directly from individuals.
- The method of taking a biometric sample from an end user.
- CAPWAP : see document
- card : see document
- An integrated circuit card.
- Card Authentication Key : see document
- Card Capability Container : see document
- Card Design Standard : see document
- Card Holder Unique Identifier : see document
- card interface device : see document
- An electronic device that connects an integrated circuit card and the card applications therein to a client application.
- card management system : see document
- The system that manages the lifecycle of a PIV Card application.
- The system that manages the life cycle of a PIV Card application.
- Card Not Present : see document
- card reader : see document
- An electronic device that connects an integrated circuit card and the card applications therein to a client application.
- Card Verifiable Certificate : see document
- A certificate stored on the PIV Card that includes a public key, the signature of a certification authority, and further information needed to verify the certificate.
- A certificate stored on the card that includes a public key, the signature of certification authority, and the information needed to verify the certificate.
- A certificate stored on the card that includes a public key, the signature of a certification authority, and the information needed to verify the certificate.
- Card Management System to Card : see document
- cardholder : see document
- An individual who possesses an issued PIV Card.
- An individual possessing an issued PIV Card.
- Cardholder to Card : see document
- Cardholder to External System : see document
- Cardholder Unique Identifier : see document
- Career and Technical Education : see document
- Career and Technical Student Organization : see document
- Carrier Grade NAT : see document
- CAS : see document
- CASB : see document
- Cascaded Style Sheet : see document
- cascading : see document
- An approach for deploying CDS where two identical CDSs are placed in series to transfer information across multiple different security domains.
- CASSA : see document
- catalog : see document
- The collection of all assessment elements.
- categorization : see document
- The process of determining the security category for information or an information system. Security categorization methodologies are described in CNSS Instruction 1253 for national security systems and in FIPS Publication 199 for other than national security systems.
- The process of determining the security category for information or an information system. Security categorization methodologies are described in CNSS Instruction 1253 for national security systems and in FIPS 199 for other than national security systems.
- The process of determining the security category for information or an information system. Security categorization methodologies are described in CNSS Instruction 1253 for national security systems and in FIPS PUB 199 for other than national security systems. See security category.
- The process of determining the security category for information or an information system. Security categorization methodologies are described in CNSSI No.1253 for national security systems and in FIPS 199 for other than national security systems.
- See security categorization.
- The process of determining the security category for information or a system. Security categorization methodologies are described in CNSS Instruction 1253 for national security systems and in FIPS Publication 199 for other than national security systems. See security category.
- The process of determining the security category for information or an information system. Security categorization methodologies are described in CNSS Instruction 1253 for national security systems and in FIPS Publication 199 for other than national security systems. See Security Category.
- The process of determining the security category for information or an information system. Security categorization methodologies are described in Committee on National Security Systems (CNSS) Instruction 1253 for national security systems and in FIPS 199 for other than national security systems.
- Category : see document
- Restrictive label applied to classified or unclassified information to limit access.
- The subdivision of a Function into groups of cybersecurity outcomes closely tied to programmatic needs and particular activities.
- The subdivision of a Function into groups of cybersecurity outcomes, closely tied to programmatic needs and particular activities. Examples of Categories include “Asset Management,” “Identity Management and Access Control,” and “Detection Processes.”
- The subdivision of a Function into groups of privacy outcomes closely tied to programmatic needs and particular activities.
- C-ATO : see document
- CAVP : see document
- CAVS : see document
- CAW : see document
- CBA : see document
- CBAC : see document
- CBC : see document
- CBC-MAC : see document
- CBD : see document
- CBDC : see document
- CBEFF : see document
- CBEFF Basic Structure : see document
- The basic CBEFF structure consists of a single Standard Biometric Header followed by a Biometric Data Block and an optional Signature Block
- CBEFF Client : see document
- An entity that defines a biometric data block (BDB) structure (e.g., a BDB format owner) that is CBEFF compliant. This would include any vendor, standards body, working group, or industry consortium that has registered itself with IBIA and has defined one or more BDB format types.
- CBEFF Nested Structure : see document
- A CBEFF Nested Structure consists of a Root Header followed by Sub-Headers, one or more CBEFF Basic Structures, and an optional Signature Block
- CBEFF Patron : see document
- An organization that has defined a standard or specification incorporating biometric data objects that is CBEFF compliant
- CBEFF Root Header : see document
- The CBEFF Standard Biometric Header that precedes all others in a CBEFF nested structure
- CBEFF Sub-Header : see document
- Any CBEFF Standard Biometric Header in a CBEFF nested structure that follows the Root Header and precedes one or more Basic Data Structures. A CBEFF Sub-Header is not immediately followed by a Biometric Data Block.
- CBOR : see document
- CBP : see document
- CC : see document
- Governing document that provides a comprehensive, rigorous method for specifying security function and assurance requirements for products and systems.
- A set of internationally accepted semantic tools and constructs for describing the security needs of customers and the security attributes of products.
- CCA : see document
- CCA with nonce misuse-resilience : see document
- CCAm : see document
- CCB : see document
- A group of qualified people with responsibility for the process of regulating and approving changes to hardware, firmware, software, and documentation throughout the development and operational life cycle of an information system.
- CCC : see document
- CCCS : see document
- CCE : see document
- CCE ID : see document
- An identifier for a specific configuration defined within the official CCE Dictionary and that conforms to the CCE specification.
- CCEB : see document
- CCEP : see document
- CCEVS : see document
- CCI : see document
- CCIPS : see document
- CCM : see document
- CCMP : see document
- CCN : see document
- CCoA : see document
- CCRB : see document
- CCSDS : see document
- CCSS : see document
- ccTLD : see document
- CCTV : see document
- CD : see document
- A Compact Disc (CD) is a class of media from which data are read by optical means.
- A class of media from which data are read by optical means.
- CD File System : see document
- CDC : see document
- CDFS : see document
- CDH : see document
- The cofactor ECC Diffie-Hellman key-agreement primitive.
- CDM : see document
- See Continuous Diagnostics and Mitigation.
- CDMA : see document
- A spread spectrum technology for cellular networks based on the Interim Standard-95 (IS-95) from the Telecommunications Industry Association (TIA).
- CDMA Subscriber Identity Module (CSIM) : see document
- CSIM is an application to support CDMA2000 phones that runs on a UICC, with a file structure derived from the R-UIM card.
- CDN : see document
- CDP : see document
- CDR : see document
- CD-R : see document
- A Compact Disc Recordable (CD-R) is a CD that can be written on only once but read many times. Also known as WORM.
- CD-Read Only Memory : see document
- CD-Recordable : see document
- A Compact Disc Recordable (CD-R) is a CD that can be written on only once but read many times. Also known as WORM.
- CD-Rewritable : see document
- A Compact Disc Read/Write (CD-RW) is a CD that can be Purged and rewritten multiple times.
- CD-ROM : see document
- CD-RW : see document
- A Compact Disc Read/Write (CD-RW) is a CD that can be Purged and rewritten multiple times.
- CDS : see document
- A form of controlled interface that provides the ability to manually and/or automatically access and transfer information between different security domains. A CDS may consist of one or more devices.
- CE : see document
- A method of Sanitization in which the Media Encryption Key (MEK) for the encrypted Target Data (or the Key Encryption Key, KEK) is sanitized, making recovery of the decrypted Target Data infeasible.
- CEA : see document
- CED-DA : see document
- CEDS : see document
- CEF : see document
- CeFi : see document
- Cell on Wheels : see document
- Cellular Network Isolation Card (CNIC) : see document
- A SIM card that isolates the device from cell tower connectivity.
- Cellular Telecommunications and Internet Association : see document
- Center for Enterprise Dissemination-Disclosure Avoidance : see document
- Center for Internet Security : see document
- Centered Binomial Distribution : see document
- Centers for Medicare and Medicaid Services : see document
- Centers of Academic Excellence : see document
- Centimeter : see document
- CentOS : see document
- Central Bank Digital Currency : see document
- Central Facility Finksburg : see document
- Central Limit Theorem : see document
- For a random sample of size n from a population with mean μ and variance σ², the distribution of the sample means is approximately normal with mean μ and variance σ²/n as the sample size increases.
- central management : see document
- The organization-wide management and implementation of selected security controls and related processes. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed security controls and processes.
- The organization-wide management and implementation of selected security and privacy controls and related processes. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed security and privacy controls and processes.
- central office of record : see document
- The entity that keeps records of accountable COMSEC material held by COMSEC accounts subject to its oversight.
- Central Oversight Authority : see document
- The Key Management Infrastructure (KMI) entity that provides overall KMI data synchronization and system security oversight for an organization or set of organizations.
- The cryptographic key management system (CKMS) entity that provides overall CKMS data synchronization and system security oversight for an organization or set of organizations.
- Central Processing Unit : see document
- Central Public Safety Service Provider : see document
- Central Reservation System : see document
- Central Security Service : see document
- central services node : see document
- The Key Management Infrastructure core node that provides central security management and data management services.
- Central Verification System : see document
- A system operated by the Office of Personnel Management that contains information on security clearances, investigations, suitability, fitness determinations, [HSPD-12] decisions, PIV credentials, and polygraph data.
- centralized finance : see document
- Centralized network : see document
- A network configuration where participants must communicate with a central authority to communicate with one another. Since all participants must go through a single centralized source, the loss of that source would prevent all participants from communicating.
- Centre for the Protection of National Infrastructure : see document
- centric architecture : see document
- A complex system of systems composed of subsystems and services that are part of a continuously evolving, complex community of people, devices, information and services interconnected by a network that enhances information sharing and collaboration. Subsystems and services may or may not be developed or owned by the same entity, and, in general, will not be continually present during the full life cycle of the system of systems. Examples of this architecture include service-oriented architectures and cloud computing architectures.
- Centrum Wiskunde & Informatica : see document
- CEO : see document
- CEP : see document
- CERG : see document
- CERT : see document
- CERT Coordination Center : see document
- CERT/CC : see document
- certificate : see document
- A set of data that uniquely identifies a public key (which has a corresponding private key) and an owner that is authorized to use the key pair. The certificate contains the owner’s public key and possibly other information and is digitally signed by a Certification Authority (i.e., a trusted party), thereby binding the public key to the owner.
- A set of data that uniquely identifies a public key that has a corresponding private key and an owner that is authorized to use the key pair. The certificate contains the owner’s public key and possibly other information and is digitally signed by a certification authority (i.e., a trusted party), thereby binding the public key to the owner.
- A digital document issued and digitally signed by the <em>private key </em>of a certificate authority that binds an <i>identifier </i>to a subscriber’s <i>public key</i>. The certificate indicates that the <i>subscriber </i>identified in the certificate has sole control of and access to the <i>private key</i>. See also [RFC5280].
- A digital representation of information which at least (1) identifies the certification authority issuing it, (2) names or identifies its subscriber, (3) contains the subscriber's public key, (4) identifies its operational period, and (5) is digitally signed by the certification authority issuing it. [ABADSG]. As used in this CP, the term “Certificate” refers to certificates that expressly reference the OID of this CP in the “Certificate Policies” field of an X.509 v.3 certificate.
- A digital representation of information which at least (1) identifies the certification authority issuing it, (2) names or identifies its Subscriber, (3) contains the Subscriber’s public key, (4) identifies its operational period, and (5) is digitally signed by the certification authority issuing it.
- A digital representation of information which at least (1) identifies the certification authority (CA) issuing it, (2) names or identifies its subscriber, (3) contains the subscriber’s public key, (4) identifies its operational period, and (5) is digitally signed by the certification authority issuing it.
- A digitally signed data structure defined in the X.509 standard [ISO 9594-8] that binds the identity of a certificate holder (or subject) to a public key.
- A data structure that contains an entity’s identifier(s), the entity's public key (including an indication of the associated set of domain parameters) and possibly other information, along with a signature on that data set that is generated by a trusted party, i.e., a certificate authority, thereby binding the public key to the included identifier(s).
- A set of data that uniquely identifies a key pair owner that is authorized to use the key pair, contains the owner’s public key and possibly other information, and is digitally signed by a Certification Authority (i.e., a trusted party), thereby binding the public key to the owner.
- See public-key certificate.
- See public key certificate.
- A data structure that contains an entity’s identifier(s), the entity's public key (including an indication of the associated set of domain parameters) and possibly other information, along with a signature on that data set that is generated by a trusted party, i.e., a certificate authority, thereby binding the public key to the included identifier(s).
- A set of data that uniquely identifies an entity, contains the entity's public key and possibly other information, and is digitally signed by a trusted party, thereby binding the public key to the entity. Additional information in the certificate could specify how the key is used and its validity period.
- A set of data that uniquely identifies an entity, contains the entity’s public key and possibly other information, and is digitally signed by a trusted party, thereby binding the public key to the entity identified in the certificate. Additional information in the certificate could specify how the key is used and the validity period of the certificate.
- A set of data that uniquely identifies an entity, contains the entity’s public key and possibly other information, and is digitally signed by a trusted party, thereby binding the public key to the entity. Additional information in the certificate could specify how the key is used and its validity period.
- A set of data that uniquely identifies an entity, contains the entity's public key and possibly other information, and is digitally signed by a trusted party, thereby binding the public key to the entity. Additional information in the certificate could specify how the key is used and its validity period.
- A set of data that uniquely identifies an entity, contains the entity's public key and possibly other information, and is digitally signed by a trusted party, thereby binding the public key to the entity. Additional information in the certificate could specify how the key is used and its validity period. (Certificates in this practice guide are based on IETF RFC 5280).
- A set of data that uniquely identifies an entity, contains the entity's public key and possibly other information, and is digitally signed by a trusted party, thereby binding the public key to the entity. Additional information in the certificate could specify how the key is used and its validity period. (Certificates in this practice guide are based on IETF RFC 5280.)
- Also known as a digital certificate. A digital representation of information which at least
1. identifies the certification authority issuing it,
2. names or identifies its subscriber,
3. contains the subscriber's public key,
4. identifies its operational period, and
5. is digitally signed by the certification authority issuing it.
- A data structure that contains an entity’s identifier(s), the entity's public key and possibly other information, along with a signature on that data set that is generated by a trusted party, i.e., a certificate authority, thereby binding the public key to the included identifier(s).
- A set of data that uniquely identifies an entity, contains the entity's public key and possibly other information, and is digitally signed by a trusted party, thereby binding the public key to the entity. Additional information in the certificate could specify how the key is used and its cryptoperiod.
- Certificate Authority (CA) : see document
- A trusted entity that issues and revokes public key certificates.
- The entity in a Public Key Infrastructure (PKI) that is responsible for issuing public-key certificates and exacting compliance to a PKI policy. Also known as a Certification Authority.
- Certificate Authority Authorization : see document
- A record associated with a Domain Name Server (DNS) entry that specifies the CAs that are authorized to issue certificates for that domain.
- certificate authority workstation (CAW) : see document
- The computer system or systems that process certification authority (CA) software and/or have access to the CA private keys, end entity keys, or end entity public keys prior to certification.
- Certificate Chain : see document
- An ordered list of certificates that starts with an end-entity certificate, includes one or more certificate authority (CA) certificates, and ends with the end-entity certificate’s root CA certificate, where each certificate in the chain is the certificate of the CA that issued the previous certificate. By checking to see if each certificate in the chain was issued by a trusted CA, the receiver of an end-user certificate can determine whether or not it should trust the end-entity certificate by verifying the signatures in the chain of certificates.
- Certificate class : see document
- A CA-designation (e.g., "class 0" or "class 1") indicating how thoroughly the CA checked the validity of the certificate. Per X.509 rules, the "class" should be encoded in the certificate as a CP extension: the CA can insert an object identifier (OID) that designates the set of procedures applied for the issuance of the certificate. These OIDs are CA-specific and can be understood only by referring to the CA's Certification Practice Statement.
- Certificate Enrollment Policy : see document
- Certificate Enrollment Service : see document
- certificate management : see document
- Process whereby certificates (as defined above) are generated, stored, protected, transferred, loaded, used, and destroyed.
- Process whereby certificates (as defined above) are generated, stored, protected, transferred, loaded, used, and destroyed. (In the context of this practice guide, it also includes inventory, monitoring, enrolling, installing, and revoking.)
- Process whereby certificates (as defined above) are generated, stored, protected, transferred, loaded, used, and destroyed. (In the context of this practice guide, it also includes inventory, monitoring, enrolling, installing, and revoking).
- Certificate Management Service : see document
- Certificate owner : see document
- The human(s) responsible for the management of a given certificate.
- The entity that is responsible for managing the certificate, including requesting, replacing, and revoking the certificate if and when required. The certificate owner is not necessarily the subject entity associated with the public key in the certificate (i.e., the key pair owner).
- A human entity that is identified as the subject in a public key certificate or is a sponsor of a non-human entity (e.g., device, application or process) that is identified as the certificate subject.
- certificate revocation list (CRL) : see document
- A list of revoked public key certificates created and digitally signed by a certification authority.
- These are digitally signed “blacklists” of revoked certificates. Certification authorities (CAs) periodically issue certificate revocation lists (CRLs), and users can retrieve them on demand via repositories.
- 1. A list of revoked public key certificates created and digitally signed by a Certificate Authority.
- A list of revoked public key certificates created and digitally signed by a Certification Authority.
- A list of revoked but unexpired certificates issued by a CA.
- A list maintained by a Certification Authority of the certificates which it has issued that are revoked prior to their stated expiration date.
- A list of revoked public key certificates by certificate number that includes the revocation date and (possibly) the reason for their revocation.
- A list of revoked but unexpired certificates issued by a Certification Authority.
- A list of digital certificates that have been revoked by an issuing CA before their scheduled expiration date and should no longer be trusted.
- A list of revoked public key certificates created and digitally signed by a Certificate Authority. See [RFC 5280].
- Certificate Signing Request : see document
- A request sent from a certificate requester to a certificate authority to apply for a digital identity certificate. The certificate signing request contains the public key as well as other information to be included in the certificate and is signed by the private key corresponding to the public key.
- Certificate Status Authority : see document
- A trusted entity that provides on-line verification to a relying party of a subject certificate's trustworthiness, and may also provide additional attribute information for the subject certificate.
- certificate status server : see document
- An authority that provides status information about certificates on behalf of the CA through online transactions (e.g., an online certificate status protocol (OCSP) responder).
- Certificate Transparency : see document
- A framework for publicly logging the existence of Transport Layer Security (TLS) certificates as they are issued or observed in a manner that allows anyone to audit CA activity and notice the issuance of suspect certificates as well as to audit the certificate logs themselves. (Experimental RFC 6962)
- Certificate Usage Type : see document
- Certificate-inventory management : see document
- See Key-inventory management.
- Establishing and maintaining records of the keys and/or certificates in use, assigning and tracking their owners or sponsors, monitoring key and certificate status, and reporting the status to the appropriate official for remedial action when required.
- certificate-related information : see document
- Information, such as subscriber’s postal address, that is not included in a certificate. May be used by a certification authority (CA) managing certificates.
- certification : see document
- Third-party attestation related to an object of conformity assessment, with the exception of accreditation.
- A designation earned to ensure qualifications to perform a job or task. Often issued by a professional organization, industry vendor, or employer to signify an achievement following a course of study.
- A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
- Comprehensive evaluation of an information system component that establishes the extent to which a particular design and implementation meets a set of specified security requirements.
- A formal process for testing components or systems against a specified set of security requirements. Certification is normally performed by an independent reviewer rather than one involved in building the system. Certification can be part of the review of security controls identified in OMB Circular A-130, Appendix III, which calls for security reviews to assure that management, operational, and technical controls are appropriate and functioning effectively. (See Accreditation.)
- The process of verifying the correctness of a statement or claim and issuing a certificate as to its correctness.
- Certification Agent : see document
- The individual, group, or organization responsible for conducting a security certification.
- certification analyst : see document
- The independent technical liaison for all stakeholders involved in the certification and accreditation (C&A) process responsible for objectively and independently evaluating a system as part of the risk management process. Based on the security requirements documented in the security plan, performs a technical and non-technical review of potential vulnerabilities in the system and determines if the security controls (management, operational, and technical) are correctly implemented and effective.
- certification authority : see document
- The entity in a public-key infrastructure (PKI) that is responsible for issuing certificates and exacting compliance with a PKI policy.
- An entity authorized to create, sign, issue, and revoke public key certificates.
- A trusted entity that issues and revokes public key certificates.
- A trusted entity that issues certificates to end entities and other CAs. CAs issue CRLs periodically, and post certificates and CRLs to a repository.
- An authority trusted by one or more users to issue and manage X.509 Public Key Certificates and CARLs or CRLs.
- The entity in a Public-Key Infrastructure (PKI) that is responsible for issuing public key certificates and exacting compliance to a PKI policy.
- The entity in a Public Key Infrastructure (PKI) that issues certificates to certificate subjects.
- The entity in a Public Key Infrastructure (PKI) that is responsible for issuing certificates and exacting compliance with a PKI policy.
- The entity in a Public Key Infrastructure (PKI) that is responsible for issuing certificates and exacting compliance to a PKI policy.
- The entity in a public key infrastructure (PKI) that is responsible for issuing certificates to certificate subjects and exacting compliance to a PKI policy.
- The entity in a Public Key Infrastructure (PKI) that is responsible for issuing public-key certificates and exacting compliance to a PKI policy.
- Certification Authority System : see document
- Certification Authority Workstation : see document
- Commercial-off-the-shelf (COTS) workstation with a trusted operating system and special purpose application software that is used to issue certificates.
Rationale: Term has been replaced by the term “certificate authority workstation (CAW)”.
- certification package : see document
- Product of the certification effort documenting the detailed results of the certification activities.
Rationale: The Risk Management Framework uses a new term to refer to this concept, and it is called security assessment report (SAR).
- certification practice statement (CPS) : see document
- A statement of the practices that a certification authority (CA) employs in issuing, suspending, revoking, and renewing certificates and providing access to them, in accordance with specific requirements (i.e., requirements specified in this Certificate Policy, or requirements specified in a contract for services).
- A statement of the practices which a Certification Authority employs in issuing certificates.
- A statement of the practices that a CA employs in issuing, suspending, revoking and renewing certificates and providing access to them, in accordance with specific requirements (i.e., requirements specified in this CP, or requirements specified in a contract for services).
- A statement of the practices that a certification authority employs in issuing certificates.
- A statement of the practices that a Certification Authority employs in issuing and managing public key certificates.
- certification test and evaluation : see document
- Software, hardware, and firmware security tests conducted during development of an information system component.
- certified TEMPEST technical authority : see document
- An experienced, technically qualified U.S. Government employee who has met established certification requirements in accordance with CNSS approved criteria and has been appointed by a U.S. Government Department or Agency to fulfill CTTA responsibilities.
- certifier : see document
- Individual responsible for making a technical judgment of the system’s compliance with stated requirements, identifying and assessing the risks associated with operating the system, coordinating the certification activities, and consolidating the final certification and accreditation packages.
Rationale: Term has been replaced by the term “security control assessor”.
- CES : see document
- CESER : see document
- CF : see document
- CFATS : see document
- CFB : see document
- CFC : see document
- CFFB : see document
- CFI : see document
- CFO : see document
- A senior member responsible for managing the financial actions of an agency or organization.
- CFOC : see document
- CFRDC : see document
- CFReDS : see document
- CFTT : see document
- CGE : see document
- CGI : see document
- CGN : see document
- cgroup : see document
- chain : see document
- Two or more assessment elements that are linked by a common aspect of ISCM. Each chain has an assessment element in Program Step 1, DEFINE, called the root, which has no predecessor or parent element.
- A set of elements that represents a complete assessment concept and are related by their Parent attribute.
- chain of custody : see document
- A process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose for the transfer.
- A process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose for any transfers.
- chain of evidence : see document
- A process and record that shows who obtained the evidence; where and when the evidence was obtained; who secured the evidence; and who had control or possession of the evidence. The “sequencing” of the chain of evidence follows this order: collection and identification; analysis; storage; preservation; presentation in court; return to owner.
Rationale: Sufficiently covered under chain of custody.
- chain of trust : see document
- An interoperable data format for PIV enrollment records that facilitates the import and export of records between PIV Card issuers.
- A method for maintaining valid trust boundaries by applying a principle of transitive trust, where each software module in a system boot process is required to measure the next module before transitioning control.
- See “authentication chain.”
- A certain level of trust in supply chain interactions such that each participant in the consumer-provider relationship provides adequate protection for its component products, systems, and services.
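The boot-time sense of the term above (each module measures the next before transferring control) is easiest to see as a hash chain. The following is an added example, not code from any of the source documents: a simulated measured boot in which a TPM-style register is only ever extended, never written, so the final value commits to every stage and to their order. The boot-stage images, the stage names and the `golden_pcr` policy value are constructed for the demonstration.

```python
import hashlib

# Constructed stand-in boot stages (hypothetical images, not real firmware).
# In a real measured boot the first stage is a hardware-rooted component that
# measures the next one before it runs; the extend pattern is the same.
BOOT_CHAIN = [
    ("bootloader", b"stage-1 bootloader image v1.0"),
    ("kernel",     b"kernel image 6.1"),
    ("initramfs",  b"initramfs archive"),
]

PCR_RESET = bytes(32)  # a SHA-256 PCR starts as all zeros at platform reset


def measure(image: bytes) -> bytes:
    """The measurement of a module is its hash."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: the register can only move to H(old || measurement),
    so software later in the chain cannot rewind it or set a chosen value."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(chain):
    """Walk the chain: each stage measures the next stage into the PCR before
    control transfers to it. Returns the final PCR and an event log."""
    pcr = PCR_RESET
    log = []
    for name, image in chain:
        digest = measure(image)
        pcr = extend(pcr, digest)
        log.append((name, digest))
        # control would now pass to `image`; its measurement is already committed
    return pcr, log


def replay_log(log) -> bytes:
    """Verifier side: recompute the PCR from the event log alone, so the log
    can be checked against the quoted register value."""
    pcr = PCR_RESET
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr


def attest(expected_pcr: bytes, chain) -> bool:
    """True only if booting `chain` reproduces the pinned PCR and the event log
    is consistent with that PCR."""
    pcr, log = measured_boot(chain)
    return pcr == expected_pcr and replay_log(log) == pcr


def golden_pcr() -> bytes:
    """The reference value an attestation policy would pin (hypothetical)."""
    return measured_boot(BOOT_CHAIN)[0]


def tampered_chain():
    """Kernel image replaced; everything else identical."""
    return [(n, b"kernel image 6.1 + implant" if n == "kernel" else img)
            for n, img in BOOT_CHAIN]


def reordered_chain():
    """Same images, different order: the chain is order-sensitive."""
    return list(reversed(BOOT_CHAIN))


if __name__ == "__main__":
    golden = golden_pcr()
    print("golden PCR   :", golden.hex())
    print("clean boot   :", attest(golden, BOOT_CHAIN))
    print("tampered boot:", attest(golden, tampered_chain()))
    print("reordered    :", attest(golden, reordered_chain()))
```

The point the definition makes is the transitive one: a stage is trusted only because the already-trusted stage before it measured it. Swapping two otherwise-valid images, or changing a single byte of one, yields a different final register, and a verifier that pins the expected value rejects the boot.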
- Chain-based proof of stake consensus model : see document
- A proof of stake consensus model where the blockchain network decides the next block through pseudo-random selection, based on a personal stake to overall system asset ratio.
- Chained Secure Zone : see document
- A DNS zone in which there is an authentication chain from the zone to a trust anchor.
- chaining : see document
- An approach for deploying CDS where two different CDS on different operating systems are placed in series to transfer information across multiple security domains.
- Challenge : see document
- For this paper, a currently difficult or impossible task that is either unique to cloud computing or exacerbated by it.
- challenge and reply authentication : see document
- Prearranged procedure in which a subject requests authentication of another and the latter establishes validity with a correct reply.
- Challenge-Handshake Authentication Protocol : see document
- Challenge-Response Authentication Mechanism : see document
- Challenge-Response Protocol : see document
- An authentication protocol in which the verifier sends the claimant a challenge (e.g., a random value or nonce) that the claimant combines with a secret (e.g., by hashing the challenge and a shared secret together or by applying a private-key operation to the challenge) to generate a response that is sent to the verifier. The verifier can independently verify the response generated by the claimant (e.g., by recomputing the hash of the challenge and the shared secret and comparing it to the response or performing a public-key operation on the response) and establish that the claimant possesses and controls the secret.
- An authentication protocol where the verifier sends the claimant a challenge (usually a random value or a nonce) that the claimant combines with a secret (often by hashing the challenge and a shared secret together, or by applying a private key operation to the challenge) to generate a response that is sent to the verifier. The verifier can independently verify the response generated by the Claimant (such as by re-computing the hash of the challenge and the shared secret and comparing to the response, or performing a public key operation on the response) and establish that the Claimant possesses and controls the secret.
- An authentication protocol where the verifier sends the claimant a challenge (usually a random value or nonce) that the claimant combines with a secret (such as by hashing the challenge and a shared secret together, or by applying a private key operation to the challenge) to generate a response that is sent to the verifier. The verifier can independently verify the response generated by the claimant (such as by re-computing the hash of the challenge and the shared secret and comparing to the response, or performing a public key operation on the response) and establish that the claimant possesses and controls the secret.
- An authentication protocol where the Verifier sends the Claimant a challenge (usually a random value or a nonce) that the Claimant combines with a secret (such as by hashing the challenge and a shared secret together, or by applying a private key operation to the challenge) to generate a response that is sent to the Verifier. The Verifier can independently verify the response generated by the Claimant (such as by re-computing the hash of the challenge and the shared secret and comparing to the response, or performing a public key operation on the response) and establish that the Claimant possesses and controls the secret.
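The shared-secret variant of the protocol described in the definitions above, as an added example that is not part of any of the source documents. Both sides are modelled so the two messages (challenge out, response back) are explicit, and the verifier keeps the set of challenges it issued so that a captured (challenge, response) pair cannot be replayed. The secret values and the `Verifier`/`Claimant` class names are assumptions made for the demonstration; the private-key variant mentioned in the definitions follows the same shape with a signature in place of the HMAC.

```python
import hashlib
import hmac
import secrets


class Verifier:
    """Holds the shared secret and the set of challenges it has issued."""

    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret
        self._outstanding = set()  # issued but not yet answered

    def challenge(self) -> bytes:
        """Fresh unpredictable nonce; remembered so it can be used exactly once."""
        nonce = secrets.token_bytes(32)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        """Recompute the expected response and compare in constant time.
        A nonce the verifier did not issue, or one already consumed, is
        rejected; that is what defeats replay of a captured pair."""
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)  # single use, even if the check below fails
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Claimant:
    """Proves possession of the secret without ever sending it."""

    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._secret, nonce, hashlib.sha256).digest()


def run_protocol(verifier: Verifier, claimant: Claimant):
    """One full exchange. Returns (nonce, response, accepted) so a caller can
    reuse the captured messages to attempt a replay."""
    nonce = verifier.challenge()        # message 1: verifier -> claimant
    response = claimant.respond(nonce)  # message 2: claimant -> verifier
    return nonce, response, verifier.verify(nonce, response)


def demo() -> dict:
    secret = b"constructed shared secret for the demo"  # hypothetical value
    verifier = Verifier(secret)

    nonce, response, accepted = run_protocol(verifier, Claimant(secret))
    replayed = verifier.verify(nonce, response)   # attacker resends what it saw
    _, _, impostor = run_protocol(verifier, Claimant(b"wrong secret"))
    forged = verifier.verify(secrets.token_bytes(32), response)  # unissued nonce

    return {
        "legitimate": accepted,  # True
        "replay": replayed,      # False: nonce already consumed
        "impostor": impostor,    # False: response made with the wrong secret
        "forged_nonce": forged,  # False: verifier never issued that challenge
    }


if __name__ == "__main__":
    for outcome, value in demo().items():
        print(f"{outcome:13s}: {value}")
```

Two details matter in practice and are easy to get wrong: the challenge must come from a cryptographically secure generator (a predictable nonce lets an attacker precompute responses), and the comparison must be constant-time so response bytes cannot be recovered through timing. The secret itself never crosses the wire in either direction.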
- Change Control Board : see document
- Change of Authorization : see document
- Channel : see document
- An information transfer path within a system. May also refer to the mechanism by which the path is effected.
- CHAP : see document
- characterization : see document
- An extended test of the performance characteristics of a clock or oscillator. A characterization involves more work than a typical calibration. The device under test is usually measured for a long period of time (days or weeks), and sometimes, a series of measurements is made under different environmental conditions. A characterization is often used to determine the types of noise that limit the uncertainty of the measurement and the sensitivity of the device to environmental changes.
- Chassis Management Controller : see document
- Check Fact Reference : see document
- An expression that refers to a check (e.g., OVAL check, OCIL check).
- check word : see document
- Cipher text generated by cryptographic logic to detect failures in cryptography.
- Checking Disabled : see document
- A Compact Disc (CD) is a class of media from which data are read by optical means.
- Checklist : see document
- A document that contains instructions or procedures for configuring an IT product to an operational environment, for verifying that the product has been configured properly, and/or for identifying unauthorized configuration changes to the product. Also referred to as a security configuration checklist, lockdown guide, hardening guide, security guide, security technical implementation guide (STIG), or benchmark.
- An organized collection of rules about a particular kind of system or platform.
- Checklist Developer : see document
- An individual or organization that develops and owns a checklist and submits it to the National Checklist Program.
- Checklist Group : see document
- Represents the grouping of checklists based on a common source material. Commonly used if an organization packages multiple sets of product guidance under the same name.
- Checklist Revision : see document
- Represents a change to the checklist content that does not affect the underlying rule/value configuration guidance put forth by the content. A scenario that would require a new checklist revision is when SCAP content is created for a prose checklist. This revision would change the checklist's content type from Prose to SCAP Content. A new checklist revision would be created to accommodate this change, while still maintaining the Prose checklist revision for interested parties.
- Represents a change to the checklist content that does not affect the underlying rule/value configuration guidance put forth by the content. A scenario that would require a new checklist revision would be when SCAP content is created for a prose checklist. This revision would change the checklist's Tier status from Tier I to either Tier III or IV. A new checklist revision would be created to accommodate this change, while still maintaining the Tier I checklist revision for interested parties.
- Checklist Role : see document
- The primary use or function of the IT product as described by the checklist (e.g., client desktop host, web server, bastion host, network border protection, intrusion detection).
- Checklist Type : see document
- The type of checklist, such as Compliance, Vulnerability, and Specialized.
- checksum : see document
- A value computed on data to detect error or manipulation.
- A value that (a) is computed by a function that is dependent on the contents of a data object and (b) is stored or transmitted together with the object, for detecting changes in the data.
- A value that (a) is computed by a function that is dependent on the content of a data object and (b) is stored or transmitted together with the object, for detecting changes in the data.
- Value computed on data to detect error or manipulation.
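The definitions above cover both "error" and "manipulation", and the distinction is where practitioners get caught: an unkeyed checksum such as a CRC detects accidental corruption, but anyone who can change the data can also recompute the checksum, so it offers no protection against deliberate tampering unless the checksum itself is protected or keyed. The following is an added example, not from any of the source documents, contrasting CRC-32 with an HMAC on the same message; the key and the message contents are constructed for the demonstration.

```python
import hashlib
import hmac
import zlib


def crc32_checksum(data: bytes) -> int:
    """Unkeyed checksum: anyone can compute it, including an attacker."""
    return zlib.crc32(data) & 0xFFFFFFFF


def crc32_verify(data: bytes, checksum: int) -> bool:
    return crc32_checksum(data) == checksum


def keyed_checksum(key: bytes, data: bytes) -> bytes:
    """Keyed checksum (HMAC-SHA-256): only a holder of `key` can produce it."""
    return hmac.new(key, data, hashlib.sha256).digest()


def keyed_verify(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(keyed_checksum(key, data), tag)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate a transmission error: invert a single bit."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def demo() -> dict:
    key = b"constructed demo key, never sent on the wire"  # hypothetical
    original = b"transfer 100 to alice"
    tampered = b"transfer 900 to mallory"

    # Sender appends a CRC and, separately, an HMAC over the same message.
    crc = crc32_checksum(original)
    tag = keyed_checksum(key, original)

    # Case 1: a random bit flip in transit. CRC-32 catches every single-bit
    # error by construction, and the HMAC obviously no longer matches either.
    corrupted = flip_bit(original, 37)

    # Case 2: an active attacker rewrites the message and recomputes the CRC,
    # which needs no secret. It cannot recompute the HMAC without the key, so
    # the best it can do is forward the old tag alongside the new message.
    attacker_crc = crc32_checksum(tampered)

    return {
        "crc_accepts_corrupted":  crc32_verify(corrupted, crc),          # False
        "crc_accepts_forged":     crc32_verify(tampered, attacker_crc),  # True
        "hmac_accepts_corrupted": keyed_verify(key, corrupted, tag),     # False
        "hmac_accepts_forged":    keyed_verify(key, tampered, tag),      # False
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:24s}: {accepted}")
```

The CRC is the right tool for its purpose (cheap, and it flags line noise and truncated writes); it is simply not an integrity control against an adversary. When a specification says a checksum protects against manipulation, check whether it is keyed or whether the checksum value travels inside something already authenticated.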
- Chemical Facility Anti-Terrorism Standards : see document
- CHERI : see document
- Chief Artificial Intelligence Officer : see document
- A senior executive responsible for coordinating their agency’s use of artificial intelligence (AI), promoting AI innovation in their agency, and managing risks from their agency’s use of AI.
- Chief Data Officer : see document
- A senior executive responsible for the utilization and governance of data across the agency or organization.
- Chief Executive Officer : see document
- Chief Financial Officer : see document
- A senior member responsible for managing the financial actions of an agency or organization.
- Chief Financial Officers Council : see document
- chief information officer : see document
- Executive agency official responsible for: (1) providing advice and other assistance to the head of the executive agency and other senior management personnel of the executive agency to ensure that information technology is acquired and information resources are managed in a manner that is consistent with laws, Executive Orders, directives, policies, regulations, and priorities established by the head of the agency; (2) developing, maintaining, and facilitating the implementation of a sound and integrated information technology architecture for the executive agency; and (3) promoting the effective and efficient design and operation of all major information resources management processes for the executive agency, including improvements to work processes of the executive agency.
- Agency official responsible for: (i) providing advice and other assistance to the head of the executive agency and other senior management personnel of the agency to ensure that information technology is acquired and information resources are managed in a manner that is consistent with laws, Executive Orders, directives, policies, regulations, and priorities established by the head of the agency; (ii) developing, maintaining, and facilitating the implementation of a sound and integrated information technology architecture for the agency; and (iii) promoting the effective and efficient design and operation of all major information resources management processes for the agency, including improvements to work processes of the agency.
- The senior official that provides advice and other assistance to the head of the agency and other senior management personnel of the agency to ensure that IT is acquired and information resources are managed for the agency in a manner that achieves the agency’s strategic goals and information resources management goals; and is responsible for ensuring agency compliance with, and prompt, efficient, and effective implementation of, the information policies and information resources management responsibilities, including the reduction of information collection burdens on the public.
- Agency official responsible for:
(i) Providing advice and other assistance to the head of the executive agency and other senior management personnel of the agency to ensure that information technology is acquired and information resources are managed in a manner that is consistent with laws, Executive Orders, directives, policies, regulations, and priorities established by the head of the agency;
(ii) Developing, maintaining, and facilitating the implementation of a sound and integrated information technology architecture for the agency; and
(iii) Promoting the effective and efficient design and operation of all major information resources management processes for the agency, including improvements to work processes of the agency.
- Agency official responsible for:
1) Providing advice and other assistance to the head of the executive agency and other senior management personnel of the agency to ensure that information technology is acquired and information resources are managed in a manner that is consistent with laws, Executive Orders, directives, policies, regulations, and priorities established by the head of the agency;
2) Developing, maintaining, and facilitating the implementation of a sound and integrated information technology architecture for the agency; and
3) Promoting the effective and efficient design and operation of all major information resources management processes for the agency, including improvements to work processes of the agency.
- Agency official responsible for:
(i) Providing advice and other assistance to the head of the executive agency and other senior management personnel of the agency to ensure that information technology is acquired and information resources are managed in a manner that is consistent with laws, Executive Orders, directives, policies, regulations, and priorities established by the head of the agency;
(ii) Developing, maintaining, and facilitating the implementation of a sound and integrated information technology architecture for the agency; and
(iii) Promoting the effective and efficient design and operation of all major information resources management processes for the agency, including improvements to work processes of the agency.
Note: Organizations subordinate to federal agencies may use the term Chief Information Officer to denote individuals filling positions with similar security responsibilities to agency-level Chief Information Officers.
- Agency official responsible for: (1) providing advice and other assistance to the head of the executive agency and other senior management personnel of the agency to ensure that information systems are acquired and information resources are managed in a manner that is consistent with laws, Executive Orders, directives, policies, regulations, and priorities established by the head of the agency; (2) developing, maintaining, and facilitating the implementation of a sound and integrated information system architecture for the agency; and (3) promoting the effective and efficient design and operation of all major information resources management processes for the agency, including improvements to work processes of the agency.
Note: Organizations subordinate to federal agencies may use the term Chief Information Officer to denote individuals filling positions with similar security responsibilities to agency-level Chief Information Officers.
- Agency official responsible for: (i) Providing advice and other assistance to the head of the executive agency and other senior management personnel of the agency to ensure that information technology is acquired and information resources are managed in a manner that is consistent with laws, executive orders, directives, policies, regulations, and priorities established by the head of the agency; (ii) Developing, maintaining, and facilitating the implementation of a sound and integrated information technology architecture for the agency; and (iii) Promoting the effective and efficient design and operation of all major information resources management processes for the agency, including improvements to work processes of the agency.
- Organization’s official responsible for: (i) Providing advice and other assistance to the head of the organization and other senior management personnel of the organization to ensure that information technology is acquired and information resources are managed in a manner that is consistent with laws, directives, policies, regulations, and priorities established by the head of the organization; (ii) Developing, maintaining, and facilitating the implementation of a sound and integrated information technology architecture for the organization; and (iii) Promoting the effective and efficient design and operation of all major information resources management processes for the organization, including improvements to work processes of the organization. Note: A subordinate organization may assign a chief information officer to denote an individual filling a position with security responsibilities with respect to the subordinate organization that are similar to those that the chief information officers fills for the organization to which they are subordinate.
- Chief Information Officers (CIO) Council : see document
- The CIO Council is the principal interagency forum for improving agency practices related to the design, acquisition, development, modernization, use, sharing, and performance of Federal information resources.
- chief information security officer : see document
- See Senior Agency Information Security Officer.
- Official responsible for carrying out the Chief Information Officer responsibilities under FISMA and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners, and information system security officers.
- Official responsible for carrying out the Chief Information Officer responsibilities under the Federal Information Security Management Act (FISMA) and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners, and information systems security officers.
[Note 1: With respect to SecCM, a Senior Agency Information Security Officer is an individual that provides organization-wide procedures and/or templates for SecCM, manages or participates in the Configuration Control Board, and/or provides technical staff for security impact analyses.
Note 2: Organizations subordinate to federal agencies may use the term Senior Information Security Officer or Chief Information Security Officer to denote individuals filling positions with similar responsibilities to Senior Agency Information Security Officers.]
- See senior agency information security officer (SAISO).
- Official responsible for carrying out the Chief Information Officer responsibilities under FISMA and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners, and information system security officers.
[Note: Organizations subordinate to federal agencies may use the term Senior Information Security Officer or Chief Information Security Officer to denote individuals filling positions with similar responsibilities to Senior Agency Information Security Officers.]
- Official responsible for carrying out the Chief Information Officer responsibilities under FISMA and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners, and information system security officers.
Note: Organizations subordinate to federal agencies may use the term Senior Information Security Officer or Chief Information Security Officer to denote individuals filling positions with similar responsibilities to Senior Agency Information Security Officers.
- Official responsible for carrying out the Chief Information Officer responsibilities under the Federal Information Security Modernization Act (FISMA) and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners, and information system security officers.
Note 1: With respect to SecCM, a Senior Agency Information Security Officer is an individual that provides organization-wide procedures and/or templates for SecCM, manages or participates in the Configuration Control Board, and/or provides technical staff for security impact analyses.
Note 2: Organizations subordinate to federal agencies may use the term Senior Agency Information Security Officer or Chief Information Security Officer to denote individuals filling positions with similar responsibilities to Senior Agency Information Security Officers.
- Official responsible for carrying out the Chief Information Officer responsibilities under FISMA and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners, and information system security officers. Note: Organizations subordinate to federal agencies may use the term senior information security officer or chief information security officer to denote individuals who fill positions with similar responsibilities to senior agency information security officers.
- Chief Learning Officer : see document
- A senior-level executive who oversees all learning and employee development programs within an agency or organization.
- Chief Operating Officer : see document
- Chief Privacy Officer : see document
- A senior official designated by the head of each agency to have agency-wide responsibilities for privacy, including the implementation of privacy protections; compliance with federal laws, regulations, and policies related to privacy; the management of privacy risks at the agency; and a central policy-making role in the agency’s development and evaluation of legislative, regulatory, and other policy proposals.
- The senior official designated by the head of each agency who has agency-wide responsibility for privacy, including implementing privacy protections; ensuring compliance with federal laws, regulations, and policies related to privacy; managing privacy risks at the agency; and filling a central policy-making role in the agency’s development and evaluation of legislative, regulatory, and other policy proposals.
- Person responsible for ensuring that an agency complies with privacy requirements, manages privacy risks, and considers the privacy impacts of all agency actions and policies that involve personal information.
- See Senior Agency Official for Privacy.
- The senior organizational official with overall organization-wide responsibility for information privacy issues.
- The senior official, designated by the head of each agency, who has agency-wide responsibility for privacy, including implementation of privacy protections; compliance with Federal laws, regulations, and policies relating to privacy; management of privacy risks at the agency; and a central policy-making role in the agency’s development and evaluation of legislative, regulatory, and other policy proposals.
- Chief Product Security Officer : see document
- Chief Risk Officer : see document
- Chief Security Officer : see document
- Chief Technology Officer : see document
- Children’s Online Privacy Protection Act : see document
- Chinese Remainder Theorem : see document
- CHIPS : see document
- Choose Your Own Device : see document
- Choreography : see document
- Defines the requirements and sequences through which multiple Web services interact.
- Chosen Ciphertext Attack : see document
- Chosen Plaintext Attack : see document
- CHUID : see document
- CHVP : see document
- CI : see document
- An aggregation of information system components that is designated for configuration management and treated as a single entity in the configuration management process.
- An interval estimate [low, high] of a population parameter. If the population is repeatedly sampled, and confidence intervals are computed for each sample with significance level α, approximately 100(1 − α)% of the intervals are expected to contain the true population parameter.
- System and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
- Essential services and related assets that underpin American society and serve as the backbone of the nation's economy, security, and health.
- An item or aggregation of hardware or software or both that is designed to be managed as a single entity. Configuration items may vary widely in complexity, size and type, ranging from an entire system including all hardware, software and documentation, to a single module, a minor hardware component or a single software package.
- Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on cybersecurity, national economic security, national public health or safety, or any combination of those matters.
- CI/CD : see document
- CIA : see document
- C = Confidentiality assurance, I = Integrity assurance, A = Availability assurance
- CIDAR : see document
- CIDR : see document
- CIE : see document
- CIF : see document
- CIFS : see document
- CIGRE : see document
- CIK : see document
- CIKR : see document
- CIM : see document
- CIMA : see document
- Cin-Day : see document
- CIO : see document
- Executive agency official responsible for: (1) providing advice and other assistance to the head of the executive agency and other senior management personnel of the executive agency to ensure that information technology is acquired and information resources are managed in a manner that is consistent with laws, Executive Orders, directives, policies, regulations, and priorities established by the head of the agency; (2) developing, maintaining, and facilitating the implementation of a sound and integrated information technology architecture for the executive agency; and (3) promoting the effective and efficient design and operation of all major information resources management processes for the executive agency, including improvements to work processes of the executive agency.
- The senior official that provides advice and other assistance to the head of the agency and other senior management personnel of the agency to ensure that IT is acquired and information resources are managed for the agency in a manner that achieves the agency’s strategic goals and information resources management goals; and is responsible for ensuring agency compliance with, and prompt, efficient, and effective implementation of, the information policies and information resources management responsibilities, including the reduction of information collection burdens on the public.
- Agency official responsible for:
(i) Providing advice and other assistance to the head of the executive agency and other senior management personnel of the agency to ensure that information technology is acquired and information resources are managed in a manner that is consistent with laws, Executive Orders, directives, policies, regulations, and priorities established by the head of the agency;
(ii) Developing, maintaining, and facilitating the implementation of a sound and integrated information technology architecture for the agency; and
(iii) Promoting the effective and efficient design and operation of all major information resources management processes for the agency, including improvements to work processes of the agency.
- Agency official responsible for:
(i) Providing advice and other assistance to the head of the executive agency and other senior management personnel of the agency to ensure that information technology is acquired and information resources are managed in a manner that is consistent with laws, Executive Orders, directives, policies, regulations, and priorities established by the head of the agency;
(ii) Developing, maintaining, and facilitating the implementation of a sound and integrated information technology architecture for the agency; and
(iii) Promoting the effective and efficient design and operation of all major information resources management processes for the agency, including improvements to work processes of the agency.
Note: Organizations subordinate to federal agencies may use the term Chief Information Officer to denote individuals filling positions with similar security responsibilities to agency-level Chief Information Officers.
- Agency official responsible for: (i) Providing advice and other assistance to the head of the executive agency and other senior management personnel of the agency to ensure that information technology is acquired and information resources are managed in a manner that is consistent with laws, executive orders, directives, policies, regulations, and priorities established by the head of the agency; (ii) Developing, maintaining, and facilitating the implementation of a sound and integrated information technology architecture for the agency; and (iii) Promoting the effective and efficient design and operation of all major information resources management processes for the agency, including improvements to work processes of the agency.
- Organization’s official responsible for: (i) Providing advice and other assistance to the head of the organization and other senior management personnel of the organization to ensure that information technology is acquired and information resources are managed in a manner that is consistent with laws, directives, policies, regulations, and priorities established by the head of the organization; (ii) Developing, maintaining, and facilitating the implementation of a sound and integrated information technology architecture for the organization; and (iii) Promoting the effective and efficient design and operation of all major information resources management processes for the organization, including improvements to work processes of the organization. Note: A subordinate organization may assign a chief information officer to denote an individual filling a position with security responsibilities with respect to the subordinate organization that are similar to those that the chief information officers fills for the organization to which they are subordinate.
- CIP : see document
- CIPAC : see document
- cipher : see document
- Series of transformations that converts plaintext to ciphertext using the Cipher Key.
- Any cryptographic system in which arbitrary symbols or groups of symbols represent units of plain text, or in which units of plain text are rearranged, or both.
- Cipher Block Chaining : see document
- Cipher Block Chaining - Message Authentication Code (CMAC) : see document
- Cipher Feedback : see document
- cipher text : see document
- Data in its encrypted form.
- cipher text auto-key : see document
- Cryptographic logic that uses previous cipher text to generate a key stream.
- Cipher-based Message Authentication Code : see document
- Cipher-based Message Authentication Code (as specified in NIST SP 800-38B).
- Ciphering Offset Number : see document
- ciphertext : see document
- Data in its encrypted form.
- The encrypted form of the plaintext.
- Encrypted (enciphered) data.
- The output of the CCM encryption-generation process.
- The confidential form of the plaintext that is the output of the authenticated-encryption function.
- Data in its enciphered form.
- Ciphertext Integrity : see document
- Ciphertext Integrity with Misuse-resistance : see document
- Ciphertext Stealing : see document
- ciphertext-policy attribute-based encryption : see document
- CIPSEA : see document
- CIR : see document
- CIRC : see document
- Circuit : see document
- A dedicated single connection between two endpoints on a network.
- Circuit Switch Fallback : see document
- CIRT : see document
- CIS : see document
- CISA : see document
- Cisco Global Exploiter : see document
- Cisco’s Internetwork Operating System : see document
- CISO : see document
- See Senior Agency Information Security Officer.
- See Senior Agency Information Security Officer
- CISQ : see document
- Citect SCADA system : see document
- CJA : see document
- CJIS : see document
- CK : see document
- CKG : see document
- CKL : see document
- CKMS : see document
- A Cryptographic Key Management System that conforms to the requirements of [NIST SP 800-130].
- CKMS component : see document
- Any hardware, software, or firmware that is used to implement a CKMS. In this Recommendation, the major CKMS components discussed are the Central Oversight Authority, Key Processing Facilities, Service Agents, Client Nodes and Tokens.
- CKMS design : see document
- The capabilities that were selected and specified by a CKMS designer to be implemented and supported in a CKMS product.
- CKMS designer : see document
- The entity that selects the capabilities to be included in a CKMS, documents the design in accordance with the requirements specified in [NIST SP 800-130], and specifies a CKMS Security Policy that defines the rules that are to be enforced in the CKMS.
- CKMS developer : see document
- The entity that assembles a CKMS as designed by the CKMS designer.
- CKMS hierarchy : see document
- A system of key processing facilities whereby a key center or certification authority may delegate the authority to issue keys or certificates to subordinate centers or authorities that can, in turn, delegate that authority to their subordinates.
- CKMS implementer : see document
- The entity that installs the CKMS for the FCKMS service provider.
- CKMS module : see document
- A device that performs a set of key and metadata-management functions for at least one CKMS.
- CKMS product : see document
- An implementation of a CKMS design produced by a vendor that conforms to the requirements of [NIST SP 800-130], provides a set of key-management services and cryptographic functions, and operates in accordance with the CKMS designer’s CKMS Security Policy.
- CKMS PS : see document
- CKMS Security Policy : see document
- A security policy specific to a CKMS
- CKMS SP : see document
- CKMS vendor : see document
- The entity that markets the CKMS to CKMS service providers.
- CL : see document
- claim : see document
- A true-false statement about the limitations on the values of an unambiguously defined property called the claim’s property; and limitations on the uncertainty of the property’s values falling within these limitations during the claim’s duration of applicability under stated conditions.
- claimant : see document
- A subject whose identity is to be verified using one or more authentication protocols.
- The Bluetooth device attempting to prove its identity to the verifier during the Bluetooth connection process.
- The person who is asserting his or her identity
- Claimed signatory : see document
- From the verifier’s perspective, the claimed signatory is the entity that purportedly generated a digital signature.
- classification : see document
- The task of predicting which of a set of discrete categories an input belongs to.
- classified information : see document
- Classified information or classified national security information means information that has been determined pursuant to E.O. 12958 as amended by E.O. 13292 or any predecessor order to require protection against unauthorized disclosure and is marked to indicate its classified status when in documentary form.
- Information that Executive Order 13526, "Classified National Security Information," December 29, 2009 (3 CFR, 2010 Comp., p. 298), or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended, requires agencies to mark with classified markings and protect against unauthorized disclosure.
- Information that has been determined: (i) pursuant to Executive Order 12958 as amended by Executive Order 13526, or any predecessor Order, to be classified national security information; or (ii) pursuant to the Atomic Energy Act of 1954, as amended, to be Restricted Data (RD).
- Information that has been determined pursuant to Executive Order (E.O.) 13292 or any predecessor order to require protection against unauthorized disclosure and is marked to indicate its classified status when in documentary form.
- classified national security information : see document
- Information that has been determined pursuant to Executive Order 13526 or any predecessor order to require protection against unauthorized disclosure and is marked to indicate its classified status when in documentary form.
- Information that has been determined pursuant to Executive Order (E.O.) 13526 or any predecessor order to require protection against unauthorized disclosure and is marked to indicate its classified status when in documentary form.
- Information that Executive Order 13526, "Classified National Security Information," December 29, 2009 (3 CFR, 2010 Comp., p. 298), or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended, requires agencies to mark with classified markings and protect against unauthorized disclosure.
- Classless Inter-Domain Routing : see document
- clean host : see document
- A host with an operating system installation that has never been accessed by end users, such as a host freshly built from a fully-patched security baseline image.
- clean word list : see document
- List of words that are acceptable, but would normally be rejected because they contain a word on the dirty word list (e.g., secret within secretary).
- clear : see document
- A method of sanitization that applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard Read and Write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state (where rewriting is not supported).
- A method of Sanitization by applying logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques using the same interface available to the user; typically applied through the standard read and write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state (where rewriting is not supported).
- clearance : see document
- A formal security determination by an authorized adjudicative office that an individual is authorized access, on a need to know basis, to a specific level of classified information (TOP SECRET, SECRET, or CONFIDENTIAL).
- cleartext : see document
- Information that is not encrypted.
- Unencrypted information that may be input to an encryption operation.
Note: Plain text is not a synonym for clear text. See clear text.
- Intelligible data, the semantic content of which is available.
- CLI : see document
- Client Backup-Archive Client : see document
- Client Management Script Library : see document
- client node : see document
- Enables customers to access primary services nodes (PRSNs) to obtain key management infrastructure (KMI) products and services and to generate, produce, and distribute traditional (symmetric) key products. The management client (MGC) configuration of the client node allows customers to operate locally, independent of a PRSN.
- An interface for human users, devices, applications and processes to access CKMS functions, including the requesting of certificates and keys.
- Client-to-Authenticator Protocol : see document
- Clinical and Laboratory Standards Institute : see document
- clipping : see document
- The general name for any algorithm that enforces a bound on the impact of one user’s data on an aggregate statistic. A common example is enforcing lower and upper bounds on values being summed in order to bound the global sensitivity of the sum.
- clipping parameter : see document
- The specific choice of lower and upper bounds that are used when an algorithm performs clipping. The utility of a differentially private algorithm is often dependent on choosing good clipping parameters. One must be careful not to compute the clipping parameter directly from the data, as doing so may lead to a violation of privacy.
- CLO : see document
- A senior-level executive who oversees all learning and employee development programs within an agency or organization.
- clock : see document
- A device that generates periodic, accurately spaced signals for timekeeping applications. A clock consists of at least three parts: an oscillator, a device that counts the oscillations and converts them to units of time interval (such as seconds, minutes, hours, and days), and a means of displaying or recording the results.
- Cloned Tag : see document
- A tag that is made to be a duplicate of a legitimate tag. A cloned tag can be created by reading data such as an identifier from a legitimate tag and writing that data to a different tag.
- Closed Circuit Television : see document
- closed security environment : see document
- Environment providing sufficient assurance that applications and equipment are protected against the introduction of malicious logic during an information system life cycle. Closed security is based upon a system's developers, operators, and maintenance personnel having sufficient clearances, authorization, and configuration control.
- Closed Source Operating System : see document
- Source code for an operating system is not publicly available.
- closed storage : see document
- The storage of classified information in properly secured General Services Administration-approved security containers.
- Closed System : see document
- A system that is self-contained within an enterprise. Closed systems do not have an inter-enterprise subsystem.
- cloud access security broker : see document
- Cloud Auditor : see document
- A party that can conduct an independent assessment of cloud services, information system operations, performance, and security of the cloud implementation
- Cloud Broker : see document
- An entity that manages the use, performance, and delivery of cloud services and negotiates relationships between Cloud Providers and Cloud Consumers
- Cloud Carrier : see document
- An intermediary that provides connectivity and transport of cloud services from Cloud Providers to Cloud Consumers
- cloud computing : see document
- A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
- A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service Provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models
- Cloud Consumer : see document
- A person or organization that maintains a business relationship with and uses service from Cloud Providers
- cloud infrastructure : see document
- The collection of hardware and software that enables the five essential characteristics of cloud computing. The cloud infrastructure can be viewed as containing both a physical layer and an abstraction layer. The physical layer consists of the hardware resources that are necessary to support the cloud services being provided, and typically includes server, storage and network components. The abstraction layer consists of the software deployed across the physical layer, which manifests the essential cloud characteristics. Conceptually the abstraction layer sits above the physical layer.
- Cloud Native Computing Foundation : see document
- Cloud Provider : see document
- The entity (a person or an organization) responsible for making a service available to interested parties
- Cloud Security Alliance : see document
- Cloud Security Policy Framework : see document
- Cloud Security Rubik’s Cube : see document
- cloud service customer : see document
- Cloud Service Provider : see document
- Cloud workload : see document
- A logical bundle of software and data that is present in, and processed by, a cloud computing technology.
- CloudSPF : see document
- CLR : see document
- CLSI : see document
- Cluster : see document
- A group of contiguous sectors.
- Clustered Regularly Interspaced Short Palindromic Repeats : see document
- CM : see document
- A collection of activities focused on establishing and maintaining the integrity of information technology products and information systems, through control of processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle.
- A collection of activities focused on establishing and maintaining the integrity of products and systems, through control of the processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle.
- cm : see document
- CMaaS : see document
- See Continuous Monitoring as a Service
- CMAC : see document
- Cipher-based Message Authentication Code (as specified in NIST SP 800-38B).
- C-MAC : see document
- CMC : see document
- CMCS : see document
- CMDAUTH : see document
- CMDB : see document
- CMIA : see document
- CMMI : see document
- CMOS : see document
- CMRR : see document
- The Center for Magnetic Recording Research, located at the University of California, San Diego, advances the state-of-the-art in magnetic storage and trains graduate students and postdoctoral professionals (CMRR homepage: http://cmrr.ucsd.edu/).
- CMS : see document
- CMSL : see document
- CMTC : see document
- CMUF : see document
- CMVP : see document
- CMYK : see document
- CN : see document
- An attribute type that is commonly found within a Subject Distinguished Name in an X.500 directory information tree. When identifying machines, it is composed of a fully qualified domain name or IP address.
- CNA : see document
- CNAP : see document
- CNCF : see document
- CND : see document
- CNE : see document
- CNG : see document
- CNI : see document
- CNIC : see document
- CNN : see document
- A class of feed-forward neural networks that include at least one convolutional layer, referred to as CNNs. In convolutional layers, feature detectors (known as kernels or filters) detect specific features across the input data. CNNs are primarily used for processing grid-like data, such as images, and are particularly effective for tasks like image classification, object detection, and image segmentation.
- CNO : see document
- CNP : see document
- CNSS : see document
- CNSS Directive : see document
- CNSSAM : see document
- CNSSD : see document
- CNSSI : see document
- CNSSP : see document
- CO : see document
- COA : see document
- The cryptographic key management system (CKMS) entity that provides overall CKMS data synchronization and system security oversight for an organization or set of organizations.
- A time-phased or situation-dependent combination of risk response measures.
- coalition partner : see document
- A nation in an ad hoc defense arrangement with the United States.
- CoAP : see document
- COBIT : see document
- code : see document
- System of communication in which arbitrary groups of letters, numbers, or symbols represent units of plain text of varying length.
- Computer instructions and data definitions expressed in a programming language or in a form output by an assembler, compiler, or other translator.
- code analysis : see document
- The act of reverse-engineering the malicious program to understand the code that implements the software behavior. For example, when looking at compiled programs, the process involves using a disassembler, a debugger, and perhaps a decompiler to examine the program’s low-level assembly or byte-code instructions. A disassembler converts the instructions from their binary form into the human-readable assembly form. A decompiler attempts to recreate the original source code of the program. A debugger allows the analyst to step through the code, interacting with it, and observing the effects of its instructions to understand its purpose.
- Code Division Multiple Access (CDMA) : see document
- A spread spectrum technology for cellular networks based on the Interim Standard-95 (IS-95) from the Telecommunications Industry Association (TIA).
- code group : see document
- Group of letters, numbers, or both in a code system used to represent a plain text word, phrase, or sentence.
- Code of Federal Regulations : see document
- Code Signing Key : see document
- code vocabulary : see document
- Set of plain text words, numerals, phrases, or sentences for which code equivalents are assigned in a code system.
- codebook : see document
- Document containing plain text and code equivalents in a systematic arrangement, or a technique of machine encryption using a word substitution technique or algorithm that encrypts data in blocks of a specified length.
- Codec : see document
- Coder/decoder, which converts analog voice into digital data and back again, and may also compress and decompress the data for more efficient transmission.
- Coder-Decoder : see document
- Coder/decoder, which converts analog voice into digital data and back again, and may also compress and decompress the data for more efficient transmission.
- COF : see document
- Cofactor Diffie-Hellman : see document
- The cofactor ECC Diffie-Hellman key-agreement primitive.
- COFB : see document
- COG : see document
- Cognitive-based Approach to System Security Assessment : see document
- cognizant security officer/authority : see document
- An entity charged with responsibility for physical, technical, personnel, and information security affecting that organization.
- The single principal designated by a Senior Official of the Intelligence Community (SOIC) to serve as the responsible official for all aspects of security program management concerning the protection of national intelligence, sources and methods, under SOIC responsibility.
- COI : see document
- cold site : see document
- A backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place. The site is ready to receive the necessary replacement computer equipment in the event that the user has to move from their main computing location to an alternate site.
- Collaborative Research and Development Agreement : see document
- Collaborative Research Cycle : see document
- Collaborative Robotic System : see document
- Collateral Damage Potential : see document
- Measures the potential for loss of life or physical assets through damage or theft of property or equipment.
- collateral information : see document
- National security information (including intelligence information) classified Top Secret, Secret, or Confidential that is not in the Sensitive Compartmented Information (SCI) or Special Access Program (SAP) category.
- Collecting and Communicating Audit Trails : see document
- To define and identify security-relevant events and the data to be collected and communicated as determined by policy, regulation, or risk analysis to support identification of those security-relevant events.
- Collection : see document
- The first phase of the computer and network forensics process, which involves identifying, labeling, recording, and acquiring data from the possible sources of relevant data, while following guidelines and procedures that preserve the integrity of the data.
- Collection System : see document
- A system that collects actual state data and compares the collected actual state data to the desired state specification to find security defects.
- Collector : see document
- Typically, an automated sensor that gathers actual state data. Part of the collection system.
- collision : see document
- For a given function, a pair of distinct input values that yield the same output value.
- An event in which two different messages have the same message digest.
- In a given context, the equality of two values, usually out of a large number of possible values.
- An instance of duplicate sample values occurring in a dataset.
- Two or more distinct inputs produce the same output. Also see hash function.
- Collision resistance : see document
- An expected property of a cryptographic hash function whereby it is computationally infeasible to find a collision. See “Collision”.
- An expected property of a hash function whereby it is computationally infeasible to find a collision. See “Collision”.
- COM : see document
- Combined Communications-Electronics Board : see document
- Combined Feedback : see document
- Command and Control : see document
- Command and Control is the exercise of authority and direction by a properly designated commander over assigned and attached forces in the accomplishment of the mission. Command and control functions are performed through an arrangement of personnel, equipment, communications, facilities, and procedures employed by a commander in planning, directing, coordinating, and controlling forces and operations in the accomplishment of the mission.
- The exercise of authority and direction by a properly designated commander over assigned and attached forces in the accomplishment of the mission. Command and control functions are performed through an arrangement of personnel, equipment, communications, facilities, and procedures employed by a commander in planning, directing, coordinating, and controlling forces and operations in the accomplishment of the mission.
- Command Authority : see document
- The command authority is responsible for the appointment of user representatives for a department, agency, or organization and their key and granting of modern (electronic) key ordering privileges for those User Representatives.
- Command Line Interface : see document
- Command Message Authentication Code : see document
- Command, Control, and Communications : see document
- Command, Control, Communications and Computers : see document
- Command, Control, Communications and Intelligence : see document
- Comma-Separated Value : see document
- commercial COMSEC evaluation program (CCEP) : see document
- Relationship between the National Security Agency (NSA) and industry, in which NSA provides the COMSEC expertise (i.e., standards, algorithms, evaluations, and guidance) and industry provides design, development, and production capabilities to produce an NSA-approved product. Products developed under the CCEP may include modules, subsystems, equipment, systems, and ancillary devices.
- Commercial Remote Sensing Regulatory Affairs : see document
- commercial solutions for classified (CSfC) : see document
- A COTS end-to-end strategy and process in which two or more COTS products can be combined into a solution to protect classified information.
- commercial-off-the-shelf (COTS) : see document
- Software and hardware that already exists and is available from commercial sources. It is also referred to as off-the-shelf.
- A software and/or hardware product that is commercially ready-made and available for sale, lease, or license to the general public.
- Hardware and software IT products that are ready-made and available for purchase by the general public.
- Commit-Chain : see document
- A scheme that enables the off-chain processing of transactions by one or more operators with on-chain state update commitments that do not contain per-transaction data.
- Committee Draft : see document
- A Compact Disc (CD) is a class of media from which data are read by optical means.
- Committee of Sponsoring Organizations : see document
- Committee of Sponsoring Organizations of the Treadway Commission : see document
- Committee on National Security Systems : see document
- Committee on National Security Systems Advisory Memorandum : see document
- Committee on National Security Systems Directive : see document
- Committee on National Security Systems Instruction : see document
- Committee on National Security Systems Policy : see document
- commodity service : see document
- An information system service (e.g., telecommunications service) provided by a commercial service provider typically to a large and diverse set of consumers. The organization acquiring and/or receiving the commodity service possesses limited visibility into the management structure and operations of the provider, and while the organization may be able to negotiate service-level agreements, the organization is typically not in a position to require that the provider implement specific security controls.
- A system service provided by a commercial service provider to a large and diverse set of consumers. The organization acquiring or receiving the commodity service possesses limited visibility into the management structure and operations of the provider, and while the organization may be able to negotiate service-level agreements, the organization is typically not able to require that the provider implement specific controls.
- A system service provided by a commercial service provider to a large and diverse set of consumers. The organization acquiring or receiving the commodity service possesses limited visibility into the management structure and operations of the provider, and while the organization may be able to negotiate service-level agreements, the organization is typically not able to require that the provider implement specific security or privacy controls.
- common access card (CAC) : see document
- Standard identification/smart card issued by the Department of Defense (DoD) that has an embedded integrated chip storing public key infrastructure (PKI) certificates.
- Common Attack Pattern Enumeration and Classification : see document
- Common Biometric Exchange Formats Framework : see document
- common carrier : see document
- In a telecommunications context, a telecommunications company that holds itself out to the public for hire to provide communications transmission services.
Note: In the United States, such companies are usually subject to regulation by federal and state regulatory commissions.
- A telecommunications company that holds itself out to the public for hire to provide communications transmission services.
- common configuration enumeration (CCE) : see document
- A nomenclature and dictionary of software security configurations.
- A SCAP specification that provides unique, common identifiers for configuration settings found in a wide variety of hardware and software products.
- common configuration scoring system (CCSS) : see document
- A SCAP specification for measuring the severity of software security configuration issues.
- common control : see document
- A security control that is inherited by one or more organizational information systems.
- A security control that is inheritable by one or more organizational information systems. See Security Control Inheritance.
- A security control or privacy control that is inherited by one or more organizational information systems. See Security Control Inheritance or Privacy Control Inheritance.
- A security control that is inherited by one or more organizational information systems.
See security control inheritance.
- A security or privacy control that is inherited by multiple information systems or programs.
- common control provider : see document
- An organizational official responsible for the development, implementation, assessment, and monitoring of common controls (i.e., security controls inherited by information systems).
- An organizational official responsible for the development, implementation, assessment, and monitoring of common controls (i.e., security controls inheritable by information systems).
- An organizational official responsible for the development, implementation, assessment, and monitoring of common controls (i.e., security controls and privacy controls inherited by information systems).
- An organizational official responsible for the development, implementation, assessment, and monitoring of common controls (i.e., controls inheritable by organizational systems).
- An organizational official responsible for the development, implementation, assessment, and monitoring of common controls (i.e., security or privacy controls inheritable by systems).
- common criteria : see document
- Governing document that provides a comprehensive, rigorous method for specifying security function and assurance requirements for products and systems.
- A set of internationally accepted semantic tools and constructs for describing the security needs of customers and the security attributes of products.
- Common Criteria Evaluation and Validation Scheme : see document
- Common Event Format : see document
- common fill device (CFD) : see document
- A COMSEC item used to transfer or store key in electronic form or to insert key into cryptographic equipment.
- Common Gateway Interface : see document
- Common Industrial Protocol : see document
- Common Internet File System : see document
- Common Language Runtime : see document
- Common Name : see document
- An attribute type that is commonly found within a Subject Distinguished Name in an X.500 directory information tree. When identifying machines, it is composed of a fully qualified domain name or IP address.
- Common Object Request Broker Architecture : see document
- common platform enumeration (CPE) : see document
- A nomenclature and dictionary of hardware, operating systems, and applications.
- A SCAP specification that provides a standard naming convention for operating systems, hardware, and applications for the purpose of providing consistent, easily parsed names that can be shared by multiple parties and solutions to refer to the same specific platform type.
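The "consistent, easily parsed names" in the entry above have a fixed shape in CPE 2.3: the formatted-string binding is `cpe:2.3:` followed by eleven colon-separated attributes (part, vendor, product, version, update, edition, language, sw_edition, target_sw, target_hw, other), where an unescaped `*` means ANY, `-` means NOT APPLICABLE, and a backslash quotes special characters such as a colon inside a value. The following parser and matcher are an added example, not code from the CPE specification or from any SCAP tool; the sample names are constructed for it, and wildcards inside a text value are deliberately not interpreted (an assumption that keeps the matcher small).

```python
from typing import Dict, List

ATTRIBUTES = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")
ANY = "*"   # logical value ANY: the attribute is unconstrained
NA = "-"    # logical value NOT APPLICABLE


def _split_fields(name: str) -> List[str]:
    """Split on ':' while keeping backslash-escaped characters (e.g. '\\:')
    attached to their field, so an escaped colon does not start a new field."""
    fields, cur, i = [], [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            cur.append(name[i:i + 2])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def _unquote(raw: str) -> str:
    """Remove backslash quoting: '\\:' -> ':', '\\*' -> '*', and so on."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(raw[i + 1])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def parse_cpe23(name: str) -> Dict[str, str]:
    """Unbind a CPE 2.3 formatted string into its eleven attributes.
    Values are the logical constants ANY ('*') and NA ('-') or unquoted,
    lower-cased text."""
    fields = _split_fields(name)
    if len(fields) != 2 + len(ATTRIBUTES) or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % name)
    parsed = {}
    for attr, raw in zip(ATTRIBUTES, fields[2:]):
        if raw in (ANY, NA):
            parsed[attr] = raw          # unescaped '*' / '-' are logical values
        elif raw == "":
            raise ValueError("empty %s attribute in %r" % (attr, name))
        else:
            parsed[attr] = _unquote(raw).lower()
    if parsed["part"] not in ("a", "h", "o", ANY, NA):
        raise ValueError("part must be a (application), h (hardware) or o (OS)")
    return parsed


def matches(pattern: str, target: str) -> bool:
    """True if `target` (a concrete platform name) falls within `pattern`:
    ANY in the pattern accepts any value, NA only NA, and text only the
    same text. Wildcards inside a text value are not interpreted here
    (an assumption that keeps the example small)."""
    p, t = parse_cpe23(pattern), parse_cpe23(target)
    return all(p[a] == ANY or p[a] == t[a] for a in ATTRIBUTES)


if __name__ == "__main__":
    # Constructed sample names used only to show the syntax.
    host = "cpe:2.3:a:openbsd:openssh:9.6:p1:*:*:*:*:*:*"
    print(parse_cpe23(host)["version"])                                  # 9.6
    print(matches("cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*", host))    # True
    print(parse_cpe23(r"cpe:2.3:a:acme:my\:product:1.0:-:*:*:*:*:*:*")["product"])  # my:product
```

Splitting before unquoting matters: a quoted `\:` must stay inside its attribute, and a quoted `\*` must become a literal asterisk rather than the logical value ANY, which is why `parse_cpe23` tests the raw token against `*` and `-` before calling `_unquote`.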
- common secure configuration : see document
- Recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. These benchmarks are also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, and security technical implementation guides.
- A recognized standardized and established benchmark (e.g., National Checklist Program, DISA STIGs, CIS Benchmarks, etc.) that stipulates specific secure configuration settings for a given IT platform.
- A recognized standardized and established benchmark that stipulates specific secure configuration settings for a given information technology platform.
- Common Security Control : see document
- Security control that can be applied to one or more agency information systems and has the following properties: (i) the development, implementation, and assessment of the control can be assigned to a responsible official or organizational element (other than the information system owner); and (ii) the results from the assessment of the control can be used to support the security certification and accreditation processes of an agency information system where that control has been applied.
- common services provider (CSP) : see document
- A federal organization that provides National Security System-Public Key Infrastructure (NSS-PKI) support to other federal organizations, academia and industrial partners requiring classified NSS-PKI support but without their own self-managed infrastructures.
- Common Tier 1 : see document
- common user application software (CUAS) : see document
- User application software developed to run on top of the local COMSEC management software (LCMS) on the local management device/key processor (LMD/KP).
- common vulnerabilities and exposures (CVE) : see document
- A list of entries, each containing an identification number, a description, and at least one public reference, for publicly known CS vulnerabilities.
- An SCAP specification that provides unique, common names for publicly known information system vulnerabilities.
- A dictionary of common names for publicly known information system vulnerabilities.
- A list of entries, each containing a unique identification number, a description, and at least one public reference, for publicly known cybersecurity vulnerabilities [CVENVD]. This list feeds the National Vulnerability Database (NVD).
- Common Vulnerabilities and Exposures identifiers : see document
- An identifier for a specific software flaw defined within the official CVE Dictionary and that conforms to the CVE specification.
- Common Vulnerability Enumeration : see document
- common vulnerability scoring system (CVSS) : see document
- A system for measuring the relative severity of software flaw vulnerabilities.
- An SCAP specification for communicating the characteristics of vulnerabilities and measuring their relative severity.
- common weakness enumeration (CWE) : see document
- A taxonomy for identifying the common sources of software flaws (e.g., buffer overflows, failure to check input data).
- A list of known poor coding practices that may be present in software [CWE].
- Common Weakness Scoring System : see document
- Communicate-P (Function) : see document
- Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks.
- Communicating group : see document
- A set of communicating entities that employ cryptographic services and need cryptographic keying relationships to enable cryptographically protected communications.
- Communications : see document
- The actions and associated activities that are used to exchange information, provide instructions, give details, etc. In the context of this paper, communications refers to the full range of activities involved with providing information to support the secure use of IoT devices. Communications include using such tools as phone calls, emails, user guides, in-person classes, instruction manuals, webinars, written instructions, videos, quizzes, frequently asked questions (FAQ) documents, and any other type of tool for such information exchanges.
- communications cover : see document
- Result of measures used to obfuscate message externals to resist traffic analysis.
- communications deception : see document
- Deliberate transmission, retransmission, or alteration of communications to mislead an adversary's interpretation of the communications.
- Communications Module : see document
- The sub-component of a Smart Meter responsible for AMI communications between Smart Meters in the field and the Network Management System. The Communications Module may or may not be a separate electronic element, and/or may include the HAN Interface.
- Communications Router : see document
- A communications device that transfers messages between two networks. Common uses for routers include connecting a LAN to a WAN, and connecting MTUs and RTUs to a long-distance network medium for SCADA communication.
- Communications Satellite : see document
- communications security : see document
- A component of Information Assurance that deals with measures and controls taken to deny unauthorized persons information derived from telecommunications and to ensure the authenticity of such telecommunications. COMSEC includes cryptographic security, transmission security, emissions security, and physical security of COMSEC material.
- A component of CS that deals with measures and controls taken to deny unauthorized persons information derived from telecommunications and to ensure the authenticity of such telecommunications. COMSEC includes cryptographic security, transmission security, emissions security, and physical security of COMSEC material and information.
- Communications Security Establishment : see document
- Communications Security, Reliability and Interoperability Council : see document
- Community cloud : see document
- The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
- Community Enterprise Operating System : see document
- community of interest (COI) : see document
- A collaborative group of users (working at the appropriate security level or levels) who exchange information in pursuit of their shared goals, interests, missions, or business processes, and must have a shared vocabulary for the information exchanged. The group exchanges information within and between systems.
- Community of Practice : see document
- community risk : see document
- Probability that a particular vulnerability will be exploited within an interacting population and adversely impact some members of that population.
- Compact Disc Read-Only Memory : see document
- Compact Disc-Recordable : see document
- A Compact Disc Recordable (CD-R) is a CD that can be written on only once but read many times. Also known as WORM.
- Compact Flash : see document
- Comparison : see document
- Estimation, calculation, or measurement of similarity or dissimilarity between biometric probe(s) and biometric reference(s).
- The process of comparing a biometric with a previously stored reference. See also “Identification” and “Identity Verification”.
- compartmentalization : see document
- A nonhierarchical grouping of information used to control access to data more finely than with hierarchical security classification alone.
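The entry above is easiest to see as an access decision: a label carries one hierarchical level plus a set of compartments, and a subject's clearance dominates an object's label only when its level is at least the object's level and it holds every compartment the object carries. The code below is an added example, not from the glossary; the level ordering and the compartment names are constructed for it. It shows the finer control the entry describes: a subject cleared at the highest level is still refused an object in a compartment it has not been read into.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Hierarchical levels (constructed ordering for the example).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    """A security label: one hierarchical level plus a set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown level {self.level!r}")


def deny_reason(subject: Label, obj: Label) -> str:
    """Empty string if `subject` dominates `obj` (may read it), otherwise a
    human-readable reason suitable for an audit log."""
    if LEVELS[subject.level] < LEVELS[obj.level]:
        return f"level {subject.level!r} is below {obj.level!r}"
    missing = obj.compartments - subject.compartments
    if missing:
        return "not read into compartment(s) " + ", ".join(sorted(missing))
    return ""


def dominates(subject: Label, obj: Label) -> bool:
    """Level high enough AND every compartment on the object held by the subject."""
    return deny_reason(subject, obj) == ""


if __name__ == "__main__":
    ts_plain = Label("top secret")
    s_alpha = Label("secret", frozenset({"ALPHA"}))
    print(deny_reason(ts_plain, s_alpha))   # not read into compartment(s) ALPHA
    print(dominates(Label("secret", frozenset({"ALPHA", "BRAVO"})), s_alpha))  # True
```

Because compartments compare as sets rather than as ranks, two labels can be incomparable (each holds a compartment the other lacks); that is exactly what makes the grouping nonhierarchical.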
- Compatible security domains : see document
- Two Security Domains are compatible if they can exchange a key and its metadata without violating (or altering) either domain’s FCKMS security policy.
- compensating controls : see document
- Alternative controls to the normative controls for the assessed and selected xALs of an organization based on that organization’s mission, risk tolerance, business processes, risk assessments, and considerations for the privacy, usability, and customer experience of the populations served by the online service.
- The security and privacy controls implemented in lieu of the controls in the baselines described in NIST Special Publication 800-53 that provide equivalent or comparable protection for a system or organization.
- The security and privacy controls employed in lieu of the controls in the baselines described in NIST Special Publication 800-53B that provide equivalent or comparable protection for a system or organization.
- compensating security control : see document
- A management, operational, and/or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system.
- The security controls employed in lieu of the recommended controls in the security control baselines described in NIST Special Publication 800-53 and CNSS Instruction 1253 that provide equivalent or comparable protection for an information system or organization.
- The management, operational, and technical controls (i.e., safeguards or countermeasures) employed by an organization in lieu of the recommended controls in the low, moderate, or high baselines described in NIST SP 800-53, that provide equivalent or comparable protection for an information system.
- The management, operational, and technical controls (i.e., safeguards or countermeasures) employed by an organization in lieu of the recommended controls in the low, moderate, or high baselines described in NIST Special Publication 800-53, that provide equivalent or comparable protection for an information system.
- Competency : see document
- A mechanism for organizations to assess learners.
- An individual’s ability to complete a task or tasks within the context of a work role.
- A competency is a measurable pattern of knowledge, skills, abilities, behaviors, and other characteristics that an individual needs to perform work roles or occupational functions successfully. Competencies specify the “how” of performing job tasks, or what the person needs to do the job successfully.
- The capability of applying or using knowledge, skills, abilities, behaviors, and personal characteristics to successfully perform critical work tasks, specific functions, or operate in a given role or position.
- competency area : see document
- A cluster of related Knowledge and Skill statements that correlates with one’s capability to perform Tasks in a particular domain. Competency Areas can help learners discover areas of interest, inform career planning and development, identify gaps for knowledge and skills development, and provide a means of assessing or demonstrating a learner’s capabilities in the domain.
- competent security official : see document
- Any cognizant security authority or person designated by the cognizant security authority.
- Competition for Authenticated Encryption: Security, Applicability, and Robustness : see document
- Complementary Error Function : see document
- The complementary error function erfc(z) is defined in Section 5.5.3. This function is related to the normal cdf.
- Complementary Metal Oxide Semiconductor : see document
- complex system : see document
- A system in which there are non-trivial relationships between cause and effect: each effect may be due to multiple causes; each cause may contribute to multiple effects; causes and effects may be related as feedback loops, both positive and negative; and cause-effect chains are cyclic and highly entangled rather than linear and separable.
- Compliance audit : see document
- A comprehensive review of an organization's adherence to governing documents such as whether a Certification Practice Statement satisfies the requirements of a Certificate Policy and whether an organization adheres to its Certification Practice Statement.
- Compliance Mapping : see document
- The process of correlating CCE settings defined in a source data stream with the security control identifiers defined in [NIST SP 800-53 Rev. 4].
- Component Object Model : see document
- Component schema : see document
- The schema for an SCAP component specification (e.g. XCCDF, CPE, CVSS). Within this document, this term is distinct from “OVAL component schema”, which is defined by the OVAL specification.
- Component specification : see document
- One of the individual specifications that comprises SCAP.
- Component Test : see document
- A test of individual hardware and software components or groups of related components.
- composed commercial solution : see document
- Two or more commercial Information Assurance (IA) products layered together to address the security requirements of an operational use case according to National Security Agency (NSA) guidance. A composed solution, once approved by NSA, may take the place of a single certified Government-off-the-Shelf (GOTS) IA product to provide the confidentiality and/or other security services necessary to protect National Security Systems.
- Comprehensive Test : see document
- A test of all systems and components that support a particular IT plan, such as a contingency plan or computer security incident response plan.
- comprehensive testing : see document
- A test methodology that assumes explicit and substantial knowledge of the internal structure and implementation detail of the assessment object.
- A test methodology that assumes explicit and substantial knowledge of the internal structure and implementation detail of the assessment object. Also known as white box testing.
- See Comprehensive Testing.
- White box testing (also known as clear box testing, glass box testing, transparent box testing, and structural testing) is a method of testing software that tests the internal structures or workings of an application, as opposed to its functionality (i.e., black-box testing).
- Compressed File : see document
- A file reduced in size through the application of a compression algorithm, commonly performed to save disk space. The act of compressing a file makes it unreadable to most programs until the file is uncompressed.
- A file reduced in size through the application of a compression algorithm, commonly performed to save disk space. The act of compressing a file makes it unreadable to most programs until the file is uncompressed. The most common compression utilities are PKZIP and WinZip, which produce files with a .zip extension.
- Compression Ratio Info-leak Made Easy : see document
- compromise : see document
- A judgment, based on the preponderance of the evidence, that a disclosure of information to unauthorized persons or a violation of the security policy for a system in which unauthorized, intentional or unintentional disclosure, modification, destruction, or loss of an object has occurred.
- The disclosure of classified data to persons not authorized to receive that data.
- The unauthorized disclosure, modification or use of sensitive data (e.g., keying material and other security-related information).
- The unauthorized disclosure, modification, substitution, or use of sensitive data (e.g., keys, metadata, or other security-related information) or the unauthorized modification of a security-related system, device or process in order to gain unauthorized access.
- To reduce the trust associated with a key, its metadata, a system, device or process.
- Disclosure of information to unauthorized persons, or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object may have occurred.
- The unauthorized disclosure, modification, substitution or use of sensitive data (e.g., keying material and other security-related information).
- The unauthorized disclosure, modification, substitution, or use of sensitive data (e.g., keying material and other security related information).
- The unauthorized disclosure, modification, substitution, or use of sensitive information (e.g., a secret key, private key or secret metadata).
- The unauthorized disclosure, modification, substitution, or use of sensitive data (e.g., a secret key, private key, or secret metadata).
- The unauthorized disclosure, modification, substitution or use of sensitive key information (e.g., a secret key, private key, or secret metadata).
- The unauthorized disclosure, modification, or use of sensitive data (e.g., keying material and other security-related information).
- Compromise recovery : see document
- The procedures and processes of restoring a system, device or process that has been compromised back to a secure or trusted state, including destroying compromised keys, replacing compromised keys (as needed), and verifying the secure state of the recovered system.
- compromised key list (CKL) : see document
- The set of Key Material Identification Numbers (KMIDs) of all keys in a universal that have been reported compromised. Cryptographic devices will not establish a secure connection with equipment whose KMID is on the CKL.
- A list of named keys that are known or suspected of being compromised.
- Compromised state : see document
- A lifecycle state for a key that is known or suspected of being known by an unauthorized entity.
- A key state to which a key is transitioned when there is a suspicion or confirmation of the key’s compromise.
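The entries for compromise recovery, the compromised key list and the compromised state (above) describe one lifecycle: a key moves into "compromised" on suspicion or confirmation, its identifier is published so that peers stop accepting it, the key is destroyed and a replacement activated, and the recovered state is verified. The state machine below is an added example, not from the glossary or any NIST publication; its transition table and its rule that a compromised key is trusted for no use at all are simplified assumptions for the example, and the "KMID-…" identifiers are constructed.

```python
from enum import Enum
from typing import Dict, FrozenSet, Set


class KeyState(Enum):
    PRE_ACTIVATION = "pre-activation"
    ACTIVE = "active"
    SUSPENDED = "suspended"
    DEACTIVATED = "deactivated"
    COMPROMISED = "compromised"
    DESTROYED = "destroyed"


# Allowed transitions (assumed, simplified): compromise is reachable from every
# state except destroyed; nothing leaves destroyed.
TRANSITIONS: Dict[KeyState, FrozenSet[KeyState]] = {
    KeyState.PRE_ACTIVATION: frozenset({KeyState.ACTIVE, KeyState.COMPROMISED, KeyState.DESTROYED}),
    KeyState.ACTIVE: frozenset({KeyState.SUSPENDED, KeyState.DEACTIVATED, KeyState.COMPROMISED}),
    KeyState.SUSPENDED: frozenset({KeyState.ACTIVE, KeyState.DEACTIVATED, KeyState.COMPROMISED}),
    KeyState.DEACTIVATED: frozenset({KeyState.COMPROMISED, KeyState.DESTROYED}),
    KeyState.COMPROMISED: frozenset({KeyState.DESTROYED}),
    KeyState.DESTROYED: frozenset(),
}


class ManagedKey:
    def __init__(self, key_id: str):
        self.key_id = key_id
        self.state = KeyState.PRE_ACTIVATION

    def transition(self, new_state: KeyState) -> None:
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.key_id}: {self.state.value} -> {new_state.value} not allowed")
        self.state = new_state

    def may_protect(self) -> bool:
        """Apply protection (encrypt, sign, MAC): only an active key."""
        return self.state is KeyState.ACTIVE

    def may_process(self) -> bool:
        """Process already-protected data (decrypt, verify): active or
        deactivated keys. A compromised key is refused every use here
        (a stricter rule than some policies allow; an assumption)."""
        return self.state in (KeyState.ACTIVE, KeyState.DEACTIVATED)


class CompromisedKeyList:
    """Identifiers of keys reported compromised; consulted before trusting a peer."""
    def __init__(self):
        self._ids: Set[str] = set()

    def report(self, key: ManagedKey) -> None:
        """Mark the key compromised and publish its identifier."""
        key.transition(KeyState.COMPROMISED)
        self._ids.add(key.key_id)

    def __contains__(self, key_id: str) -> bool:
        return key_id in self._ids


def accept_peer(peer_key_id: str, ckl: CompromisedKeyList) -> bool:
    """A device refuses a secure connection with equipment whose key
    identifier is on the CKL (the behaviour described for KMIDs above)."""
    return peer_key_id not in ckl


def recover_from_compromise(old: ManagedKey, replacement: ManagedKey,
                            ckl: CompromisedKeyList) -> ManagedKey:
    """Compromise recovery: list the compromised key, destroy it, activate the
    replacement, and verify the recovered state before handing it back."""
    if old.state is not KeyState.COMPROMISED:
        ckl.report(old)
    old.transition(KeyState.DESTROYED)
    replacement.transition(KeyState.ACTIVE)
    if old.may_protect() or old.may_process() or not replacement.may_protect():
        raise RuntimeError("recovery did not reach a secure state")
    return replacement


if __name__ == "__main__":
    ckl = CompromisedKeyList()
    k1 = ManagedKey("KMID-0001")        # constructed identifier
    k1.transition(KeyState.ACTIVE)
    print(accept_peer("KMID-0001", ckl))   # True
    ckl.report(k1)
    print(accept_peer("KMID-0001", ckl))   # False
    k2 = recover_from_compromise(k1, ManagedKey("KMID-0002"), ckl)
    print(k1.state.value, k2.state.value)  # destroyed active
```

The CKL and the state machine have to agree: a key that is destroyed is still kept on the list, because the peer that holds a copy of it does not know it was destroyed and will keep offering it.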
- compromising emanations : see document
- Unintentional signals that, if intercepted and analyzed, would disclose the information transmitted, received, handled, or otherwise processed by telecommunications or information systems equipment.
- COMPUSEC : see document
- computation tree logic : see document
- Computed Tomography : see document
- Computer : see document
- A device that accepts digital data and manipulates the information based on a program or sequence of instructions for how data is to be processed.
- computer abuse : see document
- Intentional or reckless misuse, alteration, disruption, or destruction of information processing resources.
- Computer and Financial Investigations : see document
- Computer Crime and Intellectual Property Section : see document
- computer cryptography : see document
- Use of a crypto-algorithm program by a computer to authenticate or encrypt/decrypt information.
- Computer Emergency Readiness Team : see document
- Computer Emergency Response Team : see document
- Computer Emergency Response Team/Coordination Center : see document
- Computer Forensic Reference Data Sets : see document
- Computer Forensic Tool Testing : see document
- computer forensics : see document
- In its strictest connotation, the application of computer science and investigative procedures involving the examination of digital evidence, following proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possibly expert testimony.
- Computer Forensics Reference Data Sets : see document
- Computer Forensics Research and Development Center : see document
- Computer Forensics Tool Testing : see document
- Computer Incident Response Capability : see document
- Computer Incident Response Center : see document
- computer incident response team (CIRT) : see document
- Group of individuals usually consisting of Security Analysts organized to develop, recommend, and coordinate immediate mitigation actions for containment, eradication, and recovery resulting from computer security incidents. Also called a Computer Security Incident Response Team (CSIRT) or a CIRC (Computer Incident Response Center, Computer Incident Response Capability, or Cyber Incident Response Team).
- Group of individuals usually consisting of security analysts organized to develop, recommend, and coordinate immediate mitigation actions for containment, eradication, and recovery resulting from computer security incidents. Also called a Cyber Incident Response Team, Computer Security Incident Response Team (CSIRT) or a CIRC (Computer Incident Response Center or Computer Incident Response Capability).
- Computer Information Security Officer : see document
- Computer Integrated Manufacturing : see document
- computer network attack (CNA) : see document
- An attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.
- Actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.
Note: Within DoD, Joint Publication 3-13, "Information Operations," 27 November 2012, approved the removal of the terms and definitions of computer network attack (CNA), computer network defense (CND), computer network exploitation, and computer network operations (CNO) from JP 1-02, "Department of Defense Dictionary of Military and Associated Terms." This term and definition is no longer published in JP 1-02. That publication is the primary terminology source when preparing correspondence, including policy, strategy, doctrine, and planning documents. The terms are no longer used in issuances being updated within DoD. Following publication of JP 3-12, "Cyberspace Operations," JP 1-02 provides new terms and definitions such as cyberspace, cyberspace operations, cyberspace superiority, defensive cyberspace operation response action, defensive cyberspace operations, Department of Defense information network operations, and offensive cyberspace operations.
- computer network defense (CND) : see document
- Actions taken within protected cyberspace to defeat specific threats that have breached or are threatening to breach cyberspace security measures and include actions to detect, characterize, counter, and mitigate threats, including malware or the unauthorized activities of users, and to restore the system to a secure configuration.
- Actions taken to defend against unauthorized activity within computer networks. CND includes monitoring, detection, analysis (such as trend and pattern analysis), and response and restoration activities.
Note: Within DoD, the term was approved for deletion from JP 1-02 (DoD Dictionary) by issuance of JP 3-13, "Information Operations." It has been replaced by "cyberspace defense," used in JP 3-12, "Cyberspace Operations." Original source of the term was JP 1-02 (DoD Dictionary).
- computer network exploitation (CNE) : see document
- Actions taken in cyberspace to gain intelligence, maneuver, collect information, or perform other enabling actions required to prepare for future military operations.
- Enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary information systems or networks.
Note: Within the Department of Defense (DoD), the term was approved for deletion from JP 1-02 (DoD Dictionary). Original source of the term was JP 1-02 (DoD Dictionary). The military no longer uses this term to describe these operations, but it is still used outside of military operations.
- computer network operations (CNO) : see document
- The employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace.
- Comprised of computer network attack, computer network defense, and related computer network exploitation enabling operations.
Note: Within the Department of Defense (DoD), the term was approved for deletion from JP 1-02 (DoD Dictionary). It has been replaced by "cyberspace operations," used in JP 3-12, "Cyberspace Operations." Original source of the term was JP 1-02 (DoD Dictionary).
- Computer Numerical Control : see document
- Computer Security Division : see document
- Computer Security Incident : see document
- An occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.
- An occurrence that results in actual or potential jeopardy to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. See cyber incident. See also event, security-relevant, and intrusion.
- An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.
- An occurrence that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
- An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of a system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
- Anomalous or unexpected event, set of events, condition, or situation at any time during the life cycle of a project, product, service, or system.
- Computer Security Log Management : see document
- Log management for computer security log data only.
- computer security object : see document
- A resource, tool, or mechanism used to maintain a condition of security in a computerized environment. These objects are defined in terms of attributes they possess, operations they perform or are performed on them, and their relationship with other objects.
- Information object used to maintain a condition of security in computerized environments. Examples are: representations of computer or communications systems resources, security label semantics, modes of operation for cryptographic algorithms, and one-way hashing functions.
- Computer Security Resource Center : see document
- computer security subsystem : see document
- Hardware/software designed to provide computer security features in a larger system environment.
- Computer System Security and Privacy Advisory Board : see document
- Computer-aided Dispatch : see document
- computerized telephone system (CTS) : see document
- A generic term used to describe any telephone system that uses centralized stored program computer technology to provide switched telephone networking features and/or VoIP services.
- A generic term used to describe any telephone system that uses centralized stored program computer technology to provide switched telephone networking features and services. CTSs are referred to commercially by such terms as: computerized private branch exchange (CPBX); private branch exchange (PBX); private automatic branch exchange (PABX); electronic private automatic branch exchange (EABX); computerized branch exchange (CBX); computerized key telephone systems (CKTS); hybrid key systems; business communications systems; and office communications systems.
- Computing Device : see document
- A functional unit that can perform substantial computations, including numerous arithmetic operations and logic operations without human intervention. A computing device can consist of a standalone unit or several interconnected units. It can also be a device that provides a specific set of functions, such as a phone or a personal organizer, or more general functions such as a laptop or desktop computer.
- A machine (real or virtual) for performing calculations automatically (including, but not limited to, computers, servers, routers, switches, etc.).
- computing environment : see document
- Workstation or server (host) and its operating system, peripherals, and applications.
- COMSAT : see document
- COMSEC : see document
- COMSEC account : see document
- An administrative entity identified by an account number, used to maintain accountability, custody and control of COMSEC material.
- COMSEC account audit : see document
- Inventory and reconciliation of the holdings, records, and procedures of a COMSEC account ensuring all accountable COMSEC material is properly handled and safeguarded. An audit must include an administrative review of procedures, a 100% sighting of all TOP SECRET keying material marked CRYPTO (both physical and electronic) to include hand receipt holders, and a random sampling of all other applicable material (including other keying material, classified and unclassified COMSEC equipment on hand in the account, and on hand receipt).
- COMSEC account manager : see document
- An individual designated by proper authority to be responsible for the receipt, transfer, accountability, safeguarding, and destruction of COMSEC material assigned to a COMSEC account. This applies to both primary accounts and subaccounts. The equivalent key management infrastructure (KMI) position is the KMI operating account (KOA) manager.
- Individual designated by proper authority to be responsible for the receipt, transfer, accounting, safeguarding, and destruction of COMSEC material assigned to a COMSEC account.
Rationale: Term has been replaced by the term “COMSEC account manager”.
- Individual who manages the COMSEC resources of an organization.
Rationale: The more accurate and used term is “COMSEC account manager”.
- COMSEC aids : see document
- All COMSEC material other than equipment or devices, which assist in securing telecommunications and is required in the production, operation, and maintenance of COMSEC systems and their components. Some examples are: COMSEC keying material, and supporting documentation, such as operating and maintenance manuals.
- COMSEC assembly : see document
- Group of parts, elements, subassemblies, or circuits that are removable items of COMSEC equipment.
Rationale: The term falls under the broader term “COMSEC material”.
- COMSEC boundary : see document
- Definable perimeter encompassing all hardware, firmware, and software components performing critical COMSEC functions, such as key generation, handling, and storage.
Rationale: The term falls under the broader term “COMSEC material”.
- COMSEC chip set : see document
- Collection of NSA approved microchips.
Rationale: The term falls under the broader term “COMSEC material”.
- COMSEC control program : see document
- Computer instructions or routines controlling or affecting the externally performed functions of key generation, key distribution, message encryption/decryption, or authentication.
Rationale: The term falls under the broader term “COMSEC material”.
- COMSEC custodian : see document
- An individual designated by proper authority to be responsible for the receipt, transfer, accountability, safeguarding, and destruction of COMSEC material assigned to a COMSEC account. This applies to both primary accounts and subaccounts. The equivalent key management infrastructure (KMI) position is the KMI operating account (KOA) manager.
- Individual designated by proper authority to be responsible for the receipt, transfer, accounting, safeguarding, and destruction of COMSEC material assigned to a COMSEC account.
Rationale: Term has been replaced by the term “COMSEC account manager”.
- COMSEC demilitarization : see document
- The process of preparing National Security System equipment for disposal by extracting all CCI, classified, or CRYPTO-marked components for their secure destruction, as well as defacing and disposing of the remaining equipment hulk.
- Process of preparing COMSEC equipment for disposal by extracting all controlled cryptographic item (CCI), classified, or CRYPTO marked components for their secure destruction, as well as defacing and disposing of the remaining equipment hulk.
Rationale: Demilitarize is the proper term and does not apply solely to COMSEC.
- COMSEC element : see document
- Removable item of COMSEC equipment, assembly, or subassembly; normally consisting of a single piece or group of replaceable parts.
Rationale: The term falls under the broader term “COMSEC material”.
- COMSEC emergency : see document
- A tactical operational situation, as perceived by the responsible person/officer in charge, in which the alternative to strict compliance with procedural restrictions affecting use of a COMSEC equipment would be plain text communication.
- COMSEC end-item : see document
- Equipment or combination of components ready for use in a COMSEC application.
- COMSEC equipment : see document
- Equipment designed to provide security to telecommunications by converting information to a form unintelligible to an unauthorized interceptor and, subsequently, by reconverting such information to its original form for authorized recipients; also, equipment designed specifically to aid in, or as an essential element of, the conversion process. COMSEC equipment includes cryptographic-equipment, crypto-ancillary equipment, cryptographic production equipment, and authentication equipment.
- COMSEC facility : see document
- The space used for generating, storing, repairing, or using COMSEC material. The COMSEC material may be in either physical or electronic form. Unless otherwise noted, the term "COMSEC facility" refers to all types of COMSEC facilities, including telecommunications facilities, and includes platforms such as ships, aircraft, and vehicles.
- COMSEC incident : see document
- Any occurrence that potentially jeopardizes the security of COMSEC material or the secure transmission of national security information. COMSEC Incident includes Cryptographic Incident, Personnel Incident, Physical Incident, and Protective Technology/Package Incident.
- COMSEC Incident Monitoring Activity : see document
- The office within a department or agency maintaining a record of COMSEC incidents caused by elements of that department or agency, and ensuring all actions required of those elements are completed.
- COMSEC insecurity : see document
- A COMSEC incident that has been investigated, evaluated, and determined to jeopardize the security of COMSEC material or the secure transmission of information.
- COMSEC manager : see document
- An individual designated by proper authority to be responsible for the receipt, transfer, accountability, safeguarding, and destruction of COMSEC material assigned to a COMSEC account. This applies to both primary accounts and subaccounts. The equivalent key management infrastructure (KMI) position is the KMI operating account (KOA) manager.
- Individual who manages the COMSEC resources of an organization.
Rationale: The more accurate and used term is “COMSEC account manager”.
- COMSEC material : see document
- Item(s) designed to secure or authenticate telecommunications. COMSEC material includes, but is not limited to key, equipment, modules, devices, documents, hardware, firmware, or software that embodies or describes cryptographic logic and other items that perform COMSEC functions. This includes Controlled Cryptographic Item (CCI) equipment, Cryptographic High Value Products (CHVP) and other Commercial National Security Algorithm (CNSA) equipment, etc.
- COMSEC material control system : see document
- The logistics and accounting system through which COMSEC material marked CRYPTO is distributed, controlled, and safeguarded. Included are the COMSEC central offices of record (COR), cryptologistic depots, and COMSEC accounts. COMSEC material other than key may be handled through the CMCS. Electronic Key Management System (EKMS) and Key Management Infrastructure (KMI) are examples of tools used by the CMCS to accomplish its functions.
- COMSEC module : see document
- Removable component that performs COMSEC functions in a telecommunications equipment or system.
Rationale: The term falls under the broader term “COMSEC material”.
- COMSEC monitoring : see document
- The act of listening to, copying, or recording transmissions of one's own official telecommunications to provide material for analysis in order to determine the degree of security being provided to those transmissions.
- COMSEC profile : see document
- Statement of COMSEC measures and materials used to protect a given operation, system, or organization.
Rationale: No known reference for this term.
- COMSEC service authority : see document
- COMSEC software : see document
- Includes all types of COMSEC material, except key, in electronic or physical form. This includes all classifications of unencrypted software, and all associated data used to design, create, program, or run that software. It also includes all types of source/executable/object code and associated files that implement, execute, embody, contain, or describe cryptographic mechanisms, functions, capabilities, or requirements. COMSEC software also includes transmission security (TRANSEC) software and may include any software used for purposes of providing confidentiality, integrity, authentication, authorization, or availability services to information in electronic form.
- COMSEC survey : see document
- Organized collection of COMSEC and communications information relative to a given operation, system, or organization.
Rationale: No known reference for this term.
- COMSEC system data : see document
- Information required by a COMSEC equipment or system to enable it to properly handle and control key.
Rationale: No known reference for this term.
- COMSEC training : see document
- Teaching of skills relating to COMSEC accounting and the use of COMSEC aids.
- CONAUTH : see document
- Concatenation : see document
- The concatenation of bit strings <i>A</i> and <i>B.</i>
- As used in this Recommendation, the concatenation <i>X</i> || <i>Y</i> of bit string <i>X</i> followed by bit string <i>Y</i> is the ordered sequence of bits formed by appending <i>Y</i> to <i>X</i> in such a way that the leftmost (i.e., initial) bit of <i>Y</i> follows the rightmost (i.e., final) bit of <i>X</i>.
- The concatenation of two bit strings <i>X</i> and <i>Y</i>.
- The concatenation of bit strings <i>X</i> and <i>Y</i>.
- Concatenation; e.g. A || B is the concatenation of bit strings A and B.
- The concatenation of binary strings A and B.
- Concatenation operation; for example, a || b means that string b is appended after string a.
- For strings X and Y, X || Y is the concatenation of X and Y. For example, 11001 || 010 = 11001010.
- Concatenation of two bit strings X and Y.
- Concatenation of two strings X and Y.
- Concatenation of two strings X and Y. X and Y are either both bit strings or both byte strings.
- concept crosswalk : see document
- A concept relationship style that identifies that a relationship exists between two concepts without any additional characterization of that relationship.
- An OLIR that indicates relationships between pairs of elements without additional characterization of those relationships.
- concept mapping : see document
- An indication that one concept is related to another concept.
- Depiction of how data from one information source maps to data from another information source.
- concept of operations : see document
- Verbal and graphic statement, in broad outline, of an organization’s assumptions or intent in regard to an operation or series of operations of new, modified, or existing organizational systems.
- Verbal and graphic statement of an organization’s assumptions or intent in regard to an operation or series of operations of a specific system or a related set of specific new, existing, or modified systems.
- See security concept of operations.
- A security-focused description of a system, its operational policies, classes of users, interactions between the system and its users, and the system’s contribution to the operational mission.
Note 1: The security concept of operations may address security for other life cycle concepts associated with the deployed system. These include, for example, concepts for sustainment, logistics, maintenance, and training.
Note 2: Security concept of operations is not the same as concept for secure function. Concept for secure function addresses the design philosophy for the system and is intended to achieve a system that is able to be used in a trustworthy secure manner. The security concept of operations must be consistent with the concept for secure function.
- concept of secure function : see document
- A strategy for the achievement of secure system function that embodies the preemptive and reactive protection capabilities of the system.
- A strategy for achievement of secure system function that embodies proactive and reactive protection capability of the system.
Note 1: This strategy strives to prevent, minimize, or detect the events and conditions that can lead to the loss of an asset and the resultant adverse impact; prevent, minimize, or detect the loss of an asset or adverse asset impact; continuously deliver system capability at some acceptable level despite the impact of threats or uncertainty; and recover from an adverse asset impact to restore full system capability or to recover to some acceptable level of system capability.
Note 2: The concept of secure function is adapted from historical and other secure system concepts such as Philosophy of Protection, Theory of Design and Operation, and Theory of Compliance.
- concept relationship style : see document
- An explicitly defined convention for characterizing relationships for a use case.
- An explicitly defined convention for characterizing relationships for a use case. OLIR supports three concept relationship styles: concept crosswalk, set theory relationship mapping, and supportive relationship mapping.
- concept source : see document
- A document or other resource that contains definitions of concepts.
- concept system : see document
- A “set of concepts structured in one or more related domains according to the concept relations among its concepts.”
- concept type : see document
- A category of concepts found within a particular domain.
- concern : see document
- Matter of interest or importance to a stakeholder.
- concern (system) : see document
- Interest in a system relevant to one or more of its stakeholders.
- Concise Binary Object Representation : see document
- Condition coverage : see document
- The percentage of conditions within decision expressions that have been evaluated to both true and false. Note that 100% condition coverage does not guarantee 100% decision coverage. For example, if “if (A || B) {do something} else {do something else}” is tested with [0 1] and [1 0], then A and B will each have been evaluated to both 0 and 1, but the else branch will not be taken because neither test leaves both A and B false.
- conditioning function : see document
- A deterministic function used to reduce bias and/or improve the entropy per bit.
- Confidential Compute Architecture : see document
- Confidential Computing : see document
- Hardware-enabled features that isolate and process encrypted data in memory so that the data is at less risk of exposure and compromise from concurrent workloads or the underlying system and platform.
- Confidentiality Impact : see document
- Measures the potential impact on confidentiality of a successfully exploited misuse vulnerability. Confidentiality refers to limiting information access and disclosure and system access to only authorized users, as well as preventing access by, or disclosure to, unauthorized parties.
- Confidentiality Key : see document
- Confidentiality Mode : see document
- A mode that is used to encipher plaintext and decipher ciphertext. The confidentiality modes in this recommendation are the ECB, CBC, CFB, OFB, and CTR modes.
- confidentiality, integrity, availability : see document
- C = Confidentiality assurance, I = Integrity assurance, A = Availability assurance
- Configurable : see document
- A characteristic of a system, device, or software that allows it to be changed by an entity authorized to select or reject specific capabilities to be included in an operational, configured version.
- configuration : see document
- A collection of an item's descriptive and governing characteristics, which can be expressed in functional terms - i.e., what performance the item is expected to achieve - and in physical terms - i.e., what the item should look like and consist of when it is built. Represents the requirements, design, and implementation that define a particular version of a system or system component.
- Step in system design; for example, selecting functional units, assigning their locations, and defining their interconnections.
- The possible conditions, parameters, and specifications with which an information system or system component can be described or arranged.
- The selection of one of the sets of possible combinations of features of a system.
- “The possible conditions, parameters, and specifications with which an information system or system component can be described or arranged.” The Device Configuration capability does not define which configuration settings should exist, simply that a mechanism to manage configuration settings exists.
- The possible conditions, parameters, and specifications with which an information system or system component can be described or arranged. The Device Configuration capability does not define which configuration settings should exist, simply that a mechanism to manage configuration settings exists.
- configuration baseline : see document
- A documented set of specifications for an information system, or a configuration item within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures.
- A set of specifications for a system, or Configuration Item (CI) within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes.
- See Baseline Configuration.
- configuration control : see document
- Process for controlling modifications to hardware, firmware, software, and documentation to protect the information system against improper modifications before, during, and after system implementation.
- Process for controlling modifications to hardware, firmware, software, and documentation to ensure that the information system is protected against improper modifications before, during, and after system implementation.
- Process for controlling modifications to hardware, firmware, software, and documentation to ensure the information system is protected against improper modifications before, during, and after system implementation.
- Process of controlling modifications to hardware, firmware, software, and documentation to protect the information system against improper modifications prior to, during, and after system implementation.
- Process for controlling modifications to hardware, firmware, software, and documentation to protect the system against improper modifications before, during, and after system implementation.
- configuration control board (CCB) : see document
- A group of qualified people with responsibility for the process of regulating and approving changes to hardware, firmware, software, and documentation throughout the development and operational life cycle of an information system.
- Establishment of and charter for a group of qualified people with responsibility for the process of controlling and approving changes throughout the development and operational lifecycle of products and systems; may also be referred to as a change control board.
- Configuration Control Review Board : see document
- configuration item : see document
- An aggregation of information system components that is designated for configuration management and treated as a single entity in the configuration management process.
- An aggregation of system components that is designated for configuration management and treated as a single entity in the configuration management process.
- An item or aggregation of hardware or software or both that is designed to be managed as a single entity. Configuration items may vary widely in complexity, size and type, ranging from an entire system including all hardware, software and documentation, to a single module, a minor hardware component or a single software package.
- Item or aggregation of hardware, software, or both, that is designated for configuration management and treated as a single entity in the configuration management process.
- configuration management : see document
- A management process for establishing and maintaining consistency of a product's performance, functional, and physical attributes with its requirements, design and operational information throughout its life.
- A collection of activities focused on establishing and maintaining the integrity of information technology products and information systems, through control of processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle.
- A collection of activities focused on establishing and maintaining the integrity of information technology products and systems, through control of processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle.
- A collection of activities focused on establishing and maintaining the integrity of products and systems, through control of the processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle.
- A collection of activities focused on establishing and maintaining the integrity of information technology products and systems through the control of processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle.
- Configuration Management Database : see document
- configuration management plan : see document
- A comprehensive description of the roles, responsibilities, policies, and procedures that apply when managing the configuration of products and systems.
- Configuration Payload : see document
- configuration settings : see document
- The set of parameters that can be changed in hardware, software, or firmware that affect the security posture and/or functionality of the information system.
- The set of parameters that can be changed in hardware, software, and/or firmware that affect the security posture and/or functionality of the information system.
- The set of parameters that can be changed in hardware, software, or firmware that affect the security posture and/or functionality of the system.
- The set of parameters that can be changed in hardware, software, or firmware that affect the security posture or functionality of the system.
- Configuration Settings Management : see document
- An ISCM capability that identifies configuration settings (Common Configuration Enumerations [CCEs]) on devices that are likely to be used by attackers to compromise a device and use it as a platform from which to extend compromise to the network.
- See Capability, Configuration Settings Management.
- Confirmed : see document
- State of a transaction or block when consensus has been reached about its status of inclusion into the blockchain.
- Conflict : see document
- One or more participants disagree on the state of the system.
- conflict of interest : see document
- Conflict resolution : see document
- A predefined method for coming to a consensus on the state of the system. For example, when portions of the system participants claim there is State_A and the rest of the participants claim there is State_B, there is a conflict. The system will automatically resolve this conflict by choosing the “valid” state as being the one from whichever group adds the next block of data. Any transactions “lost” by the state not chosen are added back into the pending transaction pool.
- Confluent Hypergeometric Function : see document
- The confluent hypergeometric function is defined as
$$\Phi(a;b;z) = \frac{\Gamma(b)}{\Gamma(a)\,\Gamma(b-a)} \int_0^1 e^{zt}\, t^{a-1} (1-t)^{b-a-1}\, dt, \qquad 0 < a < b$$
- Conformance Testing : see document
- A process established by NIST within its responsibilities of developing, promulgating, and supporting a FIPS for testing specific characteristics of components, products, services, people, and organizations for compliance with the FIPS.
- A process established by NIST within its responsibilities of developing, promulgating, and supporting FIPS for testing specific characteristics of components, products, and services, as well as people and organizations for compliance with a FIPS.
- Conformance Testing Methodology : see document
- Conformity Assessment : see document
- Demonstration that specified requirements are fulfilled.
- Activity that provides demonstration that specified requirements relating to a product, process, system, person, or body are fulfilled.
- Connection Signature Resolving Key : see document
- CONOP : see document
- Consensus Audit Guidelines : see document
- Consensus model : see document
- A process to achieve agreement within a distributed system on the valid state. Also known as a consensus algorithm, consensus mechanism, or consensus method.
- A process to achieve agreement within a distributed system on the valid state.
- consent banner : see document
- See security banner (also known as notice and consent banner).
- 1. A persistent visible window on a computer monitor that displays the highest level of data accessible during the current session.
- 2. The opening screen that informs users of the implications of accessing a computer resource (e.g. consent to monitor).
- consequence : see document
- Effect (change or non-change), usually associated with an event or condition or with the system and usually allowed, facilitated, caused, prevented, changed, or contributed to by the event, condition, or system.
- Consequence-Driven Cyber-Informed Engineering : see document
- Console : see document
- A visually oriented input and output device used to interact with a computational resource.
- Consortium : see document
- A group of organizations or individuals with the objective of mutualizing resources for achieving a common goal (e.g., operating a consortium blockchain).
- Consortium for Information & Software Quality : see document
- Constrained Application Protocol : see document
- constraints : see document
- Limitation on the system, its design, its implementation, or the process used to develop or modify a system.
- Limitation that restricts the design solution, implementation, or execution of the system.
- Access Control rules or confinements that describe the access privileges of resources for subjects.
- Factors that impose restrictions and limitations on the system or actual limitations associated with the use of the system.
- Consultative Committee for Space Data Systems : see document
- Consumer Infrared : see document
- consumer IoT product : see document
- IoT products that are intended for personal, family, or household use.
- Consumer Technology Association : see document
- consumer-grade router device : see document
- Networking devices that are primarily intended for residential use and can be installed by the customer. Routers forward data packets, most commonly Internet Protocol (IP) packets, between networked systems.
- consumer-grade router product : see document
- Consumer-grade router device and any additional product components (e.g., backend, smartphone application) that are necessary to use the consumer-grade router device beyond basic operational features.
- Consuming Application : see document
- The application (including middleware) that uses random numbers or bits obtained from an approved random bit generator.
- An application that uses the output from an approved random bit generator.
- Contagion Research Center : see document
- Container : see document
- A method for packaging and securely running an application within an application virtualization environment. Also known as an application container or a server application container.
- Container Network Interface : see document
- Container runtime : see document
- The environment for each container; comprised of binaries coordinating multiple operating system components that isolate resources and resource usage for running containers.
- Container Runtime Interface : see document
- Container Storage Interface : see document
- Container-as-a-Service : see document
- Container-specific operating system : see document
- A minimalistic host operating system explicitly designed to only run containers.
- contamination : see document
- Security incident that results in the transfer of classified information onto an information system not authorized to store or process that information.
- Content Addressable Storage : see document
- Content consumer : see document
- A product that accepts existing SCAP source data stream content, processes it, and produces SCAP result data streams.
- Content Delivery Networks : see document
- Content Generator : see document
- A program on a Web server that will dynamically generate HyperText Markup Language (HTML) pages for users. Content generators can range from simple Common Gateway Interface (CGI) scripts executed by the Web server to Java EE or .NET application servers in which most—if not all—HTML pages served are dynamically generated.
- Content producer : see document
- A product that generates SCAP source data stream content.
- content signing certificate : see document
- A certificate issued for the purpose of digitally signing information (content) to confirm the author and guarantee that the content has not been altered or corrupted since it was signed by use of a cryptographic hash.
- Content Type : see document
- The form of the checklist content in terms of the degree of automation and standardization. Examples include Prose, Automated, and SCAP Content.
- contested cyber environment : see document
- An environment in which APT actors, competing entities, and entities with similar resource needs contend for control or use of cyber resources.
- Context : see document
- The circumstances surrounding the system's processing of PII.
- The environment in which the enterprise operates and is influenced by the risks involved.
- context handler : see document
- Executes the workflow logic that defines the order in which policy and attributes are retrieved and enforced.
- Context of Use : see document
- The purpose for which PII is collected, stored, used, processed, disclosed, or disseminated.
- Users, tasks, equipment (hardware, software and materials), and the physical and social environments in which a product is used.
- contingency key : see document
- Key held for use under specific operational conditions or in support of specific contingency plans.
- contingency plan : see document
- 2. A written plan for recovering one or more information systems at an alternate facility in response to a major hardware or software failure or destruction of facilities.
- Management policy and procedures used to guide an enterprise response to a perceived loss of mission capability. The Contingency Plan is the first plan used by the enterprise risk managers to determine what happened, why, and what to do. It may point to the continuity of operations plan (COOP) or disaster recovery plan (DRP) for major disruptions.
- Management policy and procedures used to guide an enterprise response to a major loss of enterprise capability or damage to its facilities. The DRP is the second plan needed by the enterprise risk managers and is used when the enterprise must recover (at its original facilities) from a loss of capability over a period of hours or days.
- A plan that is maintained for disaster response, backup operations, and post-disaster recovery to ensure the availability of critical resources and to facilitate the continuity of operations in an emergency situation.
- Contingency Planning : see document
- See Information System Contingency Plan.
- The development of a contingency plan.
- continuity : see document
- The probability that the specified PNT system performance will be maintained for the duration of a phase of operation, presuming that the PNT system was available at the beginning of that phase of operation.
- continuity of government (COG) : see document
- A coordinated effort within the Federal Government's executive branch to ensure that national essential functions continue to be performed during a catastrophic emergency.
- Continuity of Operations : see document
- continuity of operations plan (COOP) : see document
- A predetermined set of instructions or procedures that describe how an organization’s mission-essential functions will be sustained within 12 hours and for up to 30 days as a result of a disaster event before returning to normal operations.
- 2. A written plan for recovering one or more information systems at an alternate facility in response to a major hardware or software failure or destruction of facilities.
- Management policy and procedures used to guide an enterprise response to a major loss of enterprise capability or damage to its facilities. The DRP is the second plan needed by the enterprise risk managers and is used when the enterprise must recover (at its original facilities) from a loss of capability over a period of hours or days.
- A predetermined set of instructions or procedures that describe how an organization’s mission essential functions will be sustained within 12 hours and for up to 30 days as a result of a disaster event before returning to normal operations.
- Continuous Asset Evaluation, Situational Awareness, and Risk Scoring : see document
- continuous authority to operate : see document
- Continuous Data Protection : see document
- continuous delivery/continuous deployment : see document
- Continuous Diagnostics and Mitigation (CDM) : see document
- See Continuous Diagnostics and Mitigation.
- A Congressionally established program to provide adequate, risk-based, and cost-effective cybersecurity assessments and more efficiently allocate cybersecurity resources targeted at federal civilian organizations.
- continuous integration and continuous deployment : see document
- continuous monitoring : see document
- Maintaining ongoing awareness to support organizational risk decisions.
See information security continuous monitoring, risk monitoring, and status monitoring.
- Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
- Use of automated procedures to ensure security controls are not circumvented or the use of these tools to track actions taken by subjects suspected of misusing the information system.
- Maintaining ongoing awareness to support organizational risk decisions.
See Information Security Continuous Monitoring, Risk Monitoring, and Status Monitoring.
- Continuous Monitoring as a Service : see document
- See Continuous Monitoring as a Service.
- continuous monitoring program : see document
- A program established to collect information in accordance with preestablished metrics, utilizing information readily available in part through implemented security controls. Note: Privacy and security continuous monitoring strategies and programs can be the same or different strategies and programs.
- Continuous Threat Detection : see document
- Contract : see document
- A mutually binding legal relationship obligating the seller to furnish the supplies or services (including construction) and the buyer to pay for them. It includes all types of commitments that obligate the Government to an expenditure of appropriated funds and that, except as otherwise authorized, are in writing. In addition to bilateral instruments, contracts include (but are not limited to) awards and notices of awards; job orders or task letters issued under basic ordering agreements; letter contracts; orders, such as purchase orders, under which the contract becomes effective by written acceptance or performance; and bilateral contract modifications. Contracts do not include grants and cooperative agreements covered by 31 U.S.C. 6301, et seq.
- Contract administration office : see document
- An office that performs— (1) Assigned post-award functions related to the administration of contracts; and (2) Assigned pre-award functions.
- Contracting Officer Representative : see document
- Control Algorithm : see document
- A mathematical representation of the control action to be performed.
- Control and Provisioning of Wireless Access Points : see document
- Control and Status : see document
- control assessment : see document
- An evidence-based evaluation and judgement on the nature, characteristics, quality, effectiveness, intent, impact, or capabilities of an item, organization, group, policy, activity, or person.
- The action of evaluating, estimating, or judging against defined criteria. Different types of assessment (i.e., qualitative, quantitative, and semi-quantitative) are used to assess risk. Some types of assessment yield results.
- See Security Control Assessment.
- See control assessment or risk assessment.
- The testing or evaluation of the controls in an information system or an organization to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security or privacy requirements for the system or the organization.
- See security control assessment or risk assessment.
- A completed or planned action of evaluation of an organization, a mission or business process, or one or more systems and their environments; or
- The vehicle or template or worksheet that is used for each evaluation.
- control assessment report : see document
- Documentation of the results of security and privacy control assessments, including information based on assessor findings and recommendations for correcting deficiencies in the implemented controls.
- See control assessment report.
- control assessor : see document
- The individual, group, or organization responsible for conducting a control assessment. See assessor.
- control baseline : see document
- Hardware, software, databases, and relevant documentation for an information system at a given point in time.
- Formally approved version of a configuration item, regardless of media, formally designated and fixed at a specific time during the configuration item’s life cycle.
- Hardware, software, and relevant documentation for an information system at a given point in time.
- The set of controls that are applicable to information or an information system to meet legal, regulatory, or policy requirements, as well as address protection needs for the purpose of managing risk.
- Predefined sets of controls specifically assembled to address the protection needs of groups, organizations, or communities of interest. See privacy control baseline or security control baseline.
- The set of security and privacy controls defined for a low-impact, moderate-impact, or high-impact system or selected based on the privacy selection criteria that provide a starting point for the tailoring process.
- Formally approved version of a configuration item, regardless of media, formally designated and fixed at a specific time during the configuration item's life cycle.
Note: The engineering process generates many artifacts that are maintained as a baseline over the course of the engineering effort and after its completion. The configuration control processes of the engineering effort manage baselined artifacts. Examples include stakeholder requirements baseline, system requirements baseline, architecture/design baseline, and configuration baseline.
- Control Cell : see document
- A central location for exercise coordination, typically in a separate area from the exercise participants.
- control correlation identifier (CCI) : see document
- Decomposition of a National Institute of Standards and Technology (NIST) control into a single, actionable, measurable statement.
- control designation : see document
- The process of assigning a control to one of three control types: common, hybrid, or system-specific.
- control effectiveness : see document
- A measure of whether a given control is contributing to the reduction of information security or privacy risk.
- A measure of whether a security or privacy control contributes to the reduction of information security or privacy risk.
- control enhancement : see document
- Augmentation of a control to build in additional, but related, functionality to the control; increase the strength of the control; or add assurance to the control.
- Augmentation of a security or privacy control to build in additional but related functionality to the control, increase the strength of the control, or add assurance to the control.
- Control Group : see document
- control inheritance : see document
- A situation in which a system or application receives protection from controls (or portions of controls) that are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the system or application; entities either internal or external to the organization where the system or application resides.
- A situation in which a system or application receives protection from security or privacy controls (or portions of controls) that are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the system or application; entities either internal or external to the organization where the system or application resides. See common control.
- Control Item : see document
- See Security Control Item.
- All or part of a SP 800-53 security control requirement, expressed as a statement for implementation and assessment. Both controls and control enhancements are treated as control items. Controls and control enhancements are further subdivided if multiple security requirements within the control or control enhancement in SP 800-53 are in listed format: a, b, c, etc.
- Control Objectives for Information and Related Technologies : see document
- Control of Interaction Frequency : see document
- control parameter : see document
- See organization-defined parameter.
- See organization-defined control parameter.
- The variable part of a control or control enhancement that can be instantiated by an organization during the tailoring process by either assigning an organization-defined value or selecting a value from a pre-defined list provided as part of the control or control enhancement.
- The variable part of a control or control enhancement that is instantiated by an organization during the tailoring process by either assigning an organization-defined value or selecting a value from a predefined list provided as part of the control or control enhancement. See assignment operation and selection operation.
- controlled : see document
- The online repository of information and policy regarding how authorized holders of CUI should handle such information.
Note: The Controlled Unclassified Information (CUI) Registry: (i) identifies all categories and subcategories of information that require safeguarding or dissemination controls consistent with law, regulation, and Government-wide policies; (ii) provides descriptions for each category and subcategory; (iii) identifies the basis for safeguarding and dissemination controls; (iv) contains associated markings and applicable safeguarding, disseminating, and (v) specifies CUI that may be originated only by certain executive branch agencies and organizations. The CUI Executive Agent is the approval authority for all categories/subcategories of information identified as CUI in the CUI Registry, and only those categories/subcategories listed are considered CUI.
- controlled access area : see document
- The complete building or facility area under direct physical control within which unauthorized persons are denied unrestricted access and are either escorted by authorized personnel or are under continuous physical or electronic surveillance.
- Controlled Access Program Coordination Office : see document
- controlled access protection : see document
- Minimum set of security functionality that enforces access control on individual users and makes them accountable for their actions through login procedures, auditing of security-relevant events, and resource isolation.
- controlled area : see document
- Any area or space for which the organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information and/or information system.
- Any area or space for which the organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information or system.
- Any area or space for which an organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information and/or information system.
- controlled cryptographic item (CCI) : see document
- Secure telecommunications or information system, or associated cryptographic component, that is unclassified and handled through the COMSEC material control system (CMCS), an equivalent material control system, or a combination of the two that provides accountability and visibility. Such items are marked “Controlled Cryptographic Item”, or, where space is limited, “CCI”.
- controlled cryptographic item (CCI) assembly : see document
- A device approved by the National Security Agency (NSA) as a controlled cryptographic item, that embodies a cryptographic logic or other cryptographic design, and performs the entire COMSEC function, but is dependent upon the host equipment to operate.
- A device approved by the National Security Agency as a controlled cryptographic item that embodies a cryptographic logic or other cryptographic design. A CCI component does not perform the entire COMSEC function, and is dependent upon a host equipment or assembly to complete and operate the COMSEC function.
- controlled cryptographic item (CCI) component : see document
- A device approved by the National Security Agency (NSA) as a controlled cryptographic item, that embodies a cryptographic logic or other cryptographic design, and performs the entire COMSEC function, but is dependent upon the host equipment to operate.
- A device approved by the National Security Agency as a controlled cryptographic item that embodies a cryptographic logic or other cryptographic design. A CCI component does not perform the entire COMSEC function, and is dependent upon a host equipment or assembly to complete and operate the COMSEC function.
- controlled cryptographic item (CCI) equipment : see document
- A telecommunications or information handling equipment that embodies a CCI component or CCI assembly and performs the entire COMSEC function without dependence on host equipment to operate.
- controlled interface : see document
- A boundary with a set of mechanisms that enforces the security policies and controls the flow of information between interconnected information systems.
- An interface to a system with a set of mechanisms that enforces the security policies and controls the flow of information between connected systems.
- controlled reception patterned antenna : see document
- controlled space : see document
- Three-dimensional space surrounding information system equipment, within which unauthorized individuals are denied unrestricted access and are either escorted by authorized individuals or are under continuous physical or electronic surveillance.
- controlled unclassified information (CUI) : see document
- Information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
- A categorical designation that refers to unclassified information that does not meet the standards for National Security Classification under Executive Order 12958, as amended, but is (i) pertinent to the national interests of the United States or to the important interests of entities outside the federal government, and (ii) under law or policy requires protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination.
- Information that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
- Information that the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.
- Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information (see paragraph (e) of this section) or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify.
- A categorical designation that refers to unclassified information that does not meet the standards for National Security Classification under Executive Order 12958, as amended, but is (i) pertinent to the national interests of the United States or to the important interests of entities outside the federal government, and (ii) under law or policy requires protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination. Henceforth, the designation CUI replaces Sensitive But Unclassified (SBU).
- Controlled Variable : see document
- The variable that the control system attempts to keep at the set point value. The set point may be constant or variable.
- Controller : see document
- A device or program that operates automatically to regulate a controlled variable.
- A functional exercise staff member who monitors, manages, and controls exercise activity to meet established objectives.
- Controller Area Network : see document
- controlling authority (CONAUTH) : see document
- The official responsible for directing the operation of a cryptonet using traditional key and for managing the operational use and control of keying material assigned to the cryptonet.
- controlling domain : see document
- The domain that assumes the greater risk and thus enforces the most restrictive policy.
- Control-P (Function) : see document
- Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.
- controls : see document
- Policies, procedures, guidelines, practices, or organizational structures that manage security, privacy, and other risks.
- Conventional BIOS : see document
- Legacy boot firmware used in many x86-compatible computer systems. Also known as the legacy BIOS.
- Conversation : see document
- Where Web services maintain some state during an interaction that involves multiple messages or participants.
- convolutional neural networks : see document
- A class of feed-forward neural networks that include at least one convolutional layer, referred to as CNNs. In convolutional layers, feature detectors (known as kernels or filters) detect specific features across the input data. CNNs are primarily used for processing grid-like data, such as images, and are particularly effective for tasks like image classification, object detection, and image segmentation.
- COO : see document
- cookie : see document
- A piece of state information supplied by a web server to a browser that is temporarily stored and returned to the server on any subsequent visits or requests.
- A piece of state information supplied by a Web server to a browser, in a response for a requested resource, for the browser to store temporarily and return to the server on any subsequent visits or requests.
- A small file that stores information for a Web site.
- A small file that stores information for a Web site on a user’s computer.
- A character string, placed in a web browser’s memory, which is available to websites within the same Internet domain as the server that placed them in the web browser.
Cookies are used for many purposes and may be assertions or may contain pointers to assertions. See Section 9.1.1 for more information.
- COOP : see document
- cooperative key generation (CKG) : see document
- Electronically exchanging functions of locally generated, random components, from which both terminals of a secure circuit construct traffic encryption key or key encryption key for use on that circuit. See per-call key.
- cooperative remote rekeying : see document
- Synonymous with manual remote rekeying.
- Procedure by which a distant crypto-equipment is rekeyed electronically, with specific actions required by the receiving terminal operator. Synonymous with cooperative remote rekeying. See automatic remote rekeying.
- Cooperative Research and Development Agreement : see document
- Coordinated Universal Time : see document
- Coordination : see document
- Refers to the building, from a set of Web services, of something at a higher level, typically itself exposed as a larger Web service. Also referred to as “Composability.” Choreography and orchestration are two approaches to coordination.
- COP : see document
- CoP : see document
- COPE : see document
- COPPA : see document
- Copy (data) : see document
- To replicate data in another location while maintaining it in its original location.
- COR : see document
- The entity that keeps records of accountable COMSEC material held by COMSEC accounts subject to its oversight.
- CORBA : see document
- Core : see document
- A set of privacy protection activities and outcomes. The Framework Core comprises three elements: Functions, Categories, and Subcategories.
- core attributes : see document
- The set of identity attributes that the CSP has determined and documented to be required for identity proofing and to provide services.
- Core Baseline : see document
- A set of device cybersecurity capabilities and non-technical supporting capabilities needed to support common cybersecurity controls that protect the customer’s devices and device data, systems, and ecosystems.
- A set of technical device capabilities needed to support common cybersecurity controls that protect the customer’s devices and device data, systems, and ecosystems.
- Core Root of Trust for Measurement (CRTM) : see document
- The first piece of BIOS code that executes on the main processor during the boot process. On a system with a Trusted Platform Module, the CRTM is implicitly trusted to bootstrap the process of building a measurement chain for subsequent attestation of other firmware and software that is executed on the computer system.
- Core Root of Trust for Verification : see document
- Core Software : see document
- An organizationally defined set of software that, at a minimum, includes firmware and root operating system elements used to boot the system. Core software merits specialized monitoring as it may be difficult for commonly used whitelisting software to check.
- Core Specification Addendum : see document
- Core Specification Addendum 5 : see document
- Corporate-Owned Personally-Enabled (COPE) : see document
- A device owned by an enterprise and issued to an employee. Both the enterprise and the employee can install applications onto the device.
- correct re-identifications : see document
- Putative re-identifications that correctly infer an individual's identity and associated data.
- correctness proof : see document
- Formal technique used to prove mathematically that a computer program satisfies its specified requirements.
- Correlation : see document
- Finding relationships between two or more log entries.
- Correlation Power Analysis : see document
- CORS : see document
- COSO : see document
- Cost/Benefit Analysis : see document
- CoT : see document
- A method for maintaining valid trust boundaries by applying a principle of transitive trust, where each software module in a system boot process is required to measure the next module before transitioning control.
- See “authentication chain.”
- COTR : see document
- COTS : see document
- A product that is commercially available.
- Software and hardware that already exists and is available from commercial sources. It is also referred to as off-the-shelf.
- Hardware and software IT products that are ready-made and available for purchase by the general public.
- Counter : see document
- Counter Mode : see document
- Counter mode for a block cipher algorithm : see document
- Counter Mode with Cipher Block Chaining (CBC) Message Authentication Code (MAC) Protocol : see document
- counterfeit : see document
- An unauthorized copy or substitute that has been identified, marked, and/or altered by a source other than the item's legally authorized source and has been misrepresented to be an authorized item of the legally authorized source.
- counterintelligence : see document
- Information gathered and activities conducted to identify, deceive, exploit, disrupt, or protect against espionage, other intelligence activities, sabotage, or assassinations conducted for or on behalf of foreign powers, organizations, or persons, or their agents, or international terrorist organizations or activities.
- Information gathered and activities conducted to protect against espionage, other intelligence activities, sabotage, or assassinations conducted by or on behalf of foreign governments or elements thereof, foreign organizations, or foreign persons, or international terrorist activities.
- The term 'counterintelligence' means information gathered and activities conducted to protect against espionage, other intelligence activities, sabotage, or assassinations conducted by or on behalf of foreign governments or elements thereof, foreign organizations, or foreign persons, or international terrorist activities.
- countermeasures : see document
- Any action, device, procedure, technique, or other measure that reduces the vulnerability of or threat to a system.
- Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system.
- Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices.
- Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. Synonymous with security controls and safeguards.
- Protective measures prescribed to meet the security objectives (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management controls, personnel security, and security of physical structures, areas, and devices. Synonymous with security controls and countermeasures.
- The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
- A safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements.
- The protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. Synonymous with security controls and countermeasures.
- The safeguards or countermeasures prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information.
- Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of a system. Synonymous with security controls and safeguards.
- counting query : see document
- A query that counts the number of rows in a dataset with a particular property.
- Country-code Top-level Domain : see document
- courier : see document
- A duly authorized and trustworthy individual who has been officially designated to transport/carry material, and if the material is classified, is cleared to the level of material being transported.
- Course of Action : see document
- A time-phased or situation-dependent combination of risk response measures.
- cover (TRANSEC) : see document
- Result of measures used to obfuscate message externals to resist traffic analysis.
- coverage : see document
- The surface area or space volume in which the signals are adequate to permit the user to determine a position to a specified level of accuracy. Coverage is influenced by system geometry, signal power levels, receiver sensitivity, atmospheric noise conditions, and other factors that affect signal availability.
- An attribute associated with an assessment method that addresses the scope or breadth of the assessment objects included in the assessment (e.g., types of objects to be assessed and the number of objects to be assessed by type). The values for the coverage attribute, hierarchically from less coverage to more coverage, are basic, focused, and comprehensive.
- Cover-Coding : see document
- A technique to reduce the risks of eavesdropping by obscuring the information that is transmitted. The EPCglobal Class-1 Generation-2 and ISO/IEC 18000-6C standards use cover-coding to obscure certain transmissions from readers to tags. A more detailed description of how cover-coding is used in these two standards can be found in Section 5.3.2.1 on cover-coding.
- covert channel : see document
- An unintended or unauthorized intra-system channel that enables two cooperating entities to transfer information in a way that violates the system's security policy but does not exceed the entities' access authorizations.
- covert channel analysis : see document
- Analysis of the ability of an insider to exfiltrate data based on the design of a security device.
- Determination of the extent to which the security policy model and subsequent lower-level program descriptions may allow unauthorized access to information.
- covert storage channel : see document
- Covert channel involving the direct or indirect writing to a storage location by one process and the direct or indirect reading of the storage location by another process. Covert storage channels typically involve a finite resource (e.g., sectors on a disk) that is shared by two subjects at different security levels.
- A system feature that enables one system entity to signal information to another entity by directly or indirectly writing a storage location that is later directly or indirectly read by the second entity.
- A system feature that enables one system entity to signal information to another entity by directly or indirectly writing to a storage location that is later directly or indirectly read by the second entity.
- Covert Testing : see document
- Testing performed using covert methods and without the knowledge of the organization’s IT staff, but with full knowledge and permission of upper management.
- covert timing channel : see document
- Covert channel in which one process signals information to another process by modulating its own use of system resources (e.g., central processing unit time) in such a way that this manipulation affects the real response time observed by the second process.
- A system feature that enables one system entity to signal information to another by modulating its own use of a system resource in such a way as to affect system response time observed by the second entity. See: covert channel.
- A system feature that enables one system entity to signal information to another by modulating its own use of a system resource in such a way as to affect system response time observed by the second entity.
- COW : see document
- CP : see document
- A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements. For example, a particular CP might indicate applicability of a type of certificate to the authentication of parties engaging in business-to-business transactions for the trading of goods or services within a given price range.
- A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements. For example, a particular certificate policy might indicate applicability of a type of certificate to the authentication of electronic data interchange transactions for the trading of goods within a given price range.
- See Information System Contingency Plan.
- A named set of rules that indicate the applicability of a certificate to a particular community and/or class of applications with common security requirements.
- CP Assist for Cryptographic Functions : see document
- CPA : see document
- CP-ABE : see document
- CPACF : see document
- CPE : see document
- CPE Attribute Comparison : see document
- The first phase of CPE name matching, where a matching engine compares each of the A-V pairs of a source CPE name to the corresponding A-V pair of a target name in order to specify one of four possible logical attribute comparison relations for each attribute in a CPE name.
- CPE Dictionary : see document
- A repository of identifier CPE names (WFNs in bound form) and associated metadata.
- CPE Name : see document
- An identifier for a unique uniform resource identifier (URI) assigned to a specific platform type that conforms to the CPE specification.
- CPE Name Comparison : see document
- The second phase of CPE name matching, where the individual attribute comparison results from the first phase are analyzed as a collection to determine an overall comparison result for the two names. The result of a name comparison is the identification of the relationship between a source CPE name and target CPE name.
- CPE Name Matching : see document
- A one-to-one source-to-target comparison of CPE names. CPE name matching has two phases
- CPIC : see document
- CPLP : see document
- CPNI : see document
- CPO : see document
- A senior official designated by the head of each agency to have agency-wide responsibilities for privacy, including the implementation of privacy protections; compliance with federal laws, regulations, and policies related to privacy; the management of privacy risks at the agency; and a central policy-making role in the agency’s development and evaluation of legislative, regulatory, and other policy proposals.
- See Senior Agency Official for Privacy.
- CPRT : see document
- CPS : see document
- A statement of the practices which a Certification Authority employs in issuing certificates.
- A statement of the practices that a Certification Authority employs in issuing and managing public key certificates.
- CPSO : see document
- CPSSP : see document
- CPU : see document
- CR : see document
- CRADA : see document
- Cradle : see document
- A docking station, which creates an interface between a user’s PC and PDA and enables communication and battery recharging.
- A docking station, which creates an interface between a user’s PC and PDA, and enables communication and battery recharging.
- CRAM : see document
- CRC : see document
- A method to ensure data has not been altered after being sent through a communication channel.
- CRD : see document
- Create, Read : see document
- Create, Read, Update, Delete : see document
- Creating Helpful Incentives to Produce Semiconductors : see document
- CREDC : see document
- credential : see document
- Evidence attesting to one’s right to credit or authority. In this Standard, it is the PIV Card or derived PIV credential associated with an individual that authoritatively binds an identity (and, optionally, additional attributes) to that individual.
- An object or data structure that authoritatively binds an identity - via an identifier or identifiers - and (optionally) additional attributes, to at least one authenticator possessed and controlled by a subscriber.
- An object or data structure that authoritatively binds an identity — via an identifier — and (optionally) additional attributes to at least one authenticator that is possessed and controlled by a subscriber. A credential is issued, stored, and maintained by the CSP. Copies of information from the credential can be possessed by the subscriber, typically in the form of one or more digital certificates that are often contained in an authenticator along with their associated private keys.
- 2. Evidence attesting to one’s right to credit or authority.
- 3. An object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token processed and controlled by a Subscriber.
- 1. Evidence or testimonials that support a claim of identity or assertion of an attribute and usually are intended to be used more than once.
- An object or data structure that authoritatively binds an identity - via an identifier or identifiers - and (optionally) additional attributes, to at least one authenticator possessed and controlled by a subscriber. While common usage often assumes that the subscriber maintains the credential, these guidelines also use the term to refer to electronic records maintained by the CSP that establish binding between the subscriber’s authenticator(s) and identity.
- An object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a card or token possessed and controlled by a cardholder or subscriber.
- Evidence attesting to one’s right to credit or authority. In this standard, it is the PIV Card and data elements associated with an individual that authoritatively bind an identity (and, optionally, additional attributes) to that individual.
- An object or data structure that authoritatively binds an identity, via an identifier or identifiers, and (optionally) additional attributes to at least one authenticator possessed and controlled by a subscriber. While common usage often assumes that the subscriber maintains the credential, these guidelines also use the term to refer to electronic records maintained by the Credential Service Providers that establish binding between the subscriber’s authenticator(s) and identity.
- An object or data structure that authoritatively binds an identity, via an identifier or identifiers, and (optionally) additional attributes, to at least one authenticator possessed and controlled by a subscriber.
- An object or data structure that authoritatively binds an identity (and optionally, additional attributes) to an authenticator possessed and controlled by a subscriber.
- A set of attributes that uniquely identifies a system entity such as a person, an organization, a service, or a device.
- Evidence attesting to one’s right to credit or authority; in this standard, it is the PIV Card and data elements associated with an individual that authoritatively binds an identity (and, optionally, additional attributes) to that individual.
- An object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a Subscriber. While common usage often assumes that the credential is maintained by the Subscriber, this document also uses the term to refer to electronic records maintained by the CSP which establish a binding between the Subscriber’s token and identity.
- Credential Management : see document
- To manage the life cycle of entity credentials used for authentication.
- Credential Management System : see document
- credential service provider (CSP) : see document
- A trusted entity whose functions include identity proofing applicants to the identity service and registering authenticators to subscriber accounts. A CSP may be an independent third party.
- A trusted entity that issues or registers subscriber tokens and issues electronic credentials to subscribers. The CSP may encompass registration authorities (RAs) and verifiers that it operates. A CSP may be an independent third party, or may issue credentials for its own use.
- A trusted entity that issues or registers subscriber authenticators and issues electronic credentials to subscribers. A CSP may be an independent third party or issue credentials for its own use.
- The party that manages the subscriber’s primary authentication credentials and issues assertions derived from those credentials. This is commonly the CSP as discussed within this document suite.
- See Credential Service Provider.
- A trusted entity that issues or registers Subscriber tokens and issues electronic credentials to Subscribers. The CSP may encompass Registration Authorities (RAs) and Verifiers that it operates. A CSP may be an independent third party, or may issue credentials for its own use.
- credible source : see document
- An entity that can provide or validate the accuracy of identity evidence and attribute information. A credible source has access to attribute information that was validated through an identity proofing process or that can be traced to an authoritative source, or it maintains identity attribute information obtained from multiple sources that is checked for data correlation for accuracy, consistency, and currency.
- Credit Card Number : see document
- CRI : see document
- CRIME : see document
- Criminal Justice Information Services : see document
- CRISP : see document
- CRISPR : see document
- CRISPR-Associated Protein : see document
- CRISPR-Cas : see document
- critical AI system : see document
- Any system incorporating critical software and in which failure can cause substantial harm to the public.
- critical component : see document
- A component which is or contains information and communications technology (ICT), including hardware, software, and firmware, whether custom, commercial, or otherwise developed, and which delivers or protects mission critical functionality of a system or which, because of the system’s design, may introduce vulnerability to the mission critical functions of an applicable system.
- A system element that, if compromised, damaged, or failed, could cause a mission or business failure.
- critical infrastructure : see document
- The essential services that support a society and serve as the backbone for the society's economy, security and health.
- System and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
- System and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
- Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
- Essential services and related assets that underpin American society and serve as the backbone of the nation's economy, security, and health.
- Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on cybersecurity, national economic security, national public health or safety, or any combination of those matters.
- Critical Infrastructure and Key Resources : see document
- Critical Infrastructure Partnership Advisory Council : see document
- Critical Infrastructure Protection : see document
- Critical Infrastructure System : see document
- critical program (or technology) : see document
- A program which significantly increases capability, mission effectiveness or extends the expected effective life of an essential system/capability.
- Critical Security Control : see document
- Critical Services : see document
- The subset of mission essential services required to conduct manufacturing operations. Function or capability that is required to maintain health, safety, the environment and availability for the equipment under control.
- critical software : see document
- Any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:
· is designed to run with elevated privilege or manage privileges;
· has direct or privileged access to networking or computing resources;
· is designed to control access to data or operational technology;
· performs a function critical to trust; or,
· operates outside of normal trust boundaries with privileged access.
- Critical Value : see document
- The value that is exceeded by the test statistic with a small probability (significance level). A "look-up" or calculated value of a test statistic (i.e., a test statistic value) that, by construction, has a small probability of
- criticality : see document
- Degree of impact that a requirement, module, error, fault, failure, or other item has on the development or operation of a system.
- A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function.
- Refers to the (consequences of) incorrect behavior of a system. The more serious the expected direct and indirect effects of incorrect behavior, the higher the criticality level.
- An attribute assigned to an asset that reflects its relative importance or necessity in achieving or contributing to the achievement of stated goals.
- criticality analysis : see document
- An end-to-end functional decomposition performed by systems engineers to identify mission critical functions and components. Includes identification of system missions, decomposition into the functions to perform those missions, and traceability to the hardware, software, and firmware components that implement those functions. Criticality is assessed in terms of the impact of function or component failure on the ability of the component to complete the system mission(s).
- criticality level : see document
- Degree of impact that a requirement, module, error, fault, failure, or other item has on the development or operation of a system.
- A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function.
- Refers to the (consequences of) incorrect behavior of a system. The more serious the expected direct and indirect effects of incorrect behavior, the higher the criticality level.
- An attribute assigned to an asset that reflects its relative importance or necessity in achieving or contributing to the achievement of stated goals.
- Criticality Reviews : see document
- A determination of the ranking and priority of manufacturing system components, services, processes, and inputs in order to establish operational thresholds and recovery objectives.
- CRL : see document
- A list of revoked public key certificates created and digitally signed by a certification authority.
- A list maintained by a Certification Authority of the certificates which it has issued that are revoked prior to their stated expiration date.
- A list of digital certificates that have been revoked by an issuing CA before their scheduled expiration date and should no longer be trusted.
- A list of revoked public key certificates created and digitally signed by a Certification Authority.
- CRO : see document
- Cross Agency Priority : see document
- cross domain : see document
- The act of manually and/or automatically accessing and/or transferring information between different security domains.
- A Compact Disc (CD) is a class of media from which data are read by optical means.
- cross domain baseline list : see document
- A list managed by the unified cross domain services management office (UCDSMO) that identifies CDSs that are available for deployment within the Department of Defense (DoD) and intelligence community (IC).
- cross domain capabilities : see document
- The set of functions that enable the transfer of information between security domains in accordance with the policies of the security domains involved.
- cross domain enabled : see document
- Applications/services that exist on and are capable of interacting across two or more different security domains.
- cross domain portal : see document
- A single web-site providing access to cross domain services.
- cross domain solution (CDS) filtering : see document
- The process of inspecting data as it traverses a cross domain solution and determining if the data meets pre-defined policy.
- cross domain sunset list : see document
- A list managed by the unified cross domain services management office (UCDSMO) that identifies cross domain solutions (CDSs) that are or have been in operation, but are no longer available for additional deployment and need to be replaced within a specified period of time.
- Cross-certification : see document
- A process whereby two CAs establish a trust relationship between them by each CA signing a certificate containing the public key of the other CA.
- Cross-certify : see document
- The establishment of a trust relationship between two Certification Authorities (CAs) through the signing of each other's public key in certificates; referred to as a “cross-certificate.”
- Cross-Domain Solutions : see document
- crosslinks : see document
- Communication between satellites.
- Cross-Origin Resource Sharing : see document
- Crown Jewels Analysis : see document
- CRPA : see document
- CRR : see document
- CRS : see document
- CRSRA : see document
- CRT : see document
- CRTM : see document
- CRTV : see document
- CRUD : see document
- cryptanalysis : see document
- 2. The study of mathematical techniques for attempting to defeat cryptographic techniques and/or information systems security. This includes the process of looking for errors or weaknesses in the implementation of an algorithm or of the algorithm itself.
- 1. Operations performed in defeating cryptographic protection without an initial knowledge of the key employed in providing the protection.
- Operations performed in defeating cryptographic protection without an initial knowledge of the key employed in providing the protection.
- 1. Operations performed to defeat cryptographic protection without an initial knowledge of the key employed in providing the protection.
- 2. The study of mathematical techniques for attempting to defeat cryptographic techniques and information system security. This includes the process of looking for errors or weaknesses in the implementation of an algorithm or in the algorithm itself.
- The study of mathematical techniques for attempting to defeat cryptographic techniques and information system security. This includes the process of looking for errors or weaknesses in the implementation of an algorithm or of the algorithm itself.
- 1. Operations performed to defeat cryptographic protection without an initial knowledge of the key employed in providing the protection. 2. The study of mathematical techniques for attempting to defeat cryptographic techniques and information-system security. This includes the process of looking for errors or weaknesses in the implementation of an algorithm or in the algorithm itself.
- The study of mathematical techniques for attempting to defeat cryptographic techniques and information system security. This includes the process of looking for errors or weaknesses in the implementation of an algorithm or in the algorithm itself.
- Cryptographic Accelerator : see document
- A specialized separate coprocessor chip from the main processing unit where cryptographic tasks are offloaded to for performance benefits.
- cryptographic alarm : see document
- Circuit or device that detects failures or aberrations in the logic or operation of cryptographic equipment. Crypto-alarm may inhibit transmission or may provide a visible and/or audible alarm.
- Cryptographic algorithm : see document
- 1. A well-defined computational procedure that takes variable inputs, including a cryptographic key, and produces an output.
- 2. Well-defined procedure or sequence of rules or steps, or a series of mathematical equations used to describe cryptographic processes such as encryption/decryption, key generation, authentication, signatures, etc.
- A well-defined computational procedure that takes variable inputs, often including a cryptographic key, and produces an output.
- A well-defined computational procedure that takes variable inputs, including a cryptographic key, and produces an output.
- A well-defined computational procedure that takes variable inputs, including a cryptographic key (if applicable), and produces an output.
- A well-defined computational procedure that takes variable inputs (often including a cryptographic key) and produces an output.
- Cryptographic Algorithm Validation Program : see document
- Cryptographic Algorithm Validation System : see document
- Cryptographic and Security Testing : see document
- Cryptographic and Security Testing Laboratory : see document
- Cryptographic API: Next Generation : see document
- The long-term replacement for the Cryptographic Application Programming Interface (CAPI).
- Cryptographic application : see document
- An application that performs a cryptographic function.
- Cryptographic Application Programming Interface : see document
- An application programming interface included with Microsoft Windows operating systems that provides services to enable developers to secure Windows-based applications using cryptography. While providing a consistent API for applications, CAPI allows specialized cryptographic modules (cryptographic service providers) to be provided by third parties, such as hardware security module (HSM) manufacturers. This enables applications to leverage the additional security of HSMs while using the same APIs they use to access built-in Windows cryptographic service providers. (Also known variously as CryptoAPI, Microsoft Cryptography API, MS-CAPI or simply CAPI.)
- cryptographic binding : see document
- Associating two or more related elements of information using cryptographic techniques.
- Cryptographic checksum : see document
- A mathematical value created using a cryptographic algorithm that is assigned to data and later used to test the data to verify that the data has not changed.
- Cryptographic device : see document
- A physical device that performs a cryptographic function (e.g., random number generation, message authentication, digital signature generation, encryption, or key establishment). A cryptographic device must employ one or more cryptographic modules for cryptographic operations. The device may also be composed from other applications and components in addition to the cryptographic module(s). A cryptographic device may be a stand-alone cryptographic mechanism or a CKMS component.
- Cryptographic Engineering Research Group : see document
- cryptographic erase : see document
- A method of sanitization in which the media encryption key (MEK) for the encrypted Target Data is sanitized, making recovery of the decrypted Target Data infeasible.
- A method of sanitization in which the Media Encryption Key (MEK) for the encrypted Target Data (or the Key Encryption Key (KEK)) is sanitized, making recovery of the decrypted Target Data infeasible.
- Cryptographic function : see document
- Cryptographic algorithms, together with modes of operation (if appropriate); for example, block ciphers, digital signature algorithms, asymmetric key-establishment algorithms, message authentication codes, hash functions, or random bit generators.
- Cryptographic hash function : see document
- A function that maps a bit string of arbitrary length to a fixed-length bit string. Depending upon the relying application, the security strength that can be supported by a hash function is typically measured by the extent to which it possesses one or more of the following properties:
1. (Collision resistance) It is computationally infeasible to find any two distinct inputs that map to the same output.
2. (Preimage resistance) Given a randomly chosen target output, it is computationally infeasible to find any input that maps to that output. (This property is called the one-way property.)
3. (Second preimage resistance) Given one input value, it is computationally infeasible to find a second (distinct) input value that maps to the same output as the first value.
This Recommendation uses the strength of the preimage resistance of a hash function as a contributing factor when determining the security strength provided by a key-derivation method.
Approved hash functions are specified in [FIPS 180] and [FIPS 202].
- A function on bit strings in which the length of the output is fixed. Approved hash functions (such as those specified in FIPS 180 and FIPS 202) are designed to satisfy the following properties:
1. (One-way) It is computationally infeasible to find any input that maps to any new pre-specified output.
2. (Collision-resistant) It is computationally infeasible to find any two distinct inputs that map to the same output.
- A function that maps a bit string of arbitrary length to a fixed length bit string and is expected to have the following three properties:
1) Collision resistance (see Collision resistance),
2) Preimage resistance (see Preimage resistance) and
3) Second preimage resistance (see Second preimage resistance).
Approved cryptographic hash functions are specified in [FIPS 180-3].
- A function that maps a bit string of arbitrary length to a fixed-length bit string. The function is expected to have the following three properties:
1. Collision resistance (see Collision resistance),
2. Preimage resistance (see Preimage resistance) and
3. Second preimage resistance (see Second preimage resistance).
Approved hash functions are specified in [FIPS 180-4].
- A function that maps a bit string of arbitrary length to a fixed length bit string. Approved hash functions are designed to satisfy the following properties:
1. (One-way) It is computationally infeasible to find any input that maps to any pre-specified output, and
2. (Collision resistant) It is computationally infeasible to find any two distinct inputs that map to the same output.
Approved hash functions are specified in FIPS 180-3.
- An algorithm that computes a numerical value (called the hash value) on a data file or electronic message that is used to represent that file or message, and depends on the entire contents of the file or message. A hash function can be considered to be a fingerprint of the file or message.
- A function that maps a bit string of arbitrary length to a fixed-length bit string. Approved hash functions are expected to satisfy the following properties:
1. One-way: It is computationally infeasible to find any input that maps to any pre-specified output, and
2. Collision resistant: It is computationally infeasible to find any two distinct inputs that map to the same output.
- A function that maps a bit string of arbitrary length to a fixed-length bit string. Approved hash functions are expected to satisfy the following properties: 1. One-way: it is computationally infeasible to find any input that maps to any pre-specified output, and 2. Collision resistant: It is computationally infeasible to find any two distinct inputs that map to the same output.
- A function that maps a bit string of arbitrary length to a fixed-length bit string. Approved hash functions are designed to satisfy the following properties:
1. (One-way) It is computationally infeasible to find any input that maps to any pre-specified output, and
2. (Collision resistant) It is computationally infeasible to find any two distinct inputs that map to the same output.
Approved hash functions are specified in FIPS 180.
- A function that maps a bit string of arbitrary (although bounded) length to a fixed-length bit string. Approved hash functions satisfy the following properties:
1. (One-way) It is computationally infeasible to find any input that maps to any pre-specified output, and
2. (Collision resistant) It is computationally infeasible to find any two distinct inputs that map to the same output.
- A function that maps a bit string of arbitrary length to a fixed-length bit string. Approved hash functions satisfy the following properties: 1. One-way – It is computationally infeasible to find any input that maps to any pre-specified output. 2. Collision resistant – It is computationally infeasible to find any two distinct inputs that map to the same output.
- See cryptographic hash function.
- A function that maps a bit string of arbitrary (although bounded) length to a fixed-length bit string. Approved hash functions satisfy the following properties: 1. (One-way) It is computationally infeasible to find any input that maps to any pre-specified output. 2. (Collision-resistant) It is computationally infeasible to find any two distinct inputs that map to the same output.
- A function that maps a bit string of arbitrary length to a fixed-length bit string.
- A function that maps a bit string of arbitrary length to a fixed-length bit string. Approved hash functions satisfy the following properties: 1. (One-way) It is computationally infeasible to find any input that maps to any pre-specified output, and 2. (Collision resistant) It is computationally infeasible to find any two distinct inputs that map to the same output.
- Cryptographic Hash Value : see document
- The result of applying a cryptographic hash function to data (e.g., a message).
- Cryptographic Ignition Key : see document
- Device or electronic key used to unlock the secure mode of cryptographic equipment.
- cryptographic incident : see document
- Any uninvestigated or unevaluated equipment malfunction, or operator or COMSEC Account Manager error, that has the potential to jeopardize the cryptographic security of a machine or off-line manual cryptosystem; or any investigated or evaluated occurrence that has been determined not to jeopardize the cryptographic security of a cryptosystem.
- cryptographic initialization : see document
- Function used to set the state of a cryptographic logic prior to key generation, encryption, or other operating mode.
- cryptographic key : see document
- A parameter used in conjunction with a cryptographic algorithm that determines the specific operation of that algorithm.
- A bit string used as a secret parameter by a cryptographic algorithm. In this Recommendation, a cryptographic key is either a random bit string of a length specified by the cryptographic algorithm or a pseudorandom bit string of the required length that is computationally indistinguishable from one selected uniformly at random from the set of all bit strings of that length.
- A parameter used with a cryptographic algorithm that determines its operation.
- The parameter of a block cipher that determines the selection of a permutation from the block cipher family.
- A parameter used in conjunction with a cryptographic algorithm that determines its operation in such a way that an entity with knowledge of the key can reproduce or reverse the operation, while an entity without knowledge of the key cannot.
- A parameter used in the block cipher algorithm that determines the forward cipher operation and the inverse cipher operation.
- A value used to control cryptographic operations, such as decryption, encryption, signature generation, or signature verification. For the purposes of these guidelines, key requirements shall meet the minimum requirements stated in Table 2 of [SP 800-57 Part1].
- A parameter used in conjunction with a cryptographic algorithm that determines its operation.
Examples applicable to this Standard include:
1. The computation of a digital signature from data, and
2. The verification of a digital signature.
- A parameter used in conjunction with a cryptographic algorithm that determines the specific operation of that algorithm.
- A parameter used in conjunction with a cryptographic algorithm that determines its operation. Examples applicable to this Recommendation include: 1. The computation of a digital signature from data, and 2. The verification of a digital signature.
- A parameter used with a cryptographic algorithm that determines its operation in such a way that an entity with knowledge of the key can reproduce or reverse the operation, while an entity without knowledge of the key cannot. Examples applicable to this Recommendation include:
1. The computation of a keyed-hash message authentication code.
2. The verification of a keyed-hash message authentication code.
3. The generation of a digital signature on a message.
4. The verification of a digital signature.
- A binary string used as a secret parameter by a cryptographic algorithm. In this Recommendation, a cryptographic key shall be either a truly random binary string of a length specified by the cryptographic algorithm or a pseudorandom binary string of the specified length that is computationally indistinguishable from one selected uniformly at random from the set of all binary strings of that length.
- A parameter used in conjunction with a cryptographic algorithm that determines its operation in such a way that an entity with knowledge of the key can reproduce or reverse the operation, while an entity without knowledge of the key cannot. Examples of cryptographic operations requiring the use of cryptographic keys include:
1. The transformation of plaintext data into ciphertext data,
2. The transformation of ciphertext data into plaintext data,
3. The computation of a digital signature from data,
4. The verification of a digital signature,
5. The computation of an authentication code from data,
6. The verification of an authentication code from data and a received authentication code,
7. The computation of a shared secret that is used to derive keying material.
8. The derivation of additional keying material from a key-derivation key (i.e., a pre-shared key).
- A parameter used in conjunction with a cryptographic algorithm that determines the algorithm’s operation in such a way that an entity with knowledge of the key can reproduce or reverse the operation, while an entity without knowledge of the key cannot. Examples include:
1. The transformation of plaintext data into ciphertext data,
2. The transformation of ciphertext data into plaintext data,
3. The computation of a digital signature from data,
4. The verification of a digital signature,
5. The computation of an authentication code from data,
6. The verification of an authentication code from data and a received authentication code.
- A parameter that determines the transformation from plaintext to ciphertext and vice versa. (A DEA key is a 64-bit parameter consisting of 56 independent bits and 8 parity bits). Multiple (1, 2 or 3) keys may be used in the Triple Data Encryption Algorithm.
- A parameter used in the block cipher algorithm that determines the forward cipher operation and the inverse cipher operation.
- The parameter of the block cipher that determines the selection of the forward cipher function from the family of permutations.
- A parameter used in the block cipher algorithm that determines the forward cipher function.
- A parameter used with a cryptographic algorithm that determines its operation.
- A parameter used in conjunction with a cryptographic algorithm that determines its operation in such a way that an entity with knowledge of the key can reproduce or reverse the operation, while an entity without knowledge of the key cannot. Examples include:
• the transformation of plaintext data into ciphertext data,
• the transformation of ciphertext data into plaintext data,
• the computation of a digital signature from data,
• the verification of a digital signature,
• the computation of an authentication code from data,
• the computation of a shared secret that is used to derive keying material.
- A value used to control cryptographic operations, such as decryption, encryption, signature generation, or signature verification. For the purposes of these guidelines, key requirements shall meet the minimum requirements stated in Table 2 of NIST SP 800-57 Part 1.
See also Asymmetric Keys, Symmetric Key.
- A parameter that determines the transformation using DEA and TDEA forward and inverse operations.
- A parameter used in conjunction with a cryptographic algorithm that determines its operation in such a way that an entity with knowledge of the key can reproduce the operation, while an entity without knowledge of the key cannot. Examples of the use of a key that are applicable to this Recommendation include: 1. The computation of a digital signature from data, and 2. The verification of a digital signature.
- A parameter that determines the operation of a cryptographic function, such as:
1. The transformation from plaintext to ciphertext and vice versa,
2. The generation of keying material, or
3. A digital signature computation or verification.
- A parameter used in conjunction with a cryptographic algorithm that determines its operation in such a way that an entity with knowledge of the key can reproduce or reverse the operation, while an entity without knowledge of the key cannot. Examples include:
• the transformation of plaintext data into ciphertext data,
• the transformation of ciphertext data into plaintext data,
• the computation of a digital signature from data,
• the verification of a digital signature,
• the computation of an authentication code from data,
• the computation of a shared secret that is used to derive keying material.
- A parameter used in conjunction with a cryptographic algorithm that determines its operation in such a way that an entity with knowledge of the correct key can reproduce or reverse the operation, while an entity without knowledge of the key cannot. Examples of cryptographic operations requiring the use of cryptographic keys include:
1. The transformation of plaintext data into ciphertext data,
2. The transformation of ciphertext data into plaintext data,
3. The computation of a digital signature from data,
4. The verification of a digital signature,
5. The computation of an authentication code from data,
6. The verification of an authentication code from data and a received authentication code,
7. The computation of a shared secret that is used to derive keying material, and
8. The derivation of additional keying material from a key-derivation key (i.e., a pre-shared key).
- A parameter used in conjunction with a cryptographic algorithm that determines its operation in such a way that an entity with knowledge of the key can reproduce, reverse or verify the operation, while an entity without knowledge of the key cannot. Examples include:
1. The transformation of plaintext data into ciphertext data,
2. The transformation of ciphertext data into plaintext data,
3. The computation of a digital signature from data,
4. The verification of a digital signature on data,
5. The computation of an authentication code from data,
6. The verification of an authentication code from data and a received authentication code,
7. The computation of a shared secret that is used to derive keying material.
- A value used to control cryptographic operations, such as decryption, encryption, signature generation, or signature verification. For the purposes of these guidelines, key requirements shall meet the minimum requirements stated in Table 2 of NIST SP 800-57 Part 1.
See also Asymmetric Keys, Symmetric Key.
- A parameter used in conjunction with a cryptographic algorithm that determines its operation in such a way that an entity with knowledge of the key can reproduce or reverse the operation, while an entity without knowledge of the key cannot. Examples include:
1. The transformation of plaintext data into ciphertext data,
2. The transformation of ciphertext data into plaintext data,
3. The computation of a digital signature from data,
4. The verification of a digital signature,
5. The computation of a message authentication code (MAC) from data,
6. The verification of a MAC received with data,
7. The computation of a shared secret that is used to derive keying material.
- A parameter used in conjunction with a cryptographic algorithm that determines its operation in such a way that an entity with knowledge of the key can reproduce, reverse or verify the operation, while an entity without knowledge of the key cannot. Examples include:
1. The transformation of plaintext data into ciphertext data,
2. The transformation of ciphertext data into plaintext data,
3. The computation of a digital signature from data,
4. The verification of a digital signature on data,
5. The computation of an authentication code from data,
6. The verification of an authentication code from data and a received or retrieved authentication code, and
7. The computation of a shared secret that is used to derive keying material.
- A parameter used in conjunction with a cryptographic algorithm that determines its operation in such a way that an entity with knowledge of the correct key can reproduce or reverse the operation, while an entity without knowledge of the key cannot. Examples of cryptographic operations requiring the use of cryptographic keys include:
1. The transformation of plaintext data into ciphertext data,
2. The transformation of ciphertext data into plaintext data,
3. The computation of a digital signature from data,
4. The verification of a digital signature,
5. The computation of a message authentication code (MAC) from data,
6. The verification of a MAC from data and a received MAC,
7. The computation of a shared secret that is used to derive keying material, and
8. The derivation of additional keying material from a key-derivation key (e.g., a pre-shared key).
The specification of a cryptographic algorithm (as employed in a particular application) typically declares which of its parameters are keys.
- A value used to control cryptographic operations, such as decryption, encryption, signature generation, or signature verification.
- A cryptographic key. In this document, keys generally refer to public-key cryptography key pairs used for authentication of users and/or machines (using digital signatures). Examples include identity keys and authorized keys. The SSH protocol also uses host keys, which are used for authenticating SSH servers to the SSH clients connecting to them.
- A parameter used in conjunction with a cryptographic algorithm that determines its operation in such a way that an entity with knowledge of the key can reproduce or reverse the operation, while an entity without knowledge of the key cannot. Examples include:
1. The transformation of plaintext data into ciphertext data,
2. The transformation of ciphertext data into plaintext data,
3. The computation of a digital signature from data,
4. The verification of a digital signature,
5. The computation of an authentication code from data,
6. The verification of an authentication code from data and a received authentication code,
7. The computation of a shared secret that is used to derive keying material.
- A value used to control cryptographic operations, such as decryption, encryption, signature generation or signature verification. For the purposes of this document, key requirements shall meet the minimum requirements stated in Table 2 of NIST SP 800-57 Part 1.
See also Asymmetric keys, Symmetric key.
- Cryptographic key component : see document
- One of at least two parameters that have the same security properties (e.g., randomness) as a cryptographic key; parameters are combined in an approved security function to form a plaintext cryptographic key before use.
- See Cryptographic key component.
- One of at least two parameters that have the same format as a cryptographic key; parameters are combined in an Approved security function to form a plaintext cryptographic key before use.
- One of at least two parameters that have the same security properties (e.g., randomness) as a cryptographic key; parameters are combined using an approved cryptographic function to form a plaintext cryptographic key before use.
- Cryptographic Key Management System Practice Statement : see document
- Cryptographic Key Management System Security Policy : see document
- Cryptographic keying relationship : see document
- Two or more entities share the same symmetric key.
- The state existing between two entities such that they share at least one cryptographic key.
- Cryptographic mechanism : see document
- An element of a cryptographic application, process, module or device that provides a cryptographic service, such as confidentiality, integrity, source authentication, and access control (e.g., encryption and decryption, and digital signature generation and verification).
- Cryptographic Message Syntax : see document
- cryptographic module : see document
- The set of hardware, software, and/or firmware that implements approved cryptographic functions (including key generation) that are contained within the cryptographic boundary of the module.
- A set of hardware, software, or firmware that implements approved security functions, including cryptographic algorithms and key generation.
- The set of hardware, software, firmware, or some combination thereof that implements cryptographic logic or processes, including cryptographic algorithms, and is contained within the cryptographic boundary of the module.
- A cryptographic module whose keys and/or metadata have been subjected to unauthorized access, modification, or disclosure while contained within the cryptographic module.
- A set of hardware, software, and/or firmware that implements approved security functions (including cryptographic algorithms and key generation).
- The set of hardware, software, and/or firmware that implements approved security functions (including cryptographic algorithms and key generation) and is contained within the cryptographic boundary.
- Cryptographic module : see document
- The set of hardware, software, and/or firmware that implements security functions (including cryptographic algorithms and key generation) and is contained within a cryptographic module boundary. See [FIPS 140].
- See Cryptographic module.
- The set of hardware, software, and/or firmware that implements approved security functions (including cryptographic algorithms and key generation) and is contained within a cryptographic boundary.
- The set of hardware, software, and/or firmware that implements approved cryptographic functions (including key generation) that are contained within the cryptographic boundary of the module.
- The set of hardware, software, and/or firmware that implements approved security functions (including cryptographic algorithms and key generation) and is contained within the cryptographic boundary.
- The set of hardware, software, and/or firmware that implements security functions (including cryptographic algorithms and key generation) and is contained within a cryptographic module boundary. See FIPS 140.
- The set of hardware, software, and/or firmware that implements security functions (including cryptographic algorithms), holds plaintext keys and uses them for performing cryptographic operations, and is contained within a cryptographic module boundary. This Profile requires the use of a validated cryptographic module as specified in [FIPS 140].
- The set of hardware, software, and/or firmware that implements approved security functions and is contained within a cryptographic boundary.
- The set of hardware, software, and/or firmware that implements security functions (including cryptographic algorithms and key-generation methods) and is contained within a cryptographic module boundary. See FIPS 140.
- An embedded software component of a product or application, or a complete product in and of itself, that has one or more capabilities.
- Cryptographic Module Security Policy : see document
- A specification of the security rules under which a cryptographic module is designed to operate.
- Cryptographic Module Validation Program : see document
- Cryptographic Modules User Forum : see document
- Cryptographic officer : see document
- An FCKMS role that is responsible for and authorized to initialize and manage all cryptographic services, functions, and keys of the FCKMS.
- Cryptographic operation : see document
- The execution of a cryptographic algorithm. Cryptographic operations are performed in cryptographic modules.
- Cryptographic primitive : see document
- A low-level cryptographic algorithm used as a basic building block for higher-level cryptographic algorithms.
- cryptographic product : see document
- A cryptographic key (public, private, or shared) or public key certificate, used for encryption, decryption, digital signature, or signature verification; and other items, such as compromised key lists (CKL) and certificate revocation lists (CRL), obtained by trusted means from the same source which validate the authenticity of keys or certificates. Protected software which generates or regenerates keys or certificates may also be considered a cryptographic product.
- Software, hardware or firmware that includes one or more cryptographic functions. A cryptographic product is or contains a cryptographic module.
- cryptographic randomization : see document
- Function that randomly determines the transmit state of a cryptographic logic.
- Cryptographic service : see document
- A service that provides confidentiality, integrity, source authentication, entity authentication, non-repudiation support, access control and availability (e.g., encryption and decryption, and digital signature generation and verification).
- cryptographic solution : see document
- The generic term for a cryptographic device, COMSEC equipment, or combination of such devices/equipment containing either a classified algorithm or an unclassified algorithm.
- cryptographic synchronization : see document
- Process by which a receiving decrypting cryptographic logic attains the same internal state as the transmitting encrypting logic.
- cryptographic system analysis : see document
- Process of establishing the exploitability of a cryptographic system, normally by reviewing transmitted traffic protected or secured by the system under study.
- cryptographic system evaluation : see document
- Process of determining vulnerabilities of a cryptographic system and recommending countermeasures.
- cryptographic system review : see document
- Examination of a cryptographic system by the controlling authority ensuring its adequacy of design and content, continued need, and proper distribution.
- cryptographic system survey : see document
- Management technique in which actual holders of a cryptographic system express opinions on the system's suitability and provide usage information for technical evaluations.
- Cryptographic Technology Group : see document
- cryptographic token : see document
- 1. A portable, user-controlled, physical device (e.g., smart card or PC card) used to store cryptographic information and possibly also perform cryptographic functions.
- 2. A token where the secret is a cryptographic key.
- A token where the secret is a cryptographic key.
- Cryptographic Validation Program : see document
- cryptologic : see document
- The term 'cryptologic' means of or pertaining to cryptology.
- Of or pertaining to cryptology.
- cryptology : see document
- Originally the field encompassing both cryptography and cryptanalysis. Today, cryptology in the U.S. Government is the collection and/or exploitation of foreign communications and non-communications emitters, known as SIGINT; and solutions, products, and services to ensure the availability, integrity, authentication, confidentiality, and non-repudiation of national security telecommunications and information systems, known as IA.
- The mathematical science that deals with cryptanalysis and cryptography.
- The science that deals with hidden, disguised, or encrypted communications. It includes communications security and communications intelligence.
- cryptonet evaluation report : see document
- A free form message from the electronic key management system (EKMS) Tier 1 that includes the Controlling Authority’s ID and Name, Keying Material Information, Description/Cryptonet Name, Remarks, and Authorized User Information.
- Cryptoperiod : see document
- The time span during which a specific key is authorized for use or in which the keys for a given system or application may remain in effect.
- Time span during which each key setting remains in effect.
- The time span during which a specific key is authorized for use or in which the keys for a given system may remain in effect.
- CS3STHLM : see document
- CSA : see document
- A trusted entity that provides on-line verification to a relying party of a subject certificate's trustworthiness, and may also provide additional attribute information for the subject certificate.
- CSA5 : see document
- CSAM : see document
- CSC : see document
- C-SCRM : see document
- CSD : see document
- CSE : see document
- CSF : see document
- CSF Category : see document
- A group of related cybersecurity outcomes that collectively comprise a CSF Function.
- CSF Community Profile : see document
- A baseline of CSF outcomes that is created and published to address shared interests and goals among a number of organizations. A Community Profile is typically developed for a particular sector, subsector, technology, threat type, or other use case. An organization can use a Community Profile as the basis for its own Target Profile.
- CSF Core : see document
- A taxonomy of high-level cybersecurity outcomes that can help any organization manage its cybersecurity risks. Its components are a hierarchy of Functions, Categories, and Subcategories that detail each outcome.
- CSF Current Profile : see document
- A part of an Organizational Profile that specifies the Core outcomes that an organization is currently achieving (or attempting to achieve) and characterizes how or to what extent each outcome is being achieved.
- CSF Function : see document
- The highest level of organization for cybersecurity outcomes. There are six CSF Functions: Govern, Identify, Protect, Detect, Respond, and Recover.
- CSF Implementation Example : see document
- A concise, action-oriented, notional illustration of a way to help achieve a CSF Core outcome.
- CSF Informative Reference : see document
- A mapping that indicates a relationship between a CSF Core outcome and an existing standard, guideline, regulation, or other content.
- CSF Organizational Profile : see document
- A mechanism for describing an organization’s current and/or target cybersecurity posture in terms of the CSF Core’s outcomes.
- CSF Quick Start Guide : see document
- A supplementary resource that gives brief, actionable guidance on specific CSF-related topics.
- CSF Subcategory : see document
- A group of more specific outcomes of technical and management cybersecurity activities that comprise a CSF Category.
- CSF Target Profile : see document
- A part of an Organizational Profile that specifies the desired Core outcomes that an organization has selected and prioritized for achieving its cybersecurity risk management objectives.
- CSF Tier : see document
- A characterization of the rigor of an organization’s cybersecurity risk governance and management practices. There are four Tiers: Partial (Tier 1), Risk Informed (Tier 2), Repeatable (Tier 3), and Adaptive (Tier 4).
- CSFB : see document
- CSfC : see document
- cSHAKE : see document
- The customizable SHAKE function.
- CSI : see document
- CSIA : see document
- CSIM : see document
- CSIP : see document
- CSIRT : see document
- CSK : see document
- CSM : see document
- See Capability, Configuration Settings Management.
- CSMS : see document
- CSN : see document
- The Key Management Infrastructure core node that provides central security management and data management services.
- CSO : see document
- CSP : see document
- A trusted entity that issues or registers subscriber authenticators and issues electronic credentials to subscribers. A CSP may be an independent third party or issue credentials for its own use.
- CSR : see document
- A request sent from a certificate requester to a certificate authority to apply for a digital identity certificate. The certificate signing request contains the public key as well as other information to be included in the certificate and is signed by the private key corresponding to the public key.
- CSRC : see document
- CSRDA : see document
- CSRF : see document
- A type of Web exploit where an unauthorized party causes commands to be transmitted by a trusted user of a Web site without that user’s knowledge.
- CSRIC : see document
- CSRK : see document
- CSRM : see document
- CSRR : see document
- CSS : see document
- CSSPAB : see document
- CST : see document
- CSTL : see document
- CSV : see document
- CT : see document
- A framework for publicly logging the existence of Transport Layer Security (TLS) certificates as they are issued or observed in a manner that allows anyone to audit CA activity and notice the issuance of suspect certificates as well as to audit the certificate logs themselves. (Experimental RFC 6962)
- CT&E : see document
- Software, hardware, and firmware security tests conducted during development of an information system component.
- CT1 : see document
- CTA : see document
- CTAK : see document
- CTAP : see document
- CTC : see document
- CTD : see document
- CTE : see document
- CTG : see document
- CTI : see document
- CTIA : see document
- CTL : see document
- CTM : see document
- CTO : see document
- CTR : see document
- CTR_DRBG : see document
- A DRBG specified in SP 800-90A based on a block cipher algorithm.
- CTS : see document
- CTSO : see document
- CTTA : see document
- An experienced, technically qualified U.S. Government employee who has met established certification requirements in accordance with CNSS approved criteria and has been appointed by a U.S. Government Department or Agency to fulfill CTTA responsibilities.
- CU : see document
- CUAS : see document
- CUI : see document
- A categorical designation that refers to unclassified information that does not meet the standards for National Security Classification under Executive Order 12958, as amended, but is (i) pertinent to the national interests of the United States or to the important interests of entities outside the federal government, and (ii) under law or policy requires protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination.
- Information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
- A categorical designation that refers to unclassified information that does not meet the standards for National Security Classification under Executive Order 12958, as amended, but is (i) pertinent to the national interests of the United States or to the important interests of entities outside the federal government, and (ii) under law or policy requires protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination. Henceforth, the designation CUI replaces Sensitive But Unclassified (SBU).
- CUI categories : see document
- Those types of information for which laws, regulations, or government-wide policies require or permit agencies to exercise safeguarding or dissemination controls, and which the CUI Executive Agent has approved and listed in the CUI Registry.
- Those types of information for which laws, regulations, or governmentwide policies require or permit agencies to exercise safeguarding or dissemination controls, and which the CUI Executive Agent has approved and listed in the CUI Registry.
- CUI Executive Agent : see document
- The National Archives and Records Administration (NARA), which implements the executive branch-wide CUI Program and oversees federal agency actions to comply with Executive Order 13556. NARA has delegated this authority to the Director of the Information Security Oversight Office (ISOO).
- CUI program : see document
- The executive branch-wide program to standardize CUI handling by all federal agencies. The program includes the rules, organization, and procedures for CUI, established by Executive Order 13556, 32 CFR Part 2002, and the CUI Registry.
- CUI registry : see document
- The online repository for all information, guidance, policy, and requirements on handling CUI, including everything issued by the CUI Executive Agent other than 32 CFR Part 2002. Among other information, the CUI Registry identifies all approved CUI categories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures.
- The online repository for all information, guidance, policy, and requirements on handling CUI, including everything issued by the CUI EA other than this part. Among other information, the CUI Registry identifies all approved CUI categories and subcategories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures.
- The online repository for all information, guidance, policy, and requirements on handling CUI, including everything issued by the CUI Executive Agent other than 32 CFR Part 2002. Among other information, the CUI Registry identifies all approved CUI categories and subcategories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures.
- Cumulative Sums Forward Test : see document
- The purpose of the cumulative sums test is to determine whether the sum of the partial sequences occurring in the tested sequence is too large or too small.
- Current Profile : see document
- The ‘as is’ state of system cybersecurity.
- The ‘as is’ state of system cybersecurity.
- Current Year : see document
- Custodian : see document
- A third-party entity that holds and safeguards a user’s private keys or digital assets on their behalf. Depending on the system, a custodian may act as an exchange and provide additional services, such as staking, lending, account recovery, or security features.
- Custom Environment : see document
- An environment containing systems in which the functionality and degree of security do not fit the other types of environments.
- Specialized operational environment.
- Custom Resource Definition : see document
- customer : see document
- Organization or person that receives a product.
- The term customer applies to a person or organization who subscribes to a service offered by a telecommunications provider and is accountable for its use. A customer is permitted to use an NE to make calls and configure local line parameters (e.g., configure the numbers that should receive forwarded calls).
In some circumstances a customer can also play the role of administrator, for example, when the customer has access to operations information that would permit him to reconfigure his circuits. Some service providers offer this service, as well as other OAM&P features, to customers for a fee.
- The organization or person that receives a product or service.
- Organization or person that receives a product or service.
- Customer and Others in the IoT Product Ecosystem : see document
- The person receiving a product or service and third-parties (e.g., other IoT product developers, independent researchers, media and consumer organizations) who have an interest in the IoT product, its components, data, use, assumptions, risks, vulnerabilities, assessments, and/or mitigations.
- Customer-Specifiable : see document
- The features of the MSR-compliant system that are set with a default value by the manufacturer, but can be reset after delivery by the customer to reflect the customer's security policy. These features are usually reset at the time of installation by an administrator or other customer authorized person and cannot be changed without the appropriate privilege at other times.
- Customization : see document
- The ability to control the appearance of the SSL VPN Web pages that the users see when they first access the VPN.
- Customs and Border Patrol : see document
- Cut : see document
- The use of a tool or physical technique to cause a break in the surface of the electronic storage media, potentially breaking the media into two or more pieces and making it difficult or infeasible to recover the data using state of the art laboratory techniques.
- CVC : see document
- A certificate stored on the PIV Card that includes a public key, the signature of a certification authority, and further information needed to verify the certificate.
- A certificate stored on the card that includes a public key, the signature of a certification authority, and the information needed to verify the certificate.
- A certificate stored on the card that includes a public key, the signature of a certification authority, and the information needed to verify the certificate.
- CVE : see document
- A dictionary of common names for publicly known information system vulnerabilities.
- CVE equivalent : see document
- A vulnerability—known by someone—that has been found in specific software—irrespective of whether that vulnerability is publicly known. CVEs are a subset of CVE equivalents.
- CVE ID : see document
- An identifier for a specific software flaw defined within the official CVE Dictionary and that conforms to the CVE specification.
- CVE Naming Authority : see document
- CVE Numbering Authority : see document
- CVE Record Metadata : see document
- Information attached to the CVE by the NVD Analyst and/or CNA. Comprised of CVSS v3.1, CVSS v2, CWE, Reference Link Tags, and Configurations.
- CVP : see document
- CVSS : see document
- CVSS Special Interest Group : see document
- CVSS-SIG : see document
- CWE : see document
- CWI : see document
- CWSS : see document
- CY : see document
- Cyan, Magenta, Yellow, and Key (or blacK) : see document
- Cyber : see document
- Refers to both information and communications networks.
- Cyber Attack : see document
- An attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity, availability, or confidentiality.
- Actions taken in cyberspace that create noticeable denial effects (i.e., degradation, disruption, or destruction) in cyberspace or manipulation that leads to denial that appears in a physical domain, and is considered a form of fires.
- Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.
- An attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.
- Actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.
Note: Within DoD, Joint Publication 3-13, "Information Operations," 27 November 2012 approved the removal of the terms and definitions of computer network attack (CNA), computer network defense (CND), computer network exploitation, and computer network operations (CNO) from JP 1-02, "Department of Defense Dictionary of Military Terms and Associated Terms." This term and definition is no longer published in JP 1-02. This publication is the primary terminology source when preparing correspondence, to include policy, strategy, doctrine, and planning documents. The terms are no longer used in issuances being updated within DoD. JP 1-02, following publication of JP 3-12, "Cyberspace Operations," provides new terms and definitions such as cyberspace, cyberspace operations, cyberspace superiority, defensive cyberspace operation response action, defensive cyberspace operations, Department of Defense information network operations, and offensive cyberspace operations.
- Cyber Cincinnati-Dayton Cyber Corridor : see document
- Cyber Courses of Action : see document
- cyber ecosystem : see document
- The aggregation and interactions of a variety of diverse participants (such as private firms, non‐profits, governments, individuals, and processes) and cyber devices (computers, software, and communications technologies).
- cyber incident : see document
- Any observable occurrence involving computing assets, including physical and virtual platforms, networks, services, and cloud environments.
- An occurrence that results in actual or potential jeopardy to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. See cyber incident. See also event, security-relevant, and intrusion.
- Any observable occurrence in a network or system.
- Actions taken through the use of an information system or network that result in an actual or potentially adverse effect on an information system, network, and/or the information residing therein. See incident. See also event, security-relevant event, and intrusion.
- Any observable occurrence in a network or information system.
- Actions taken through the use of an information system or network that result in an actual or potentially adverse effect on an information system, network, and/or the information residing therein.
- An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.
- An occurrence that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
- Any observable occurrence in a system.
- An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of a system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
- Occurrence or change of a particular set of circumstances.
- Anomalous or unexpected event, set of events, condition, or situation at any time during the life cycle of a project, product, service, or system.
- Cyber Incident Data and Analysis Repository : see document
- Cyber Incident Response Team : see document
- Group of individuals usually consisting of security analysts organized to develop, recommend, and coordinate immediate mitigation actions for containment, eradication, and recovery resulting from CS incidents.
- Cyber Mission Impact Analysis : see document
- Cyber Observable eXpression : see document
- cyber range : see document
- This technique provides a safe environment (i.e., “sandbox”) to deliver hands-on realistic training, scenarios, challenges, and exercises in an easy-to-access web-based environment.
- Cyber Resilience Review : see document
- cyber resiliency : see document
- The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. Cyber resiliency is intended to enable mission or business objectives that depend on cyber resources to be achieved in a contested cyber environment.
- The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.
- Cyber Resiliency and Survivability : see document
- cyber resiliency concept : see document
- A concept related to the problem domain and/or solution set for cyber resiliency. Cyber resiliency concepts are represented in cyber resiliency risk models as well as by cyber resiliency constructs.
- A concept related to the problem domain and/or solution set for cyber resiliency. Cyber resiliency concepts are represented in cyber resiliency risk models as well as by cyber resiliency constructs.
- cyber resiliency construct : see document
- Element of the cyber resiliency engineering framework (i.e., a goal, objective, technique, implementation approach, or design principle). Additional constructs (e.g., sub-objectives or methods, capabilities or activities) may be used in some modeling and analytic practices.
- cyber resiliency control : see document
- A control (i.e., a base control or a control enhancement), as defined in [NIST SP 800-53], that applies one or more cyber resiliency techniques or approaches or that is intended to achieve one or more cyber resiliency objectives.
- A security or privacy control as defined in [NIST SP 800-53] which requires the use of one or more cyber resiliency techniques or implementation approaches, or which is intended to achieve one or more cyber resiliency objectives.
- cyber resiliency design principle : see document
- A guideline for how to select and apply cyber resiliency analysis methods, techniques, approaches, and solutions when making architectural or design decisions.
- A guideline for how to select and apply cyber resiliency techniques, approaches, and solutions when making architectural or design decisions.
- cyber resiliency engineering practice : see document
- A method, process, modeling technique, or analytical technique used to identify and analyze cyber resiliency solutions.
- A method, process, modeling technique, or analytic technique used to identify and analyze cyber resiliency solutions.
- Cyber Resilient Energy Delivery Consortium : see document
- cyber risk : see document
- The risk of depending on cyber resources (i.e., the risk of depending on a system or system elements that exist in or intermittently have a presence in cyberspace).
- The risk of depending on cyber resources, i.e., the risk of depending on a system or system elements which exist in or intermittently have a presence in cyberspace.
- Risk of financial loss, operational disruption, or damage, from the failure of the digital technologies employed for informational and/or operational functions introduced to a manufacturing system via electronic means from the unauthorized access, use, disclosure, disruption, modification, or destruction of the manufacturing system.
- Cyber Security : see document
- The ability to protect or defend the use of cyberspace from cyber attacks.
- Cyber Security Assessment and Management : see document
- Cyber Security Evaluation Tool : see document
- Cyber Security Research and Development Act of 2002 : see document
- cyber survivability : see document
- The ability of warfighter systems to prevent, mitigate, recover from and adapt to adverse cyber-events that could impact mission-related functions by applying a risk-managed approach to achieve and maintain an operationally relevant risk posture throughout its life cycle.
- Cyber Survivability Attributes : see document
- Cyber Testing for Resilient Industrial Control Systems : see document
- Cyber Threat : see document
- Any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service.
- Potential cause of unacceptable asset loss and the undesirable consequences or impact of such a loss.
- Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or the Nation through a system via unauthorized access, destruction, disclosure, modification of information, or denial of service.
- Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service; the potential for a threat source to successfully exploit a particular information system vulnerability.
- Any circumstance or event with the potential to adversely impact agency operations (including safety, mission, functions, image, or reputation), agency assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
- Any circumstance or event with the potential to adversely impact organizational operations.
- Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service.
- Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability.
- Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
- Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service.
- Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through a system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
- Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or the Nation through a system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
- Any circumstance or event with the potential to adversely impact agency operations (including mission, functions, image, or reputation), agency assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
- Any circumstance or event with the potential to cause harm to an information system in the form of destruction, disclosure, adverse modification of data, and/or denial of service.
- An activity, deliberate or unintentional, with the potential for causing harm to an automated information system or activity.
- A possible danger to a computer system, which may result in the interception, alteration, obstruction, or destruction of computational resources, or other disruption to the system.
- The potential for a “threat source” (defined below) to exploit (intentional) or trigger (accidental) a specific vulnerability.
- The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.
- Any circumstance or event with the potential to adversely impact agency operations (including mission function, image, or reputation), agency assets or individuals through an information system via unauthorized access, destruction, disclosure, modification of data, and/or denial of service.
- The potential source of an adverse event.
- Any circumstance or event with the potential to adversely impact operations (including mission function, image, or reputation), agency assets or individuals through an information system via unauthorized access, destruction, disclosure, modification of data, and/or denial of service.
- An event or condition that has the potential for causing asset loss and the undesirable consequences or impact from such loss.
- Any circumstance or event with the potential to adversely impact agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
- Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat source to successfully exploit a particular information system vulnerability.
- Potential cause of an unwanted incident, which may result in harm to a system or organization.
- Any circumstance or event with the potential to cause the security of the system to be compromised.
- The likelihood or frequency of a harmful event occurring.
- Any circumstance or event with the potential to adversely impact organizational operations (a negative risk).
- Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or the Nation through a system via unauthorized access, destruction, disclosure, modification of information, or denial of service.
- Any circumstance or event with the potential to harm an information system through unauthorized access, destruction, disclosure, modification of data, and/or denial of service. Threats arise from human actions and natural events.
- An event or condition that has the potential for causing asset loss and the undesirable consequences or impact from such loss.
Note: The specific causes of asset loss, and for which the consequences of asset loss are assessed, can arise from a variety of conditions and events related to adversity, typically referred to as disruptions, hazards, or threats. Regardless of the specific term used, the basis of asset loss constitutes all forms of intentional, unintentional, accidental, incidental, misuse, abuse, error, weakness, defect, fault, and/or failure events and associated conditions.
- An event or condition that has the potential for causing asset loss and the undesirable consequences or impact from such loss.
Note: The specific causes of asset loss, and for which the consequences of asset loss are assessed, can arise from a variety of conditions and events related to adversity, typically referred to as disruptions, hazards, or threats. Regardless of the specific term used, the basis of asset loss constitutes all forms of intentional, unintentional, accidental, incidental, misuse, abuse, error, weakness, defect, fault, and/or failure events and associated conditions.
- Cyber Threat Intelligence : see document
- Cyber threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes.
- Cyber-Informed Engineering : see document
- Cybersecurity and Information Assurance : see document
- Cybersecurity and Infrastructure Security Agency : see document
- Cybersecurity and Privacy Reference Tool : see document
- Cybersecurity and/or Privacy Learning Program manager : see document
- The person or people in the organization responsible for the development, procurement, integration, modification, operation, maintenance, or final disposition of the elements of the cybersecurity and/or privacy (CPLP) learning programs. In some organizations, there will be multiple iterations of learning programs in which cybersecurity and privacy are managed separately.
- Cybersecurity Defense Community : see document
- Cybersecurity Enhancement Act of 2014 : see document
- cybersecurity event : see document
- A cybersecurity change that may have an impact on organizational operations (including mission, capabilities, or reputation).
- Cybersecurity for Energy Delivery Systems : see document
- Cybersecurity for Smart Manufacturing Systems : see document
- Cybersecurity for the Operational Technology Environment : see document
- cybersecurity framework category : see document
- The subdivision of a Function into groups of cybersecurity outcomes, closely tied to programmatic needs and particular activities.
- cybersecurity framework core : see document
- A set of cybersecurity activities and references that are common across critical infrastructure sectors and are organized around particular outcomes. The Framework Core comprises four types of elements: Functions, Categories, Subcategories, and Informative References.
- cybersecurity framework function : see document
- One of the main components of the Framework. Functions provide the highest level of structure for organizing basic cybersecurity activities into Categories and Subcategories. The five functions are Identify, Protect, Detect, Respond, and Recover.
- cybersecurity framework profile : see document
- A representation of the outcomes that a particular system or organization has selected from the Framework Categories and Subcategories.
- cybersecurity framework subcategory : see document
- The subdivision of a Category into specific outcomes of technical and/or management activities.
- Cybersecurity Incident : see document
- An occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.
- An occurrence that results in actual or potential jeopardy to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. See cyber incident. See also event, security-relevant, and intrusion.
- An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.
- An occurrence that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
- A cybersecurity event that has been determined to have an impact on the organization prompting the need for response and recovery.
- An occurrence that (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.
- An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of a system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
- Anomalous or unexpected event, set of events, condition, or situation at any time during the life cycle of a project, product, service, or system.
- Cybersecurity National Action Plan : see document
- cybersecurity outcome : see document
- Statement of what is expected either from a product or from an organization in support of a product related to the cybersecurity of that product. Can be technical, in the form of product cybersecurity capabilities, or non-technical, in the form of non-technical supporting capabilities.
- Cybersecurity Risk : see document
- An effect of uncertainty on or within information and technology. Cybersecurity risks relate to the loss of confidentiality, integrity, or availability of information, data, or information (or control) systems and reflect the potential adverse impacts to organizational operations (i.e., mission, functions, image, or reputation) and assets, individuals, other organizations, and the Nation. (Definition based on ISO Guide 73 [6] and NIST SP 800-60 Vol. 1 Rev. 1 [7])
- Cybersecurity Risk Information Sharing Program : see document
- Cybersecurity Risk Management : see document
- Cybersecurity Risk Register : see document
- cybersecurity risks throughout the supply chain : see document
- The potential for harm or compromise arising from suppliers, their supply chains, their products, or their services. Cybersecurity risks throughout the supply chain arise from threats that exploit vulnerabilities or exposures within products and services traversing the supply chain as well as threats exploiting vulnerabilities or exposures within the supply chain itself.
- Cybersecurity State : see document
- The condition of a device’s cybersecurity expressed in a way that is meaningful and useful to authorized entities. For example, a very simple device might express its state in terms of whether or not it is operating as expected, while a complex device might perform cybersecurity logging, check its integrity at boot and report the results, and examine and report additional aspects of its cybersecurity state.
- Cybersecurity Strategy and Implementation Plan : see document
- Cybersecurity Supply Chain Risk Management : see document
- Cybersecurity Virtual Machine : see document
- CybersecVM : see document
- cyberspace attack : see document
- Cyberspace actions that create various direct denial effects (i.e., degradation, disruption, or destruction) and manipulation that leads to denial and that is hidden or that manifests in the physical domains.
- Cyberspace actions that create various direct denial effects (i.e. degradation, disruption, or destruction) and manipulation that leads to denial that is hidden or that manifests in the physical domains.
- cyberspace operations (CO) : see document
- The employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace.
- Comprised of computer network attack, computer network defense, and related computer network exploitation enabling operations.
Note: Within the Department of Defense (DoD), the term was approved for deletion from JP 1-02 (DoD Dictionary). This term has been replaced by the use of "cyberspace operations" used in JP 3-12, "Cyberspace Operations." Original source of term was JP 1-02 (DoD Dictionary).
- CybOX : see document
- cyclic redundancy check (CRC) : see document
- A type of checksum algorithm that is not a cryptographic hash but is used to implement a data integrity service where accidental changes to data are expected.
- A method to ensure data has not been altered after being sent through a communication channel.
- CYOD : see document
- CyOTE : see document
- CyTRICS : see document
- D/A : see document
- D/RTBH : see document
- D/S : see document
- A distributed database service capable of storing information, such as certificates and CRLs, in various nodes or servers distributed across a network. (In the context of this practice guide, a directory service stores identity information and enables the authentication and identification of people and machines.)
- D2D : see document
- DA : see document
- DAA : see document
- DAC : see document
- An access control policy that is enforced over all subjects and objects in an information system where the policy specifies that a subject that has been granted access to information can do one or more of the following: (i) pass the information to other subjects or objects; (ii) grant its privileges to other subjects; (iii) change security attributes on subjects, objects, information systems, or system components; (iv) choose the security attributes to be associated with newly-created or revised objects; or (v) change the rules governing access control. Mandatory access controls restrict this capability.
- A means of restricting access to objects (e.g., files, data entities) based on the identity and need-to-know of subjects (e.g., users, processes) and/or groups to which the object belongs. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control).
- DACL : see document
- DACUM : see document
- DAD : see document
- DAG : see document
- damage : see document
- Harm caused to something in such a way as to reduce or destroy its value, usefulness, or normal function.
- damage-limiting operations : see document
- Procedural and operational measures that use system capabilities to maximize the ability of an organization to detect successful system compromises by an adversary and to limit the effects of such compromises (both detected and undetected).
- DAML : see document
- DANE : see document
- DAO : see document
- Designated Authorizing Official; A senior organization official that has been given the authorization to authorize the reliability of an issuer.
- DAPA : see document
- DAR : see document
- DARPA : see document
- DARPA Agent Markup Language : see document
- DAS : see document
- DASH7 : see document
- Dashboard : see document
- See Agency Dashboard and Federal Dashboard.
- DAST : see document
- Data Access : see document
- Data Access Object : see document
- data action : see document
- System operations that process PII.
- A system operation that processes personally identifiable information.
- A system/product/service data life cycle operation, including, but not limited to collection, retention, logging, generation, transformation, use, disclosure, sharing, transmission, and disposal.
- Data Actions : see document
- System operations that process PII.
- data aggregation : see document
- Compilation of individual data systems and data that could result in the totality of the information being classified, or classified at a higher level, or of beneficial use to an adversary.
- Data and Information Reference Model : see document
- data asset : see document
- 1. Any entity that is comprised of data. For example, a database is a data asset that is comprised of data records. A data asset may be a system or application output file, database, document, or web page. A data asset also includes a service that may be provided to access data from an application. For example, a service that returns individual records from a database would be a data asset. Similarly, a web site that returns data in response to specific queries (e.g., www.weather.com) would be a data asset.
- 2. An information-based resource.
- Data Block (Block) : see document
- A sequence of bits whose length is the block size of the block cipher.
- Data Center Group : see document
- Data Center Security: Server Advanced : see document
- Data Collector : see document
- A person who records information about actions that occur during an exercise or test.
- data consumer : see document
- In a trust model for differential privacy, the data consumers are those who receive differentially private results.
- data curator : see document
- In a trust model for differential privacy, the data curator is where the data is aggregated.
- Data Domain Virtual Edition : see document
- data element : see document
- A basic unit of information that has a unique meaning and subcategories (data items) of distinct value. Examples of data elements include gender, race, and geographic location.
- The smallest named item of data that conveys meaningful information.
- Data Encryption Algorithm : see document
- The algorithm specified in FIPS PUB 46-3, Data Encryption Algorithm (DEA).
- The Data Encryption Algorithm specified in FIPS 46-3.
- The DEA cryptographic engine that is used by the Triple Data Encryption Algorithm (TDEA).
- Data Encryption Algorithm, previously specified in FIPS 46 (now withdrawn).
- Data Encryption Standard : see document
- The symmetric encryption algorithm defined by the Data Encryption Standard (FIPS 46-2).
- Data Encryption Standard specified in FIPS 46-3.
- Data Execution Prevention : see document
- data flow control : see document
- See information flow control.
- data governance : see document
- A set of processes that ensures that data assets are formally managed throughout the enterprise. A data governance model establishes authority, management, and decision-making parameters related to the data produced or managed by the enterprise.
- Data Group : see document
- Data Historian : see document
- A centralized database supporting data analysis using statistical process control techniques.
- Data in Transit : see document
- data integrity : see document
- The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing, and while in transit.
- A property possessed by data items that have not been altered in an unauthorized manner since they were created, transmitted or stored.
- A property whereby data has not been altered in an unauthorized manner since it was created, transmitted, or stored.
- Assurance that the data are unchanged from creation to reception.
- A property whereby data has not been altered in an unauthorized manner since it was created, transmitted or stored.
- The property that data has not been altered by an unauthorized entity.
- A property possessed by data items that have not been altered in an unauthorized manner since they were created, transmitted, or stored.
- The property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner.
- A property whereby data has not been altered in an unauthorized manner since it was created, transmitted or stored.
In this Recommendation, the statement that a cryptographic algorithm "provides data integrity" means that the algorithm is used to detect unauthorized alterations.
- Data integrity authentication : see document
- The process of determining the integrity of the data; also called integrity authentication or integrity verification.
- data intruder : see document
- A data user who attempts to disclose information about a population through identification or attribution.
- Data Link Layer : see document
- Layer of the TCP/IP protocol stack that handles communications on the physical network components such as Ethernet.
- data linking : see document
- Matching and combining data from multiple databases.
- data loss : see document
- The exposure of proprietary, sensitive, or classified information through either data theft or data leakage.
- data loss prevention : see document
- A system's ability to identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage) through deep packet content inspection and contextual security analysis of transactions (attributes of originator, data object, medium, timing, recipient/destination, etc.) within a centralized management framework. Data loss prevention capabilities are designed to detect and prevent the unauthorized use and transmission of NSS information.
- Data Management Officer : see document
- An official responsible for overseeing and carrying out the data management tasks of research projects. Main duties and responsibilities include data collection or the formulation, implementation, and enforcement of proper data collection policies and procedures. Trains reporting agencies on data collection tools and equipment.
- data mining : see document
- An analytical process that attempts to find correlations or patterns in large data sets for the purpose of data or knowledge discovery.
- data origin authentication : see document
- The corroboration that the source of data received is as claimed.
See also non-repudiation and peer entity authentication service.
- The verification that the source of data received is as claimed.
- Corroborating that the source of the data is as claimed.
- data poisoning : see document
- A poisoning attack in which an adversary controls part of the training data.
- data privacy : see document
- A condition that safeguards human autonomy and dignity through various means, including confidentiality, predictability, manageability, and disassociability.
- data privacy attacks : see document
- Attacks against machine learning models that extract sensitive information about training data.
- Data Processing : see document
- The collective set of data actions (i.e., the complete data life cycle, including, but not limited to collection, retention, logging, generation, transformation, use, disclosure, sharing, transmission, and disposal).
- Data Processing Ecosystem : see document
- The complex and interconnected relationships among entities involved in creating or deploying systems, products, or services or any components that process data.
- data provenance : see document
- In the context of computers and law enforcement use, it is an equivalent term to chain of custody. It involves the method of generation, transmission and storage of information that may be used to trace the origin of a piece of information processed by community resources.
- Data Radio Bearer : see document
- data reconstruction : see document
- Privacy attacks that reconstruct sensitive data in a model’s training data from aggregate information.
- data science : see document
- The field that combines domain expertise, programming skills, and knowledge of mathematics and statistics to extract meaningful insights from data.
- Data Security Standard : see document
- Data Security Standard Payment Card Industry : see document
- Data Segment (Segment) : see document
- In the CFB mode, a sequence of bits whose length is a parameter that does not exceed the block size.
- data spillage : see document
- Security incident that results in the transfer of classified information onto an information system not authorized to store or process that information.
- data tag : see document
- A non-hierarchical keyword or term assigned to a piece of information which helps describe an item and allows it to be found or processed automatically.
- Data Transfer Device : see document
- Fill device designed to securely store, transport, and transfer electronically both COMSEC and TRANSEC key, designed to be backward compatible with the previous generation of COMSEC common fill devices, and programmable to support modern mission systems.
- data transfer solution : see document
- Interconnect networks or information systems that operate in different security domains and transfer data between them.
- data universe : see document
- All possible data within a specified domain.
- data use agreement : see document
- An executed agreement between a data provider and a data recipient that specifies the terms under which the data can be used.
- data validation : see document
- The process of determining that data or a process for collecting data is acceptable according to a predefined set of tests and the results of those tests.
- Data-at-Rest : see document
- Database Administrator : see document
- Database Management System : see document
- Database of Genotypes and Phenotypes : see document
- Data-encryption key : see document
- A key used to encrypt and decrypt information other than keys.
- A key used to encrypt and decrypt data other than keys.
- Datagram Congestion Control Protocol : see document
- Datagram Transport Layer Security : see document
- dataset with identifiers : see document
- A dataset that contains information that directly identifies individuals.
- dataset without identifiers : see document
- A dataset that does not contain direct identifiers.
- Date of Birth : see document
- DATO : see document
- Denial of Authorization to Operate; issued by a DAO to an issuer that is not authorized as being reliable for the issuance of PIV Cards or Derived PIV Credentials.
- DB : see document
- A repository of information that usually holds plant-wide information including process data, recipes, personnel data, and financial data.
- A repository of information or data, which may or may not be a traditional relational database system.
- DBA : see document
- DbGaP : see document
- DBL : see document
- dBm : see document
- DBMS : see document
- DC : see document
- A server responsible for managing domain information, such as login identification and passwords.
- DC3 : see document
- DCCP : see document
- DCE : see document
- DCG : see document
- DCID : see document
- DCISE : see document
- DCMA : see document
- DCMS : see document
- DCO : see document
- DCO-RA : see document
- DCRTM : see document
- DCS : see document
- In a control system, refers to control achieved by intelligence that is distributed about the process to be controlled, rather than by a centrally located single unit.
- DCS:SA : see document
- dd : see document
- DD VE : see document
- DDIL : see document
- DDMS : see document
- DDNS : see document
- DDoS : see document
- A denial of service technique that uses numerous hosts to perform the attack.
- DE : see document
- Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- DE.AE : see document
- DEA : see document
- The algorithm specified in FIPS PUB 46-3, Data Encryption Algorithm (DEA).
- The Data Encryption Algorithm specified in FIPS 46-3.
- The DEA cryptographic engine that is used by the Triple Data Encryption Algorithm (TDEA).
- Data Encryption Algorithm, previously specified in FIPS 46 (now withdrawn).
- Deactivated state : see document
- A lifecycle state of a key whereby the key is no longer to be used for applying cryptographic protection. Processing already protected information may still be performed.
- A key state in which keys are not used to apply cryptographic protection (e.g., encrypt) but, in some cases, are used to process cryptographically protected information (e.g., decrypt).
- Dead Peer Detection : see document
- decapsulation : see document
- The process of applying the Decaps algorithm of a KEM. This algorithm accepts a KEM ciphertext and the decapsulation key as input and produces a shared secret key as output.
- decapsulation key : see document
- A cryptographic key produced by a KEM during key generation and used during the decapsulation process. The decapsulation key must be kept private and must be destroyed after it is no longer needed.
- Decentralized Autonomic Data : see document
- Decentralized Autonomous Organization : see document
- Decentralized Exchange : see document
- decentralized finance : see document
- Decentralized Identifier : see document
- Decentralized network : see document
- A network configuration where there are multiple authorities that serve as a centralized hub for a subsection of participants. Since some participants are behind a centralized hub, the loss of that hub will prevent those participants from communicating.
- decertification : see document
- Revocation of the certification of an information system item or equipment for cause.
- Decibels referenced to one milliwatt : see document
- decipher : see document
- Convert enciphered text to plain text by means of a cryptographic system.
- Decision or branch coverage : see document
- The percentage of branches that have been evaluated to both true and false by a test set.
- decision tree : see document
- decode : see document
- Convert encoded data back to its original form of representation.
- decrypt : see document
- A generic term encompassing decoding and deciphering.
- Decryption : see document
- The process of transforming ciphertext into plaintext.
- The process of changing ciphertext into plaintext using a cryptographic algorithm and key.
- The process of transforming ciphertext into plaintext.
- The process of a confidentiality mode that transforms encrypted data into the original usable data.
- The process of transforming ciphertext into plaintext using a cryptographic algorithm and key.
- The process of changing ciphertext into plaintext.
- Decryption Failure Rate : see document
- decryption key : see document
- A cryptographic key that is used with a PKE in order to decrypt ciphertexts into plaintexts. The decryption key must be kept private and must be destroyed after it is no longer needed.
- The cryptographic key used to decrypt the encrypted payload. In asymmetric cryptography, the decryption key refers to the private key of the cryptographic key pair. In symmetric cryptography, the decryption key is the symmetric key.
- Decryption-Verification : see document
- The process of CCM in which a purported ciphertext is decrypted and the authenticity of the resulting payload and the associated data is verified.
- Dedicated Proxy Server : see document
- A form of proxy server that has much more limited firewalling capabilities than an application-proxy gateway.
- Deep Packet Inspection : see document
- default classification : see document
- Classification reflecting the highest classification being processed in an information system. Default classification is included in the caution statement affixed to an object.
- Defect : see document
- An occurrence of a defect check that failed on an assessment object. It indicates a weakened state of security that increases risk.
- Defect Check : see document
- A defect check is a way to assess determination statements. It has the following additional properties. A defect check:
• Is stated as a test (wherever appropriate);
• Can be automated;
• Explicitly defines a particular desired state specification that is then compared to the corresponding actual state to determine the test result;
• Provides information that may help determine the degree of control effectiveness/level of risk that is acceptable;
• Suggests risk response options; and
• Assesses a corresponding sub-capability.
- Defect Type : see document
- A kind of defect that could occur on many assessment objects. Generally, a defect check tests for the presence or absence of a defect type.
- Defense Contract Management Agency : see document
- Defense Courier Service : see document
- Defense Cyber Crime Center : see document
- Defense Discovery Metadata Standard (DDMS) : see document
- Defines discovery metadata elements for resources posted to community and organizational shared spaces throughout the DoD enterprise. Specifically, DDMS defines a set of information fields that are to be used to describe any data or service asset that is made known to the enterprise.
- Defense Federal Acquisition Regulations Supplement : see document
- Defense Industrial Base : see document
- Defense Industrial Base Cybersecurity Sharing : see document
- Defense Information System Network : see document
- Defense Information Systems Agency : see document
- Defense Intelligence Agency : see document
- Defense Science Board : see document
- defense-in-depth : see document
- Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of the organization.
- Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization.
- An information security strategy that integrates people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization.
- The application of multiple countermeasures in a layered or stepwise manner to achieve security objectives. The methodology involves layering heterogeneous security technologies in the common attack vectors to ensure that attacks missed by one technology are caught by another.
- defensive cyberspace operation response action (DCO-RA) : see document
- Deliberate, authorized defensive measures or activities taken outside of the defended network to protect and defend Department of Defense (DoD) cyberspace capabilities or other designated systems.
- defensive cyberspace operations (DCO) : see document
- Passive and active cyberspace operations intended to preserve the ability to utilize friendly cyberspace capabilities and protect data, networks, net-centric capabilities, and other designated systems.
- Defensive Design : see document
- Design techniques which explicitly protect supply chain elements from future attacks or adverse events. Defensive design addresses the technical, behavioral, and organizational activities. It is intended to create options that preserve the integrity of the mission and system function and its performance to the end user or consumer of the supply chain element.
- DeFi : see document
- degauss : see document
- To reduce the magnetic flux to virtual zero by applying a reverse magnetizing field. Also called demagnetizing.
- To reduce the magnetic flux to virtual zero by applying a reverse magnetizing field. Degaussing any current generation hard disk (including but not limited to IDE, EIDE, ATA, SCSI and Jaz) will render the drive permanently unusable since these drives store track location information on the hard drive. Also called “demagnetizing.”
- Degraded Cybersecurity State : see document
- A cybersecurity state that indicates the device’s cybersecurity has been significantly negatively impacted, such as the device being unable to operate as expected, or the integrity of the device’s software being violated.
- delay (path delay) : see document
- The [signal] delay between a transmitter and a receiver. Path delay is often the largest contributor to time transfer uncertainty. For example, consider a radio signal broadcast over a 1000 km path. Since radio signals travel at the speed of light (with a delay of about 3.3 µs/km), we can calibrate the 1000 km path by estimating the path delay as 3.3 ms and applying a 3.3 ms correction to our measurement. Sophisticated time transfer systems, such as GPS, automatically correct for path delay. The absolute path delay is not important to frequency transfer systems because on-time pulses are not required, but variations in path delay still limit the frequency uncertainty.
- Delegation Signer : see document
- deleted file : see document
- A file that has been logically, but not necessarily physically, erased from the operating system, perhaps to eliminate potentially incriminating evidence. Deleting files does not always necessarily eliminate the possibility of recovering all or part of the original data.
- Delivery Status Notification : see document
- delivery-only client (DOC) : see document
- A configuration of a client node that enables a DOA agent to access a primary services node (PRSN) to retrieve KMI products and access KMI services. A DOC consists of a client platform but does not include an AKP.
Rationale: Term is of limited use to information assurance community.
- Dell Remote Access Controller : see document
- Dell Trusted Device : see document
- demilitarize : see document
- The process of preparing National Security System equipment for disposal by extracting all CCI, classified, or CRYPTO-marked components for their secure destruction, as well as defacing and disposing of the remaining equipment hulk.
- Process of preparing COMSEC equipment for disposal by extracting all controlled cryptographic item (CCI), classified, or CRYPTO marked components for their secure destruction, as well as defacing and disposing of the remaining equipment hulk.
Rationale: Demilitarize is the proper term and does not apply solely to COMSEC.
- DeNB : see document
- denial of service (DoS) : see document
- The prevention of authorized access to a system resource or the delaying of system operations and functions.
- The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided).
- The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided.)
- The prevention of authorized access to a system resource or the delaying of system operations and functions.
- Actions that prevent the NE from functioning in accordance with its intended purpose. A piece of equipment or entity may be rendered inoperable or forced to operate in a degraded state; operations that depend on timeliness may be delayed.
- The prevention of authorized access to resources or the delaying of time-critical operations.
- The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided.)
- Denied, Disrupted, Intermittent, and Limited Impact : see document
- Deny by Default : see document
- To block all inbound and outbound traffic that has not been expressly permitted by firewall policy.
- Deoxyribonucleic acid : see document
- DEP : see document
- Department of Commerce : see document
- Department of Defense : see document
- Department of Defense Directive : see document
- Department of Defense information network operations : see document
- Operations to design, build, configure, secure, operate, maintain, and sustain Department of Defense networks to create and preserve information assurance on the Department of Defense information networks.
- Department of Defense information networks (DODIN) : see document
- The globally interconnected, end-to-end set of information capabilities, and associated processes for collecting, processing, storing, disseminating, and managing information on-demand to warfighters, policy makers, and support personnel, including owned and leased communications and computing systems and services, software (including applications), data, security services, other associated services, and national security systems.
- Department of Defense Instruction : see document
- Department of Defense Manual : see document
- Department of Education Disclosure Review Board : see document
- Department of Energy : see document
- Department of Health and Human Services : see document
- Department of Homeland Security : see document
- Department of Transportation : see document
- Department of Veterans Affairs : see document
- Department/Agency : see document
- deployment stage : see document
- The stage of the machine learning pipeline in which a model is deployed into a live or real-world environment for use, such as being integrated into an enterprise application or made available to end users through an API.
- deprecated : see document
- The algorithm and key length may be used, but the user must accept some security risk. The term is used when discussing the key lengths or algorithms that may be used to apply cryptographic protection.
- Deprecated Identifier Name : see document
- An identifier name that is no longer valid because it has either been replaced by a new identifier name or set of identifier names or was created erroneously.
- depth : see document
- An attribute associated with an assessment method that addresses the rigor and level of detail associated with the application of the method. The values for the depth attribute, hierarchically from less depth to more depth, are basic, focused, and comprehensive.
- An attribute associated with an assessment method that addresses the rigor and level of detail associated with the application of the method.
- The amount of detail covered by an assessment: basic (both critical and non-critical elements) or detailed (all elements).
- DER : see document
- De-registration (of a key) : see document
- The inactivation of the records of a key that was registered by a registration authority.
- derived attribute value : see document
- A statement that asserts a limited identity attribute of a subscriber without containing the attribute value from which it is derived, independent of format. For example, instead of requesting the attribute “birthday,” a derived value could be “older than 18.” Instead of requesting the attribute for “physical address,” a derived value could be “currently residing in this district.” Previous versions of these guidelines referred to this construct as an “attribute reference.”
- derived credential : see document
- A credential issued based on proof of possession and control of a token associated with a previously issued credential, so as not to duplicate the identity proofing process.
- A credential issued based on proof of possession and control of an authenticator associated with a previously issued credential, so as not to duplicate the identity proofing process.
- Derived Personal Identity Verification (PIV) : see document
- A credential issued based on proof of possession and control of the PIV Card, so as not to duplicate the identity proofing process as defined in [SP 800-63-2]. A Derived PIV Credential token is a hardware or software-based token that contains the Derived PIV Credential.
- Derived Personal Identity Verification Credential : see document
- Derived PIV Application : see document
- A standardized application residing on a removable, hardware cryptographic token that hosts a Derived PIV Credential and associated mandatory and optional elements.
- A standardized application residing on a removable hardware cryptographic token that hosts a Derived PIV Credential and associated mandatory and optional elements.
- Derived PIV Credential : see document
- A credential issued based on proof of possession and control of a PIV Card. Derived PIV credentials are typically used in situations that do not easily accommodate a PIV Card, such as in conjunction with mobile devices.
- An X.509 Derived PIV Authentication certificate, which is issued in accordance with the requirements specified in this document where the PIV Authentication certificate on the Applicant’s PIV Card serves as the original credential. The Derived PIV Credential is an additional common identity credential under HSPD-12 and FIPS 201 that is issued by a Federal department or agency and that is used with mobile devices.
- A credential issued based on proof of possession and control of the PIV Card, so as not to duplicate the identity proofing process as defined in [NIST SP 800-63-2]. A Derived PIV Credential token is a hardware or software based token that contains the Derived PIV Credential.
- An X.509 Derived PIV Authentication certificate with associated public and private key that is issued in accordance with the requirements specified in this document where the PIV Authentication certificate on the applicant’s PIV Card serves as the original credential. The Derived PIV Credential (DPC) is an additional common identity credential under Homeland Security Presidential Directive-12 and Federal Information Processing Standards (FIPS) 201 that is issued by a federal department or agency and is used with mobile devices.
- Derived PIV Credential Management System : see document
- Derived PIV Credentials : see document
- Derived Relationship Mapping : see document
- A potential mapping between Reference Document Elements identified by finding elements from two or more Reference Documents that map to the same Focal Document Element.
- derived requirement : see document
- A requirement deduced or inferred from the collection and organization of requirements into a particular system configuration and solution.
- A requirement that is implied or transformed from a higher-level requirement. Note 1: Implied requirements cannot be assessed since they are not contained in any requirement baseline. The decomposition of requirements throughout the engineering process makes the implicit requirements explicit, allowing them to be stated and captured in appropriate baselines and allowing associated assessment criteria to be stated. Note 2: A derived requirement must trace back to at least one higher-level requirement.
- A requirement that is implied or transformed from a higher-level requirement.
Note 1: Implied requirements cannot be assessed since they are not contained in any requirements baseline. The decomposition of requirements throughout the engineering process makes implicit requirements explicit, allowing them to be stated and captured in appropriate baselines and allowing associated assessment criteria to be stated.
Note 2: A derived requirement must trace back to at least one higher-level requirement.
- A requirement that is implied or transformed from a higher-level requirement.
Note 1: Implied requirements cannot be assessed since they are not contained in any requirements baseline. The decomposition of requirements throughout the engineering process makes implicit requirements explicit, allowing them to be stated and captured in appropriate baselines and allowing associated assessment criteria to be stated.
Note 2: A derived requirement must trace back to at least one higher-level requirement.
- Derived Test Requirement : see document
- A statement of requirement, needed information, and associated test procedures necessary to test a specific SCAP feature.
- Derived PIV Credential Issuer : see document
- Derived PIV Credential (and associated token) Issuer; an issuer of Derived PIV Credentials as defined in [NIST SP 800-63-2] and [NIST SP 800-157].
- DES : see document
- The symmetric encryption algorithm defined by the Data Encryption Standard (FIPS 46-2).
- Data Encryption Standard specified in FIPS 46-3.
- descriptive label : see document
- Provides facts about properties or features of a product without any grading or evaluation. Information may be displayed in a variety of ways, such as in tabular format or with icons or text.
- design : see document
- Process to define the architecture, system elements, interfaces, and other characteristics of a system or system element.
- Result of the process to be consistent with the selected architecture, system elements, interfaces, and other characteristics of a system or system element.
- Process of defining the system elements, interfaces, and other characteristics of a system of interest in accordance with the requirements and architecture.
- design characteristics : see document
- Design attributes or distinguishing features that pertain to a measurable description of a product or service.
- design margin : see document
- The margin allocated during design based on assessments of uncertainty and unknowns. This margin is often consumed as the design matures.
- A spare amount or measure or degree allowed or given for contingencies or special situations. The allowances carried to account for uncertainties and risks.
- design principle : see document
- A distillation of experience designing, implementing, integrating, and upgrading systems that systems engineers and architects can use to guide design decisions and analysis. A design principle typically takes the form of a terse statement or a phrase identifying a key concept, accompanied by one or more statements that describe how that concept applies to system design (where “system” is construed broadly to include operational processes and procedures, and may also include development and maintenance environments).
- Designated Accrediting Authority : see document
- Synonymous with designated accrediting authority (DAA).
- designated approval authority (DAA) : see document
- Official with the authority to formally assume responsibility for operating a system at an acceptable level of risk. This term is synonymous with authorizing official, designated accrediting authority, and delegated accrediting authority.
Rationale: Term has been replaced by the term “authorizing official”.
- designated cipher function : see document
- As part of the choice of the underlying block cipher with a KEK, either the forward transformation or the inverse transformation.
- designing for cyber resiliency and survivability : see document
- Designing systems, missions, and business functions to provide the capability to prepare for, withstand, recover from, and adapt to compromises of cyber resources in order to maximize mission or business operations.
- Desired State : see document
- See Desired State Specification.
- A defined value, list, or rule (specification) that a) states or b) allows the computation of the state that the organization desires in order to reduce information security risk. Desired state specifications are generally statements of policy.
- Desired State Specification : see document
- See Desired State Specification.
- A defined value, list, or rule (specification) that a) states or b) allows the computation of the state that the organization desires in order to reduce information security risk. Desired state specifications are generally statements of policy.
- Destination Address : see document
- Destination Network Address Translation : see document
- Destination-based Remotely Triggered Black-Holing : see document
- destroy : see document
- An action applied to a key or a piece of secret data. After a key or a piece of secret data is destroyed, no information about its value can be recovered.
- An action applied to a key or other piece of secret data. After a piece of secret data is destroyed, no information about its value can be recovered.
- An action applied to a key or a piece of secret data. After a key or a piece of secret data is destroyed, no information about its value can be recovered.
- A method of erasing electronically stored data, cryptographic keys, and credentials service providers (CSPs) by altering or deleting the contents of the data storage to prevent recovery of the data.
- In this Recommendation, to destroy is an action applied to a key or a piece of secret data. After a key or a piece of secret data is destroyed, no information about its value can be recovered.
- In this Recommendation, an action applied to a key or a piece of secret data. After a key or a piece of secret data is destroyed, no information about its value can be recovered. Also known as zeroization in FIPS 140.
- A method of sanitization that renders Target Data recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the media for storage of data.
- An action applied to a key or a piece of (secret) data. In this Recommendation, after a key or a piece of data is destroyed, no information about its value can be recovered.
- Destroyed state : see document
- A lifecycle state of a key whereby the key is no longer available and cannot be reconstructed.
- A key state to which a key transitions when it is destroyed. Although the key no longer exists, its previous existence may be recorded (e.g., in metadata or audit logs).
- DET : see document
- Detection Error Tradeoff (characteristic) – A plot of FRR vs. FAR, or FNMR vs. FMR, used to inform security-convenience tradeoffs in (biometric) authentication processes
- detailed assessment : see document
- An assessment that contains all the elements (critical and non-critical) for a given breadth.
- Detect : see document
- detect (CSF function) : see document
- Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Detect, Anomalies and Events : see document
- Deterministic Algorithm : see document
- An algorithm that, given the same inputs, always produces the same outputs.
- Deterministic Random Bit Generator : see document
- An RBG that includes a DRBG mechanism and (at least initially) has access to a randomness source. The DRBG produces a sequence of bits from a secret initial value called a seed, along with other possible inputs. A DRBG is often called a Pseudorandom Number (or Bit) Generator. Contrast with NRBG.
- An RBG that includes a DRBG mechanism and (at least initially) has access to a source of entropy input. The DRBG produces a sequence of bits from a secret initial value called a seed, along with other possible inputs. A DRBG is often called a Pseudorandom Number (or Bit) Generator.
- See Deterministic random bit generator (DRBG).
- See Deterministic Random Bit Generator.
- A random bit generator that includes a DRBG algorithm and (at least initially) has access to a source of randomness. The DRBG produces a sequence of bits from a secret initial value called a seed, along with other possible inputs. A cryptographic DRBG has the additional property that the output is unpredictable, given that the seed is not known. A DRBG is sometimes also called a Pseudo-random Number Generator (PRNG) or a deterministic random number generator.
- A random bit generator that includes a DRBG algorithm and (at least initially) has access to a source of randomness. The DRBG produces a sequence of bits from a secret initial value called a seed. A cryptographic DRBG has the additional property that the output is unpredictable given that the seed is not known. A DRBG is sometimes also called a pseudo-random number generator (PRNG) or a deterministic random number generator.
- An algorithm that produces a sequence of bits that are uniquely determined from an initial value called a seed. The output of the DRBG “appears” to be random, i.e., the output is statistically indistinguishable from random values. A cryptographic DRBG has the additional property that the output is unpredictable, given that the seed is not known. A DRBG is sometimes also called a Pseudo Random Number Generator (PRNG) or a deterministic random number generator.
- Developers Alliance for Standards Harmonization : see document
- Developing the Curriculum : see document
- Development Kit : see document
- Development Operations (DevOps) : see document
- A set of practices for automating the processes between software development and information technology operations teams so that they can build, test, and release software faster and more reliably. The goal is to shorten the systems development life cycle and improve reliability while delivering features, fixes, and updates frequently in close alignment with business objectives.
- Development, Security, and Operations : see document
- Device : see document
- A combination of components that function together to serve a specific purpose.
- In automated assessment, a type of assessment object that is either an IP addressable (or equivalent) component of a network or a removable component that is of security significance.
- Device Cybersecurity Capability : see document
- A cybersecurity feature or function provided by an IoT device through its own technical means (i.e., device hardware and software).
- Cybersecurity features or functions that computing devices provide through their own technical means (i.e., device hardware and software).
- Device Cybersecurity Capability Core Baseline : see document
- device distribution profile : see document
- An approval-based access control list (ACL) for a specific product that 1) names the user devices in a specific KMI operating account (KOA) to which primary services nodes (PRSNs) distribute the product and 2) states conditions of distribution for each device.
- Device Identifier : see document
- A context-unique value—a value unique within a specific context—that is associated with a device (for example, a string consisting of a network address).
- Device Identifier Composition Engine : see document
- Device Identity : see document
- device registration manager : see document
- The management role that is responsible for performing activities related to registering users that are devices.
- Device Role : see document
- A device role is a group of devices with the same rules. For example, the list of white-listed software for a server is likely different from that for a workstation. This would cause servers and devices to have separate device roles.
- Device-To-Device : see document
- DevID : see document
- Devkit : see document
- DevOps : see document
- DevSecOps : see document
- DEX : see document
- DFA : see document
- DFARS : see document
- DFR : see document
- DFW : see document
- DG : see document
- DH : see document
- A method used to securely exchange or establish secret keys across an insecure network. Ephemeral Diffie-Hellman is used to create temporary or single-use secret keys.
- The (non-cofactor) FFC Diffie-Hellman key-agreement primitive.
- DHCP : see document
- DHE : see document
- DHHS : see document
- DHK : see document
- DHkey : see document
- DHS : see document
- DI : see document
- The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing, and while in transit.
- Assurance that the data are unchanged from creation to reception.
- The property that data has not been altered by an unauthorized entity.
- The property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner.
- DIA : see document
- Diabetes Technology Social : see document
- DIACAP : see document
- Diagnostics : see document
- Information concerning known failure modes and their characteristics. Such information can be used in troubleshooting and failure analysis to help pinpoint the cause of a failure and help define suitable corrective measures.
- DIAS : see document
- Documents the results of the digital identity risk management process. This includes the impact assessment, initial assurance level selection, and tailoring process.
- DIB : see document
- DIB CS : see document
- DICE : see document
- DICOM : see document
- Dictionary Contributor : see document
- An organization or person that submits new identifier CPE names to a dictionary for inclusion.
- Dictionary Creator : see document
- An organization that instantiates a CPE dictionary that conforms to the guidance within this specification. A dictionary creator is the organization that is ultimately responsible for the dictionary.
- Dictionary Maintainer : see document
- An organization that manages a CPE dictionary and all processes relating to that CPE dictionary. In the majority of cases, the organization that serves as the dictionary creator for a specific CPE dictionary will also serve as the dictionary maintainer. Otherwise, generally the dictionary maintainer is supporting the dictionary on behalf of the dictionary creator.
- Dictionary Management Documents : see document
- A set of documentation that captures the rules and processes specific to a CPE dictionary.
- Dictionary Search : see document
- The process of determining which identifier names within a CPE dictionary are members of a source name that represents a set of products.
- Dictionary User : see document
- An organization, individual, product, or service that consumes a CPE dictionary for any purpose.
- DICWG : see document
- DID : see document
- Differential Analysis aided Power Attack : see document
- Differential Fault Attack : see document
- Differential Power Analysis : see document
- differential privacy : see document
- A rigorous mathematical definition of disclosure that considers the risk that an individual's confidential data may be learned as a result of a mathematical analysis based on that data being made publicly available.
- A mathematical framework that quantifies privacy risk to individuals as a consequence of data collection and subsequent data release.
- Differential Quaternary Phase Shift Keying : see document
- differentially private Stochastic Gradient Descent : see document
- differentially private synthetic dataset : see document
- A synthetic dataset that is produced by mechanisms that satisfy differential privacy.
- Differentiated Services Code Point : see document
- Diffie Hellman (algorithm) : see document
- The (non-cofactor) FFC Diffie-Hellman key-agreement primitive.
- Diffie-Hellman : see document
- A method used to securely exchange or establish secret keys across an insecure network. Ephemeral Diffie-Hellman is used to create temporary or single-use secret keys.
- The (non-cofactor) FFC Diffie-Hellman key-agreement primitive.
- Diffie-Hellman Key : see document
- Diffie-Hellman key exchange : see document
- The (non-cofactor) FFC Diffie-Hellman key-agreement primitive.
- diffusion models : see document
- A class of latent variable generative models consisting of three major components: a forward process, a reverse process, and a sampling procedure. The goal of the diffusion model is to learn a diffusion process that generates the probability distribution of a given dataset. It is widely used in computer vision on a variety of tasks, including image denoising, inpainting, super-resolution, and image generation.
- Digest : see document
- Digital : see document
- The coding scheme generally used in computer technology to represent data.
- Digital asset : see document
- Any asset that is purely digital, or is a digital representation of a physical asset.
- Digital Certificate : see document
- Certificate (as defined above).
- Digital Evidence : see document
- Electronic information stored or transmitted in binary form.
- Digital Fingerprint : see document
- A hash that uniquely identifies data. Changing a single bit in the data stream used to generate the message digest will yield a completely different message digest.
- A digital signature that uniquely identifies data and has the property that changing a single bit in the data will cause a completely different message digest to be generated.
- A cryptographic checksum, typically generated for a file, that can be used to detect changes to the file. Synonymous with hash value/result.
- A digital signature that uniquely identifies data and has the property that changing a single bit in the data will cause a completely different message digest to be generated.
- The result of applying a hash function to a message.
- digital forensics : see document
- In its strictest connotation, the application of computer science and investigative procedures involving the examination of digital evidence - following proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possibly expert testimony.
- The application of science to the identification, collection, examination, and analysis, of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.
- The process used to acquire, preserve, analyze, and report on evidence using scientific methods that are demonstrably reliable, accurate, and repeatable such that it may be used in judicial proceedings.
- digital identity : see document
- Unique group element <span class="math-tex">\(0\)</span> for which <span class="math-tex">\(x+0=x\)</span> for each group element <span class="math-tex">\(x\)</span>, relative to the binary group operator <span class="math-tex">\(+\)</span>.
- The unique representation of a subject engaged in an online transaction. A digital identity is always unique in the context of a digital service, but does not necessarily need to uniquely identify the subject in all contexts. In other words, accessing a digital service may not mean that the subject’s real-life identity is known.
- An attribute or set of attributes that uniquely describes a subject within a given context.
- The set of physical and behavioral characteristics by which an individual is uniquely recognizable.
Note: This also encompasses non-person entities (NPEs).
- The set of physical and behavioral characteristics by which an individual is uniquely recognizable.
- Information that is unique within a security domain and which is recognized as denoting a particular entity within that domain.
- Digital Identity Acceptance Statement : see document
- Documents the results of the digital identity risk management process. This includes the impact assessment, initial assurance level selection, and tailoring process.
- Digital Imaging and Communications in Medicine : see document
- digital infrastructure : see document
- The ability to store and exchange data through a centralized communication system. Data communication and exchange are all simplified with the right software and hardware equipment.
- Digital Instrumentation and Control Working Group : see document
- digital media : see document
- A form of electronic media where data are stored in digital (as opposed to analog) form.
- A form of electronic media where data is stored in digital (as opposed to analog) form.
- Digital Policy Management : see document
- Digital Rights Management : see document
- Digital Security by Design : see document
- Digital Signal Processor : see document
- digital signature : see document
- The result of a cryptographic transformation of data that, when properly implemented, provides a mechanism for verifying origin authentication, data integrity, and signatory non-repudiation.
- The result of a cryptographic transformation of data that, when properly implemented, provides a mechanism to verify origin authenticity and data integrity and to enforce signatory non-repudiation.
- The result of a cryptographic transformation of data that, when properly implemented, provides a mechanism for verifying origin authentication, data integrity, and signatory non-repudiation.
- An asymmetric key operation in which the private key is used to digitally sign data, and the public key is used to verify the signature. Digital signatures provide authenticity protection, integrity protection, and non-repudiation support but not confidentiality or replay attack protection.
- The result of a cryptographic transformation of data which, when properly implemented, provides the services of: 1. origin authentication, 2. data integrity, and 3. signer non-repudiation.
- The result of a cryptographic transformation of data that, when properly implemented, provides the services of: 1. origin authentication, 2. data integrity, and 3. signer non-repudiation.
- An asymmetric key operation where the private key is used to digitally sign data and the public key is used to verify the signature. Digital signatures provide authenticity protection, integrity protection, and non-repudiation, but not confidentiality protection.
- The result of a cryptographic transformation of data that, when properly implemented, provides origin authentication, assurance of data integrity and signatory non-repudiation.
- The output that results from the successful completion of a digital signature algorithm operating on data (e.g., a message) that is to be signed. When used appropriately, a digital signature can provide assurance of data integrity, origin authentication, and signatory non-repudiation. See [FIPS 186-3] for details.
- The result of applying two cryptographic functions (a hash function, followed by a digital signature function; see FIPS 186-3 for details). When the functions are properly implemented, the digital signature provides origin authentication, data integrity protection and signatory non-repudiation.
- a data unit that allows a recipient of a message to verify the identity of the signatory and integrity of the message.
- The result of a cryptographic transformation of data that, when properly implemented with a supporting infrastructure and policy, provides the services of:
1. Origin authentication,
2. Data integrity, and
3. Signer non-repudiation.
- The result of a transformation of a message by means of a cryptographic system using keys such that a Relying Party can determine: (1) whether the transformation was created using the private key that corresponds to the public key in the signer’s digital certificate; and (2) whether the message has been altered since the transformation was made.
- The result of a cryptographic transformation of data that, when properly implemented, provides the services of:
1. origin authentication,
2. data integrity, and
3. signer non-repudiation.
- The result of a cryptographic transformation of data that, when properly implemented, provides origin authentication, data integrity and signatory non-repudiation.
- The result of a cryptographic transformation of data that, when properly implemented, provides the services of: 1. Source/entity authentication, 2. Data integrity authentication, and/or 3. Support for signer non-repudiation.
- The result of a cryptographic transformation of data that, when properly implemented, provides origin authentication, assurance of data integrity and supports signatory nonrepudiation.
- The result of a cryptographic transformation of data that, when properly implemented with a supporting infrastructure and policy, provides the services of:
1. Origin (i.e., source) authentication,
2. Data integrity authentication, and
3. Support for signer non-repudiation.
- The result of a cryptographic transformation of data that, when properly implemented, provides the services of 1. Source authentication, 2. Data integrity, and 3. Support for signer non-repudiation.
- The result of a cryptographic transformation of data that, when properly implemented with a supporting infrastructure and policy, provides the services of: 1. Source/identity authentication, 2. Data integrity authentication, and/or 3. Support for signer non-repudiation.
- The result of a cryptographic transformation of data that, when properly implemented, provides source authentication, assurance of data integrity, and supports signatory non-repudiation.
- The result of a cryptographic transformation of data that, when properly implemented, provides origin authentication, assurance of data integrity, and signatory non-repudiation.
- The result of a cryptographic transformation of data that, when properly implemented, provides the services of origin authentication, data integrity, and signer nonrepudiation.
- A cryptographic technique that utilizes asymmetric keys to determine authenticity (i.e., users can verify that the message was signed with a private key corresponding to the specified public key), non-repudiation (a user cannot deny having sent a message), and integrity (that the message was not altered during transmission).
- The result of a cryptographic transformation of data that, when properly implemented with a supporting infrastructure and policy, provides the services of: 1. Origin authentication, 2. Data integrity, and 3. Signer non-repudiation.
- An asymmetric key operation where the private key is used to digitally sign data and the public key is used to verify the signature. Digital signatures provide authenticity protection, integrity protection, and non-repudiation.
- Digital Signature Algorithm : see document
- the digital signature algorithm specified in FIPS PUB 186.
- A public-key algorithm that is used for the generation and verification of digital signatures.
- Digital Signature Algorithm specified in [FIPS 186].
- A Federal Information Processing Standard for digital signatures, based on the mathematical concept of modular exponentiations and the discrete logarithm problem.
- Digital Signature Standard : see document
- Digital Subscriber Line : see document
- digital transaction : see document
- A discrete digital event between a user and a system that supports a business or programmatic purpose.
- A discrete event between a user and a system that supports a business or programmatic purpose.
A government digital system may have multiple categories or types of transactions, which may require separate analysis within the overall digital identity risk assessment.
- A discrete event between a user and a system that supports a business or programmatic purpose. A government digital system may have multiple categories or types of transactions, which may require separate analysis within the overall digital identity risk assessment.
- A recording of an event, such as the transfer of assets (digital currency, units of inventory, etc.) between parties, or the creation of new assets.
- A recording of an event, such as the transfer of tokens between parties, or the creation of new assets.
- digital twin : see document
- The virtual (i.e., digital) representation of a physical or perceived real-world entity, concept, or notion.
- digital twin application software : see document
- A software application that comprehends, manipulates, reads, writes, or modifies digital twin definitions and instances according to the digital twin standard.
- digital twin definition : see document
- A machine-readable specification that describes features that may be modeled for a particular type of real-world entity.
- digital twin instance : see document
- A digital data structure, object, or entity in a computer software environment that represents a specific physical instance of a real-world object whose type or class is given by an associated digital twin definition.
- Digital Versatile Disc-Recordable : see document
- A write-once (read only) DVD for both movies and data endorsed by the DVD Forum.
- Digital Video Disc : see document
- A Digital Video Disc (DVD) has the same shape and size as a CD, but with a higher density that gives the option for data to be double-sided and/or double-layered.
- Has the same shape and size as a CD, but with a higher density that gives the option for data to be double-sided and/or double-layered.
- Digital Video Recorder : see document
- DIMA : see document
- DIMM : see document
- direct BLACK wireline : see document
- A BLACK metallic wireline that directly leaves the inspectable space in a continuous electrical path with no signal interruption or isolation. Continuous wirelines may be patched or spliced. Examples of wirelines that directly leave the inspectable space are analog telephone lines, commercial television cables, and alarm lines. Wirelines that do not leave the inspectable space are wirelines that pass through a digital switch or converter that reestablishes the signal level or reformats the signaling. Examples of BLACK wirelines that do not directly leave the inspectable space are telephone lines that connect to digital telephone switches, Ethernet lines that connect to digital network routers and alarm lines that connect to an alarm panel.
- Direct Current : see document
- Direct Digital Manufacturing : see document
- fabricating physical objects from a data file using computer-controlled processes with little to no human intervention. It includes Additive Manufacturing (AM), 3D printing, and rapid prototyping.
- Direct Memory Access : see document
- Direct Platform Data : see document
- direct prompt injection : see document
- A direct prompting attack in which the attacker exploits prompt injection.
- direct prompting attack : see document
- In the generative AI context, an attack conducted by the primary user of the system through query access (e.g., as opposed to through resource control).
- Direct Random String : see document
- In the RBG-based construction of IVs, an output string of an RBG that is used as the random field for an IV.
- Directed Acyclic Graph : see document
- Directly Attached Storage : see document
- directly identifying variables : see document
- a category of data that contains direct identifiers
- Director Central Intelligence Directive : see document
- Director of National Intelligence : see document
- Directory : see document
- Organizational structures that are used to group files together.
- Directory Services Protector : see document
- Directory Services Restore Mode : see document
- Direct-Sequence Spread Spectrum : see document
- Direct-To-Consumer : see document
- dirty word list : see document
- A list of discrete entities that have been previously determined to be associated with malicious activity.
- A list of discrete entities, such as hosts, email addresses, network port numbers, runtime processes, or applications, that have been previously determined to be associated with malicious activity.
- List of words that have been pre-defined as being unacceptable for transmission and may be used in conjunction with a clean word list to avoid false negatives (e.g., secret within secretary).
- DIS : see document
- DISA : see document
- disallowed : see document
- The algorithm or key length is no longer allowed for applying cryptographic protection.
- Disaster Recovery : see document
- disciplined oscillator : see document
- An oscillator whose output frequency is continuously adjusted (often through the use of a phase locked loop) to agree with an external reference. For example, a GPS disciplined oscillator (GPSDO) usually consists of a quartz or rubidium oscillator whose output frequency is continuously adjusted to agree with signals broadcast by the GPS satellites.
- Disclosure Review Board : see document
- Discovery : see document
- The act of locating a machine-processable description of a Web service-related resource that may have been previously unknown and that meets certain functional criteria. It involves matching a set of functional and other criteria with a set of resource descriptions. The goal is to find an appropriate Web service-related resource.
- Discovery Service : see document
- A service that enables agents to retrieve Web services-related resource description.
- Discrete Fourier Transform Test : see document
- The purpose of this test is to detect periodic features (i.e., repetitive patterns that are near each other) in the tested sequence that would indicate a deviation from the assumption of randomness.
- Discrete Logarithm Cryptography : see document
- Discrete Logarithm Cryptography, which is comprised of both Finite Field Cryptography (FFC) and Elliptic Curve Cryptography (ECC).
- Discrete Process : see document
- A type of process where a specified quantity of material moves as a unit (part or group of parts) between work stations and each unit maintains its unique identity.
- discretionary access control (DAC) : see document
- An access control policy that is enforced over all subjects and objects in an information system where the policy specifies that a subject that has been granted access to information can do one or more of the following: (i) pass the information to other subjects or objects; (ii) grant its privileges to other subjects; (iii) change security attributes on subjects, objects, information systems, or system components; (iv) choose the security attributes to be associated with newly-created or revised objects; or (v) change the rules governing access control. Mandatory access controls restrict this capability.
- leaves a certain amount of access control to the discretion of the object's owner, or anyone else who is authorized to control the object's access. The owner can determine who should have access rights to an object and what those rights should be.
- A means of restricting access to objects (e.g., files, data entities) based on the identity and need-to-know of subjects (e.g., users, processes) and/or groups to which the object belongs. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control).
- An access control policy that is enforced over all subjects and objects in a system where the policy specifies that a subject that has been granted access to information can do one or more of the following: pass the information to other subjects or objects; grant its privileges to other subjects; change the security attributes of subjects, objects, systems, or system components; choose the security attributes to be associated with newly-created or revised objects; or change the rules governing access control. Mandatory access controls restrict this capability.
- Discretionary Access Control List : see document
- discriminative : see document
- A type of machine learning method that learns to discriminate between classes.
- discussion : see document
- Statements used to provide additional explanatory information for security controls or security control enhancements.
- Disinfecting : see document
- Removing malware from within a file.
- disinformation : see document
- The process of providing deliberately deceptive information to adversaries to mislead or confuse them regarding the security posture of the system or organization or the state of cyber preparedness.
- Disintegration : see document
- A physically Destructive method of sanitizing media; the act of separating into component parts.
- Disk image : see document
- A virtual representation of a real disk drive.
- Disk Imaging : see document
- Generating a bit-for-bit copy of the original media, including free space and slack space.
Also known as a bit stream image.
- Disk-to-Disk Copy : see document
- Copying the contents of media directly to another media.
- Disk-to-File Copy : see document
- Copying the contents of media to a single logical data file.
- DISN : see document
- Disposal : see document
- Disposal is a release outcome following the decision that media does not contain sensitive data. This occurs either because the media never contained sensitive data or because Sanitization techniques were applied and the media no longer contains sensitive data.
- disruption : see document
- An unplanned event that causes the general system or major application to be inoperable for an unacceptable length of time (e.g., minor or extended power outage, extended unavailable network, or equipment or facility damage or destruction).
- An unplanned event that causes an information system to be inoperable for a length of time (e.g., minor or extended power outage, extended unavailable network, or equipment or facility damage or destruction).
- distinguishable information : see document
- Information that can be used to identify an individual.
- information that can be used to identify an individual
- distinguished name (DN) : see document
- An identifier that uniquely represents an object in the X.500 directory information tree.
- distinguishing identifier : see document
- Information which unambiguously distinguishes an entity in the authentication process.
- Distributed Computing Environment : see document
- distributed denial of service (DDoS) : see document
- A denial of service technique that uses numerous hosts to perform the attack.
- distributed energy resource : see document
- Distributed Firewall : see document
- Distributed Ledger Technology : see document
- Distributed Logical Router : see document
- Distributed network : see document
- A network configuration where every participant can communicate with one another without going through a centralized point. Since there are multiple pathways for communication, the loss of any participant will not prevent communication. This is also known as peer-to-peer network.
- Distributed Network Protocol : see document
- DNP3 Distributed Network Protocol (published as IEEE 1815)
- distributed self-assessment : see document
- The least formal type of assessment; the element judgments are based on the evaluations by small groups that work in parallel.
- The least formal type of assessment; the element judgments are based on the evaluations by small groups that work in parallel.
- Distribution : see document
- The transport of a key and other keying material from an entity that either owns or generates the key to another entity that is intended to use the key.
- The transport of a key and other keying material from an entity that either owns the key or generates the key to another entity that is intended to use the key.
- The transport of key information from one entity (the sender) to one or more other entities (the receivers). The sender may have generated the key information or acquired it from another source as part of a separate process. The key information may be distributed manually or using automated key transport mechanisms.
- The transport of a key and other keying material from an entity that either owns, generates or otherwise acquires the key to another entity that is intended to use the key.
- Distribution System : see document
- District of Columbia : see document
- Disturbance : see document
- An undesired change in a variable being applied to a system that tends to adversely affect the value of a controlled variable.
- DIT : see document
- DITSCAP : see document
- DIV : see document
- Diversifier : see document
- Diversifier Hiding Key : see document
- DKEYx(Y) : see document
- Decrypt Y with the key KEYx
- DKIM : see document
- DLC : see document
- Discrete Logarithm Cryptography, which is comprised of both Finite Field Cryptography (FFC) and Elliptic Curve Cryptography (ECC).
- DLL : see document
- DLO : see document
- DLP : see document
- DLR : see document
- DLT : see document
- DMA : see document
- DMARC : see document
- DMZ : see document
- A perimeter network or screened subnet separating an internal network that is more trusted from an external network that is less trusted.
- A network created by connecting two firewalls. Systems that are externally accessible but need some protections are usually located on DMZ networks.
- DN : see document
- An identifier that uniquely represents an object in the X.500 directory information tree.
- DNA : see document
- DNAT : see document
- DNI : see document
- DNP3 : see document
- DNP3 Distributed Network Protocol (published as IEEE 1815)
- DNS : see document
- The system by which Internet domain names and addresses are tracked and regulated as defined by IETF RFC 1034 and other related RFCs.
- DNS Administrator : see document
- Used in this document to cover the person (or persons) tasked with updating zone data and operating an enterprise’s DNS server. This term may actually cover several official roles, but these roles are covered by one term here.
- DNS Full Zone Transfer Query Type : see document
- DNS Security Extensions : see document
- DNS-Based Authentication of Named Entities : see document
- DNSBL : see document
- DNS-SD : see document
- DNSSEC : see document
- DNSSEC-Aware Name Server : see document
- An entity acting in the role of a name server that understands the DNS security extensions defined in this document set. In particular, a DNSSEC-aware name server is an entity that receives DNS queries, sends DNS responses, supports the EDNS0 [RFC 2671] message size extension and the DO bit [RFC 4035], and supports the RR types and message header bits defined in this document set.
- DNSSEC-Aware Recursive Name Server : see document
- An entity that acts in both the DNSSEC-aware name server and DNSSEC-aware resolver roles. A more cumbersome equivalent phrase would be “a DNSSEC-aware name server that offers recursive service.” Also sometimes referred to as a “security-aware caching name server.”
- DNSSEC-Aware Resolver : see document
- An entity acting in the role of a resolver (defined in section 2.4 of [RFC 4033]) that understands the DNS security extensions. In particular, a DNSSEC-aware resolver is an entity that sends DNS queries, receives DNS responses, and understands the DNSSEC specification, even if it is incapable of performing validation.
- DNSSEC-Aware Stub Resolver : see document
- An entity acting in the role of a stub resolver that has an understanding of the DNS security extensions. DNSSEC-aware stub resolvers may be either “validating” or “nonvalidating,” depending on whether the stub resolver attempts to verify DNSSEC signatures on its own or trusts a friendly DNSSEC-aware name server to do so. See also “validating stub resolver” and “nonvalidating stub resolver.”
- DOB : see document
- DOC : see document
- Document Type Definition (DTD) : see document
- A document defining the format of the contents present between the tags in an XML or SGML document, and the way they should be interpreted by the application reading the XML or SGML document.
- DoD : see document
- DoD Cybersecurity Analysis and Review : see document
- DoD Discovery Metadata Standard : see document
- DoD information : see document
- Any information that has not been cleared for public release in accordance with Department of Defense (DoD) Directive 5230.09, “Clearance of DoD Information for Public Release”, and that has been collected, developed, received, transmitted, used, or stored by DoD, or by a non-DoD entity in support of an official DoD activity.
- DoD Information Assurance Certification and Accreditation Process : see document
- DoD Information Technology Security Certification and Accreditation Process : see document
- DoD portion of the Intelligence Mission Area : see document
- DoD Strategy for Operating in Cyberspace : see document
- DODCAR : see document
- DoDD : see document
- DoD-Defense Industrial Base Collaborative Information Sharing Environment : see document
- DoDI : see document
- DoDIN : see document
- DoDM : see document
- DOE : see document
- DOI : see document
- domain : see document
- A set of elements, data, resources, and functions that share a commonality in combinations of (1) roles supported, (2) rules governing their use, and (3) protection needs.
- Set of assets and resources subject to a common security policy.
- A set of systems under common administrative and access control.
- A domain that implements a security policy and is administered by a single authority.
- An environment or context that includes a set of system resources and a set of system entities that have the right to access the resources as defined by a common security policy, security model, or security architecture. See Security Domain.
- The term domain refers to a part of the network that is administered by a single authority.
- A set of subjects, their information objects, and a common security policy.
- An environment or context that includes a set of system resources and a set of system entities that have the right to access the resources as defined by a common security policy, security model, or security architecture.
- A distinct group of computers under a central administration or authority.
- A logical structure, group or sphere of influence over which control is exercised.
- A domain within which behaviors, interactions, and outcomes occur and that is defined by a governing security policy.
Note: A security domain is defined by rules for users, processes, systems, and services that apply to activity within the domain and activity with similar entities in other domains.
- Domain authority : see document
- An FCKMS role that is responsible for determining whether another domain’s FCKMS Security Policy is equivalent to or compatible with its own domain policy. The FCKMS system authority often performs this role.
- Domain Controller : see document
- A server responsible for managing domain information, such as login identification and passwords.
- Domain Keys Identified Mail : see document
- Domain Name : see document
- A label that identifies a network domain using the Domain Naming System.
- Domain Name Server : see document
- The internet's equivalent of a phone book. It maintains a directory of domain names, as defined by the Domain Name System, and translates them to Internet Protocol addresses.
- Domain Name System (DNS) : see document
- The system by which Internet domain names and addresses are tracked and regulated as defined by IETF RFC 1034 and other related RFCs.
- Domain Name System Blacklist : see document
- Domain Name System Security Extensions : see document
- Domain Name System Service Discovery : see document
- Domain of Interpretation : see document
- Domain of Use : see document
- The intended usage of a format
- Domain parameter : see document
- Parameters used with cryptographic algorithms that are usually common to a domain of users. An ECDSA or EdDSA cryptographic key pair is associated with a specific set of domain parameters.
- The parameters used with a cryptographic algorithm that are common to a domain of users.
- A parameter used in conjunction with some public-key algorithms to generate key pairs, to create digital signatures, or to establish keying material.
- Parameters used with a cryptographic algorithm that are usually common to a domain of users.
- Parameters used in conjunction with some public-key algorithms to generate key pairs, to create digital signatures, or to establish keying material.
- A parameter used in conjunction with some public-key algorithms to generate key pairs or to perform cryptographic operations (e.g., to create digital signatures or to establish keying material).
- Domain parameter seed : see document
- A string of bits that is used as input for a domain parameter generation or validation process.
- Domain Separation : see document
- For a function, a partitioning of the inputs to different application domains so that no input is assigned to more than one domain.
- Domain Services : see document
- Domain-based Message Authentication, Reporting and Conformance : see document
- DomainKeys Identified Mail : see document
- dominance rule : see document
- A cell is regarded as confidential, if the n largest units contribute more than k % to the cell total, e.g., n=2 and k=85 means that a cell is defined as risky if the two largest units contribute more than 85 % to the cell total. The n and k are given by the statistical authority. In some NSOs [national statistical office] the values of n and k are confidential.
- Donor eNodeB : see document
- DoS : see document
- The prevention of authorized access to a system resource or the delaying of system operations and functions.
- The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided).
- The prevention of authorized access to resources or the delaying of time-critical operations.
- The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided.)
- DoT : see document
- Dots Per Inch : see document
- Double spend (attack) : see document
- An attack where a blockchain network user attempts to explicitly double spend a digital asset.
- Double spend (problem) : see document
- Transacting with the same set of digital assets more than once. This is a problem which has plagued many digital money systems, and a problem that most blockchain networks are designed to prevent.
- Double-Block-Length : see document
- Downgrading : see document
- An authorized reduction in the level of protection to be provided to specified information, e.g., from a Moderate impact-level down to a Low impact-level.
- downlink : see document
- Communication that originates from the satellite to the ground.
- DP : see document
- A rigorous mathematical definition of disclosure that considers the risk that an individual's confidential data may be learned as a result of a mathematical analysis based on that data being made publicly available.
- A mathematical framework that quantifies privacy risk to individuals as a consequence of data collection and subsequent data release.
- Access control rules that compile directly into machine executable codes or signals. Subject/object attributes, operations, and environment conditions are the fundamental elements of digital policy, the building blocks of digital policy rules, which are enforced by an access control mechanism.
- DPA : see document
- DPC : see document
- A credential issued based on proof of possession and control of a PIV Card. Derived PIV credentials are typically used in situations that do not easily accommodate a PIV Card, such as in conjunction with mobile devices.
- An X.509 Derived PIV Authentication certificate, which is issued in accordance with the requirements specified in this document where the PIV Authentication certificate on the Applicant’s PIV Card serves as the original credential. The Derived PIV Credential is an additional common identity credential under HSPD-12 and FIPS 201 that is issued by a Federal department or agency and that is used with mobile devices.
- A credential issued based on proof of possession and control of the PIV Card, so as not to duplicate the identity proofing process as defined in [NIST SP 800-63-2]. A Derived PIV Credential token is a hardware or software based token that contains the Derived PIV Credential.
- An X.509 Derived PIV Authentication certificate with associated public and private key that is issued in accordance with the requirements specified in this document where the PIV Authentication certificate on the applicant’s PIV Card serves as the original credential. The Derived PIV Credential (DPC) is an additional common identity credential under Homeland Security Presidential Directive-12 and Federal Information Processing Standards (FIPS) 201 that is issued by a federal department or agency and is used with mobile devices.
- DPCI : see document
- Derived PIV Credential (and associated token) Issuer; an issuer of Derived PIV Credentials as defined in [NIST SP 800-63-2] and [NIST SP 800-157].
- DPD : see document
- DPI : see document
- dpi : see document
- DPM : see document
- DP-SGD : see document
- DQPSK : see document
- DR : see document
- Draft International Standard : see document
- DRAM : see document
- DRB : see document
- DRBG : see document
- An RBG that includes a DRBG mechanism and (at least initially) has access to a randomness source. The DRBG produces a sequence of bits from a secret initial value called a seed, along with other possible inputs. A DRBG is often called a Pseudorandom Number (or Bit) Generator. Contrast with NRBG.
- An RBG that includes a DRBG mechanism and (at least initially) has access to a source of entropy input. The DRBG produces a sequence of bits from a secret initial value called a seed, along with other possible inputs. A DRBG is often called a Pseudorandom Number (or Bit) Generator.
- DRBG mechanism : see document
- The portion of an RBG that includes the functions necessary to instantiate and uninstantiate the RBG, generate pseudorandom bits, (optionally) reseed the RBG, and test the health of the DRBG mechanism.
- The portion of an RBG that includes the functions necessary to instantiate and uninstantiate the RBG, generate pseudorandom bits, (optionally) reseed the RBG and test the health of the DRBG mechanism. Approved DRBG mechanisms are specified in SP 800-90A.
- DRBG Mechanism Boundary : see document
- A conceptual boundary that is used to explain the operations of a DRBG mechanism and its interaction with and relation to other processes. (See min-entropy.)
- Driver Execution Environment : see document
- DRM : see document
- A potential mapping between Reference Document Elements identified by finding elements from two or more Reference Documents that map to the same Focal Document Element.
- DRP : see document
- A written plan for processing critical applications in the event of a major hardware or software failure or destruction of facilities.
- DS : see document
- DSA : see document
- The digital signature algorithm specified in FIPS PUB 186.
- A public-key algorithm that is used for the generation and verification of digital signatures.
- Digital Signature Algorithm specified in [FIPS 186].
- A Federal Information Processing Standard for digital signatures, based on the mathematical concept of modular exponentiations and the discrete logarithm problem.
- DSB : see document
- DSbD : see document
- DSCP : see document
- DSIG : see document
- The result of a cryptographic transformation of data which, when properly implemented, provides the services of: 1. origin authentication, 2. data integrity, and 3. signer non-repudiation.
- An asymmetric key operation where the private key is used to digitally sign data and the public key is used to verify the signature. Digital signatures provide authenticity protection, integrity protection, and non-repudiation, but not confidentiality protection.
- The result of a transformation of a message by means of a cryptographic system using keys such that a Relying Party can determine: (1) whether the transformation was created using the private key that corresponds to the public key in the signer’s digital certificate; and (2) whether the message has been altered since the transformation was made.
- The result of a cryptographic transformation of data that, when properly implemented, provides origin authentication, assurance of data integrity, and signatory non-repudiation.
- The result of a cryptographic transformation of data that, when properly implemented, provides the services of origin authentication, data integrity, and signer nonrepudiation.
- An asymmetric key operation where the private key is used to digitally sign data and the public key is used to verify the signature. Digital signatures provide authenticity protection, integrity protection, and non-repudiation.
- DSL : see document
- DSN : see document
- DSOC : see document
- DSP : see document
- DSRM : see document
- DSS : see document
- DSS PCI : see document
- DT : see document
- The virtual (i.e., digital) representation of a physical or perceived real-world entity, concept, or notion.
- DTC : see document
- DTD : see document
- DTLS : see document
- DTR : see document
- DTS : see document
- DUA : see document
- dual authorization : see document
- The system of storage and handling designed to prohibit individual access to certain resources by requiring the presence and actions of at least two authorized persons, each capable of detecting incorrect or unauthorized security procedures with respect to the task being performed.
- Dual In-Line Memory Module : see document
- Dual_EC_DRBG : see document
- A DRBG originally specified in SP 800-90A that has been withdrawn.
- dual-use foundation model : see document
- An AI model that is trained on broad data; generally uses self-supervision; contains at least tens of billions of parameters; is applicable across a wide range of contexts; and that exhibits, or could be easily modified to exhibit, high levels of performance at tasks that pose a serious risk to security, national economic security, national public health or safety, or any combination of those matters, such as by:
  (i) substantially lowering the barrier of entry for non-experts to design, synthesize, acquire, or use chemical, biological, radiological, or nuclear (CBRN) weapons;
  (ii) enabling powerful offensive cyber operations through automated vulnerability discovery and exploitation against a wide range of potential targets of cyber attacks; or
  (iii) permitting the evasion of human control or oversight through means of deception or obfuscation.
  Models meet this definition even if they are provided to end users with technical safeguards that attempt to prevent users from taking advantage of the relevant unsafe capabilities.
- Duplicate Digital Evidence : see document
- A duplicate is an accurate digital reproduction of all data objects contained on the original physical item and associated media (e.g., flash memory, RAM, ROM).
- duplicate disk/data dump : see document
- Duty Cycle : see document
- The percentage of time that a device is operating over a specified period. For example, a reader that is emitting energy to communicate with tags for 15 seconds every minute has a duty cycle of 25%.
- DVD : see document
- A Digital Video Disc (DVD) has the same shape and size as a CD, but with a higher density that gives the option for data to be double-sided and/or double-layered.
- Has the same shape and size as a CD, but with a higher density that gives the option for data to be double-sided and/or double-layered.
- DVD+R : see document
- A write-once (read only) version of the DVD+RW from the DVD+RW Alliance.
- DVD+RW : see document
- A rewritable (re-recordable) DVD for both movies and data from the DVD+RW Alliance.
- DVD-R : see document
- A write-once (read only) DVD for both movies and data endorsed by the DVD Forum.
- DVD–Read Only Memory : see document
- DVD-Recordable : see document
- A write-once (read only) DVD for both movies and data endorsed by the DVD Forum.
- DVD-Rewritable : see document
- A rewritable (re-recordable) DVD for both movies and data from the DVD Forum.
- DVD-ROM : see document
- DVD-RW : see document
- A rewritable (re-recordable) DVD for both movies and data from the DVD Forum.
- DVR : see document
- DXE : see document
- Dynamic Access Control List : see document
- dynamic application security testing : see document
- dynamic code analyzer : see document
- A tool that analyzes computer software by executing programs built from the software being analyzed on a real or virtual processor and observing its behavior, probing the application and analyzing application responses.
- Dynamic Core Root of Trust for Measurement : see document
- Dynamic Domain Name System : see document
- Dynamic Host Client Protocol : see document
- Dynamic Host Configuration Protocol : see document
- Dynamic Link Library : see document
- Dynamic Random-Access Memory : see document
- dynamic subsystem : see document
- A subsystem that is not continually present during the execution phase of an information system. Service-oriented architectures and cloud computing architectures are examples of architectures that employ dynamic subsystems.
- Dynamically Linked Library : see document
- E.O. : see document
- E/W : see document
- E3 : see document
- EA : see document
- The description of an enterprise’s entire set of information systems: how they are configured, how they are integrated, how they interface to the external environment at the enterprise’s boundary, how they are operated to support the enterprise mission, and how they contribute to the enterprise’s overall security posture.
- A strategic information asset base, which defines the mission; the information necessary to perform the mission; the technologies necessary to perform the mission; and the transitional processes for implementing new technologies in response to changing mission needs; and includes a baseline architecture; a target architecture; and a sequencing plan.
- EaaS : see document
- EAC : see document
- EACMS : see document
- EAL : see document
- EAN : see document
- EAP : see document
- EAP-FAST : see document
- EAP-MSCHAPv2 : see document
- EAPOL : see document
- EAPOL-KCK : see document
- EAPOL-KEK : see document
- EAP-SIM : see document
- EAP-TLS : see document
- EAP-TTLS : see document
- EAS : see document
- Ease-of-use : see document
- A metric of satisfaction in using a product as established by one or more individuals using the product.
- East/West : see document
- EAT : see document
- e-authentication assurance level : see document
- A measure of trust or confidence in an authentication mechanism defined in publications Office of Management and Budget (OMB)-04-04 and NIST SP 800-63 in terms of four levels: 1: LITTLE OR NO confidence; 2: SOME confidence; 3: HIGH confidence; 4: VERY HIGH confidence.
- Eavesdropper : see document
- A party that secretly receives communications intended for others.
- eBACS : see document
- eBAEAD : see document
- eBASH : see document
- eBGP : see document
- A BGP operation communicating routing information between two or more ASes.
- EBTS : see document
- ebXML : see document
- EC : see document
- Any vulnerability disclosure entity that receives a vulnerability report that is not within the FCB or the VDPO; the EC may be a commercial vulnerability program with no relation to the Government or a separate VDPO within the Government, or it may be the developer of commercial or open-source software.
- EC_CDH : see document
- EC2 : see document
- ECB : see document
- ECC : see document
- Elliptic Curve Cryptography, the public-key cryptographic methods using operations in an elliptic curve group.
- Elliptic curve cryptography.
- ECC Cofactor Diffie-Hellman : see document
- ECC-CDH : see document
- ECCM : see document
- ECDH : see document
- ECDHE : see document
- ECDS : see document
- ECDSA : see document
- A digital signature algorithm that is an analog of DSA using elliptic curve mathematics and specified in ANSI draft standard X9.62.
- A digital signature algorithm that is an analog of DSA using elliptic curves.
- Elliptic Curve Digital Signature Algorithm specified in [ANS X9.62] and approved in [FIPS 186].
- Elliptic Curve Digital Signature Algorithm specified in ANSI X9.62 and approved in FIPS 186.
- ECM : see document
- ECMA : see document
- ECMP : see document
- e-commerce : see document
- The use of network technology (especially the internet) to buy or sell goods and services.
- ECP : see document
- ECRYPT Benchmarking of AEAD algorithms : see document
- ECRYPT Benchmarking of All Submitted Hashes : see document
- ECRYPT Benchmarking of Cryptographic Systems : see document
- ECRYPT STREAM cipher project : see document
- E-CSRR : see document
- ECU : see document
- EDDRB : see document
- EdDSA : see document
- EDGE : see document
- An upgrade to GPRS to provide higher data rates by joining multiple time slots.
- Edge Services Gateway : see document
- EDI : see document
- EDIV : see document
- EDR : see document
- Education : see document
- The ‘Education’ level integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge, adds a multidisciplinary study of concepts, issues, and principles (technological and social), and strives to produce IT security specialists and professionals capable of vision and pro-active response.
- IT security education focuses on developing the ability and vision to perform complex, multi-disciplinary activities and the skills needed to further the IT security profession. Education activities include research and development to keep pace with changing technologies and threats.
- Edwards Curve Digital Signature Algorithm : see document
- EE : see document
- E-E : see document
- EEA : see document
- EEMA : see document
- www.eema.org (pka European Electronic Messaging Association)
- EEPROM : see document
- EFD : see document
- Effective Isotropic Radiated Power : see document
- effective period : see document
- Time span during which each COMSEC key edition (i.e., multiple key segments) remains in effect.
- EFI : see document
- EFI System Partition Storage : see document
- EFP : see document
- EFP-uRPF : see document
- EFS : see document
- e-government (e-gov) : see document
- The use by the U.S. Government of web-based Internet applications and other information technology.
Rationale: General definition of a commonly understood term
- Egress Filtering : see document
- Filtering of outgoing network traffic.
- EHR : see document
- EIA : see document
- EICAR : see document
- EIEMA : see document
- EIR : see document
- EIRP : see document
- EISA : see document
- EISAC : see document
- E-ISAC : see document
- EIT : see document
- EK : see document
- EKEYx(Y) : see document
- Encrypt Y with the key KEYx
- EKMS : see document
- EKU : see document
- EL : see document
- Elastic Compute Cloud : see document
- Election Assistance Commission : see document
- Electric Power Research Institute : see document
- electric vehicle : see document
- electric vehicle supply equipment : see document
- Electric Vehicle Take-Off and Landing : see document
- Electrically Erasable Programmable Read-Only Memory : see document
- Electricity Information Sharing and Analysis Center : see document
- Electricity ISAC : see document
- Electromagnetic : see document
- Electromagnetic Compatibility : see document
- Electromagnetic Environmental Effects : see document
- Electromagnetic Interference : see document
- An electromagnetic disturbance that interrupts, obstructs, or otherwise degrades or limits the effective performance of electronics/electrical equipment.
- Any electromagnetic disturbance that interrupts, obstructs, degrades, or otherwise limits the performance of user equipment.
- Electromagnetic Pulse : see document
- Electronic Access Control and Monitoring System : see document
- Electronic Article Surveillance : see document
- Electronic Biometric Transmission Specification : see document
- electronic business (e-business) : see document
- Doing business online.
Rationale: Term is general and not specific to IA.
- Electronic Business XML (ebXML) : see document
- Sponsored by UN/CEFACT and OASIS, a modular suite of specifications that enable enterprises of any size and in any geographical location to perform business-to-business transactions using XML.
- Electronic Code Book : see document
- Electronic Commerce : see document
- Electronic Control Unit : see document
- Electronic Counter-Countermeasures : see document
- Electronic Countermeasures : see document
- electronic credentials : see document
- Digital documents used in authentication that bind an identity or an attribute to a subscriber's authenticator.
- Electronic Data Interchange : see document
- Electronic Evidence : see document
- Information and data of investigative value that is stored on or transmitted by an electronic device.
- electronic fill device (EFD) : see document
- A COMSEC item used to transfer or store key in electronic form or to insert key into cryptographic equipment.
- Electronic Industries Alliance : see document
- electronic key management system (EKMS) : see document
- An interoperable collection of systems that automate the planning, ordering, generating, distributing, storing, filling, using, and destroying of electronic key and management of other types of COMSEC material.
See key management infrastructure (KMI).
- Electronic Mail : see document
- Electronic Media : see document
- General term that refers to media on which data are recorded via an electrically based process.
- electronic messaging services : see document
- Services providing interpersonal messaging capability; meeting specific functional, management, and technical requirements; and yielding a business-quality electronic mail service suitable for the conduct of official government business.
- Electronic Patient Care Reporting : see document
- Electronic Product Code : see document
- Electronic Product Code (EPC) Identifier : see document
- One of the available formats for encoding identifiers on RFID tags. The EPC is a globally unique number that identifies a specific item in the supply chain. This number may be used to identify a container, pallet, case or individual unit.
- Electronic Product Code Information Services (EPCIS) : see document
- An inter-enterprise subsystem that facilitates information sharing using the EPCglobal network. EPCISs provide information services necessary for the storage, communication and dissemination of EPC data in a secure environment.
- Electronic Protected Health Information : see document
- Information that comes within paragraphs (1)(i) or (1)(ii) of the definition of protected health information as specified in this section (see “protected health information”).
- Information that comes within paragraphs (1)(i) or (1)(ii) of the definition of protected health information (see “protected health information”).
- Electronic Serial Number (ESN) : see document
- A unique 32-bit number programmed into CDMA phones when they are manufactured.
- electronic signature : see document
- See digital signature.
Rationale: Deprecated Term: Given that there is no current consensus on its definition, it is recommended that "digital signature" be used instead, if that context is what is intended.
- electronic/digital file transfer : see document
- Transmission of a file (information) between two systems via a file transfer (communications) protocol.
- electronically generated key : see document
- Key generated in a COMSEC device by introducing (either mechanically or electronically) a seed key into the device and then using the seed, together with a software algorithm stored in the device, to produce the desired key.
- Electrotechnical Commission : see document
- element : see document
- Organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and/or disposal of systems and system components.
- ICT system element is a member of a set of elements that constitutes a system.
- A statement about an ISCM concept that is true for a well-implemented ISCM program.
- Organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components.
- ICT system element: member of a set of elements that constitutes a system.
- Organizations, departments, facilities, or personnel responsible for a particular systems security engineering activity conducted within an engineering process (e.g., operations elements, logistics elements, maintenance elements, and training elements).
- Element Processes : see document
- A series of operations performed in the making or treatment of an element; performing operations on elements/data.
- elephant diffuser : see document
- A (now deprecated) component in BitLocker Drive Encryption to increase resistance against ciphertext modification.
- Elliptic Curve : see document
- Elliptic Curve Cryptography : see document
- Elliptic Curve Cryptography, the public-key cryptographic methods using operations in an elliptic curve group.
- Elliptic curve cryptography.
- Elliptic Curve Cryptography Cofactor Diffie-Hellman : see document
- Elliptic Curve Diffie-Hellman : see document
- Elliptic Curve Digital Signature Algorithm : see document
- A digital signature algorithm that is an analog of DSA using elliptic curve mathematics and specified in ANSI draft standard X9.62.
- A digital signature algorithm that is an analog of DSA using elliptic curves.
- Elliptic Curve Digital Signature Algorithm specified in [ANS X9.62] and approved in [FIPS 186].
- Elliptic Curve Digital Signature Algorithm specified in ANSI X9.62 and approved in FIPS 186.
- Elliptic Curve Groups Modulo a Prime : see document
- EM : see document
- e-mail : see document
- eMASS : see document
- embedded computer : see document
- Computer system that is an integral part of a larger system.
Rationale: Listed for deletion in 2010 version of CNSS 4009.
- Embedded Control Unit : see document
- Embedded Universal Integrated Circuit Card : see document
- EMBS : see document
- EMC : see document
- emergence : see document
- The behaviors and outcomes that result from how individual system elements compose to form the system as a whole.
- emergency action plan (EAP) : see document
- A plan developed to prevent loss of national intelligence; protect personnel, facilities, and communications; and recover operations damaged by terrorist attack, natural disaster, or similar events.
- Emergency Medical Services : see document
- Emergency Medical Technician : see document
- Emergency Response Team : see document
- Emergency revocation : see document
- A revocation of keying material that is effected in response to an actual or suspected compromise of a key.
- Emergency Shutdown : see document
- EMET : see document
- EMI : see document
- An electromagnetic disturbance that interrupts, obstructs, or otherwise degrades or limits the effective performance of electronics/electrical equipment.
- emission security (EMSEC) : see document
- The component of communications security that results from all measures taken to deny unauthorized persons information of value that might be derived from intercept and analysis of compromising emanations from cryptoequipment and information systems. See TEMPEST.
- Emissions Security : see document
- EMM : see document
- Enterprise Mobility Management (EMM) systems are a common way of managing mobile devices in the enterprise. Although not a security technology by itself, EMMs can help to deploy policies to an enterprise’s device pool and to monitor device state.
- EMP : see document
- Employment and Social Development Canada : see document
- EMS : see document
- An improved message system for GSM mobile phones allowing picture, sound, animation and text elements to be conveyed through one or more concatenated SMS messages.
- EMSEC : see document
- EMSK : see document
- EMT : see document
- enabling system : see document
- A system that provides support to the life cycle activities associated with the system of interest. Enabling systems are not necessarily delivered with the system of interest and do not necessarily exist in the operational environment of the system of interest.
- System that supports a system of interest during its life cycle stages but does not necessarily contribute directly to its function during operation.
- A system that provides support to the life cycle activities associated with the system-of-interest. Enabling systems are not necessarily delivered with the system-of-interest and do not necessarily exist in the operational environment of the system-of-interest.
- System that supports a system-of-interest during its life cycle stages but does not necessarily contribute directly to its function during operation.
- eNB : see document
- Encapsulating Security Payload (ESP) : see document
- The core IPsec security protocol; can provide integrity protection and (optionally) encryption protection for packet headers and data.
- Encapsulating Security Payload without encryption : see document
- encapsulation : see document
- The process of applying the Encaps algorithm of a KEM. This algorithm accepts the encapsulation key as input, requires private randomness, and produces a shared secret key and an associated ciphertext as output.
- encapsulation key : see document
- A cryptographic key produced by a KEM during key generation and used during the encapsulation process. The encapsulation key can be made public.
- encipher : see document
- Cryptographically transform data to produce cipher text.
- See encrypt.
Rationale: Deprecated Term: Encrypt is the preferred term.
- enclave : see document
- A set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.
- enclave boundary : see document
- Point at which an enclave’s internal network service layer connects to an external network’s service layer, i.e., to another enclave or to a wide area network (WAN).
- Enclave Page Cache : see document
- encode : see document
- Use a system of symbols to represent information, which might originally have some other representation. Example: Morse code.
- Encoded Message : see document
- encrypt : see document
- Cryptographically transform data to produce cipher text.
- Encrypted Diversifier : see document
- Encrypted File System : see document
- encrypted key : see document
- Key that has been encrypted in a system approved by the National Security Agency (NSA) for key encryption.
- A cryptographic key that has been encrypted using an approved security function in order to disguise the value of the underlying plaintext key.
- A cryptographic key that has been encrypted using an Approved security function with a key encrypting key in order to disguise the value of the underlying plaintext key.
- A cryptographic key that has been encrypted using an approved cryptographic algorithm in order to disguise the value of the underlying plaintext key.
- A cryptographic key that has been encrypted using an approved security function with a key-encrypting key in order to disguise the value of the underlying plaintext key.
- encryption : see document
- The process of transforming plaintext into ciphertext for the purpose of security or privacy.
- The process of transforming plaintext into ciphertext.
- The cryptographic transformation of data to produce ciphertext.
- Cryptographic transformation of data (called “plaintext”) into a form (called “ciphertext”) that conceals the data’s original meaning to prevent it from being known or used. If the transformation is reversible, the corresponding reversal process is called “decryption,” which is a transformation that restores encrypted data to its original state.
- Any procedure used in cryptography to convert plain text into cipher text to prevent anyone but the intended recipient from reading that data.
- The process of changing plaintext into ciphertext using a cryptographic algorithm and key.
- The process of transforming plaintext into ciphertext.
- The process of a confidentiality mode that transforms usable data into an unreadable form.
- The translation of data into a form that is unintelligible without a deciphering mechanism.
- The process of transforming plaintext into ciphertext using a cryptographic algorithm and key.
- The process of changing plaintext into ciphertext using a cryptographic algorithm for the purpose of security or privacy.
- The process of changing plaintext into ciphertext.
- encryption algorithm : see document
- Set of mathematically expressed rules for rendering data unintelligible by executing a series of conversions controlled by a key.
- encryption certificate : see document
- A certificate containing a public key that can encrypt or decrypt electronic messages, files, documents, or data transmissions, or establish or exchange a session key for these same purposes. Key management sometimes refers to the process of storing, protecting, and escrowing the private component of the key pair associated with the encryption certificate.
- A certificate containing a public key that is used to encrypt electronic messages, files, documents, or data transmissions, or to establish or exchange a session key for these same purposes.
- encryption key : see document
- A cryptographic key that is used with a PKE in order to encrypt plaintexts into ciphertexts. The encryption key can be made public.
- The cryptographic key used to encrypt a payload. In asymmetric cryptography, the encryption key refers to the public key of the cryptographic key pair. In symmetric cryptography, the encryption key is the symmetric key.
- Encryption Root : see document
- end cryptographic unit (ECU) : see document
- Device that 1) performs cryptographic functions, 2) typically is part of a larger system for which the device provides security services, and 3) from the viewpoint of a supporting security infrastructure (e.g., a key management system) is the lowest level of identifiable component with which a management transaction can be conducted.
- End of File : see document
- End User License Agreement : see document
- Endorsed TEMPEST Products List : see document
- Endorsement Key : see document
- endpoint : see document
- Any device that is used to access a digital identity on a network, such as laptops, desktops, mobile phones, tablets, servers, Internet of Things devices, and virtual environments.
- Endpoint Configuration Manager : see document
- Endpoint Detection and Response : see document
- Endpoint Protection Platform : see document
- Safeguards implemented through software to protect end-user machines such as workstations and laptops against attack (e.g., antivirus, antispyware, antiadware, personal firewalls, host-based intrusion detection and prevention systems, etc.).
- end-point protection platform : see document
- Safeguards implemented through software to protect end-user machines such as workstations and laptops against attack (e.g., antivirus, antispyware, anti-adware, personal firewalls, host-based intrusion detection and prevention systems, etc.).
- end-to-end encryption : see document
- Communications encryption in which data is encrypted when being passed through a network, but routing information remains visible.
- end-to-end security : see document
- Safeguarding information in an information system from point of origin to point of destination.
- Energy Independence and Security Act : see document
- Energy Management System : see document
- Energy Sector Asset Management : see document
- energy storage system : see document
- energy-latency attack : see document
- An attack that exploits the performance dependency on hardware and model optimizations to negate the effects of hardware optimizations, increase computational latency, increase hardware temperature, and massively increase the amount of energy consumed.
- engineered system : see document
- A system designed or adapted to interact with an anticipated operational environment to achieve one or more intended purposes while complying with applicable constraints.
- engineered team : see document
- The individuals on the systems engineering team with security responsibilities, systems security engineers that are part of the systems engineering team, or a combination thereof.
- Engineering Laboratory : see document
- Enhanced Data for GSM Evolution (EDGE) : see document
- An upgrade to GPRS to provide higher data rates by joining multiple time slots.
- Enhanced Data Rate : see document
- Enhanced Feasible Path Unicast Reverse Path Forwarding : see document
- Enhanced Messaging Service (EMS) : see document
- An improved message system for GSM mobile devices allowing picture, sound, animation and text elements to be conveyed through one or more concatenated SMS messages.
- An improved message system for GSM mobile phones allowing picture, sound, animation and text elements to be conveyed through one or more concatenated SMS messages.
- Enhanced Mitigation Experience Toolkit : see document
- enhanced security requirements : see document
- Security requirements that are to be implemented in addition to the basic and derived security requirements in SP 800-171. The security requirements provide the foundation for a defense-in-depth protection strategy that includes three mutually supportive and reinforcing components: (1) penetration-resistant architecture, (2) damage-limiting operations, and (3) designing for cyber resiliency and survivability.
- Security requirements that are to be implemented in addition to the basic and derived security requirements in NIST Special Publication 800-171. The additional security requirements provide the foundation for a defense-in-depth protection strategy that includes three mutually supportive and reinforcing components: (1) penetration-resistant architecture, (2) damage-limiting operations, and (3) designing for cyber resiliency and survivability.
- Enhanced Shared Situational Awareness : see document
- Enhanced Small Form-Factor Pluggable : see document
- Enhanced Synchronous Connection Oriented : see document
- ENISA : see document
- eNodeB : see document
- Enrollment : see document
- The process of making a person’s identity known to the PIV system, associating a unique identifier with that identity, and collecting and recording the person’s relevant attributes into the system. In some other NIST documents, such as [NIST SP 800-63A], identity registration is referred to as enrollment.
- The process through which a CSP/IdP provides a successfully identity-proofed applicant with a subscriber account and binds authenticators to grant persistent access.
- The process through which an applicant applies to become a subscriber of a CSP and the CSP validates the applicant’s identity.
- Making a person’s identity known to the enrollment/Identity Management System information system by associating a unique identifier with that identity, and collecting and recording the person’s relevant attributes into the information system. Registration is necessary in order to initiate other processes, such as adjudication, card/token personalization and issuance, and maintenance, that are necessary to issue and to re-issue or maintain a PIV Card or a Derived PIV Credential token.
- The process that a CA uses to create a certificate for a web server or email user. (In the context of this practice guide, enrollment applies to the process of a certificate requester requesting a certificate, the CA issuing the certificate, and the requester retrieving the issued certificate.)
- The process that a CA uses to create a certificate for a web server or email user. (In the context of this practice guide, enrollment applies to the process of a certificate requester requesting a certificate, the CA issuing the certificate, and the requester retrieving the issued certificate).
- The process through which an applicant applies to become a subscriber of a CSP and an RA validates the identity of the applicant on behalf of the CSP. (NIST SP 800-63-3)
- The process that a Certificate Authority (CA) uses to create a certificate for a web server or email user
- The process of making a person’s identity known to the PIV system, associating a unique identifier with that identity, and collecting and recording the person’s relevant attributes into the system.
- See “Identity Registration”.
- The process through which an Applicant applies to become a Subscriber of a CSP and an RA validates the identity of the Applicant on behalf of the CSP.
- Enrollment Data Set : see document
- A record that includes information about a biometric enrollment (i.e., name and role of the acquiring agent, office and organization, time, place, and acquisition method).
- enrollment manager : see document
- The management role that is responsible for assigning user identities to management and non-management roles.
- ENS : see document
- ensemble learning : see document
- A type of a meta machine learning approach that combines the predictions of several models to improve performance.
- enterprise : see document
- An entity of any size, complexity, or position within a larger organizational structure (e.g., a federal agency or company).
- A collaboration or federation among entities for which information sharing is required and managed.
- An organization that coordinates the operation of one or more processing sites.
- An organization with a defined mission/goal and a defined boundary, using information systems to execute that mission, and with responsibility for managing its own risks and performance. An enterprise may consist of all or some of the following business aspects: acquisition, program management, financial management (e.g., budgets), human resources, security, and information systems, information and mission management.
- An entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency or, as appropriate, any of its operational elements).
- An entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency, or, as appropriate, any of its operational elements).
- An entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency or, as appropriate, any of its operational elements). See Enterprise.
- An entity of any size, complexity, or positioning within an organizational structure.
- An entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency, private enterprises, academic institutions, state, local, or tribal governments, or as appropriate, any of its operational elements).
- An entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency, or, as appropriate, any of its operational elements). See enterprise.
- An organization with a defined mission/goal and a defined boundary, using systems to execute that mission, and with responsibility for managing its own risks and performance. An enterprise may consist of all or some of the following business aspects: acquisition, program management, human resources, financial management, security, and systems, information and mission management. See organization.
- An entity of any size, complexity, or positioning within an organizational structure (e.g., federal agencies, private enterprises, academic institutions, state, local, or tribal governments, or as appropriate, any of their operational elements).
- An entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency or, as appropriate, any of its operational elements). This publication is intended to provide recommendations for organizations that manage their own networks (e.g., that have a chief information officer).
- An entity of any size, complexity, or positioning within an organizational structure, including federal agencies, private enterprises, academic institutions, state, local, or tribal governments, or as appropriate, any of their operational elements.
- A top-level organization with unique risk management responsibilities based on its position in the hierarchy and the roles and responsibilities of its officers.
- An entity of any size, complexity, or positioning within a larger organizational structure (e.g., a federal agency or a company).
- Group of people and facilities with an arrangement of responsibilities, authorities, and relationships.
- enterprise architecture (EA) : see document
- The description of an enterprise’s entire set of information systems: how they are configured, how they are integrated, how they interface to the external environment at the enterprise’s boundary, how they are operated to support the enterprise mission, and how they contribute to the enterprise’s overall security posture.
- A strategic information asset base, which defines the mission; the information necessary to perform the mission; the technologies necessary to perform the mission; and the transitional processes for implementing new technologies in response to changing mission needs; and includes a baseline architecture; a target architecture; and a sequencing plan.
- A strategic information asset base that defines the mission, the information necessary to perform the mission, the technologies necessary for performing the mission, and the transitional process for implementing new technologies in response to changing mission needs. The EA includes a baseline architecture, target architecture, and sequencing plan.
- Enterprise Compliance Profile : see document
- enterprise cross domain services (ECDS) : see document
- A cross domain solution provided as a system across an enterprise infrastructure, fully integrated to provide the ability to access or transfer information between two or more security domains.
- enterprise cross domain services (ECDS) provider : see document
- An organization that establishes, manages and maintains the overall infrastructure and security posture offering automated capabilities to users and applications within an enterprise environment for information sharing across and among security domains.
- Enterprise Ethereum Alliance : see document
- Enterprise Information Environment Mission Area : see document
- enterprise information technology : see document
- The application of computers and telecommunications equipment to store, retrieve, transmit, and manipulate data, in the context of a business or other enterprise.
- Enterprise Mission Assurance Support Service : see document
- Enterprise Mobility Management : see document
- Enterprise Mobility Management (EMM) systems are a common way of managing mobile devices in the enterprise. Although not a security technology by itself, EMMs can help to deploy policies to an enterprise’s device pool and to monitor device state.
- enterprise patch management : see document
- The process of identifying, prioritizing, acquiring, installing, and verifying the installation of patches, updates, and upgrades throughout an organization.
- Enterprise Privacy Authorization Language : see document
- Enterprise Resource Planning : see document
- Enterprise Risk : see document
- The effect of uncertainty on enterprise mission and objectives.
- enterprise risk management : see document
- The methods and processes used by an enterprise to manage risks to its mission and to establish the trust necessary for the enterprise to support shared missions. It involves the identification of mission dependencies on enterprise capabilities, the identification and prioritization of risks due to defined threats, the implementation of countermeasures to provide both a static risk posture and an effective dynamic response to active threats; and it assesses enterprise performance against threats and adjusts countermeasures as necessary.
- An effective agency-wide approach to addressing the full spectrum of the organization’s significant risks by understanding the combined impact of risks as an interrelated portfolio, rather than addressing risks only within silos.
- The culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with a purpose of managing risk in creating, preserving, and realizing value.
- Enterprise Risk Profile : see document
- Enterprise Risk Register : see document
- A risk register at the enterprise level that contains normalized and aggregated inputs from subordinate organizations’ risk registers and profiles.
- Enterprise Risk Steering Committee : see document
- Enterprise Security Manager : see document
- enterprise service : see document
- A set of one or more computer applications and middleware systems hosted on computer hardware that provides standard information systems capabilities to end users and hosted mission applications and services.
- Enterprise Subsystem : see document
- The portion of the RFID system that analyzes, processes, and stores information collected by the RF subsystem. The primary role of the enterprise subsystem is to make the data collected by the RF subsystem useful for a supporting business process. An enterprise subsystem is made up of middleware, analytic systems, and network infrastructure.
- enterprise-hosted cross domain solutions : see document
- A point-to-point cross domain solution (CDS) that is managed by an enterprise cross domain service (ECDS) provider that may be available to additional users within the enterprise with little or no modifications.
- Enterprise-Level CSRR : see document
- Entity Attestation Token : see document
- Entity authentication : see document
- The process of providing assurance about the identity of an entity interacting with a system (e.g., to access a resource). Also see Source authentication.
- The process of providing assurance about the identity of an entity interacting with a system (e.g., to access a resource). Sometimes called identity authentication.
- A process that establishes the origin of information, or determines an entity’s identity to the extent permitted by the entity’s identifier.
- Entity registration : see document
- A function in the lifecycle of a cryptographic key; a process whereby an entity becomes a member of a security domain.
- Entropy : see document
- A measure of the randomness or uncertainty of a random variable.
- The amount of uncertainty that an attacker faces to determine the value of a secret. Entropy is usually stated in bits. A value with n bits of entropy has the same degree of uncertainty as a uniformly distributed n-bit random value.
- The entropy of a random variable X is a mathematical measure of the expected amount of information provided by an observation of X. As such, entropy is always relative to an observer and his or her knowledge prior to an observation.
- A measure of the disorder or randomness in a closed system. The entropy of uncertainty of a random variable X with probabilities $p_1, \ldots, p_n$ is defined to be $H(X) = -\sum_{i=1}^{n} p_i \log p_i$.
- A measure of the amount of uncertainty an attacker faces to determine the value of a secret. Entropy is usually stated in bits. A value having n bits of entropy has the same degree of uncertainty as a uniformly distributed n-bit random value.
- A measure of the disorder, randomness or variability in a closed system. Min-entropy is the measure used in this Recommendation.
- A measure of the disorder, randomness or variability in a closed system. See SP 800-90B.
- A measure of the amount of uncertainty an attacker faces to determine the value of a secret. Entropy is usually stated in bits. A value having n bits of entropy has the same degree of uncertainty as a uniformly distributed n-bit random value.
- A measure of the disorder, randomness, or variability in a closed system; see SP 800-90B.
- A measure of the amount of uncertainty that an Attacker faces to determine the value of a secret. Entropy is usually stated in bits. See Appendix A.
- Entropy as a Service : see document
- Entropy Input : see document
- An input bitstring that provides an assessed minimum amount of unpredictability for a DRBG mechanism. (See min-entropy.)
- Entropy Source : see document
- The combination of a noise source, health tests, and optional conditioning component that produce bitstrings containing entropy.
- A physical source of information whose output either appears to be random in itself or by applying some filtering/distillation process. This output is used as input to either an RNG or a PRNG.
- A combination of a noise source (e.g., thermal noise or hard drive seek times), health tests, and an optional conditioning component. The entropy source produces random bitstrings to be used by an RBG.
- The combination of a noise source, health tests, and an optional conditioning component that produce random bitstrings to be used by an RBG.
- environment : see document
- Context determining the setting and circumstances of all influences upon a system.
- Aggregate of external procedures, conditions, and objects affecting the development, operation, and maintenance of an information system.
- environment conditions : see document
- Dynamic factors, independent of subject and object, that may be used as attributes at decision time to influence an access decision.
- Environmental Failure Protection : see document
- Environmental Failure Testing : see document
- Environmental Protection Agency : see document
- Environmental Support : see document
- Any environmental factor for which the organization determines that it needs to continue to provide support in a contingency situation, even if in a degraded state. This could include factors such as power, air conditioning, humidity control, fire protection, lighting, etc. For example, while developing the contingency plan, the organization may determine that it is necessary to continue to ensure the appropriate temperature and humidity during a contingency situation so they would plan for the capacity to support that via supplemental/mobile air conditioning units, backup power, etc. and the associated procedures to ensure cutover operations. Such determinations are based on an assessment of risk, system categorization (impact level), and organizational risk tolerance.
- Any environmental factor for which the organization determines that it needs to continue to provide support in a contingency situation, even if in a degraded state.
- Environmental testing : see document
- Evaluating the behavior of a device or system to obtain assurance that it will not be compromised by environmental conditions or fluctuations when operating outside the normal environmental operating range.
- EO : see document
- EO-critical software : see document
- Any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:
· is designed to run with elevated privilege or manage privileges;
· has direct or privileged access to networking or computing resources;
· is designed to control access to data or operational technology;
· performs a function critical to trust; or,
· operates outside of normal trust boundaries with privileged access.
- EOF : see document
- EOP : see document
- The President's immediate staff, along with entities such as the Office of Management and Budget, the National Security Staff, the Office of Science and Technology Policy, and the Office of Personnel Management.
- EOT : see document
- A method for strengthening adversarial examples to remain adversarial under image transformations that occur in the real world, such as angle and viewpoint changes. EOT models these perturbations within the optimization procedure. Rather than optimizing the log-likelihood of a single example, EOT uses a chosen distribution of transformation functions that take an input controlled by the adversary to the “true” input perceived by the classifier.
- EPA : see document
- EPAL : see document
- EPC : see document
- EPCIS : see document
- EPCR : see document
- Ephemeral Diffie-Hellman key exchange : see document
- Ephemeral Elliptic Curve Diffie-Hellman : see document
- Ephemeral Key : see document
- A cryptographic key that is generated for each execution of a key-establishment process and that meets other requirements of the key type (e.g., unique to each message or session).
- A cryptographic key that is generated for each execution of a key-establishment process and that meets other requirements of the key type (e.g., unique to each message or session).
In some cases, ephemeral keys are used more than once within a single session (e.g., for broadcast applications) where the sender generates only one ephemeral key pair per message, and the private key is combined separately with each recipient’s public key.
- A cryptographic key that is generated for each execution of a cryptographic process (e.g., key establishment) and that meets other requirements of the key type (e.g., unique to each message or session).
- A cryptographic key that is generated for each execution of a key-establishment process and that meets other requirements of the key type (e.g., unique to each message or session). In some cases, ephemeral keys are used more than once within a single session (e.g., broadcast applications) where the sender generates only one ephemeral key pair per message, and the private key is combined separately with each recipient’s public key.
- Ephemeral key pair : see document
- A key pair, consisting of a public key (i.e., an ephemeral public key) and a private key (i.e., an ephemeral private key) that is intended for a very short period of use. The key pair is ordinarily used in exactly one transaction of a cryptographic scheme; an exception to this is when the ephemeral key pair is used in multiple transactions for a key-transport broadcast. Contrast with a static key pair.
- A short-term key pair used with a public-key (asymmetric-key) algorithm that is generated when needed; the public key of an ephemeral key pair is not provided in a public key certificate, unlike static public keys which are often included in a certificate.
- EPL : see document
- EPP : see document
- EPRI : see document
- EPROM : see document
- EPS : see document
- EPS Encryption Algorithm : see document
- EPS Integrity Algorithm : see document
- EPSS : see document
- EPT : see document
- Equal-Cost Multi-Path : see document
- Equipment Identity Register : see document
- Equipment Radiation TEMPEST Zone : see document
- Equivalent inverse cipher : see document
- An alternative specification of the inverse of CIPHER() with a structure similar to that of CIPHER() and with a modified key schedule as input.
- Equivalent Process : see document
- Two processes are equivalent if the same output is produced when the same values are input to each process (either as input parameters, as values made available during the process, or both).
- Two processes are equivalent if, when the same values are input to each process, the same output is produced.
- Equivalent security domains : see document
- Two or more security domains that have FCKMS security policies that have been determined to provide equivalent protection for the information.
- ER : see document
- E-RAB : see document
- erasure : see document
- Process intended to render magnetically stored information irretrievable by normal means.
- ERC : see document
- Erfc : see document
- The complementary error function erfc(z) is defined in Section 5.5.3. This function is related to the normal cdf.
- ERM : see document
- The methods and processes used by an enterprise to manage risks to its mission and to establish the trust necessary for the enterprise to support shared missions. It involves the identification of mission dependencies on enterprise capabilities, the identification and prioritization of risks due to defined threats, the implementation of countermeasures to provide both a static risk posture and an effective dynamic response to active threats; and it assesses enterprise performance against threats and adjusts countermeasures as necessary.
- An effective agency-wide approach to addressing the full spectrum of the organization’s significant risks by understanding the combined impact of risks as an interrelated portfolio, rather than addressing risks only within silos.
- The culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with a purpose of managing risk in creating, preserving, and realizing value.
- ERP : see document
- ERR : see document
- A risk register at the enterprise level that contains normalized and aggregated inputs from subordinate organizations’ risk registers and profiles.
- error : see document
- The difference between desired and actual performance or behavior of a system or system element.
- error detection code : see document
- A code computed from data and comprised of redundant bits of information designed to detect, but not correct, unintentional changes in the data.
- A code computed from data and comprised of redundant bits of information that have been designed to detect unintentional changes in the data.
- ERSC : see document
- ERT : see document
- ERTZ : see document
- ES(nBits) : see document
- The estimated maximum security strength for an RSA modulus of length nBits (see Table 2).
- ESAM : see document
- Escape : see document
- The act of breaking out of a guest OS to gain access to the hypervisor, other guest OSs, or the underlying host OS.
- eSCO : see document
- ESD : see document
- ESDC : see document
- ESG : see document
- ESM : see document
- ESMTP : see document
- ESN : see document
- A unique 32-bit number programmed into CDMA phones when they are manufactured.
- ESP : see document
- ESP encapsulated in UDP : see document
- ESPinUDP : see document
- ESP-NULL : see document
- ESS : see document
- ESSA : see document
- ESSID : see document
- Estimated maximum security strength : see document
- An estimate of the largest security strength that can be attained by a cryptographic mechanism given the explicit and implicit assumptions that are made regarding its implementation and supporting infrastructure (e.g., the algorithms employed, the selection of associated primitives and/or auxiliary functions, the choices for various parameters, the methods of generation and/or protection for any required keys, etc.). The estimated maximum security strengths of various approved cryptographic mechanisms are provided in [SP 800-57].
- eSTREAM : see document
- ETA : see document
- ETC : see document
- ETH : see document
- Ethereum : see document
- Ethereum Classic : see document
- Ethereum Name Service : see document
- Ethereum Request for Comment : see document
- Ethereum Virtual Machine : see document
- Ethernet Virtual Private Network : see document
- ETPL : see document
- ETSI : see document
- ETSI NFV SEC : see document
- EUF-CMA : see document
- eUICC : see document
- EULA : see document
- European Article Number : see document
- European Computer Manufacturers Association : see document
- European Economic Area : see document
- European Institute for Computer Antivirus Research : see document
- European Telecommunication Standardisation Institute : see document
- European Telecommunications Standards Institute : see document
- European Telecommunications Standards Institute Network Functions Virtualization Security : see document
- European Union Agency for Cybersecurity : see document
- E-UTRAN : see document
- E-UTRAN Radio Access Bearer : see document
- EV : see document
- Evaluated Products List : see document
- List of validated products that have been successfully evaluated under the National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS).
Rationale: EPL is no longer used. Product compliant list (PCL) is the replacement term.
- evaluating authority : see document
- The official responsible for evaluating a reported COMSEC incident for the possibility of compromise.
- Evaluation Assurance Level : see document
- Set of assurance requirements that represent a point on the Common Criteria predefined assurance scale.
Rationale: NIAP has switched to a “protection profile” program to secure devices.
- evaluation criteria : see document
- The standards by which accomplishments of technical and operational effectiveness or suitability characteristics may be assessed. Evaluation criteria are a benchmark, standard, or factor against which conformance, performance, and suitability of a technical capability, activity, product, or plan is measured.
- event : see document
- Any observable occurrence involving computing assets, including physical and virtual platforms, networks, services, and cloud environments.
- Any observable occurrence in an information system.
- Any observable occurrence in a network or system.
- Actions taken through the use of an information system or network that result in an actual or potentially adverse effect on an information system, network, and/or the information residing therein. See incident. See also event, security-relevant event, and intrusion.
- Something that occurs within a system or network.
- Any observable occurrence in a network or information system.
- Actions taken through the use of an information system or network that result in an actual or potentially adverse effect on an information system, network, and/or the information residing therein.
- Any observable occurrence in a system.
- Any observable occurrence on a manufacturing system. Events can include cybersecurity changes that may have an impact on manufacturing operations (including mission, capabilities, or reputation).
- Occurrence or change of a particular set of circumstances.
- Event Aggregation : see document
- The consolidation of similar log entries into a single entry containing a count of the number of occurrences of the event.
- The consolidation of similar or related information.
- Event Correlation : see document
- Finding relationships between two or more log entries.
- Event Filtering : see document
- The suppression of log entries from analysis, reporting, or long-term storage because their characteristics indicate that they are unlikely to contain information of interest.
- Event Processing Point : see document
- Event Reduction : see document
- Removing unneeded data fields from all log entries to create a new log that is smaller.
- Event Tree Analysis : see document
- event-level privacy : see document
- A unit of privacy that defines neighboring databases as those that differ in one event, for example, a single transaction, or a single row.
- Events Per Second : see document
- EVM : see document
- Evolved Node B : see document
- Evolved Packet Core : see document
- Evolved Packet System : see document
- Evolved Universal Terrestrial Radio Access Network : see document
- EVPN : see document
- EVSE : see document
- EVTOL : see document
- Examination : see document
- A technical review that makes the evidence visible and suitable for analysis; as well as tests performed on the evidence to determine the presence or absence of specific data.
- A technical review that makes the evidence visible and suitable for analysis; tests performed on the evidence to determine the presence or absence of specific data.
- The second phase of the computer and network forensics process, which involves forensically processing large amounts of collected data using a combination of automated and manual methods to assess and extract data of particular interest, while preserving the integrity of the data.
- examine : see document
- A type of assessment method that is characterized by the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence, the results of which are used to support the determination of security control effectiveness over time.
- A type of assessment method that is characterized by the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence, the results of which are used to support the determination of security control or privacy control effectiveness over time.
- Exception Level : see document
- exclusive-OR : see document
- The bitwise addition, modulo 2, of two bit strings of equal length.
- Bitwise logical “exclusive-or”, where 0 ⊕ 0 = 0, 0 ⊕ 1 = 1, 1 ⊕ 0 = 1, and 1 ⊕ 1 = 0. For example: 01101 ⊕ 11010 = 10111.
- Bit-wise exclusive-or. A mathematical operation that is defined as:
0 ⊕ 0 = 0
0 ⊕ 1 = 1
1 ⊕ 0 = 1, and
1 ⊕ 1 = 0
- A bitwise logical operation such that 1 ⊕ 1 = 0, 1 ⊕ 0 = 1, 0 ⊕ 0 = 0, and 0 ⊕ 1 = 1. For example, given a string A = 10 and a string B = 11, then A ⊕ B = (1 ⊕ 1) || (0 ⊕ 1) = 01.
- A XOR B is equivalent to A ⊕ B. See the definition of the bitwise logical operation ⊕ above.
- The bit-by-bit modulo 2 addition of binary vectors of equal length.
- A mathematical operation; the symbol ⊕, defined as: 0 ⊕ 0 = 0, 1 ⊕ 0 = 1, 0 ⊕ 1 = 1, 1 ⊕ 1 = 0. Equivalent to binary addition without carry.
- Bit-wise exclusive-or. A mathematical operation that is defined as: 0 ⊕ 0 = 0, 0 ⊕ 1 = 1, 1 ⊕ 0 = 1, and 1 ⊕ 1 = 0
- Exclusive-Or (XOR) operator, defined as bit-wise modulo 2 arithmetic with no carry.
- Exculpatory Evidence : see document
- Evidence that tends to decrease the likelihood of fault or guilt.
- eXecute In Place : see document
- A facility that allows code to be executed directly from flash memory without loading the code into RAM.
- executive agency : see document
- An executive department specified in 5 U.S.C., SEC. 101; a military department specified in 5 U.S.C., SEC. 102; an independent establishment as defined in 5 U.S.C., SEC. 104(1); and a wholly-owned Government corporation fully subject to the provisions of 31 U.S.C., CHAPTER 91.
- Any executive department, military department, government corporation, government controlled corporation, or other establishment in the executive branch of the government (including the Executive Office of the President), or any independent regulatory agency, but does not include -
(i) the General Accounting Office;
(ii) Federal Election Commission;
(iii) the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or
(iv) Government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities.
See also executive agency.
- Any executive agency or department, military department, Federal Government corporation, Federal Government-controlled corporation, or other establishment in the Executive Branch of the Federal Government, or any independent regulatory agency.
- An executive department specified in 5 U.S.C. Sec. 101; a military department specified in 5 U.S.C. Sec. 102; an independent establishment as defined in 5 U.S.C. Sec. 104(1); and a wholly owned Government corporation fully subject to the provisions of 31 U.S.C. Chapter 91.
- Any executive agency or department, military department, Federal Government corporation, Federal Government-controlled corporation, or other establishment in the Executive Branch of the Federal Government, or any independent regulatory agency.
- An executive Department specified in 5 U.S.C., Sec. 101; a military department specified in 5 U.S.C., Sec. 102; an independent establishment as defined in 5 U.S.C., Sec. 104(1); and a wholly owned Government corporation fully subject to the provisions of 31 U.S.C., Chapter 91.
- Any department, subordinate element of a department, or independent organizational entity that is statutorily or constitutionally recognized as being part of the Executive Branch of the Federal Government.
- An executive department specified in 5 U.S.C., Sec. 101; a military department specified in 5 U.S.C., Sec. 102; an independent establishment as defined in 5 U.S.C., Sec. 104(1); or a wholly owned Government corporation fully subject to the provisions of 31 U.S.C., Chapter 91.
- An executive department specified in 5 U.S.C., Sec. 101; a military department specified in 5 U.S.C., Sec. 102; an independent establishment as defined in 5 U.S.C., Sec. 104(1); and a wholly owned Government corporation fully subject to the provisions of 31 U.S.C., Chapter 91.
- Any executive department, military department, government corporation, government-controlled corporation, or other establishment in the executive branch of the government (including the Executive Office of the President) or any independent regulatory agency, but does not include: 1) the General Accounting Office; 2) the Federal Election Commission; 3) the governments of the District of Columbia and of the territories and possessions of the United States and their various subdivisions; or 4) government-owned, contractor-operated facilities, including laboratories engaged in national defense research and production activities. Also referred to as Federal Agency.
- An executive department specified in 5 U.S.C., Sec. 101; a military department specified in 5 U.S.C., Sec. 102; an independent establishment as defined in 5 U.S.C., Sec. 104(1); or a wholly owned government corporation fully subject to the provisions of 31 U.S.C., Chapter 91.
- An executive department specified in 5 U.S.C., Section 101; a military department specified in 5 U.S.C., Section 102; an independent establishment as defined in 5 U.S.C., Section 104(1); and a wholly owned Government corporation fully subject to the provisions of 31 U.S.C. Chapter 91.
- The term 'agency' means any executive department, military department, government corporation, government controlled corporation, or other establishment in the executive branch of the government (including the Executive Office of the President), or any independent regulatory agency, but does not include
(a) the General Accounting Office;
(b) Federal Election Commission;
(c) the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or
(d) Government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities.
- Any executive agency or department, military department, Federal Government corporation, Federal Government-controlled corporation, or other establishment in the Executive Branch of the Federal Government, or any independent regulatory agency. See executive agency.
- An executive department specified in 5 United States Code (U.S.C.), Sec. 101; a military department specified in 5 U.S.C., Sec. 102; an independent establishment as defined in 5 U.S.C., Sec. 104(1); and a wholly owned government corporation fully subject to the provisions of 31 U.S.C., Chapter 91.
- An executive department specified in 5 U.S.C., Sec. 105; a military department specified in 5 U.S.C., Sec. 102; an independent establishment as defined in 5 U.S.C., Sec. 104(1); and a wholly owned Government corporation fully subject to the provisions of 31 U.S.C., Chapter 91.
- Executive Office of the President : see document
- The President's immediate staff, along with entities such as the Office of Management and Budget, the National Security Staff, the Office of Science and Technology Policy, and the Office of Personnel Management.
- Executive Order : see document
- Legally binding orders given by the President, acting as the head of the Executive Branch, to Federal Administrative Agencies. Executive Orders are generally used to direct federal agencies and officials in their execution of congressionally established laws or policies.
- Exercise : see document
- A simulation of an emergency designed to validate the viability of one or more aspects of an IT plan.
- Exercise Briefing : see document
- Material that is presented to participants during an exercise to outline the exercise’s agenda, objectives, scenario, and other relevant information.
- Exercise Director : see document
- A person responsible for all aspects of an exercise, including staffing, development, conduct, and logistics.
- exfiltration : see document
- The unauthorized transfer of information from an information system.
- The unauthorized transfer of information from a system.
- Existential unforgeability under adaptive chosen message attacks : see document
- Existential Unforgeability under Chosen-Message Attack : see document
- expectation over transformation : see document
- A method for strengthening adversarial examples to remain adversarial under image transformations that occur in the real world, such as angle and viewpoint changes. EOT models these perturbations within the optimization procedure. Rather than optimizing the log-likelihood of a single example, EOT uses a chosen distribution of transformation functions that take an input controlled by the adversary to the “true” input perceived by the classifier.
- expected output : see document
- Any data collected from monitoring and assessments as part of the information security continuous monitoring (ISCM) strategy.
- Any data collected from monitoring and assessments as part of the ISCM strategy.
- Expected result : see document
- Expected Value : see document
- experimentation : see document
- A systematic approach to the process of testing new ideas, methods, or activities that applies principles and techniques at the data collection stage to ensure the generation of valid, defensible, and supportable conclusions.
- expert determination : see document
- Within the context of de-identification, refers to the Expert Determination method for de-identifying protected health information in accordance with the HIPAA Privacy Rule de-identification standard.
- Exploit Prediction Scoring System : see document
- exploitable channel : see document
- Channel that allows the violation of the security policy governing an information system and is usable or detectable by subjects external to the trusted computing base. See covert channel.
- Exposure : see document
- Extent to which an organization and/or stakeholder is subject to a risk.
- The combination of likelihood and impact levels for a risk.
- ext2fs : see document
- ext3fs : see document
- eXtendable-Output Function (XOF) : see document
- A function on bit strings in which the output can be extended to any desired length. Approved XOFs (e.g., those specified in FIPS 202) are designed to satisfy the following properties as long as the specified output length is sufficiently long to prevent trivial attacks
1. (One-way) It is computationally infeasible to find any input that maps to any new pre-specified output.
2. (Collision-resistant) It is computationally infeasible to find any two distinct inputs that map to the same output.
- A function on bit strings in which the output can be extended to any desired length. Approved XOFs (e.g., those specified in FIPS 202) are designed to satisfy the following properties as long as the specified output length is sufficiently long to prevent trivial attacks:
1. (One-way) It is computationally infeasible to find any input that maps to any new pre-specified output.
2. (Collision-resistant) It is computationally infeasible to find any two distinct inputs that map to the same output.
- A function on bit strings in which the output can be extended to any desired length.
- Extendable-Output Functions : see document
- Extended Authentication : see document
- eXtended Automation Engineering : see document
- Extended CPE Dictionary : see document
- A dictionary that an organization may create to house identifier names not found in the Official CPE Dictionary.
- Extended Detection and Response : see document
- Extended Key Usage : see document
- Extended Master Session Key : see document
- eXtended Merkle Signature Scheme : see document
- eXtended Packet Number : see document
- Extended Page Table : see document
- Extended Sequence Number : see document
- Extended Service Set : see document
- Extended Service Set Identifier : see document
- Extended Simple Mail Transfer Protocol : see document
- Extended Validation : see document
- Extended Validation Certificate : see document
- A certificate used for HTTPS websites and software that includes identity information that has been subjected to an identity verification process standardized by the CA Browser Forum in its Baseline Requirements that verifies that the identified owner of the website for which the certificate has been issued has exclusive rights to use the domain; exists legally, operationally, and physically; and has authorized the issuance of the certificate.
- A certificate used for https websites and software that includes identity information, subjected to an identity verification process standardized by the CA Browser Forum in its Baseline Requirements which verifies the identified owner of the website for which the certificate has been issued has exclusive rights to use the domain; exists legally, operationally, and physically; and has authorized issuance of the certificate.
- A certificate used for https websites and software that includes identity information, subjected to an identity verification process standardized by the CA Browser Forum in its Baseline Requirements which verifies the identified owner of the website for which the certificate has been issued has exclusive rights to use the domain; exists legally, operationally, and physically; and has authorized the issuance of the certificate.
- Extensible Authentication Protocol (EAP) : see document
- A framework for adding arbitrary authentication methods in a standardized way to any protocol.
- Extensible Authentication Protocol Flexible Authentication via Secure Tunneling : see document
- Extensible Authentication Protocol over LAN : see document
- Extensible Authentication Protocol Over LAN Key Confirmation Key : see document
- Extensible Authentication Protocol Over LAN Key Encryption Key : see document
- Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 : see document
- Extensible Authentication Protocol-Subscriber Identity Module : see document
- Extensible Authentication Protocol-Transport Layer Security : see document
- Extensible Authentication Protocol-Tunneled Transport Layer Security : see document
- extensible configuration checklist description format (XCCDF) : see document
- SCAP language for specifying checklists and reporting checklist results.
- Extensible Firmware Interface (EFI) : see document
- A specification for the interface between the operating system and the platform firmware. Version 1.10 of the EFI specifications was the final version of the EFI specifications, and subsequent revisions made by the Unified EFI Forum are part of the UEFI specifications.
- eXtensible HyperText Markup Language : see document
- A unifying standard that brings the XML benefits of easy validation and troubleshooting to HTML.
- eXtensible Rights Markup Language : see document
- eXtensible Stylesheet Language Transformation : see document
- Extension : see document
- The set of individual products to which a WFN refers.
- Extension Identifier : see document
- Any piece of identifying information provided in an asset identification element that is not explicitly defined in the Asset Identification schema.
- Exterior Border Gateway Protocol : see document
- A BGP operation communicating routing information between two or more ASes.
- external assessment engagement : see document
- Formal engagement led by a third-party assessment organization.
- Formal engagement led by a third-party assessment organization that determines element judgments.
- External BGP : see document
- external coordinator : see document
- Any vulnerability disclosure entity that receives a vulnerability report that is not within the FCB or the VDPO; the EC may be a commercial vulnerability program with no relation to the Government or a separate VDPO within the Government, or it may be the developer of commercial or open-source software.
- External Data Representation : see document
- external information system (or component) : see document
- An information system or component of an information system that is outside of the authorization boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness.
- A system or component of a system that is outside of the authorization boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness.
- A system or system element that is outside of the authorization boundary established by the organization and for which the organization typically has no direct control over the application of required controls or the assessment of control effectiveness.
- A system or component of a system that is used by but is not a part of an organizational system and for which the organization has no direct control over the implementation of required security and privacy controls or the assessment of control effectiveness.
- external information system service : see document
- A system service that is implemented outside of the authorization boundary of the organizational system (i.e., a service that is used by but not a part of the organizational system) and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness.
- An information system service that is implemented outside of the authorization boundary of the organizational information system (i.e., a service that is used by, but not a part of, the organizational information system) and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness.
- A system service that is implemented outside of the authorization boundary of the organizational system (i.e., a service that is used by, but not a part of, the organizational system) and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness.
- A system service that is implemented outside of the authorization boundary of the organizational system (i.e., a service that is used by, but not a part of, the organizational system) and for which the organization typically has no direct control over the application of required controls or the assessment of control effectiveness.
- System service that is provided by an external service provider and for which the organization has no direct control over the implementation of required security and privacy controls or the assessment of control effectiveness.
- external information system service provider : see document
- A provider of external information system services to an organization through a variety of consumer-producer relationships, including but not limited to: joint ventures; business partnerships; outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements); licensing agreements; and/or supply chain exchanges.
- A provider of external system services to an organization through a variety of consumer-producer relationships including, but not limited to: joint ventures; business partnerships; outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements); licensing agreements; and/or supply chain exchanges.
- A provider of external information system services to an organization through a variety of consumer-producer relationships including but not limited to: joint ventures; business partnerships; outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements); licensing agreements; and/or supply chain exchanges.
- A provider of external information system services to an organization through a variety of consumer-producer relationships including but not limited to: joint ventures; business partnerships; outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements); licensing agreements; and/or supply chain arrangements.
- A provider of external system services to an organization through a variety of consumer-producer relationships including but not limited to: joint ventures; business partnerships; outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements); licensing agreements; and/or supply chain exchanges.
- Provider of external system services to an organization through a variety of consumer-producer relationships, including joint ventures, business partnerships, outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements), licensing agreements, and/or supply chain exchanges.
- External Key : see document
- An authorized key that is used from outside the organization (or outside the environment considered for SSH user key management purposes), or an identity key that is used for authenticating to outside the organization (or outside the environment considered for SSH user key management purposes). Key rotation can break external keys, and therefore it must be ensured that the other side of trust relationships involving external keys is also properly updated as part of rotation. Alternatively, rotation of external keys may be prevented, but that is not a sustainable solution long-term.
- external network : see document
- A network not controlled by the organization.
- external operational management role : see document
- A role intended to be performed by a manager who is typically a member of a key management infrastructure (KMI) customer organization.
- External Security Testing : see document
- Security testing conducted from outside the organization’s security perimeter.
- Extraction-then-Expansion : see document
- extranet : see document
- A computer network that an organization uses for application data traffic between the organization and its business partners.
- extreme fast charging : see document
- F.I.R.E. : see document
- FAA : see document
- FACCI : see document
- Face Analysis Technology Evaluation : see document
- Face Recognition Vendor Test : see document
- facilitated self-assessment : see document
- Less formal than an internal assessment engagement, the element judgments determined by participant consensus on each element for a given level.
- Facilitator : see document
- A person that leads a discussion among exercise participants.
- Facilitator Guide : see document
- A document for an exercise facilitator that includes the material the facilitator needs for the exercise, such as the exercise’s purpose, scope, objectives, and scenario; a list of questions regarding the scenario that address the exercise’s objectives; and a copy of the IT plan being exercised.
- facility : see document
- Physical means or equipment for facilitating the performance of an action (e.g., buildings, instruments, tools).
- One or more physical locations containing systems or system components that process, store, or transmit information.
- One or more CKMS devices contained within a physically protected enclosure that is portable (e.g., a mobile phone or a laptop computer). The user of the mobile facility may be required to guard and protect the contents of the facility itself.
- One or more CKMS devices contained within a physically protected enclosure. A facility for a static device is typically a room or building (including their contents) with locks, alarms, and/or guards.
- The message type for a syslog message.
- Physical means or equipment for facilitating the performance of an action, e.g., buildings, instruments, tools.
- Fact Reference : see document
- An expression that refers to a bound CPE name.
- factor : see document
- The three types of authentication factors are something you know, something you have, and something you are. Every authenticator has one or more authentication factors.
- Factor Analysis of Information Risk : see document
- fail safe : see document
- A mode of termination of system functions that prevents damage to specified system resources and system entities (i.e., specified data, property, and life) when a failure occurs or is detected in the system (but the failure still might cause a security compromise).
See fail secure and fail soft for comparison.
- fail secure : see document
- A mode of termination of system functions that prevents loss of secure state when a failure occurs or is detected in the system (but the failure still might cause damage to some system resource or system entity).
See fail safe and fail soft for comparison.
- fail soft : see document
- Selective termination of affected, non-essential system functions when a failure occurs or is detected in the system.
See fail safe and fail secure for comparison.
- Fail to Known State : see document
- Upon a disruption event that causes the system to fail, it fails to a pre-determined state. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving manufacturing system state information facilitates system restart and return to the operational mode of organizations with less disruption of mission/business processes.
- failover : see document
- The capability to switch over automatically (typically without human intervention or warning) to a redundant or standby information system upon the failure or abnormal termination of the previously active system.
- The capability to switch over automatically (typically without human intervention or warning) to a redundant or standby system upon the failure or abnormal termination of the previously active system.
- failure access : see document
- Type of incident in which unauthorized access to data results from hardware or software failure.
- failure control : see document
- Methodology used to detect imminent hardware or software failure and provide fail safe or fail soft recovery.
- Failure Mode Effects Analysis : see document
- Failure Modes, Effects, and Criticality Analysis : see document
- Failure to Enroll Rate : see document
- FAIR : see document
- Fair Evaluation of Lightweight Cryptographic Systems : see document
- Fair Information Practice Principles : see document
- Principles that are widely accepted in the United States and internationally as a general framework for privacy and that are reflected in various federal and international laws and policies. In a number of organizations, the principles serve as the basis for analyzing privacy risks and determining appropriate mitigation strategies.
- A set of principles that have been developed world-wide since the 1970s that provide guidance to organizations in the handling of personal data.
- FAL : see document
- A category describing the assertion protocol used by the federation to communicate authentication and attribute information (if applicable) to a relying party.
- false accept rate (FAR) : see document
- Proportion of verification transactions with wrongful claims of identity that are incorrectly confirmed.
- False Accept Rate (defined over an authentication transaction)
- false acceptance : see document
- When a biometric system incorrectly identifies a biometric subject or incorrectly authenticates a biometric subject against a claimed identity.
- False Match Rate (FMR) : see document
- False Match Rate (defined over single comparisons)
- The proportion of zero-effort impostor attempt samples falsely declared to match the compared non-self template
- False Negative : see document
- An instance in which a security tool intended to detect a particular threat fails to do so.
- Incorrectly classifying malicious activity as benign.
- False Non-Match Rate : see document
- False Non-Match Rate (defined over single comparisons)
- False Positive : see document
- An erroneous acceptance of the hypothesis that a statistically significant event has been observed.
- An alert that incorrectly indicates that a vulnerability is present.
- An alert that incorrectly indicates that malicious activity is occurring.
- An instance in which a security tool incorrectly classifies benign content as malicious.
- Incorrectly classifying benign activity as malicious.
- An erroneous acceptance of the hypothesis that a statistically significant event has been observed. This is also referred to as a type 1 error. When “health-testing” the components of a device, it often refers to a declaration that a component has malfunctioned – based on some statistical test(s) – despite the fact that the component was actually working correctly.
- false reject rate (FRR) : see document
- Proportion of verification transactions with truthful claims of identity that are incorrectly denied.
- False Reject Rate (defined over an authentication transaction)
- false rejection : see document
- The failure of a biometric system to identify a biometric subject or to verify the legitimate claimed identity of a biometric subject.
- FAM : see document
- Family and Educational Records Privacy Act : see document
- The primary law in the United States that governs the privacy of student educational records.
- FAQ : see document
- FAR : see document
- False Accept Rate (defined over an authentication transaction)
- The Federal Acquisition Regulations System is established for the codification and publication of uniform policies and procedures for acquisition by all executive agencies.
- FASC : see document
- FASC-N : see document
- One of the primary identifiers on the PIV Card for physical access control, as required by FIPS 201. The FASC-N is a fixed length (25 byte) data object that is specified in [NIST SP 800-73-4] and included in several data objects on a PIV Card.
- Fast Healthcare Interoperability Resources : see document
- Fast IDentity Online : see document
- Fast Initial Link Setup : see document
- Fast Transition : see document
- FASTER : see document
- Faster Administration of S&T Education and Research : see document
- FAT : see document
- FATE : see document
- Fault tolerance : see document
- A property of a system that allows proper operation even if components fail.
- fault tree analysis : see document
- A top-down, deductive failure analysis in which an undesired state of a system (top event) is analyzed using Boolean logic to combine a series of lower-level events. An analytical approach whereby an undesired state of a system is specified and the system is then analyzed in the context of its environment of operation to find all realistic ways in which the undesired event (top event) can occur.
- A top-down, deductive failure analysis in which an undesired state of a system (top event) is analyzed using Boolean logic to combine a series of lower-level events.
An analytical approach whereby an undesired state of a system is specified and the system is then analyzed in the context of its environment of operation to find all realistic ways in which the undesired event (top event) can occur.
- Faulty Operation : see document
- FBCA : see document
- FBE : see document
- FBI : see document
- FC : see document
- FCB : see document
- A group of cooperating entities that collectively provide high-level vulnerability disclosure coordination among government agencies; the FCB represents the primary mechanism by which vulnerabilities should be reported to the Government and for the Government to produce advisories about government vulnerabilities.
- FCC : see document
- FCC ID : see document
- FCF : see document
- FCIP : see document
- FCKMS : see document
- Federal Cryptographic Key Management System. A CKMS that conforms to the requirements of SP 800-152.
- An FCKMS whose data have been subjected to unauthorized access, modification, or disclosure while contained within the FCKMS.
- FCKMS architecture : see document
- The structure of an operational FCKMS, including descriptions and diagrams of the types and locations of all its facilities, FCKMS modules, devices, support utilities, and communications.
- FCKMS Component (Component) : see document
- Any hardware, software, or firmware that is used to implement an FCKMS.
- FCKMS Device (Device) : see document
- Any combination of FCKMS components that serve a specific purpose (e.g., firewalls, routers, transmission devices, cryptographic modules, and data storage devices).
- FCKMS documentation : see document
- The documentation collected or produced by the FCKMS service-providing organization (including the design documentation of the CKMS that will be the foundation of the FCKMS) that states what services and functions are to be provided to FCKMS service-using organizations.
- FCKMS functions : see document
- Functions that perform cryptographic key and metadata management operations (see Section 6.4 for examples).
- FCKMS module : see document
- A device that performs a set of key and metadata-management functions for at least one FCKMS and is associated with a cryptographic module. The device may be implemented as hardware, software, and/or firmware.
- FCKMS personnel : see document
- The individuals of an FCKMS service-providing organization that are authorized to assume the supported roles of the FCKMS.
- FCKMS Security Domain : see document
- A collection of entities that share a common FCKMS Security Policy.
- FCKMS Security Policy : see document
- A security policy specific to an FCKMS.
- The security policy defined by an FCKMS service provider and the FCKMS service-using organization that specifies how the FCKMS will be operated.
- FCKMS service provider (FCKMS service-providing organization) : see document
- An entity that provides FCKMS key-management services to one or more FCKMS service-using organizations in accordance with their respective FCKMS Security Policies.
- FCKMS services (protections) : see document
- Protections provided to data, such as data integrity authentication, confidentiality, and source authentication.
- FCKMS service-using organization : see document
- A Federal organization or contractor that has selected an FCKMS service provider to provide key-management services.
- FCL : see document
- FCoE : see document
- FCoE Forwarder : see document
- FCoE Initialization Protocol : see document
- FCS : see document
- FCSM : see document
- An interagency committee dedicated to improving the quality of Federal statistics. The FCSM was created by the Office of Management and Budget (OMB) to inform and advise OMB and the Interagency Council on Statistical Policy (ICSP) on methodological and statistical issues that affect the quality of Federal data.
- FDA : see document
- FDCC : see document
- FDCE : see document
- FDE : see document
- FDIS : see document
- FDNA : see document
- FEA : see document
- A business-based framework for governmentwide improvement developed by the Office of Management and Budget that is intended to facilitate efforts to transform the federal government to one that is citizen-centered, results-oriented, and market-based.
- A business-based framework for government-wide improvement developed by the Office of Management and Budget that is intended to facilitate efforts to transform the federal government to one that is citizen-centered, results-oriented, and market-based.
- Feasible Path Unicast Reverse Path Forwarding : see document
- FEA-SPP : see document
- Feature extraction function : see document
- Identifies and extracts features/attributes from each digital artifact. The mechanism by which features are picked and interpreted depends on the approximate matching algorithm. The representation of this collection is the similarity digest of the object.
- Feature Phone : see document
- A mobile device that primarily provides users with simple voice and text messaging services.
- Feature set : see document
- The set of all features associated with a single artifact is its feature set. Each algorithm must include criteria by which candidate features are selected for inclusion in this set. For example, an algorithm might select all the (byte, offset) pairs produced by reading every 16th byte in the artifact.
- Features : see document
- The basic elements through which artifacts are compared. Comparison of two features always yields a binary {0, 1} outcome indicating a match or non-match; because features are defined as the most basic comparison unit that the algorithm considers, partial matches are not permitted. Generally, a feature can be any value derived from an artifact. Each approximate matching algorithm must define the structure of its features and the method by which they are derived. For example, an algorithm might define a feature as a (byte, offset) pair produced by reading the value of a byte and storing it along with the offset at which it was read.
- Federal Acquisition Security Council : see document
- federal agency : see document
- An executive department specified in 5 U.S.C. Sec. 101; a military department specified in 5 U.S.C. Sec. 102; an independent establishment as defined in 5 U.S.C. Sec. 104(1); and a wholly owned Government corporation fully subject to the provisions of 31 U.S.C. Chapter 91.
- An executive Department specified in 5 U.S.C., Sec. 101; a military department specified in 5 U.S.C., Sec. 102; an independent establishment as defined in 5 U.S.C., Sec. 104(1); and a wholly owned Government corporation fully subject to the provisions of 31 U.S.C., Chapter 91.
- Any department, subordinate element of a department, or independent organizational entity that is statutorily or constitutionally recognized as being part of the Executive Branch of the Federal Government.
- An executive department specified in 5 U.S.C., Sec. 101; a military department specified in 5 U.S.C., Sec. 102; an independent establishment as defined in 5 U.S.C., Sec. 104(1); or a wholly owned Government corporation fully subject to the provisions of 31 U.S.C., Chapter 91.
- An executive department specified in 5 U.S.C., Sec. 101; a military department specified in 5 U.S.C., Sec. 102; an independent establishment as defined in 5 U.S.C., Sec. 104(1); and a wholly owned Government corporation fully subject to the provisions of 31 U.S.C., Chapter 91.
- Any executive department, military department, government corporation, government-controlled corporation, or other establishment in the executive branch of the government (including the Executive Office of the President) or any independent regulatory agency, but does not include: 1) the General Accounting Office; 2) the Federal Election Commission; 3) the governments of the District of Columbia and of the territories and possessions of the United States and their various subdivisions; or 4) government-owned, contractor-operated facilities, including laboratories engaged in national defense research and production activities. Also referred to as Federal Agency.
- An executive department specified in 5 U.S.C., Sec. 101; a military department specified in 5 U.S.C., Sec.102; an independent establishment as defined in 5 U.S.C., Sec. 104(1); or a wholly owned government corporation fully subject to the provisions of 31 U.S.C., Chapter 91.
- An executive department specified in 5 U.S.C., Section 101; a military department specified in 5 U.S.C., Section 102; an independent establishment as defined in 5 U.S.C., Section 104(1); and a wholly owned Government corporation fully subject to the provisions of 31 U.S.C. Chapter 91.
- The term 'agency' means any executive department, military department, government corporation, government controlled corporation, or other establishment in the executive branch of the government (including the Executive Office of the President), or any independent regulatory agency, but does not include
(a) the General Accounting Office;
(b) Federal Election Commission;
(c) the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or
(d) Government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities.
- An executive department specified in 5 United States Code (U.S.C.), Sec. 101; a military department specified in 5 U.S.C., Sec. 102; an independent establishment as defined in 5 U.S.C., Sec. 104(1); and a wholly owned government corporation fully subject to the provisions of 31 U.S.C., Chapter 91.
- An executive department specified in 5 U.S.C., Sec. 105; a military department specified in 5 U.S.C., Sec. 102; an independent establishment as defined in 5 U.S.C., Sec. 104(1); and a wholly owned Government corporation fully subject to the provisions of 31 U.S.C., Chapter 91.
- Federal Agency Smart Credential Number : see document
- One of the primary identifiers on the PIV Card for physical access control, as required by FIPS 201. The FASC-N is a fixed length (25 byte) data object that is specified in [NIST SP 800-73-4] and included in several data objects on a PIV Card.
- Federal Aviation Administration : see document
- federal bridge certification authority (FBCA) : see document
- The Federal Bridge certification authority (CA) consists of a collection of public key infrastructure (PKI) components (Certificate Authorities, Directories, Certificate Policies and Certificate Practice Statements) that are used to provide peer to peer interoperability among Agency Principal Certification Authorities.
- The Federal Bridge Certification Authority consists of a collection of Public Key Infrastructure components (Certificate Authorities, Directories, Certificate Policies and Certificate Practice Statements) that are used to provide peer to peer interoperability among Agency Principal Certification Authorities.
- The FBCA is the entity operated by the Federal Public Key Infrastructure (FPKI) Management Authority that is authorized by the Federal PKI Policy Authority to create, sign, and issue public key certificates to Principal CAs.
- Federal Bureau of Investigation : see document
- Federal Committee on Statistical Methodology : see document
- An interagency committee dedicated to improving the quality of Federal statistics. The FCSM was created by the Office of Management and Budget (OMB) to inform and advise OMB and the Interagency Council on Statistical Policy (ICSP) on methodological and statistical issues that affect the quality of Federal data.
- Federal Communications Commission : see document
- Federal Communications Commission identification number : see document
- An identifier found on all wireless phones legally sold in the US, which is issued by the FCC.
- Federal Computer Security Managers : see document
- Federal Computer Security Program Managers : see document
- federal coordination : see document
- A set of aligned activities across the Federal Government, including identifying and engaging stakeholders, mediating, communicating, and other planning to support vulnerability disclosure.
- Federal Coordination Body : see document
- A group of cooperating entities that collectively provide high-level vulnerability disclosure coordination among government agencies; the FCB represents the primary mechanism by which vulnerabilities should be reported to the Government and for the Government to produce advisories about government vulnerabilities.
- Federal Cryptographic Key Management System : see document
- Federal Cryptographic Key Management System. A CKMS that conforms to the requirements of SP 800-152.
- Federal Dashboard : see document
- A dashboard instance that:
• Collects summary data from the base-level dashboards across multiple organizations; and
• Does not collect assessment object-level data or defects. It summarizes federal-level defects and assessment object categories, but not local (base) level defects or local (base) categories.
- Federal Desktop Core Configuration (FDCC) : see document
- OMB-mandated set of security configurations for all federal workstation and laptop devices that run either Windows XP or Vista.
- Federal Emergency Management Agency : see document
- Federal Energy Regulatory Commission : see document
- federal enterprise architecture (FEA) : see document
- A business-based framework for governmentwide improvement developed by the Office of Management and Budget that is intended to facilitate efforts to transform the federal government to one that is citizen-centered, results-oriented, and market-based.
- A business-based framework for government-wide improvement developed by the Office of Management and Budget that is intended to facilitate efforts to transform the federal government to one that is citizen-centered, results-oriented, and market-based.
- A framework that describes the relationship between business functions and the technologies and information that support them. Major IT investments will be aligned against each reference model within the FEA framework.
- A business-based framework that the Office of Management and Budget (OMB) developed for government-wide improvement in developing enterprise architectures (EAs) by providing a common framework to identify opportunities for simplifying processes and unifying work across the Federal Government.
- Federal Enterprise Architecture Security and Privacy Profile : see document
- Federal Financial Institutions Examination Council : see document
- Federal Financial Management Improvement Act : see document
- Federal Highway Administration : see document
- Federal Identity Credentialing Committee : see document
- Federal Identity, Credential, and Access Management : see document
- federal information processing : see document
- A standard for adoption and use by Federal agencies that has been developed within the Information Technology Laboratory and published by the National Institute of Standards and Technology, a part of the U.S. Department of Commerce. A FIPS covers some topic in information technology in order to achieve a common level of quality or some level of interoperability.
- Federal Information Security : see document
- Title III of the E-Government Act requiring each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
- federal information system : see document
- An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.
- Federal Information System Controls Audit Manual : see document
- Federal Information Systems Security Educators’ Association : see document
- The Federal Information Systems Security Educators’ Association, an organization whose members come from federal agencies, industry, and academic institutions devoted to improving the IT security awareness and knowledge within the federal government and its related external workforce.
- Federal Information Technology Security Assessment Framework : see document
- Federal Law Enforcement Training Center : see document
- Federal Managers Financial Integrity Act : see document
- Federal Motor Carrier Safety Administration : see document
- Federal Network Resiliency : see document
- Federal Office for Information Security : see document
- Federal Policy for the Protection of Human Subjects : see document
- Federal Preparedness Circular : see document
- Federal Profile : see document
- Profile of the IoT device cybersecurity capability core baseline [NISTIR 8259A] and non-technical supporting capability core baseline [NISTIR 8259B] that provides security guidance to federal government organizations related to IoT devices.
- Federal Railroad Administration : see document
- Federal Register Notice : see document
- Federal Resource Management Regulation : see document
- Federal Risk and Authorization Management Program : see document
- Federal Transit Administration : see document
- Federally Funded Research and Development Center : see document
- Federated Development and Certification Environment : see document
- federated identifier : see document
- The combination of a subject identifier within an assertion and an identifier for the IdP that issued that assertion. When combined, these pieces of information uniquely identify the subscriber in the context of a federation transaction.
- Federated Identity Management : see document
- A process that allows for the conveyance of identity and authentication information across a set of networked systems.
- Federated Identity, Credential and Access Management : see document
- federated learning : see document
- A type of machine learning in which a model is trained in a decentralized fashion using multiple data sources without pooling or combining the data in any centralized location. Federated learning allows entities or devices to collaboratively train a global model by exchanging model updates without directly sharing the data that each entity controls.
- Federated Trust : see document
- Trust established within a federation, enabling each of the mutually trusting realms to share and use trust information (e.g., credentials) obtained from any of the other mutually trusting realms.
- federation : see document
- A collection of realms (domains) that have established trust among themselves. The level of trust may vary but typically includes authentication and may include authorization.
- A process that allows for the conveyance of identity and authentication information across a set of networked systems.
- A collection of realms (domains) that have established trust among themselves. The level of trust may vary, but typically includes authentication and may include authorization.
- A process that allows the conveyance of identity and authentication information across a set of networked systems.
- Federation Administrators : see document
- The entity responsible for the governance and administration of an identity federation.
- See Federation Administrators.
- Federation Assurance Level (FAL) : see document
- A category that describes the federation protocol used to communicate an assertion containing authentication and attribute information (if applicable) to an RP, as defined in [NIST SP 800-63-3] in terms of three levels: FAL 1 (Some confidence), FAL 2 (High confidence), FAL 3 (Very high confidence).
- A category that describes the process used in a federation transaction to communicate authentication events and subscriber attributes to an RP.
- A category describing the assertion protocol used by the federation to communicate authentication and attribute information (if applicable) to an RP.
- A category describing the assertion protocol used by the federation to communicate authentication and attribute information (if applicable) to a relying party.
- federation authority : see document
- A party that facilitates the establishment and management of one or more trust agreements between federated parties. The federation authority can also provide other services, such as a federation proxy, discovery and registration support, and conformance evaluation.
- Federation Credential Service Provider : see document
- A trusted entity that issues or registers subscriber authenticators and issues electronic credentials to subscribers. A CSP may be an independent third party or issue credentials for its own use.
- See Credential Service Provider.
- federation protocol : see document
- A technical protocol that is used in a federation transaction between networked systems.
- federation transaction : see document
- A specific instance of processing an authentication using a federation process for a specific subscriber by conveying an assertion from an IdP to an RP.
- FedRAMP : see document
- feedforward neural networks : see document
- Artificial neural networks in which the connections between nodes are from one layer to the next and do not form a cycle.
- FELICS : see document
- FEMA : see document
- FERC : see document
- FFC : see document
- Finite Field Cryptography, the public-key cryptographic methods using operations in a multiplicative group of a finite field.
- Finite field cryptography.
- FFIEC : see document
- FFMIA : see document
- FFRDC : see document
- FFT-Over-NTRU-Lattice-Based Digital Signature Algorithm : see document
- FGS : see document
- FHE : see document
- FHIR : see document
- FHSS : see document
- FHWA : see document
- FIB : see document
- Fibre-Channel : see document
- Fibre-Channel over Ethernet : see document
- Fibre-Channel over IP : see document
- FICAM : see document
- FICC : see document
- FIDO : see document
- Field Device : see document
- Equipment that is connected to the field side on an ICS. Types of field devices include RTUs, PLCs, actuators, sensors, HMIs, and associated communications.
- Field Programmable Gate Array : see document
- Field Replacement Unit : see document
- Field Site : see document
- A subsystem that is identified by physical, geographical, or logical segmentation within the ICS. A field site may contain RTUs, PLCs, actuators, sensors, HMIs, and associated communications.
- Field Tamper Recovery : see document
- FIFO : see document
- Fifth generation technology standard for broadband cellular networks : see document
- File : see document
- A collection of information logically grouped into a single entity and referenced by a unique name, such as a filename.
- File Allocation Table : see document
- File Allocation Unit : see document
- A group of contiguous sectors, also known as a cluster.
- File Header : see document
- Data within a file that contains identifying information about the file and possibly metadata with information about the file contents.
- File Integrity Checking : see document
- Software that generates, stores, and compares message digests for files to detect changes made to the files.
- File Integrity Monitoring : see document
- File Name Anomaly : see document
- A mismatch between the internal file header and its external extension; a file name inconsistent with the content of the file (e.g., renaming a graphics file with a non-graphics extension).
- file protection : see document
- Aggregate of processes and procedures designed to inhibit unauthorized access, contamination, elimination, modification, or destruction of a file or any of its contents.
- file sharing services : see document
- Services that include but are not limited to information sharing and access to information via web-based file sharing or storage.
- File Signature Anomaly : see document
- A mismatch between the internal file header and its external file name extension; a file name inconsistent with the content of the file (e.g., renaming a graphics file with a non-graphics extension).
- File Slack : see document
- Space between the logical end of the file and the end of the last allocation unit for that file.
- File System : see document
- A software mechanism that defines the way that files are named, stored, organized, and accessed on logical volumes of partitioned memory.
- File Transfer Protocol over TLS : see document
- File Transfer Protocol Secure : see document
- File-Based Encryption : see document
- Filename : see document
- A unique name used to reference a file.
- Filesystem : see document
- A software mechanism that defines the way that files are named, stored, organized, and accessed on logical volumes of partitioned memory.
- A method for naming, storing, organizing, and accessing files on logical volumes.
- Filesystem virtualization : see document
- A form of virtualization that allows multiple containers to share the same physical storage without the ability to access or alter the storage of other containers.
- fill device : see document
- A COMSEC item used to transfer or store key in electronic form or to insert key into cryptographic equipment. The “Common Fill Devices” are the KYK-13, and KYK-15. Electronic fill devices include, but are not limited to, the DTD, SKL, SDS, and RASKI.
- FILS : see document
- FIM : see document
- Final Checklist : see document
- A checklist that has completed public review, has had all issues addressed by the checklist developer and NIST, and has been approved by NIST for listing on the repository.
- Checklist approved by NIST for placement on the repository.
- Final Checklist List (FCL) : see document
- The listing of all final checklists on the NIST repository.
- Final Draft International Standard : see document
- Financial Audit Manual : see document
- Financial Sector : see document
- fine-tuning : see document
- In machine learning, a training step that starts from a pre-trained model (sometimes called a foundation model) and adds task- or domain-specific information.
- The process of adapting a pre-trained model to perform specific tasks or specialize in a particular domain. This phase follows the initial pre-training phase and involves further training the model on task-specific data. This is often a supervised learning task.
- fine-tuning circumvention : see document
- Fine-tuning to remove model refusal behaviour or other model-level safety interventions.
- Fingerprint : see document
- A hash value of a (public) key encoded into a string (e.g., into hexadecimal). Several fingerprint formats are in use by different SSH implementations.
- Fingerprint segmentation : see document
- Segmentation is the automated (and often manually reviewed) separation of an image of N fingers into N images of individual fingers. N is usually four, for the index through little finger, and two for a capture of two thumbs.
- Finite Field Cryptography : see document
- Finite Field Cryptography, the public-key cryptographic methods using operations in a multiplicative group of a finite field.
- Finite field cryptography.
- Finite-State Machine : see document
- FIP : see document
- FIPPs : see document
- Principles that are widely accepted in the United States and internationally as a general framework for privacy and that are reflected in various federal and international laws and policies. In a number of organizations, the principles serve as the basis for analyzing privacy risks and determining appropriate mitigation strategies.
- A set of principles that have been developed worldwide since the 1970s that provide guidance to organizations in the handling of personal data.
- FIPS : see document
- A standard for adoption and use by federal departments and agencies that has been developed within the Information Technology Laboratory and published by NIST, a part of the U.S. Department of Commerce. A FIPS covers some topic in information technology to achieve a common level of quality or some level of interoperability.
- A standard for adoption and use by federal departments and agencies that has been developed within the Information Technology Laboratory and published by the National Institute of Standards and Technology, a part of the U.S. Department of Commerce. A FIPS covers some topic in information technology in order to achieve a common level of quality or some level of interoperability.
- Federal Information Processing Standard.
- A standard for adoption and use by federal departments and agencies that has been developed within the Information Technology Laboratory and published by NIST. A standard in FIPS covers a specific topic in information technology to achieve a common level of quality or some level of interoperability.
- FIPS 140 security level : see document
- A metric of the security provided by a cryptographic module that is specified as Level 1, 2, 3, or 4, as specified in [FIPS 140], where Level 1 is the lowest level, and Level 4 is the highest level.
- FIPS PUB : see document
- Federal Information Processing Standard Publication
- FIPS-validated cryptography : see document
- A cryptographic module validated by the Cryptographic Module Validation Program (CMVP) to meet requirements specified in FIPS Publication 140-2 (as amended). As a prerequisite to CMVP validation, the cryptographic module is required to employ a cryptographic algorithm implementation that has successfully passed validation testing by the Cryptographic Algorithm Validation Program (CAVP). See NSA-Approved Cryptography.
- A cryptographic module validated by the Cryptographic Module Validation Program (CMVP) to meet requirements specified in FIPS Publication 140-3 (as amended). As a prerequisite to CMVP validation, the cryptographic module is required to employ a cryptographic algorithm implementation that has successfully passed validation testing by the Cryptographic Algorithm Validation Program (CAVP). See NSA-approved cryptography.
- Fire and Gas System : see document
- FIREFLY : see document
- Key management protocol based on public key cryptography.
- FIREFLY credential manager : see document
- The key management entity (KME) responsible for removing outdated modern key credentials from the directory servers.
- Firepower Management Center : see document
- Firepower Threat Defense : see document
- firewall : see document
- An inter-network connection device that restricts data communication traffic between two connected networks. A firewall may be either an application installed on a general-purpose computer or a dedicated platform (appliance), which forwards or rejects/drops packets on a network. Typically, firewalls are used to define zone borders. Firewalls generally have rules restricting which ports are open.
- A gateway that limits access between networks in accordance with local security policy.
- Gateway that limits access between networks in accordance with local security policy.
- An inter-network gateway that restricts data communication traffic to and from one of the connected networks (the one said to be “inside” the firewall) and thus protects that network’s system resources against threats from the other network (the one that is said to be “outside” the firewall).
- A part of a computer system or network that is designed to block unauthorized access while permitting outward communication.
- A device or program that controls the flow of network traffic between networks or hosts that employ differing security postures.
- A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both.
- A firewall is a device that has a network protection application installed to safeguard the network from intentional or unintentional intrusion. A firewall sits at the junction point or gateway between the two networks, usually a private network and a public network such as the Internet. The term “firewall” is derived from the process in which, by segmenting a network into different physical subnetworks, the firewalls limit damage that could spread from one subnet to another, acting in the same manner as fire doors or firewalls in automobiles.
- A system designed to prevent unauthorized accesses to or from a private network. Often used to prevent Internet users from accessing private networks connected to the Internet.
- Firewall Control Proxy : see document
- A component that controls a firewall’s handling of a call. The firewall control proxy can instruct the firewall to open specific ports that are needed by a call and direct the firewall to close these ports at call termination.
- FIRMR : see document
- firmware : see document
- See hardware and software.
- Computer programs and data stored in hardware – typically in read-only memory (ROM) or programmable read-only memory (PROM) – such that the programs and data cannot be dynamically written or modified during execution of the programs. See hardware and software.
- Computer programs and data stored in hardware - typically in read-only memory (ROM) or programmable read-only memory (PROM) - such that the programs and data cannot be dynamically written or modified during execution of the programs.
- Computer programs and associated data that may be dynamically written or modified during execution.
- The material physical components of a system. See software and firmware.
- The material physical components of an information system. See firmware and software.
- Computer programs (which are stored in and executed by computer hardware) and associated data (which also is stored in the hardware) that may be dynamically written or modified during execution.
- Software that is included in read-only memory (ROM).
- Computer programs and data stored in hardware - typically in read-only memory (ROM) or programmable read-only memory (PROM) - such that the programs and data cannot be dynamically written or modified during execution of the programs. See hardware and software.
- Computer programs and data stored in hardware—typically in read-only memory (ROM) or programmable read-only memory (PROM)—such that programs and data cannot be dynamically written or modified during execution of the programs. See hardware and software.
- Software program or set of instructions programmed on the flash ROM of a hardware device. It provides the necessary instructions for how the device communicates with the other computer hardware.
- The physical components of a system. See Software and Firmware.
- FIRST : see document
- First byte of a two-byte status word : see document
- First byte of a two-byte status word
- First In, First Out : see document
- First responder : see document
- A person who provides a rapid initial response to any IT incident or event that may require further investigation. Examples of such events include security threats, cyber-attacks and other illegal activities.
- First Responder Network Authority : see document
- FirstNet : see document
- fiscal optimization : see document
- A straightforward ranking of risks in descending order from most impactful to least. Risk managers tally the total risk response costs until funding is exhausted.
- Fiscal Year : see document
- FISCAM : see document
- FISMA : see document
- FISSEA : see document
- The Federal Information Systems Security Educator’s Association, an organization whose members come from federal agencies, industry, and academic institutions devoted to improving IT security awareness and knowledge within the federal government and its related external workforce.
- Fit for purpose : see document
- Used informally to describe a process, configuration item, IT service, etc., that is capable of meeting its objectives or service levels. Being fit for purpose requires suitable design, implementation, control, and maintenance.
- Fit for purpose is used informally to describe a process, configuration item, IT service, etc., that is capable of meeting its objectives or service levels. Being fit for purpose requires suitable design, implementation, control, and maintenance.
- FITSAF : see document
- fixed COMSEC facility : see document
- COMSEC facility located in an immobile structure or aboard a ship.
- Fixed Dialing Numbers : see document
- A set of phone numbers kept on the SIM that the phone can call exclusively of any others (i.e., all other numbers are disallowed).
- Fixed Field : see document
- In the deterministic construction of IVs, the field that identifies the device or context for the instance of the authenticated encryption function.
- Fixed Virtual Platform : see document
- Flapping : see document
- A situation in which BGP sessions are repeatedly dropped and restarted, normally as a result of line or router problems.
- Flash ROM : see document
- Non-volatile memory that is writable.
- flaw : see document
- FLETC : see document
- Flexible Open source workBench fOr Side-channel analysis : see document
- flooding : see document
- An attack that attempts to cause a failure in a system by providing more input than the system can process properly.
- An attack in which an attacker sends large numbers of wireless messages at a high rate to prevent the wireless network from processing legitimate traffic.
- Florida Association of Computer Crime Investigators : see document
- Flow Specification : see document
- Flowspec : see document
- Fluhrer-Mantin-Shamir : see document
- FM : see document
- FMC : see document
- FMCSA : see document
- FMEA : see document
- FMECA : see document
- FMFIA : see document
- FMR : see document
- False Match Rate (defined over single comparisons)
- FMS : see document
- FN-DSA : see document
- F-NFT : see document
- FNMR : see document
- False Non-Match Rate (defined over single comparisons)
- FO : see document
- FOBOS : see document
- Focal Document : see document
- A NIST document that is used as the basis for comparing its elements with elements from another document. Examples of Focal Documents include the Cybersecurity Framework version 2.0, the Privacy Framework version 1.0, and SP 800-53 Revision 5.
- A source document that is used as the basis for comparing an element with an element from another document. As of this writing, the National OLIR Program has three Focal Documents: the Cybersecurity Framework version 1.1, the Privacy Framework version 1.0, and SP 800-53 Rev. 4.
- A source document that is used as the basis for comparing an element with an element from another document. As of this writing, the OLIR Program has three Focal Documents: the Cybersecurity Framework version 1.1, the Privacy Framework version 1.0, and SP 800-53 Rev. 4.
- Focal Document Element : see document
- A discrete section, sentence, phrase, or other identifiable piece of content from a Focal Document.
- Any number and combination of organizational concepts (e.g., Functions, Categories, Subcategories, Controls, Control Enhancements) of a Focal Document.
- FOCI : see document
- focused observation : see document
- The act of directed (focused) attention to a party or parties alleged to have violated Department/Agency (D/A) ‘acceptable use’ policies and agreements for NSS. The alleged violation may be caused by the aggregation of triggers indicating anomalous activity on a National Security System (NSS). The violation thresholds are arrived at by trigger events that meet established thresholds of anomalous activity or the observed violation of ‘acceptable use’ policies.
- focused testing : see document
- A test methodology that assumes some knowledge of the internal structure and implementation detail of the assessment object.
- A test methodology that assumes some knowledge of the internal structure and implementation detail of the assessment object. Also known as gray box testing.
- FOIA : see document
- Food and Drug Administration : see document
- FOP : see document
- For Official Use Only : see document
- Forbidden PLMNs : see document
- A list of Public Land Mobile Networks (PLMNs) maintained on the SIM that the mobile phone cannot automatically contact, usually because service was declined by a foreign provider.
- A list of Public Land Mobile Networks (PLMNs) maintained on the SIM that the phone cannot automatically contact, usually because service was declined by a foreign provider.
- Forced Command : see document
- A restriction configured for an authorized key that prevents executing commands other than the specified command when logging in using the key. In some SSH implementations, forced command can be configured by using a "command=" restriction in an authorized keys file.
- forced ranking optimization : see document
- Prioritizing risks in the way that will best use available resources to achieve the maximum benefit given specific negative and positive consequences. Various business drivers and risk consequences have differing weights for developing a score, helping to move beyond the simplistic “threat multiplied by vulnerability” approach to build business objectives into that equation. Because these factors and their weights are based on business drivers, the factors should be defined by senior stakeholders but can be applied at all levels of the enterprise, subject to adjustment and refinement. Notably, while forced ranking is often the default method of optimization, the methods above are equally valid and beneficial to the enterprise.
- Foreign Owned, Controlled or Influenced : see document
- Foreign Ownership, Control, or Influence : see document
- Forensic and Incident Response Environment : see document
- Forensic Challenge : see document
- forensic copy : see document
- An accurate bit-for-bit reproduction of the information contained on an electronic device or associated media, whose validity and integrity has been verified using an accepted algorithm.
- A bit-for-bit reproduction of the information contained on an electronic device or associated media, whose validity and integrity has been verified using an accepted algorithm.
- Forensic examiner : see document
- A person who is an expert in acquiring, preserving, analyzing, and presenting digital evidence from computers and other digital media. This evidence may be related to computer-based and non-cyber crimes, including security threats, cyber-attacks, and other illegal activities.
- Forensic science : see document
- The application of science to the law.
- The use or application of scientific knowledge to a point of law, especially as it applies to the investigation of crime.
- Forensic Specialist : see document
- Locates, identifies, collects, analyzes, and examines data, while preserving the integrity and maintaining a strict chain of custody of information discovered.
- Locates, identifies, collects, analyzes and examines data while preserving the integrity and maintaining a strict chain of custody of information discovered.
- Forensically Clean : see document
- Digital media that is completely wiped of all data, including nonessential and residual data, scanned for malware, and verified before use.
- forensics : see document
- The practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.
- Forest of Random Subsets : see document
- Fork : see document
- A change to a blockchain network’s software (usually the consensus algorithm). The changes may be backwards compatible (see Soft Fork), or the changes may not be backwards compatible (see Hard Fork).
- Form Factor : see document
- The physical characteristics of a device or object including its size, shape, packaging, handling, and weight.
- formal access approval : see document
- A formalization of the security determination for authorizing access to a specific type of classified or controlled unclassified information (CUI) categories or subcategories based on specified access requirements, a determination of the individual’s security eligibility, and a determination that the individual’s official duties require the individual be provided access to the information. Note: Providing access to, or transferring, CUI is based on Lawful Government Purpose unless such access is further restricted by law, regulation, or government wide policy.
- formal method : see document
- Software engineering method used to specify, develop, and verify the software through application of a rigorous mathematically based notation and language.
- formal methods : see document
- A mathematically rigorous technique for the specification, development, and verification of software systems.
- formal verification : see document
- A systematic process that uses mathematical reasoning and mathematical proofs (i.e., formal methods in mathematics) to verify that the system satisfies its desired properties, behavior, or specification (i.e., the system implementation is a faithful representation of the design).
- Format : see document
- Pre-established layout for data.
- Format-Preserving Encryption : see document
- Formatting Function : see document
- The function that transforms the payload, associated data, and nonce into a sequence of complete blocks.
- FORS : see document
- Forum for Incident Response and Security Teams : see document
- Forum for Incident Response Teams : see document
- Forum of Incident Response and Security Teams : see document
- Forward Channel : see document
- The channel on which a reader transmits its signals.
- Forward Cipher Function : see document
- One of the two functions of the block cipher algorithm that is selected by the cryptographic key.
- A permutation on blocks that is determined by the choice of a key for a given block cipher.
- One of the two functions of the block cipher algorithm that is determined by the choice of a cryptographic key.
- The permutation of blocks that is determined by the choice of a block cipher and a key.
- One of the two functions of the block cipher algorithm that is determined by the choice of a cryptographic key. The term “forward cipher operation” is used for TDEA, while the term “forward transformation” is used for DEA.
- Forwarding Information Base : see document
- FOSS : see document
- foundation model : see document
- In generative AI, models trained on broad data using self-supervised learning that can be adapted, such as through fine-tuning, for a variety of downstream tasks.
- Foundational Defect Checks : see document
- Defect checks that expose ineffectiveness of controls that are fundamental to the purposes of the capability (e.g., HWAM, SWAM, or Configuration Setting Management) in which the defect check appears.
- Foundational PNT Profile: Applying the Cybersecurity Framework for the Responsible Use of Positioning, Navigation, and Timing (PNT) Services : see document
- FOUO : see document
- FPC : see document
- FPE : see document
- FPF : see document
- FPGA : see document
- FP-uRPF : see document
- FQDN : see document
- An unambiguous identifier that contains every domain level, including the top-level domain.
- FRA : see document
- Fractionalized non-Fungible Token : see document
- Frame Check Sequence : see document
- Framework Core : see document
- A set of cybersecurity activities and references that are common across critical infrastructure sectors and are organized around particular outcomes. The Framework Core comprises four types of elements: Functions, Categories, Subcategories, and Informative References.
- Framework Implementation Tier : see document
- A lens through which to view the characteristics of an organization’s approach to risk—how an organization views cybersecurity risk and the processes in place to manage that risk.
- Framework Profile : see document
- A representation of the outcomes that a particular system or organization has selected from the Framework Categories and Subcategories.
- Free and Open-Source Software : see document
- Free Field : see document
- In the RBG-based construction of IVs, the field whose contents are not restricted.
- Free Space : see document
- An area on media or within memory that is not allocated.
- Freedom of Information Act : see document
- French Security Incident Response Team : see document
- frequency : see document
- The rate of a repetitive event. If T is the period of a repetitive event, then the frequency f is its reciprocal, 1/T. Conversely, the period is the reciprocal of the frequency, T = 1 / f. Because the period is a time interval expressed in seconds (s), it is easy to see the close relationship between time interval and frequency. The standard unit for frequency is the hertz (Hz), defined as the number of events or cycles per second. The frequency of electrical signals is often measured in multiples of hertz, including kilohertz (kHz), megahertz (MHz), or gigahertz (GHz).
- frequency accuracy : see document
- The degree of conformity of a measured or calculated frequency to its definition. Because accuracy is related to the offset from an ideal value, frequency accuracy is usually stated in terms of the frequency offset.
- frequency drift : see document
- An undesired progressive change in frequency with time. Frequency drift can be caused by instability in the oscillator and environmental changes, although it is often hard to distinguish between drift and oscillator aging. Frequency drift may be in either direction (resulting in a higher or lower frequency) and is not necessarily linear.
- frequency hopping : see document
- Repeated switching of frequencies during radio transmission according to a specified algorithm, to minimize unauthorized interception or jamming of telecommunications.
- Frequency Hopping Spread Spectrum : see document
- Frequency Modulation : see document
- frequency offset : see document
- [See source document for the complete definition.]
- frequency stability : see document
- The degree to which an oscillating signal produces the same frequency for a specified interval of time. It is important to note the time interval—some devices have good short-term stability while others have good long-term stability. Stability does not determine whether the frequency of a signal is right or wrong. It only indicates whether that frequency stays the same. The Allan deviation is the most common metric used to estimate frequency stability, but several similar statistics are also used.
- Frequently Asked Questions : see document
- Fresh : see document
- For a newly generated key, the property of being unequal to any previously used key.
- Newly established keying material is considered to be fresh if the probability of being equal to any previously established keying material is acceptably small. The “acceptably small probability” may be application specific.
- Newly established secret keying material that is statistically independent of any previously established keying material.
- Newly established keying material is considered to be fresh if the probability of being equal to any previously established keying material is acceptably small. The acceptably small probability may be application specific.
- Fresh Entropy : see document
- A bitstring output from an entropy source, an NRBG or a DRBG that has access to a Live Entropy Source that is being used to provide prediction resistance.
- fresh random value : see document
- An output that was produced by a random bit generator and has not been previously used.
- A previously unused output of a random bit generator.
- FRN : see document
- FRR : see document
- False Reject Rate (defined over an authentication transaction)
- FrSIRT : see document
- FRU : see document
- FRVT : see document
- FS : see document
- FSM : see document
- FT : see document
- FTA : see document
- FTD : see document
- FTE : see document
- FTP : see document
- A standard for transferring files over the internet. FTP programs and utilities are used to upload and download web pages, graphics, and other files between local media and a remote server that allows FTP access.
- FTPS : see document
- FTR : see document
- Fujisaki Okamoto : see document
- Full Disk Encryption : see document
- Full node : see document
- A blockchain node that stores the blockchain data, passes along the data to other nodes, and ensures that newly added blocks are valid and authentic.
- Full Tunneling : see document
- A method that causes all network traffic to go through the tunnel to the organization.
- full/depot maintenance (COMSEC) : see document
- Complete diagnostic repair, modification, and overhaul of COMSEC equipment, including repair of defective assemblies by piece part replacement. See limited maintenance.
- full-entropy bitstring : see document
- A bitstring with ideal randomness (i.e., the amount of entropy per bit is equal to 1). This publication proves that a bitstring satisfying a certain definition of <em>full entropy</em> has an entropy rate of at least \(1-ε\), where \(ε\) is at most \(2^{-32}\).
- Fully Qualified Domain Name : see document
- An unambiguous identifier that contains every domain level, including the top-level domain.
- Fully-Homomorphic Encryption : see document
- Function : see document
- Used interchangeably with algorithm in this document.
- Primary unit within the Cybersecurity Framework. Exhibits basic cybersecurity activities at their highest level.
- One of the main components of the Framework. Functions provide the highest level of structure for organizing basic cybersecurity activities into Categories and Subcategories. The five functions are Identify, Protect, Detect, Respond, and Recover.
- A component of the Core that provides the highest level of structure for organizing basic privacy activities into Categories and Subcategories.
- functional attack : see document
- An adversarial attack that is optimized for a set of data in a domain rather than per data point.
- Functional Dependency Network Analysis : see document
- Functional Exercise : see document
- An exercise that allows personnel with operational responsibilities to validate their IT plans and their operational readiness for emergencies in a simulated operational environment.
- functional testing : see document
- Segment of quality assurance testing in which advertised security mechanisms of an information system are tested against a specification.
- Testing that verifies that an implementation of some function operates correctly.
- Fungible : see document
- Refers to something that is replaceable or interchangeable (i.e., not uniquely identifiable).
- FuSE : see document
- Future of Privacy Forum : see document
- Future of Systems Engineering : see document
- Fuzz Testing : see document
- Similar to fault injection in that invalid data is input into the application via the environment, or input by one process into another process. Fuzz testing is implemented by tools called fuzzers, which are programs or scripts that submit some combination of inputs to the test target to reveal how it responds.
- FVP : see document
- FY : see document
- G : see document
- G2B : see document
- G2G : see document
- G8 : see document
- GA4GH : see document
- Galois Counter Mode (algorithm) : see document
- Galois Message Authentication Code : see document
- Galois/Counter Mode : see document
- Galois/Counter Mode Protocol : see document
- GAN : see document
- A machine learning framework in which two neural networks contest with each other in the form of a zero-sum game, where one agent’s gain is another agent’s loss. A GAN learns to generate new data with the same statistics as the training set.
- GAO : see document
- gap analysis : see document
- The process of comparing current learning program or activity performance with the desired, expected performance.
- Gap Shortest Vector Problem : see document
- gapSVP : see document
- Gate Equivalents : see document
- gateway : see document
- An intermediate system (interface, relay) that attaches to two (or more) computer networks that have similar functions but dissimilar implementations and that enables either one-way or two-way communication between the networks.
- Gaussian Frequency-Shift Keying : see document
- Gaussian mechanism : see document
- An algorithmic primitive for differential privacy that adds random noise sampled from the Gaussian distribution to the output of a query.
- GB : see document
- Gb : see document
- GbE : see document
- Gbps : see document
- GCA : see document
- GCC : see document
- GCIP : see document
- GCM : see document
- GCMP : see document
- GCSE : see document
- GDGPS : see document
- GDI : see document
- GDOI : see document
- GDPR : see document
- GE : see document
- GenAI : see document
- The class of AI models that emulate the structure and characteristics of input data in order to generate derived synthetic content. This can include images, videos, audio, text, and other digital content.
- General Data Protection Regulation : see document
- General Exploit Level : see document
- Measures the prevalence of attacks against a misuse vulnerability—how often any vulnerable system is likely to come under attack.
- General Packet Radio Service (GPRS) : see document
- A packet switching enhancement to GSM and TDMA wireless networks to increase data transmission speeds.
- General Public License : see document
- General Records Schedule : see document
- general reference monitor concept : see document
- An abstract model of the necessary and sufficient properties that must be achieved by any mechanism that enforces a constraint.
- General Remediation Level : see document
- Measures the availability of remediation measures that can mitigate the vulnerability other than rendering the misused software feature useless (e.g., disabling the affected feature, removing the software).
- General Services Administration : see document
- general support system (GSS) : see document
- An interconnected set of information resources under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, and people.
- Generalized TTL Security Mechanism (GTSM) : see document
- A configuration in which BGP peers set the TTL value to 255 as a means of preventing forged packets from distant attackers.
- general-purpose IdP : see document
- An IdP that is housed and executed separately from a subscriber’s device (e.g., a remote service). Often, a general-purpose IdP will be capable of representing multiple subscribers.
- General-purpose operating system : see document
- A host operating system that can be used to run many kinds of applications, not just applications in containers.
- Generation-Encryption : see document
- The process of CCM in which a MAC is generated on the payload and the associated data, and encryption is applied to the payload and the MAC.
- generative adversarial networks : see document
- A machine learning framework in which two neural networks contest with each other in the form of a zero-sum game, where one agent’s gain is another agent’s loss. A GAN learns to generate new data with the same statistics as the training set.
- generative artificial intelligence : see document
- The class of AI models that emulate the structure and characteristics of input data in order to generate derived synthetic content. This can include images, videos, audio, text, and other digital content.
- generative pre-trained transformer : see document
- A family of machine learning models based on the transformer architecture that are pre-trained through self-supervised learning on large data sets of unlabelled text. This is the current predominant architecture for large language models.
- Generator ID : see document
- Generic : see document
- Generic Network Virtualization Encapsulation : see document
- Generic Routing Encapsulation : see document
- Generic Security Services Application Program Interface : see document
- Generic Segmentation Offload : see document
- Generic Token Card : see document
- Generic Top-level Domain : see document
- Genesis block : see document
- The first block of a blockchain network; it records the initial state of the system.
- Genetic Information Nondiscrimination Act : see document
- GENEVE : see document
- Genome-Wide Association Studies : see document
- genomic information : see document
- Information based on an individual's genome, such as a sequence of DNA or the results of genetic testing.
- Geolocation : see document
- Determining the approximate physical location of an object, such as a cloud computing server.
- Geometric Random Variable : see document
- A random variable that takes the value k, a non-negative integer, with probability p^k (1 − p). The random variable x is the number of successes before a failure in an infinite series of Bernoulli trials.
- George Mason University : see document
- GFCE : see document
- GFSK : see document
- GHz : see document
- GIAC : see document
- GIAC Critical Infrastructure Protection : see document
- GIAC Response and Industrial Defense : see document
- GICSP : see document
- GID : see document
- GIDEP : see document
- GIG : see document
- Gigabit : see document
- Gigabit(s) Ethernet : see document
- Gigabits per second : see document
- gigabyte : see document
- Gigahertz : see document
- GKH : see document
- GLBA : see document
- Global Alliance for Genomic Health : see document
- Global Cyber Alliance : see document
- Global Differential GPS System : see document
- Global Forum for Cyber Expertise : see document
- Global Industrial Cyber Security Professional : see document
- Global Information Assurance Certification : see document
- Global Information Grid : see document
- The globally interconnected, end-to-end set of information capabilities for collecting, processing, storing, disseminating, and managing information on demand to warfighters, policy makers, and support personnel. The GIG includes owned and leased communications and computing systems and services, software (including applications), data, security services, other associated services, and National Security Systems. Non-GIG information technology (IT) includes stand-alone, self-contained, or embedded IT that is not, and will not be, connected to the enterprise network. Rationale: Term has been replaced by the term “Department of Defense information networks (DODIN)”.
- Global Name Server : see document
- Global Navigation Satellite System : see document
- GNSS collectively refers to the worldwide positioning, navigation, and timing (PNT) determination capability available from one or more satellite constellations. Each GNSS system employs a constellation of satellites that operate in conjunction with a network of ground stations. Receivers and system integrity monitoring are augmented as necessary to support the required position, navigation, and timing performance for the intended operation.
- Global Positioning System : see document
- The Global Positioning System (GPS) is a U.S.-owned utility that provides users with positioning, navigation, and timing (PNT) services. This system consists of three segments: the space segment, the control segment, and the user segment. The U.S. Space Force develops, maintains, and operates the space and control segments.
- A system for determining position by comparing radio signals from several satellites.
- Global Positioning System Systems Engineering & Integration : see document
- Global Standards One : see document
- Global Structure/Global Value : see document
- A structure/value that is available to all routines in the test code.
- Global System for Mobile Communications (GSM) : see document
- A set of standards for second-generation cellular networks currently maintained by the 3rd Generation Partnership Project (3GPP).
- A set of standards for second-generation cellular networks currently maintained by the 3rd Generation Partnership Project (3GPP).
- Globally Unique Identifier : see document
- An identifier formatted following special conventions to support uniqueness within an organization and across all organizations creating identifiers. See Section 3.1.3 for the conventions.
- Globally Unique Temporary Identity : see document
- GlobalSign Certificate Center : see document
- GMAC : see document
- GMK : see document
- GMT : see document
- GMU : see document
- GNN : see document
- A neural network designed to process graph-structured data. GNNs perform optimizable transformations on graph attributes (e.g., nodes, edges, global context) while preserving graph symmetries such as permutation invariance. GNNs utilize a “graph-in, graph-out” architecture that takes an input graph with information and progressively transforms it into an output graph with the same connectivity as that of the input graph.
- GNS : see document
- GNSS : see document
- GNSS collectively refers to the worldwide positioning, navigation, and timing (PNT) determination capability available from one or more satellite constellations. Each GNSS system employs a constellation of satellites that operate in conjunction with a network of ground stations. Receivers and system integrity monitoring are augmented as necessary to support the required position, navigation, and timing performance for the intended operation.
- Goal : see document
- Goal Structuring Notation : see document
- Good Known Host : see document
- Google Cloud Messenger : see document
- GOTS : see document
- governance, risk, and compliance : see document
- Government : see document
- Government Accountability Office : see document
- Government Accounting Office : see document
- Government Contracting Activity : see document
- Government Coordinating Council : see document
- Government Off-The-Shelf : see document
- A software and/or hardware product that is developed by the technical staff of a Government organization for use by the U.S. Government. GOTS software and hardware may be developed by an external entity, with specification from the Government organization to meet a specific Government purpose, and can normally be shared among Federal agencies without additional cost. GOTS products and systems are not commercially available to the general public. Sales and distribution of GOTS products and systems are controlled by the Government.
- Government Performance and Results Act : see document
- Government Smart Card Interoperability Specification : see document
- Government to Business (private industry) : see document
- Government to Government : see document
- Government-Industry Data Exchange Program : see document
- Govern-P (Function) : see document
- Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk.
- GOVT : see document
- GPEA : see document
- GPL : see document
- GPMC : see document
- GPO : see document
- GPRA : see document
- GPRS : see document
- A packet switching enhancement to GSM and TDMA wireless networks to increase data transmission speeds.
- GPRS Location Information : see document
- The Routing Area Information (RAI), Routing Area update status, and other location information maintained on the SIM.
- GPS : see document
- The Global Positioning System (GPS) is a U.S.-owned utility that provides users with positioning, navigation, and timing (PNT) services. This system consists of three segments: the space segment, the control segment, and the user segment. The U.S. Space Force develops, maintains, and operates the space and control segments.
- A system for determining position by comparing radio signals from several satellites.
- GPS SE&I : see document
- GPT : see document
- A family of machine learning models based on the transformer architecture that are pre-trained through self-supervised learning on large data sets of unlabelled text. This is the current predominant architecture for large language models.
- GPU : see document
- GR : see document
- Graceful Restart : see document
- graded label : see document
- Indicates the degree to which a product has satisfied a specific standard, sometimes based on attaining increasing levels of performance against specified criteria. Tiers or grades are often represented by colors (e.g., red-yellow-green), numbers of icons (e.g., stars or security shields), or other appropriate metaphors (e.g., precious metals: gold-silver-bronze).
- Gramm-Leach-Bliley Act : see document
- graph neural network : see document
- A neural network designed to process graph-structured data. GNNs perform optimizable transformations on graph attributes (e.g., nodes, edges, global context) while preserving graph symmetries such as permutation invariance. GNNs utilize a “graph-in, graph-out” architecture that takes an input graph with information and progressively transforms it into an output graph with the same connectivity as that of the input graph.
- Graphical User Interface : see document
- Graphics Device Interface : see document
- Graphics Processing Unit : see document
- Graphics, Windowing, and Events Subsystem : see document
- gray box testing : see document
- A test methodology that assumes some knowledge of the internal structure and implementation detail of the assessment object.
- A test methodology that assumes some knowledge of the internal structure and implementation detail of the assessment object. Also known as gray box testing.
- gray market : see document
- Distribution channels which, while legal, are unofficial, unauthorized, or unintended by the original manufacturer.
- graylist : see document
- A list of discrete entities that have not yet been established as benign or malicious; more information is needed to move graylist items onto a whitelist or a blacklist.
- GRC : see document
- GRE : see document
- Greatest common divisor : see document
- The largest positive integer that divides each of two or more positive integers without a remainder.
- The largest positive integer that divides each of two positive integers without a remainder.
- Greenwich Mean Time : see document
- GRID : see document
- Group : see document
- A named collection of userIDs.
- An item that can hold other items; allows an author to collect related items into a common structure and provide descriptive text and references about them.
- group authenticator : see document
- Used, sometimes in addition to a sign-on authenticator, to allow access to specific data or functions that may be shared by all members of a particular group.
- Group Communication System Enablers : see document
- Group Domain of Interpretation : see document
- Group Identifier Level 1 : see document
- An identifier for a particular SIM and handset association, which can be used to identify a group of SIMs involved in a particular application.
- Group Identifier Level 2 : see document
- Group Main Key : see document
- Group Master Key : see document
- Group of Eight : see document
- group order : see document
- Cardinality of the group.
- Group Policies Objects : see document
- Group Policy Management Console : see document
- Group Policy Object : see document
- group privacy : see document
- A property of differential privacy. It says that if a mechanism provides differential privacy for one person, then it also provides a weaker differential privacy guarantee for groups of people. The weakness of the guarantee depends on the size of the group, and the definition of one person depends on the unit of privacy used.
- Group Security Association : see document
- Group Temporal Key : see document
- Groupe Speciale Mobile Association : see document
- gRPC : see document
- gRPC Remote Procedure Calls : see document
- GRS : see document
- GS1 : see document
- GSA : see document
- GSC-IS : see document
- GSM : see document
- A set of standards for second generation cellular networks currently maintained by the 3rd Generation Partnership Project (3GPP).
- A set of standards for second generation, cellular networks currently maintained by the 3rd Generation Partnership Project (3GPP).
- GSM Association : see document
- GSMA : see document
- GSN : see document
- GSO : see document
- GSS : see document
- An interconnected set of information resources under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, and people.
- GSSAPI : see document
- GTC : see document
- GTK : see document
- gTLD : see document
- GTSM : see document
- guard (system) : see document
- A mechanism limiting the exchange of information between information systems or subsystems.
- A computer system that (a) acts as gateway between two information systems operating under different security policies and (b) is trusted to mediate information data transfers between the two.
See transfer cross domain solution.
- Guest operating system : see document
- A virtual machine that runs an instance of an OS and its applications.
- The operating system component of the execution stack of a Virtual Machine (see below), others being Virtual Hardware, Middleware and Applications.
- Guest tools : see document
- Mechanisms within hosted virtualization solutions that allow a guest OS to access files, directories, the copy/paste buffer, and other resources on the host OS or another guest OS.
- GUI : see document
- GUID : see document
- GUID Partition Table : see document
- GUTI : see document
- GW : see document
- An intermediate system (interface, relay) that attaches to two (or more) computer networks that have similar functions but dissimilar implementations and that enables either one-way or two-way communication between the networks.
- GWAS : see document
- GWES : see document
- H.323 : see document
- The International Telecommunications Union (ITU) standard for packet-switched network voice and video calling and signaling.
- HA : see document
- A failover feature to ensure availability during device or component interruptions.
- hacker : see document
- Unauthorized user who attempts to or gains access to an information system.
- HACS : see document
- HAIPE : see document
- Hamming Quasi-Cyclic : see document
- Hampton Roads Cybersecurity Education, Workforce and Economic Development Alliance : see document
- hand receipt : see document
- A document used to record temporary transfer of COMSEC material from a COMSEC Account Manager to a user or maintenance facility and acceptance by the recipient of the responsibility for the proper storage, control, and accountability of the COMSEC material.
- hand receipt holder : see document
- A user to whom COMSEC material has been issued on a hand receipt. Known in EKMS and KMI as a Local Element.
- handshake : see document
- Protocol dialogue between two systems for identifying and authenticating themselves to each other, or for synchronizing their operations with each other.
- hard copy key : see document
- Physical keying material, such as printed key lists, punched or printed key tapes, or programmable, read-only memories (PROMs).
- Hard Disk : see document
- A rigid magnetic disk fixed permanently within a drive unit and used for storing data. It could also be a removable cartridge containing one or more magnetic disks.
- Hard Disk Drive : see document
- Hard fork : see document
- A change to a blockchain implementation that is not backwards compatible. Non-updated nodes cannot continue to transact with updated nodes.
- Hardening : see document
- A process intended to eliminate a means of attack by patching vulnerabilities and turning off nonessential services.
- hardware : see document
- See hardware and software.
- Computer programs and data stored in hardware – typically in read-only memory (ROM) or programmable read-only memory (PROM) – such that the programs and data cannot be dynamically written or modified during execution of the programs. See hardware and software.
- Computer programs and data stored in hardware - typically in read-only memory (ROM) or programmable read-only memory (PROM) - such that the programs and data cannot be dynamically written or modified during execution of the programs.
- The physical components of an information system. See Software and Firmware.
- Computer programs and associated data that may be dynamically written or modified during execution.
- The material physical components of a system. See software and firmware.
- The material physical components of an information system. See firmware and software.
- Computer programs (which are stored in and executed by computer hardware) and associated data (which also is stored in the hardware) that may be dynamically written or modified during execution.
- Computer programs and data stored in hardware—typically in read-only memory (ROM) or programmable read-only memory (PROM)—such that programs and data cannot be dynamically written or modified during execution of the programs. See hardware and software.
- The physical components of a system. See Software and Firmware.
- Hardware Asset Management : see document
- An ISCM capability that identifies unmanaged devices that are likely to be used by attackers as a platform from which to extend compromise of the network to be mitigated.
- See Capability, Hardware Asset Management.
- Hardware Description Language : see document
- Hardware Device : see document
- A discrete physical component of an information technology system or infrastructure. A hardware device may or may not be a computing device (e.g., a network hub, a webcam, a keyboard, a mouse).
- Hardware Driver : see document
- Applications responsible for establishing communication between hardware and software programs.
- Hardware Enforced Security : see document
- Hardware Mediated Execution Enclave : see document
- Hardware root of trust : see document
- An inherently trusted combination of hardware and firmware that maintains the integrity of information.
- Hardware Security Module (HSM) : see document
- A physical computing device that safeguards and manages cryptographic keys and provides cryptographic processing. An HSM is or contains a cryptographic module.
- A physical computing device that provides tamper-evident and intrusion-resistant safeguarding and management of digital keys and other secrets, as well as crypto-processing. FIPS 140-2 specifies requirements for HSMs.
- A physical computing device that provides tamper-evident and intrusion-resistant safeguarding and management of digital keys and other secrets, as well as crypto-processing. (FIPS 140-2) specifies requirements for HSMs.
- Hardware-Enabled Security : see document
- Security with its basis in the hardware platform.
- hardwired key : see document
- Key that is permanently installed.
- harm : see document
- Any adverse effects that would be experienced by an individual (i.e., that may be socially, physically, or financially damaging) or an organization if the confidentiality of PII were breached.
- Any adverse effects that would be experienced by an individual (i.e., that may be socially, physically, or financially damaging) or an organization if the confidentiality of PII were breached.
- HART : see document
- Hash algorithm : see document
- See hash function. “Hash algorithm” and “hash function” are used interchangeably in this Recommendation.
- Algorithm that creates a hash based on a message.
- Hash chain : see document
- An append-only data structure where data is bundled into data blocks that include a hash of the previous data block’s data within the newest data block. This data structure provides evidence of tampering because any modification to a data block will change the hash digest recorded by the following data block.
- hash digest : see document
- The result of applying a hash function to data.
- The result of applying a cryptographic hash function to data (e.g., a message). Also known as a “message digest”.
- The fixed-length bit string produced by a hash function.
- The result of applying a hash function to information.
- The result of applying a hash function to information; also called a message digest.
- The output of a hash function (e.g., hash(data) = digest). Also known as a message digest, digest, or hash value. The number of cryptographic hash functions a processor can calculate in a given time, usually denominated as hashes per second.
- hash function : see document
- A function that maps a bit string of arbitrary length to a fixed-length bit string. Approved hash functions satisfy the following properties:
i. (Collision resistance) It is computationally infeasible to find any two distinct inputs that map to the same output.
ii. (Preimage resistance) Given a randomly chosen target output, it is computationally infeasible to find any input that maps to that output. (This property is called the one-way property.)
iii. (Second preimage resistance) Given one input value, it is computationally infeasible to find a second (distinct) input value that maps to the same output as the first value.
This Recommendation uses the strength of the preimage resistance of a hash function as a contributing factor when determining the security strength provided by a key-derivation function.
- A function that maps a bit string of arbitrary length to a fixed-length bit string. Depending upon the relying application, the security strength that can be supported by a hash function is typically measured by the extent to which it possesses one or more of the following properties:
1. (Collision resistance) It is computationally infeasible to find any two distinct inputs that map to the same output.
2. (Preimage resistance) Given a randomly chosen target output, it is computationally infeasible to find any input that maps to that output. (This property is called the one-way property.)
3. (Second preimage resistance) Given one input value, it is computationally infeasible to find a second (distinct) input value that maps to the same output as the first value.
This Recommendation uses the strength of the preimage resistance of a hash function as a contributing factor when determining the security strength provided by a key-derivation method.
Approved hash functions are specified in [FIPS 180] and [FIPS 202].
- A function on bit strings in which the length of the output is fixed. <strong>Approved</strong> hash functions (such as those specified in FIPS 180 and FIPS 202) are designed to satisfy the following properties:
1. (One-way) It is computationally infeasible to find any input that maps to any new pre-specified output.
2. (Collision-resistant) It is computationally infeasible to find any two distinct inputs that map to the same output.
- A function on bit strings in which the length of the output is fixed. Approved hash functions (such as those specified in FIPS 180 and FIPS 202) are designed to satisfy the following properties:
1. (One-way) It is computationally infeasible to find any input that maps to any new pre-specified output.
2. (Collision-resistant) It is computationally infeasible to find any two distinct inputs that map to the same output.
- A function that maps a bit string of arbitrary length to a fixed-length bit string. Approved hash functions satisfy the following properties:
1. One-way — It is computationally infeasible to find any input that maps to any pre-specified output.
2. Collision-resistant — It is computationally infeasible to find any two distinct inputs that map to the same output.
- A function that maps a bit string of arbitrary length to a fixed length bit string and is expected to have the following three properties:
1) Collision resistance (see Collision resistance),
2) Preimage resistance (see Preimage resistance) and
3) Second preimage resistance (see Second preimage resistance).
Approved cryptographic hash functions are specified in [FIPS 180-3].
- A function that maps a bit string of arbitrary length to a fixed-length bit string. The function is expected to have the following three properties:
1. Collision resistance (see Collision resistance),
2. Preimage resistance (see Preimage resistance) and
3. Second preimage resistance (see Second preimage resistance).
Approved hash functions are specified in [FIPS 180-4].
- A function that maps a bit string of arbitrary length to a fixed length bit string. Approved hash functions are designed to satisfy the following properties:
1. (One-way) It is computationally infeasible to find any input that maps to any pre-specified output, and
2. (Collision resistant) It is computationally infeasible to find any two distinct inputs that map to the same output.
Approved hash functions are specified in FIPS 180-3.
- An algorithm that computes a numerical value (called the hash value) on a data file or electronic message that is used to represent that file or message, and depends on the entire contents of the file or message. A hash function can be considered to be a fingerprint of the file or message.
- A function on bit strings in which the length of the output is fixed. The output often serves as a condensed representation of the input.
- A function that maps a bit string of arbitrary length to a fixed-length bit string. Approved hash functions are expected to satisfy the following properties:
1. One-way: It is computationally infeasible to find any input that maps to any pre-specified output, and
2. Collision resistant: It is computationally infeasible to find any two distinct inputs that map to the same output.
- A function that maps a bit string of arbitrary length to a fixed-length bit string. Approved hash functions satisfy the following properties:
One-way - It is computationally infeasible to find any input that maps to any pre-specified output; and
Collision resistant - It is computationally infeasible to find any two distinct inputs that map to the same output.
- A (mathematical) function that maps values from a large (possibly very large) domain into a smaller range. The function satisfies the following properties: 1. (One-way) It is computationally infeasible to find any input that maps to any pre-specified output; 2. (Collision free) It is computationally infeasible to find any two distinct inputs that map to the same output.
- A function that maps a bit string of arbitrary length to a fixed-length bit string. Approved hash functions are expected to satisfy the following properties: 1. One-way: it is computationally infeasible to find any input that maps to any pre-specified output, and 2. Collision resistant: It is computationally infeasible to find any two distinct inputs that map to the same output.
- A function that maps a bit string of arbitrary length to a fixed-length bit string. Approved hash functions are designed to satisfy the following properties:
1. (One-way) It is computationally infeasible to find any input that maps to any pre-specified output, and
2. (Collision resistant) It is computationally infeasible to find any two distinct inputs that map to the same output.
Approved hash functions are specified in FIPS 180.
- A function that maps a bit string of arbitrary (although bounded) length to a fixed-length bit string. Approved hash functions satisfy the following properties:
1. (One-way) It is computationally infeasible to find any input that maps to any pre-specified output, and
2. (Collision resistant) It is computationally infeasible to find any two distinct inputs that map to the same output.
- A function that maps a bit string of arbitrary length to a fixed-length bit string. Approved hash functions satisfy the following properties:
One-way - It is computationally infeasible to find any input that maps to any pre-specified output; and
Collision resistant - It is computationally infeasible to find any two distinct inputs that map to the same output.
- A function that maps a bit string of arbitrary length to a fixed-length bit string. Approved hash functions satisfy the following properties: 1. One-way – It is computationally infeasible to find any input that maps to any pre-specified output. 2. Collision resistant – It is computationally infeasible to find any two distinct inputs that map to the same output.
- See cryptographic hash function.
- A function that maps a bit string of arbitrary (although bounded) length to a fixed-length bit string. Approved hash functions satisfy the following properties: 1. (One-way) It is computationally infeasible to find any input that maps to any pre-specified output. 2. (Collision-resistant) It is computationally infeasible to find any two distinct inputs that map to the same output.
- A function that maps a bit string of arbitrary length to a fixed-length bit string.
- A function that maps a bit string of arbitrary length to a fixed-length bit string. Approved hash functions satisfy the following properties: 1. (One-way) It is computationally infeasible to find any input that maps to any pre-specified output, and 2. (Collision resistant) It is computationally infeasible to find any two distinct inputs that map to the same output.
- A function that maps a bit string of arbitrary length to a fixed length bit string. Approved hash functions satisfy the following properties:
1. One-Way. It is computationally infeasible to find any input that maps to any pre-specified output.
2. Collision Resistant. It is computationally infeasible to find any two distinct inputs that map to the same output.
- A function that maps a bit string of arbitrary length to a fixed length bit string. Approved hash functions satisfy the following properties:
1. (One-way) It is computationally infeasible to find any input that maps to any pre-specified output, and
2. (Collision resistant) It is computationally infeasible to find any two distinct inputs that map to the same output.
- Hash Message Authentication Code : see document
- Keyed-hash Message Authentication Code (as specified in FIPS 198-1).
- Keyed-Hash Message Authentication Code specified in [FIPS198].
- hash output : see document
- The result of applying a hash function to a message. Also known as a "hash value."
- The result of applying a hash function to a message. Also known as a “hash value” or “hash output”.
- The fixed-size result of hashing a message.
- The result of applying a hash function to a message.
- Hash rate : see document
- The number of cryptographic hash functions a processor can calculate in a given time, usually denominated as hashes per second.
- hash value/result : see document
- The result of applying a hash function to a message. Also known as a “hash value.”
- The result of applying a hash function to a message. Also known as a “hash value” or “hash output”.
- The result of applying a hash function to data.
- The result of applying a cryptographic hash function to data (e.g., a message). Also known as a “message digest”.
- The fixed-size result of hashing a message.
- The fixed-length bit string produced by a hash function.
- The result of applying a hash function to information.
- The result of applying a hash function to information; also called a message digest.
- The result of applying a hash function to a message.
- The output of a hash function (e.g., hash(data) = digest). Also known as a message digest, digest, or hash value. The number of cryptographic hash functions a processor can calculate in a given time, usually denominated as hashes per second.
- Hash_DRBG : see document
- A DRBG specified in SP 800-90A based on a hash function.
- Hash-based Key Derivation Function : see document
- Hash-based signature : see document
- Hashed : see document
- The process whereby data (e.g., a message) was input to a cryptographic hash function (see Cryptographic hash function) to produce a hash value (see Hash value).
- Hashed Next Secure : see document
- Hashed Timelock Contract : see document
- hashing : see document
- The process of using a mathematical algorithm against data to produce a numeric value that is representative of that data.
- A method of calculating a relatively unique output (called a hash digest) for an input of nearly any size (a file, text, image, etc.) by applying a cryptographic hash function to the input data.
- Hashing algorithm : see document
- A sequence of steps to execute a cryptographic hash function (see Cryptographic hash function).
- hashword : see document
- Memory address containing hash total.
Rationale: Listed for deletion in 2010 version of CNSS 4009.
- HAVA : see document
- Hazards of Electromagnetic Radiation to Fuel : see document
- Hazards of Electromagnetic Radiation to Ordnance : see document
- Hazards of Electromagnetic Radiation to People : see document
- HBA : see document
- HBS : see document
- HC3 : see document
- HCI : see document
- HD : see document
- HDD : see document
- HDL : see document
- HDO : see document
- Header : see document
- A portion of a packet that contains layer-specific information such as addresses.
- The section of an email message that contains vital information about the message, including origination date, sender, recipient(s), delivery path, subject, and format information. The header is generally left in clear text even when the body of the email message is encrypted.
- Health and Human Services : see document
- Health Industry Cybersecurity – Securing Telehealth and Telemedicine : see document
- Health Industry Cybersecurity Information Sharing Best Practices : see document
- Health Industry Cybersecurity Matrix of Information Sharing Organizations : see document
- Health Industry Cybersecurity Practices : see document
- Health Industry Cybersecurity Supply Chain Risk Management : see document
- Health Industry Cybersecurity Tactical Crisis Response : see document
- Health Information System : see document
- Health Information Technology : see document
- Health Information Technology for Economic and Clinical Health Act : see document
- A 2009 law designed to stimulate the adoption of electronic health records (EHR) in the United States.
- Health Information Trust Alliance : see document
- Health Insurance Portability and Accountability Act : see document
- A federal statute that called on the federal Department of Health and Human Services to establish regulatory standards to protect the privacy and security of individually identifiable health information.
- The primary law in the United States that governs the privacy of healthcare information.
- Health Level 7 : see document
- Health Sector Cybersecurity Coordination Center : see document
- Health Testing : see document
- Testing within an implementation immediately prior to or during normal operation to determine that the implementation continues to perform as implemented and as validated.
- Health, Education and Welfare : see document
- Healthcare and Public Health : see document
- Healthcare Delivery Organization : see document
- healthcare identifier : see document
- Identifier of a person for exclusive use by a healthcare system.
- Healthcare Information and Management Systems Society : see document
- Healthcare Technology Management : see document
- Heap : see document
- A software data structure used for dynamic allocation of memory.
- Heating, Ventilation, and Air Conditioning : see document
- Help America Vote Act : see document
- HeNB : see document
- HeNB Gateway : see document
- HeNB-GW : see document
- HERF : see document
- HERO : see document
- HERP : see document
- Hertz : see document
- HES : see document
- HEW : see document
- Hewlett Packard Enterprise : see document
- HF : see document
- HFE : see document
- HFEv : see document
- HFS : see document
- HHS : see document
- HIC-ISBP : see document
- HIC-MISO : see document
- HICP : see document
- HIC-SCRiM : see document
- HIC-STAT : see document
- HIC-TCR : see document
- Hidden Field Equation : see document
- hidden Markov model : see document
- A Markov model in which the system being modeled is assumed to be a Markov process with unobservable states. The model provides an observable process whose outcomes are influenced by the outcomes of a Markov model in a known way. An HMM can be used to describe the evolution of observable events that depend on internal factors that are not directly observable. In machine learning, it is assumed that the internal state of a model is hidden but not its hyperparameters.
- Hidden Medium Field Equation : see document
- HIDS : see document
- Hierarchical Deterministic : see document
- Hierarchical File System : see document
- Hierarchical Signature Scheme : see document
- High Assurance Internet Protocol Encryptor (HAIPE) : see document
- Device that provides networking, traffic protection, and management features that provide information assurance (IA) services in an IPv4/IPv6 network.
- High Assurance Internet Protocol Encryptor Interoperability Specification (HAIPE-IS) : see document
- Suite of documents containing the traffic protection, networking, and interoperability functional requirements necessary to ensure the interoperability of HAIPE compliant devices. This policy applies to HAIPE-IS Version 3.0.2 and all subsequent HAIPE-IS versions.
- High Availability : see document
- A failover feature to ensure availability during device or component interruptions.
- High Frequency : see document
- high impact : see document
- The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
- The loss of confidentiality, integrity, or availability that could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States; (i.e., 1) causes a severe degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; 2) results in major damage to organizational assets; 3) results in major financial loss; or 4) results in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries).
- The loss of confidentiality, integrity, or availability that could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States; (i.e., 1) causes a severe degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; 2) results in major damage to organizational assets; 3) results in major financial loss; or 4) results in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.)
- The loss of confidentiality, integrity, or availability that could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States; (i.e., 1) causes a severe degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; 2) results in major damage to organizational assets; 3) results in major financial loss; or 4) results in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries).
- High Performance Computing Modernization Program : see document
- High Performance Radio Local Area Network : see document
- High Speed : see document
- High Speed Packet Access : see document
- High Technology Crime Investigation Association : see document
- High-Availability Seamless Redundancy : see document
- high-dimensional : see document
- A statistic composed of many numbers—e.g. a histogram with 50,000 bins, or a vector with 1 million elements.
- high-impact system : see document
- An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of high.
- An information system in which at least one security objective (confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of high.
- An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS Publication 199 potential impact value of high.
- An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS PUB 199 potential impact value of high.
Note: For National Security Systems, CNSSI No. 1253 does not adopt this FIPS PUB 200 high water mark across security objectives.
- A system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS Publication 199 potential impact value of high.
- Highly Adaptive Cybersecurity Services : see document
- High-Performance File System : see document
- high-power transmitter : see document
- For the purposes of determining separation between RED equipment/lines and RF transmitters, high-power is that which exceeds 100 mW (20 dBm) emitted isotropic radiated power (EIRP). See low-power transmitter.
- High-Value Asset : see document
- Information or an information system that is so critical to an organization that the loss or corruption of this information or loss of access to the system would have serious impacts on the organization’s ability to perform its mission or conduct business.
- A designation of federal information or a federal information system when it relates to one or more of the following categories:
- Informational Value – The information or information system that processes, stores, or transmits the information is of high value to the Government or its adversaries.
- Mission Essential – The agency that owns the information or information system cannot accomplish its Primary Mission Essential Functions (PMEF), as approved in accordance with Presidential Policy Directive 40 (PPD-40) National Continuity Policy, within expected timelines without the information or information system.
- Federal Civilian Enterprise Essential (FCEE) – The information or information system serves a critical function in maintaining the security and resilience of the federal civilian enterprise.
- Those information resources, mission/business processes, and/or critical programs that are of particular interest to potential or actual adversaries.
- A designation of Federal information or a Federal information system when it relates to one or more of the following categories:
- Informational Value – The information or information system that processes, stores, or transmits the information is of high value to the Government or its adversaries.
- Mission Essential – The agency that owns the information or information system cannot accomplish its Primary Mission Essential Functions (PMEF), as approved in accordance with Presidential Policy Directive 40 (PPD-40) National Continuity Policy, within expected timelines without the information or information system.
- Federal Civilian Enterprise Essential (FCEE) – The information or information system serves a critical function in maintaining the security and resilience of the Federal civilian enterprise.
- Those assets, federal information systems, information, and data for which an unauthorized access, use, disclosure, disruption, modification, or destruction could cause a significant impact to the United States' national security interests, foreign relations, economy – or to the public confidence, civil liberties, or public health and safety of the American people.
- Highway Addressable Remote Transducer : see document
- HIMSS : see document
- HINFO : see document
- HIP : see document
- HIPAA : see document
- A federal statute that called on the federal Department of Health and Human Services to establish regulatory standards to protect the privacy and security of individually identifiable health information.
- the primary law in the United States that governs the privacy of healthcare information
- HIPERLAN : see document
- HIPS : see document
- HIRS : see document
- HIS : see document
- HIT : see document
- HITRUST : see document
- HKDF : see document
- HL7 : see document
- HLAT : see document
- HMAC : see document
- A message authentication code that uses a cryptographic key in conjunction with a hash function.
- Keyed-hash Message Authentication Code (as specified in FIPS 198-1).
- Keyed-Hash Message Authentication Code specified in [FIPS198].
- HMAC_DRBG : see document
- A DRBG specified in SP 800-90A based on HMAC.
- HMAC-based Extract-and-Expand Key Derivation Function : see document
- HMAC-Based Key Derivation Function : see document
- HMAC-MD5 : see document
- HMAC-PRF : see document
- The HMAC function being used as a PRF.
- HMAC-SHA : see document
- HMEE : see document
- HMFEv : see document
- HMI : see document
- The hardware or software through which an operator interacts with a controller. An HMI can range from a physical control panel with buttons and indicator lights to an industrial PC with a color graphics display running dedicated HMI software.
- holdover : see document
- An operating condition of a clock which has lost its controlling reference input, is using its local oscillator, and can be augmented with stored data acquired while locked to the reference input or a frequency reference to control its output.
- Home eNodeB : see document
- Home Subscriber Server : see document
- Homeland Security Information Network : see document
- Homeland Security Information Network - Critical Infrastructure : see document
- Homeland Security Presidential Directive : see document
- Homeland Security Presidential Directive-12 : see document
- Homeland Security Presidential Directive; HSPD-12 established the policy for which FIPS 201-2 was developed.
- honeypot : see document
- A system (e.g., a web server) or system resource (e.g., a file on a server) that is designed to be attractive to potential crackers and intruders, like honey is attractive to bears.
- host : see document
- A host is any hardware device that has the capability of permitting access to a network via a user interface, specialized software, network address, protocol stack, or any other means. Some examples include, but are not limited to, computers, personal electronic devices, thin clients, and multi-functional devices.
- Almost any kind of computer, including a centralized mainframe that is a host to its terminals, a server that is host to its clients, or a desktop personal computer (PC) that is host to its peripherals. In network architectures, a client station (user’s machine) is also considered a host because it is a source of information to the network, in contrast to a device, such as a router or switch, that directs traffic.
- Host Bus Adapter : see document
- Host Controller Interface : see document
- Host Identity Protocol : see document
- Host Information : see document
- Host Integrity at Runtime and Start-Up : see document
- Host Intrusion Detection System : see document
- Host Intrusion Prevention System : see document
- Host Key : see document
- A public key used for authenticating a host in the SSH protocol to hosts that want to communicate with it (each host also generally has its own private host key). Some hosts may have more than one host key (e.g., one for each algorithm). Host keys are used for authenticating hosts (machines) themselves, not users or accounts, whereas identity keys and authorized keys relate to authenticating users/accounts and authorizing access to accounts on hosts.
- Host Name : see document
- Host names are most commonly defined and used in the context of DNS. The host name of a system typically refers to the fully qualified DNS domain name of that system.
- Host operating system : see document
- In a hosted virtualization solution, the OS that the hypervisor runs on top of.
- The operating system kernel shared by multiple applications within an application virtualization architecture.
- Host Protected Area : see document
- Host Verification Service : see document
- Host-Based Firewall : see document
- A software-based firewall installed on a server to monitor and control its incoming and outgoing network traffic.
- host-based intrusion detection and prevention system : see document
- A program that monitors the characteristics of a single host and the events occurring within that host to identify and stop suspicious activity.
- host-based security : see document
- A set of capabilities that provide a framework to implement a wide-range of security solutions on hosts. This framework includes a trusted agent and a centralized management function that together provide automated protection to detect, respond, and report host-based vulnerabilities and incidents.
- Hosted virtualization : see document
- A form of full virtualization where the hypervisor runs on top of a host OS.
- Hostname : see document
- Hostnames are most commonly defined and used in the context of DNS. The hostname of a system typically refers to the fully qualified DNS domain name of that system.
- hot site : see document
- A fully operational offsite data processing facility equipped with hardware and software, to be used in the event of an information system disruption.
- Hotfix : see document
- Microsoft’s term for “patch.”
- Updated code from Microsoft that addresses a specific security problem.
- Hotwash : see document
- A debrief conducted immediately after an exercise or test with the staff and participants.
- HPA : see document
- HPC : see document
- HPCMP : see document
- HPE : see document
- HPFS : see document
- HPH : see document
- HQC : see document
- HR : see document
- HRCyber : see document
- HS : see document
- HSIN : see document
- HSIN-CI : see document
- HSM : see document
- HSN : see document
- An integrated terrestrial and space infrastructure comprised of independently owned and operated segments, parts, or systems that collectively create or perform as a singular space system.
- HSPA : see document
- HSPD : see document
- HSPD-12 : see document
- Homeland Security Presidential Directive; HSPD-12 established the policy for which FIPS 201-2 was developed.
- HSR : see document
- HSS : see document
- HSTS : see document
- HTBC : see document
- HTCA : see document
- HTCC : see document
- HTCIA : see document
- HTDC : see document
- HTKC : see document
- HTLC : see document
- HTM : see document
- HTML : see document
- HTML5 : see document
- HTTP : see document
- A standard method for communication between clients and Web servers.
- HTTP Strict-Transport-Security : see document
- HTTPD : see document
- HTTPS : see document
- A standard method for communication between clients and Web servers.
- human bias : see document
- A form of bias that results from failures in the heuristics humans use to make decisions.
- Human Resources : see document
- Human User Interface Capability : see document
- The ability for an IoT device to communicate directly with people.
- HVA : see document
- Information or an information system that is so critical to an organization that the loss or corruption of this information or loss of access to the system would have serious impacts on the organization’s ability to perform its mission or conduct business.
- Those assets, federal information systems, information, and data for which an unauthorized access, use, disclosure, disruption, modification, or destruction could cause a significant impact to the United States' national security interests, foreign relations, economy – or to the public confidence, civil liberties, or public health and safety of the American people.
- HVAC : see document
- HVS : see document
- HWAM : see document
- See Capability, Hardware Asset Management.
- Hybrid cloud : see document
- The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
- hybrid control : see document
- A security control or privacy control that is implemented in an information system in part as a common control and in part as a system-specific control.
See Common Control and System-Specific Security Control.
- A security or privacy control that is implemented for an information system in part as a common control and in part as a system-specific control. See common control and system-specific control.
- A security or privacy control that is implemented for an information system in part as a common control and in part as a system-specific control.
- A security or privacy control that is implemented for an information system, in part as a common control and in part as a system-specific control.
- hybrid security control : see document
- A security control that is implemented in an information system in part as a common control and in part as a system-specific control.
See Common Control and System-Specific Security Control.
- A security control that is implemented in an information system in part as a common control and in part as a system-specific control. See Common Control and System-Specific Security Control.
- A security control that is implemented in an information system in part as a common control and in part as a system-specific control.
- Hyper-Converged Infrastructure : see document
- hyperparameter : see document
- In a differential privacy mechanism, a setting or parameter that controls a portion of the mechanism’s behavior or execution. The best setting may be data‐dependent, and a method that uses the confidential data as the basis for these parameters would not satisfy differential privacy. Examples include the clipping parameter for mechanisms that perform clipping, the number of iterations for iterative algorithms, and the learning rate or minibatch size for machine learning algorithms.
- HyperText Markup Language : see document
- Hypertext Markup Language version 5 : see document
- Hypertext Preprocessor : see document
- Hypertext Transfer Protocol (HTTP) : see document
- A standard method for communication between clients and Web servers.
- Hypertext Transfer Protocol Daemon : see document
- Hypertext Transfer Protocol over Transport Layer Security : see document
- HTTP transmitted over TLS.
- Hypertext Transfer Protocol Secure (HTTPS) : see document
- HTTP transmitted over TLS.
- Hyper-V virtual hard disk : see document
- hypervisor : see document
- The virtualization component that manages the guest OSs on a host and controls the flow of instructions between the guest OSs and the physical hardware.
- Software built using a specialized kernel of an OS, along with supporting kernel modules, that provides isolation for various execution stacks represented by Virtual Machines (see below).
- Hypervisor Managed Linear Address Translation : see document
- Hypothesis (Alternative) : see document
- A statement Ha that an analyst will consider as true (e.g., Ha: the sequence is non-random) if and when the null hypothesis is determined to be false.
- Hypothesis (Null) : see document
- A statement H0 about the assumed default condition/property of the observed sequence. For the purposes of this document, the null hypothesis H0 is that the sequence is random. If H0 is in fact true, then the reference distribution and critical values of the test statistic may be derived.
- HyTrust BoundaryControl : see document
- HyTrust CloudAdvisor : see document
- HyTrust CloudControl : see document
- HyTrust DataControl : see document
- HyTrust KeyControl : see document
- Hz : see document
- I : see document
- A 16-byte string used in LMS as a key pair identifier.
- I&A : see document
- The process of establishing the identity of an entity interacting with a system.
- I&T : see document
- I&W : see document
- I/O : see document
- A general term for the equipment that is used to communicate with a computer as well as the data involved in the communications.
- I1, …, I64 : see document
- I2BS : see document
- Integer to Byte String conversion routine.
- I2C : see document
- I2P : see document
- I3P : see document
- IA : see document
- Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
- Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
Note: DoDI 8500.01 has transitioned from the term information assurance (IA) to the term cybersecurity. This could potentially impact IA related terms.
- The process of establishing the identity of an entity interacting with a system.
- IA architecture : see document
- A description of the structure and behavior for an enterprise’s security processes, information security systems, personnel and organizational sub-units, showing their alignment with the enterprise’s mission and strategic plans.
Note: DoDI 8500.01 has transitioned from the term information assurance (IA) to the term cybersecurity. This could potentially impact IA related terms.
- IA infrastructure : see document
- The underlying security framework that lies beyond an enterprise’s defined boundary, but supports its information assurance (IA) and IA-enabled products, its security posture and its risk management plan.
Note: DoDI 8500.01 has transitioned from the term information assurance (IA) to the term cybersecurity. This could potentially impact IA related terms.
- IA product : see document
- Product whose primary purpose is to provide security services (e.g., confidentiality, authentication, integrity, access control, non-repudiation of data); correct known vulnerabilities; and/or provide layered defense against various categories of non-authorized or malicious penetrations of information systems or networks.
Note: DoDI 8500.01 has transitioned from the term information assurance (IA) to the term cybersecurity. This could potentially impact IA related terms.
- IAARC : see document
- IaaS : see document
- IAB : see document
- IAC : see document
- The process of managing and provisioning an organization’s IT infrastructure using machine-readable configuration files, rather than employing physical hardware configuration or interactive configuration tools.
- IACD : see document
- IACIS : see document
- IACS : see document
- IAD : see document
- IAEA : see document
- IA-enabled information technology product : see document
- Product or technology whose primary role is not security, but which provides security services as an associated feature of its intended operating capabilities. Examples include such products as security-enabled web browsers, screening routers, trusted operating systems, and security-enabled messaging systems.
Note: DoDI 8500.01 has transitioned from the term information assurance (IA) to the term cybersecurity. This could potentially impact IA related terms.
Rationale: Listed for deletion in 2010 version of CNSS 4009.
- IA-enabled product : see document
- Product whose primary role is not security, but provides security services as an associated feature of its intended operating capabilities.
Note: Examples include such products as security-enabled web browsers, screening routers, trusted operating systems, and security enabling messaging systems.
Note: DoDI 8500.01 has transitioned from the term information assurance (IA) to the term cybersecurity. This could potentially impact IA related terms.
- IAK : see document
- IAL : see document
- A category that conveys the degree of confidence that the applicant’s claimed identity is their real identity.
- IAM : see document
- IANA : see document
- IAO : see document
- IAPP : see document
- IARPA : see document
- IASAE : see document
- IAST : see document
- IATAC : see document
- IATF : see document
- IATO : see document
- Interim Authorization to Operate; issued by a DAO to an issuer who is not satisfactorily performing PIV Card and/or Derived PIV Credential specified services (e.g., identity proofing/registration (if applicable), card/token production, activation/issuance, and maintenance).
- IATT : see document
- IAVA : see document
- IAVB : see document
- IBAC : see document
- IBB : see document
- IBC : see document
- IBE : see document
- iBGP : see document
- A BGP operation communicating routing information within an AS.
- IBM Cloud Secure Virtualization : see document
- IBSS : see document
- IC : see document
- The term 'intelligence community' refers to the following agencies or organizations:
(1) The Central Intelligence Agency (CIA);
(2) The National Security Agency (NSA);
(3) The Defense Intelligence Agency (DIA);
(4) The offices within the Department of Defense for the collection of specialized national foreign intelligence through reconnaissance programs;
(5) The Bureau of Intelligence and Research of the Department of State;
(6) The intelligence elements of the Army, Navy, Air Force, and Marine Corps, the Federal Bureau of Investigation (FBI), the Department of the Treasury, and the Department of Energy; and
(7) The staff elements of the Director of Central Intelligence.
- The term 'intelligence community' refers to the following agencies or organizations:
(i) The Central Intelligence Agency (CIA);
(ii) The National Security Agency (NSA);
(iii) The Defense Intelligence Agency (DIA);
(iv) The offices within the Department of Defense for the collection of specialized national foreign intelligence through reconnaissance programs;
(v) The Bureau of Intelligence and Research of the Department of State;
(vi) The intelligence elements of the Army, Navy, Air Force, and Marine Corps, the Federal Bureau of Investigation (FBI), the Department of the Treasury, and the Department of Energy; and
(vii) The staff elements of the Director of Central Intelligence.
- ICA : see document
- ICAM : see document
- ICANN : see document
- ICAO : see document
- ICB : see document
- The initial counter block
- ICC : see document
- ICCD : see document
- ICCID : see document
- a unique and immutable identifier maintained within the SIM.
- ICCP : see document
- ICD : see document
- ICMC : see document
- ICMP : see document
- ICS : see document
- An information system used to control industrial processes such as manufacturing, product handling, production, and distribution.
- An information system used to control industrial processes such as manufacturing, product handling, production, and distribution. Industrial control systems include supervisory control and data acquisition systems used to control geographically dispersed assets, as well as distributed control systems and smaller control systems using programmable logic controllers to control localized processes.
- General term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations that are often found in the industrial sectors and critical infrastructures, such as programmable logic controllers (PLC). An ICS consists of combinations of control components (e.g., electrical, mechanical, hydraulic, pneumatic) that act together to achieve an industrial objective (e.g., manufacturing, transportation of matter or energy).
- An information system used to control industrial processes such as manufacturing, product handling, production, and distribution. Industrial control systems include supervisory control and data acquisition (SCADA) systems used to control geographically dispersed assets, as well as distributed control systems (DCSs) and smaller control systems using programmable logic controllers to control localized processes.
- General term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as programmable logic controllers (PLC) found in the industrial sectors and critical infrastructures. An industrial control system consists of combinations of control components (e.g., electrical, mechanical, hydraulic, pneumatic) that act together to achieve an industrial objective (e.g., manufacturing, transportation of matter or energy).
- a general term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC) often found in the industrial sectors and critical infrastructures.
- ICS-CERT : see document
- ICSP : see document
- icss : see document
- ICSV : see document
- ICT : see document
- Encompasses the capture, storage, retrieval, processing, display, representation, presentation, organization, management, security, transfer, and interchange of data and information.
- ICT ROF : see document
- ICT Supply Chain : see document
- Linked set of resources and processes between acquirers, integrators, and suppliers that begins with the design of ICT products and services and extends through development, sourcing, manufacturing, handling, and delivery of ICT products and services to the acquirer.
Note: An ICT supply chain can include vendors, manufacturing facilities, logistics providers, distribution centers, distributors, wholesalers, and other organizations involved in the manufacturing, processing, design and development, handling and delivery of the products, or service providers involved in the operation, management, and delivery of the services.
- Linked set of resources and processes between acquirers, integrators, and suppliers that begins with the design of ICT products and services and extends through development, sourcing, manufacturing, handling, and delivery of ICT products and services to the acquirer.
- ICT Supply Chain Risk : see document
- Risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
- ICT Supply Chain Risk Management : see document
- The process of identifying, assessing, and mitigating the risks associated with the global and distributed nature of ICT product and service supply chains.
- ICT/OT-related service providers : see document
- Any organization or individual providing services which may include authorized access to an ICT or OT system.
- ICTRM : see document
- ICU : see document
- ICV : see document
- A fixed string that is prepended to the plaintext within the authenticated-encryption function of a key-wrap algorithm, in order to enable the verification of the integrity of the plaintext within the authenticated-decryption function.
- ID : see document
- The process of discovering the identity (i.e., origin or initial history) of a person or item from the entire collection of similar persons or items.
- Unique group element 0 for which x + 0 = x for each group element x, relative to the binary group operator +.
- The set of attribute values (i.e., characteristics) by which an entity is recognizable and that, within the scope of an identity manager’s responsibility, is sufficient to distinguish that entity from any other entity.
- The process of discovering the true identity (i.e., origin, initial history) of a person or item from the entire collection of similar persons or items.
- The set of physical and behavioral characteristics by which an individual is uniquely recognizable.
Note: This also encompasses non-person entities (NPEs).
- The process of verifying the identity of a user, process, or device, usually as a prerequisite for granting access to resources in an IT system.
- Unique data used to represent a person’s identity and associated attributes. A name or a card number are examples of identifiers.
- Information that is unique within a security domain and which is recognized as denoting a particular entity within that domain.
- The bit string denoting the identifier associated with an entity.
- A bit string that is associated with a person, device or organization. It may be an identifying name or a nickname, or may be something more abstract (for example, a string consisting of an IP address).
- A bit string that is associated with a person, device or organization. It may be an identifying name, or may be something more abstract (for example, a string consisting of an IP address and timestamp), depending on the application.
- The distinguishing character or personality of an entity.
- An attribute or set of attributes that uniquely describe a subject within a given context.
- Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- A bit string that is associated with a person, device or organization. It may be an identifying name, or may be something more abstract (for example, a string consisting of an Internet Protocol (IP) address).
- A bit string that is associated with a person, device, or organization. It may be an identifying name or may be something more abstract (e.g., a string consisting of an IP address and timestamp), depending on the application.
- A set of attributes that uniquely describe a person within a given context.
- A unique, auditable representation of identity within the system usually in the form of a simple character string for each individual user, machine, software component or any other entity.
- Something (data) that identifies an assessment object or other entity of interest (like a defect check). In database terms, it is a primary or candidate key that can be used to uniquely identify the assessment object so it is not confused with other objects.
- A bit string that is associated with a person, device or organization. It may be an identifying name, or may be something more abstract (for example, a string consisting of an Internet Protocol (IP) address and timestamp).
- IDA : see document
- IDaaS : see document
- Idaho National Laboratory : see document
- IdAM : see document
- IDART : see document
- iDASH : see document
- IDE : see document
- Ideal Random Bitstring : see document
- See Ideal Random Sequence.
- Each bit of an ideal random sequence is unpredictable and unbiased, with a value that is independent of the values of the other bits in the sequence. Prior to the observation of the sequence, the value of each bit is equally likely to be 0 or 1, and the probability that a particular bit will have a particular value is unaffected by knowledge of the values of any or all of the other bits. An ideal random sequence of n bits contains n bits of entropy.
- ideal randomness source : see document
- The source of an ideal random sequence of bits. Each bit of an ideal random sequence is unpredictable and unbiased, with a value that is independent of the values of the other bits in the sequence. Prior to an observation of the sequence, the value of each bit is equally likely to be 0 or 1, and the probability that a particular bit will have a particular value is unaffected by knowledge of the values of any or all of the other bits. An ideal random sequence of <span class="math-tex">\(n\)</span> bits contains <span class="math-tex">\(n\)</span> bits of entropy.
- iDEN : see document
- A proprietary mobile communications technology developed by Motorola that combines the capabilities of a digital cellular telephone with two-way radio.
- identifiable person : see document
- One who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
- Identification and Authentication : see document
- The process of establishing the identity of an entity interacting with a system.
- identified information : see document
- Information that explicitly identifies an individual.
- Identifier CPE Name : see document
- A bound representation of a CPE WFN that uniquely identifies a single product class. Also referred to as an “identifier name”.
- Identifier Lookup : see document
- The process of determining if a single identifier name exists in a CPE dictionary.
- Identify : see document
- The bit string denoting the identifier associated with an entity.
- identify (CSF function) : see document
- The bit string denoting the identifier associated with an entity.
- Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Identifying Information : see document
- Information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual.
- Information that could be used to identify a specific individual, such as name, address, phone number, or identification number.
- The set of an asset's attributes that may be useful for identifying that asset, including discoverable information about the asset and identifiers assigned to the asset.
- Identify-P (Function) : see document
- Develop the organizational understanding to manage privacy risk for individuals arising from data processing.
- identity : see document
- Unique group element <span class="math-tex">\(0\)</span> for which <span class="math-tex">\(x+0=x\)</span> for each group element <span class="math-tex">\(x\)</span>, relative to the binary group operator <span class="math-tex">\(+\)</span>.
- The unique representation of a subject engaged in an online transaction. A digital identity is always unique in the context of a digital service, but does not necessarily need to uniquely identify the subject in all contexts. In other words, accessing a digital service may not mean that the subject’s real-life identity is known.
- An attribute or set of attributes that uniquely describes a subject within a given context.
- The set of attribute values (i.e., characteristics) by which an entity is recognizable and that, within the scope of an identity manager’s responsibility, is sufficient to distinguish that entity from any other entity.
- The set of physical and behavioral characteristics by which an individual is uniquely recognizable.
Note: This also encompasses non-person entities (NPEs).
- Information that is unique within a security domain and which is recognized as denoting a particular entity within that domain.
- The bit string denoting the identifier associated with an entity.
- The distinguishing character or personality of an entity.
- An attribute or set of attributes that uniquely describe a subject within a given context.
- A set of attributes that uniquely describe a person within a given context.
- Identity and access management : see document
- Broadly refers to the administration of individual identities within a system, such as a company, a network or even a country. In enterprise IT, identity management is about establishing and managing the roles and access privileges of individual network users.
- Identity and Credential Management System : see document
- identity API : see document
- A protected API that is accessed by an RP to retrieve the attributes of a specific subscriber.
- Identity as a Service : see document
- Identity Assurance Level (IAL) : see document
- A category that conveys the degree of confidence that a person’s claimed identity is their real identity, as defined in [NIST SP 800-63-3] in terms of three levels: IAL 1 (Some confidence), IAL 2 (High confidence), IAL 3 (Very high confidence).
- A category that conveys the degree of confidence that the subject’s claimed identity is their real identity.
- A category that conveys the degree of confidence that the applicant’s claimed identity is their real identity.
- Identity authentication : see document
- The process of providing assurance about the identity of an entity interacting with a system; also see Source authentication.
- The process of providing assurance about the identity of an entity interacting with a system (e.g., to access a resource). Sometimes called entity authentication.
- The process of providing assurance about the identity of an entity interacting with a system (e.g., to access a resource). Sometimes called entity authentication. Compare with source authentication.
- identity certificate : see document
- A certificate that provides authentication of the identity claimed. Within the National Security System (NSS) public key infrastructure (PKI), identity certificates may be used only for authentication or may be used for both authentication and digital signatures.
- Identity Defined Networking : see document
- Identity Ecosystem : see document
- An online environment where individuals can choose from a variety of credentials to use in lieu of passwords for interactions conducted across the internet.
- Identity Ecosystem Steering Group : see document
- Identity Federation : see document
- A group of organizations that agree to follow the rules of a trust framework.
- Identity Federation Framework : see document
- Identity Fraud and Identity Theft : see document
- Identity theft and identity fraud are terms used to refer to all types of crime in which someone wrongfully obtains and uses another person’s personal data in some way that involves fraud or deception, typically for economic gain.
- Identity Guard : see document
- Identity Key : see document
- A private key that is used for authentication in the SSH protocol; grants access to the accounts for which the corresponding public key has been configured as an authorized key.
- Identity Management and Governance : see document
- Identity Management System (IDMS) : see document
- One or more systems or applications that manage the identity proofing, registration, and issuance processes.
- One or more systems or applications that manage the identity verification, validation, and issuance process.
- Identity management system comprised of one or more systems or applications that manages the identity verification, validation, and issuance process.
- Identity management system comprised of one or more systems or applications that manages the identity verification, validation and issuance process.
- identity proofing : see document
- The process of providing sufficient information (e.g., identity history, credentials, documents) to establish an identity.
- The processes used to collect, validate, and verify information about a subject to establish assurance in the subject’s claimed identity.
- The process by which a CSP collects, validates, and verifies information about a person.
- Verifying the claimed identity of an applicant by authenticating the identity source documents provided by the applicant.
- The process of providing sufficient information (e.g., identity history, credentials, documents) to establish an identity.
- The process by which a CSP or Registration Authority (RA) collects, validates, and verifies information about a person for the purpose of issuing credentials to that person.
- The process of providing sufficient information (e.g., identity history, credentials, documents) to a PIV Registrar when attempting to establish an identity.
- The process by which a CSP and a Registration Authority (RA) collect and verify information about a person for the purpose of issuing credentials to that person.
- Identity Provider (IdP) : see document
- The party in a federation transaction that creates an assertion for the subscriber and transmits the assertion to the RP.
- A trusted entity that issues or registers subscriber authenticators and issues electronic credentials to subscribers. A CSP may be an independent third party or issue credentials for its own use.
- The party that manages the subscriber’s primary authentication credentials and issues assertions derived from those credentials. This is commonly the CSP as discussed within this document suite.
- See Credential Service Provider.
- identity registration : see document
- The process of making a person’s identity known to the PIV system, associating a unique identifier with that identity, and collecting and recording the person’s relevant attributes into the system. In some other NIST documents, such as [NIST SP 800-63A], identity registration is referred to as enrollment.
- The process of making a person’s identity known to the personal identity verification (PIV) system, associating a unique identifier with that identity, and collecting and recording the person’s relevant attributes into the system.
- The process through which an applicant applies to become a subscriber of a CSP and the CSP validates the applicant’s identity.
- Making a person’s identity known to the enrollment/Identity Management System information system by associating a unique identifier with that identity, and collecting and recording the person’s relevant attributes into the information system. Registration is necessary in order to initiate other processes, such as adjudication, card/token personalization and issuance, and maintenance, that are necessary to issue, re-issue, or maintain a PIV Card or a Derived PIV Credential token.
- The process that a CA uses to create a certificate for a web server or email user. (In the context of this practice guide, enrollment applies to the process of a certificate requester requesting a certificate, the CA issuing the certificate, and the requester retrieving the issued certificate.)
- The process that a CA uses to create a certificate for a web server or email user. (In the context of this practice guide, enrollment applies to the process of a certificate requester requesting a certificate, the CA issuing the certificate, and the requester retrieving the issued certificate).
- The process through which an applicant applies to become a subscriber of a CSP and an RA validates the identity of the applicant on behalf of the CSP. (NIST SP 800-63-3)
- The process that a Certificate Authority (CA) uses to create a certificate for a web server or email user.
- The process of making a person’s identity known to the PIV system, associating a unique identifier with that identity, and collecting and recording the person’s relevant attributes into the system.
- See “Identity Registration”.
- The process through which an Applicant applies to become a Subscriber of a CSP and an RA validates the identity of the Applicant on behalf of the CSP.
- identity resolution : see document
- The process of collecting information about an applicant to uniquely distinguish an individual within the context of the population that the CSP serves.
- Identity Resolving Key : see document
- Identity Root : see document
- Identity Service Provider (ISP) : see document
- A trusted entity that issues or registers subscriber authenticators and issues electronic credentials to subscribers. A CSP may be an independent third party or issue credentials for its own use.
- See Credential Service Provider.
- Identity Services Engine : see document
- identity token : see document
- Smart card, metal key, or other physical object used to authenticate identity.
- identity verification : see document
- The process of confirming or denying that a claimed identity is correct by comparing the credentials of a person requesting access with those previously proven and associated with the PIV Card or a derived PIV credential associated with the identity being claimed.
- The process of producing objective evidence that sufficiently demonstrates that the system satisfies its security requirements and security characteristics with the level of assurance that applies to the system.
- Process of producing objective evidence that sufficiently demonstrates that the system satisfies its security requirements and security characteristics with the level of assurance that applies to the system.
- The process of evaluating a system or component to determine whether the products of a given development phase satisfy the conditions imposed at the start of that phase (INCOSE).
- The process or act of confirming that the applicant undergoing identity proofing holds the claimed real-life identity represented by the validated identity attributes and associated evidence. Synonymous with identity verification.
- Confirmation, through the provision of objective evidence, that specified requirements have been fulfilled (e.g., an entity’s requirements have been correctly defined, or an entity’s attributes have been correctly presented; or a procedure or function performs as intended and leads to the expected outcome).
- Confirmation, through the provision of objective evidence, that specified requirements have been fulfilled (e.g., an entity’s requirements have been correctly defined, or an entity’s attributes have been correctly presented; or a procedure or function performs as intended and leads to the expected outcome).
- The process of testing the media to ensure the information cannot be read.
- The process of confirming or denying that a claimed identity is correct by comparing the credentials (something you know, something you have, something you are) of a person requesting access with those credentials previously proven and stored in the PIV Card or system and associated with the identity being claimed.
- Confirmation, through the provision of objective evidence, that specified requirements have been fulfilled (e.g., an entity’s requirements have been correctly defined, or an entity’s attributes have been correctly presented; or a procedure or function performs as intended and leads to the expected outcome). Adapted from Verification.
- Internal phase within the NVD where a second, usually more experienced, NVD Analyst verifies the work completed during the Initial Analysis.
- The process of confirming or denying that a claimed identity is correct by comparing the credentials (something you know, something you have, something you are) of a person requesting access with those previously proven and stored in the PIV Card or system and associated with the identity being claimed.
- See “Identity Verification”.
- Confirmation, through the provision of objective evidence, that specified requirements have been fulfilled.
- Identity Web Services Framework : see document
- Identity, Credential, and Access Management (ICAM) : see document
- Programs, processes, technologies, and personnel used to create trusted digital identity representations of individuals and non-person entities (NPEs), bind those identities to credentials that may serve as a proxy for the individual or NPE in access transactions, and leverage the credentials to provide authorized access to an agency’s resources.
See also attribute-based access control (ABAC).
- identity-based access control : see document
- Access control based on the identity of the user (typically relayed as a characteristic of the process acting on behalf of that user) where access authorizations to specific objects are assigned based on user identity.
- Identity-based authentication : see document
- A process that provides assurance of an entity’s identity by means of an authentication mechanism that verifies the identity of the entity. Contrast with role-based authentication.
- Identity-Based Encryption : see document
- IDESG : see document
- IDevID : see document
- IDFF : see document
- IDG : see document
- IDIQ : see document
- IDM : see document
- IDMEF : see document
- IDMS : see document
- IDMS/CMS : see document
- IDN : see document
- IdP : see document
- IDPS : see document
- iDRAC : see document
- IDS : see document
- Software that looks for suspicious activity and alerts administrators.
- ID-WSF : see document
- IEA : see document
- IEC : see document
- IED : see document
- Any device incorporating one or more processors with the capability to receive or send data/control from or to an external source (e.g., electronic multifunction meters, digital relays, controllers).
- IEEE : see document
- IEEE Engineering in Medicine and Biology Society : see document
- IEEE Industrial Electronics Society : see document
- IEEE Power & Energy Society : see document
- IEEE Power System Communications and Cybersecurity : see document
- IEEE Robotics and Automation Society : see document
- IEEE Vehicular Technology Society : see document
- IERS : see document
- IES : see document
- IETF : see document
- The Internet Engineering Task Force is the premier Internet standards body that develops open Internet standards.
- The internet standards organization made up of network designers, operators, vendors, and researchers that defines protocol standards (e.g., IP, TCP, DNS) through a process of collaboration and consensus.
- IFC : see document
- Integer factorization cryptography.
- Integer Factorization Cryptography.
- iFCP : see document
- IFIP : see document
- IG : see document
- igamc : see document
- The incomplete gamma function Q(a,x) is defined in Section 5.5.3.
- See the definition for igamc.
- IGMP : see document
- IGP : see document
- IHE : see document
- IHSN : see document
- IIC : see document
- IICS WG : see document
- IICSWG : see document
- IID : see document
- IIF : see document
- IIHI : see document
- IIoT : see document
- IIP : see document
- IIS : see document
- IK : see document
- IKE : see document
- IKE version 1 : see document
- IKE version 2 : see document
- ILK : see document
- ILTK : see document
- IM : see document
- A facility for exchanging messages in real time with other people over the Internet and tracking the progress of the conversation.
- IMA : see document
- Image : see document
- An exact bit-stream copy of all electronic data on a device, performed in a manner that ensures the information is not altered.
- A file or directory that contains, at a minimum, the encapsulated components of a guest OS.
- A package that contains all the files required to run a container.
- Imaging : see document
- The process used to obtain a bit-by-bit copy of data residing on the original electronic media; allows the investigator to review a duplicate of the original evidence while preserving that evidence.
- IMAP : see document
- A method of communication used to read electronic mail stored in a remote server.
- A method of communication used to read electronic messages stored in a remote server.
- IMDA : see document
- IMEI : see document
- A unique number programmed into GSM and UMTS mobile phones.
- IMG : see document
- I-MLWE : see document
- Immutable : see document
- Data that can only be written, not modified or deleted.
- IMO : see document
- impact level : see document
- The assessed potential impact resulting from a compromise of the confidentiality, integrity, or availability of an information type, expressed as a value of low, moderate, or high.
- The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.
- The assessed worst-case potential impact that could result from a compromise of the confidentiality, integrity, or availability of information expressed as a value of low, moderate or high.
- Refers to the three broadly defined impact-levels in [FIPS 200] that categorize the impact of a security breach as Low, Moderate or High.
- High, Moderate, or Low security categories of an information system established in FIPS 199 which classify the intensity of a potential impact that may occur if the information system is jeopardized.
- The assessed worst-case potential impact that could result from a compromise of the confidentiality, integrity, or availability of information expressed as a value of low, moderate, or high.
- The assessed potential impact resulting from a compromise of the confidentiality of information (e.g., CUI) expressed as a value of low, moderate, or high.
- impact value : see document
- The assessed potential impact resulting from a compromise of the confidentiality, integrity, or availability of an information type, expressed as a value of low, moderate, or high.
- The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.
- The assessed worst-case potential impact that could result from a compromise of the confidentiality, integrity, or availability of information expressed as a value of low, moderate or high.
- The assessed potential impact resulting from a compromise of the confidentiality, integrity, or availability of information expressed as a value of low, moderate or high.
- The assessed worst-case potential impact that could result from a compromise of the confidentiality, integrity, or availability of information expressed as a value of low, moderate, or high.
- The assessed potential impact resulting from a compromise of the confidentiality of information (e.g., CUI) expressed as a value of low, moderate, or high.
- implant : see document
- Electronic device or electronic equipment modification designed to gain unauthorized interception of information-bearing emanations.
- Implementation : see document
- An implementation of an RBG is a cryptographic device or portion of a cryptographic device that is the physical embodiment of the RBG design, for example, some code running on a computing platform.
- Implementation Guidance : see document
- Implementation Guide : see document
- Implementation Testing for Validation : see document
- Testing by an independent and accredited party to ensure that an implementation of this Recommendation conforms to the specifications of this Recommendation.
- Implementation Tier : see document
- Provides a point of reference on how an organization views privacy risk and whether it has sufficient processes and resources in place to manage that risk.
- Implementation Under Test : see document
- Import : see document
- A process available to end users by which an SCAP source data stream can be loaded into the vendor’s product. During this process, the vendor process may optionally translate this file into a proprietary format.
- IMS : see document
- IMSI : see document
- A unique number associated with every GSM mobile phone user.
- IMU : see document
- IN : see document
- The single, interconnected, worldwide system of commercial, governmental, educational, and other computer networks that share (a) the protocol suite specified by the Internet Architecture Board (IAB) and (b) the name and address spaces managed by the Internet Corporation for Assigned Names and Numbers (ICANN).
- The single interconnected world-wide system of commercial, government, educational, and other computer networks that share the set of protocols specified by the Internet Architecture Board (IAB) and the name and address spaces managed by the Internet Corporation for Assigned Names and Numbers (ICANN).
- inadvertent disclosure : see document
- Type of incident involving accidental exposure of information to an individual not authorized access.
- Incentive Mechanism : see document
- A means of providing blockchain network users an award for activities within the blockchain network (typically used as a system to reward successful publishing of blocks). Also known as incentive systems.
- incident : see document
- An occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.
- An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
- An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies
- An occurrence that results in actual or potential jeopardy to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. See cyber incident. See also event, security-relevant event, and intrusion.
- Actions taken through the use of an information system or network that result in an actual or potentially adverse effect on an information system, network, and/or the information residing therein. See incident. See also event, security-relevant event, and intrusion.
- A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.
- Actions taken through the use of an information system or network that result in an actual or potentially adverse effect on an information system, network, and/or the information residing therein.
- An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.
- An occurrence that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
- An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of a system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
- Anomalous or unexpected event, set of events, condition, or situation at any time during the life cycle of a project, product, service, or system.
- incident handling : see document
- The remediation or mitigation of violations of security policies and recommended practices.
- The mitigation of violations of security policies and recommended practices.
- An IT security incident is an adverse event in a computer system or network caused by the failure of a security mechanism or an attempted or threatened breach of these mechanisms.
- Incident Object Description Exchange Format : see document
- incident response : see document
- The remediation or mitigation of violations of security policies and recommended practices.
- The mitigation of violations of security policies and recommended practices.
- incident response plan : see document
- The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of malicious cyber attacks against an organization’s information system(s).
- The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit the consequences of malicious cyber attacks against an organization’s information system(s).
- Incineration : see document
- A physically destructive method of sanitizing media; the act of burning completely to ashes.
- INCITS : see document
- Incomplete Gamma Function : see document
- The incomplete gamma function Q(a,x) is defined in Section 5.5.3.
- See the definition for igamc.
- INCOSE : see document
- Incremental testing : see document
- Testing a system or device to determine that minor changes have not affected its security and intended functionality.
- Inculpatory Evidence : see document
- Evidence that tends to increase the likelihood of fault or guilt.
- IND-CCA : see document
- IND-CCA2 : see document
- IND-CPA : see document
- Indefinite Delivery/Indefinite Quantity : see document
- Independent and Identically Distributed : see document
- A quality of a sequence of random variables for which each element of the sequence has the same probability distribution as the other values, and all values are mutually independent.
- Independent Basic Service Set : see document
- Independent Qualified Reviewer : see document
- A Reviewer tasked by NIST with making a recommendation to NIST regarding public review or listing of the checklist.
- Reviewer tasked by NIST to make a recommendation about a checklist.
- Independent Regulatory Agency : see document
- The term 'independent regulatory agency' means the Board of Governors of the Federal Reserve System, the Commodity Futures Trading Commission, the Consumer Product Safety Commission, the Federal Communications Commission, the Federal Deposit Insurance Corporation, the Federal Energy Regulatory Commission, the Federal Housing Finance Board, the Federal Maritime Commission, the Federal Trade Commission, the Interstate Commerce Commission, the Mine Enforcement Safety and Health Review Commission, the National Labor Relations Board, the Nuclear Regulatory Commission, the Occupational Safety and Health Review Commission, the Postal Rate Commission, the Securities and Exchange Commission, and any other similar agency designated by statute as a Federal independent regulatory agency or commission.
- The Board of Governors of the Federal Reserve System, the Commodity Futures Trading Commission, the Consumer Product Safety Commission, the Federal Communications Commission, the Federal Deposit Insurance Corporation, the Federal Energy Regulatory Commission, the Federal Housing Finance Board, the Federal Maritime Commission, the Federal Trade Commission, the Interstate Commerce Commission, the Mine Enforcement Safety and Health Review Commission, the National Labor Relations Board, the Nuclear Regulatory Commission, the Occupational Safety and Health Review Commission, the Postal Rate Commission, the Securities and Exchange Commission, and any other similar agency designated by statute as a Federal independent regulatory agency or commission.
- independent validation authority (IVA) : see document
- Entity that reviews the soundness of independent tests and system compliance with all stated security controls and risk mitigation actions. IVAs will be designated by the authorizing official as needed.
- independent verification & validation (IV&V) : see document
- A comprehensive review, analysis, and testing, (software and/or hardware) performed by an objective third party to confirm (i.e., verify) that the requirements are correctly defined, and to confirm (i.e., validate) that the system correctly implements the required functionality and security requirements.
- Verification and validation (V&V) performed by an organization that is technically, managerially, and financially independent of the development organization.
- Indications and Warnings : see document
- indicator : see document
- Recognized action, specific, generalized, or theoretical, that an adversary might be expected to take in preparation for an attack.
- A technical artifact or observable that suggests an attack is imminent or is currently underway, or that a compromise may have already occurred.
- A sign that an incident may have occurred or may be currently occurring.
- Indicator of Compromise : see document
- Technical artifacts or observables that suggest that an attack is imminent or is currently underway or that a compromise may have already occurred.
- indirect identifier : see document
- Information that can be used to identify an individual through association with other information.
- indirect prompt injection : see document
- A type of prompt injection executed through resource control rather than through user-provided input as in a direct prompt injection.
- Indistinguishability under Adaptive Chosen-Ciphertext Attack : see document
- Indistinguishability under Chosen-Ciphertext Attack : see document
- Indistinguishability under Chosen-Plaintext Attack : see document
- Individual : see document
- A citizen of the United States or an alien lawfully admitted for permanent residence. Agencies may, consistent with individual practice, choose to extend the protections of the Privacy Act and E-Government Act to businesses, sole proprietors, aliens, etc.
- A single person or a group of persons, including at a societal level.
- individual accountability : see document
- Ability to associate positively the identity of a user with the time, method, and degree of access to an information system.
- Individual Privacy : see document
- individuals : see document
- An assessment object that includes people applying specifications, mechanisms, or activities.
- Industrial Automation and Control System : see document
- Industrial Automation and Control Systems : see document
- industrial control system (ICS) : see document
- An information system used to control industrial processes such as manufacturing, product handling, production, and distribution.
- An information system used to control industrial processes such as manufacturing, product handling, production, and distribution. Industrial control systems include supervisory control and data acquisition systems used to control geographically dispersed assets, as well as distributed control systems and smaller control systems using programmable logic controllers to control localized processes.
- General term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations that are often found in the industrial sectors and critical infrastructures, such as programmable logic controllers (PLC). An ICS consists of combinations of control components (e.g., electrical, mechanical, hydraulic, pneumatic) that act together to achieve an industrial objective (e.g., manufacturing, transportation of matter or energy).
- An information system used to control industrial processes such as manufacturing, product handling, production, and distribution. Industrial control systems include supervisory control and data acquisition (SCADA) systems used to control geographically dispersed assets, as well as distributed control systems (DCSs) and smaller control systems using programmable logic controllers to control localized processes.
- General term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC) often found in the industrial sectors and critical infrastructures. An ICS consists of combinations of control components (e.g., electrical, mechanical, hydraulic, pneumatic) that act together to achieve an industrial objective (e.g., manufacturing, transportation of matter or energy).
- An information system used to control industrial processes such as manufacturing, product handling, production, and distribution. Industrial control systems include supervisory control and data acquisition (SCADA) systems used to control geographically dispersed assets, as well as distributed control systems (DCSs) and smaller control systems using programmable logic controllers to control localized processes.
- General term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as programmable logic controllers (PLC) found in the industrial sectors and critical infrastructures. An industrial control system consists of combinations of control components (e.g., electrical, mechanical, hydraulic, pneumatic) that act together to achieve an industrial objective (e.g., manufacturing, transportation of matter or energy).
- A general term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as programmable logic controllers (PLC) often found in the industrial sectors and critical infrastructures.
- Industrial Control System Joint Working Group : see document
- Industrial Internet Consortium : see document
- Industrial Internet of Things : see document
- The sensors, instruments, machines, and other devices that are networked together and use Internet connectivity to enhance industrial and manufacturing business processes and applications.
- Industrial Internet of Things Consortium : see document
- Industrial Personal Computer : see document
- Industrial Security : see document
- The portion of internal security that refers to the protection of industrial installations, resources, utilities, materials, and classified information essential to protect from loss or damage.
- Industrial, Scientific, and Medical : see document
- Industry IoT Consortium : see document
- Inertial Measurement Units : see document
- Inertial Navigation Systems : see document
- Infocomm Media Development Authority : see document
- Information Access Division : see document
- information and communications technology (ICT) : see document
- Encompasses the capture, storage, retrieval, processing, display, representation, presentation, organization, management, security, transfer, and interchange of data and information.
- Includes all categories of ubiquitous technology used for the gathering, storing, transmitting, retrieving, or processing of information (e.g., microelectronics, printed circuit boards, computing systems, software, signal processors, mobile telephony, satellite communications, and networks).
- Encompasses all technologies for the capture, storage, retrieval, processing, display, representation, organization, management, security, transfer, and interchange of data and information.
- Information and Communications Technology Risk Management : see document
- Information and Communications Technology Risk Outcomes Framework : see document
- Information and Technology : see document
- Information Assessment Methodology : see document
- information assurance (IA) : see document
- Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
- Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
Note: DoDI 8500.01 has transitioned from the term information assurance (IA) to the term cybersecurity. This could potentially impact IA related terms.
- Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
Note: DoDI 8500.01 has transitioned from the term information assurance (IA) to the term cybersecurity. This could potentially impact IA related terms.
- information assurance (IA) professional : see document
- Individual who works IA issues and has real world experience plus appropriate IA training and education commensurate with their level of IA responsibility.
Note: DoDI 8500.01 has transitioned from the term information assurance (IA) to the term cybersecurity. This could potentially impact IA related terms.
Rationale: Term is self-describing and generic.
- information assurance component (IAC) : see document
- An application (hardware and/or software) that provides one or more Information Assurance capabilities in support of the overall security and operational objectives of a system.
Note: DoDI 8500.01 has transitioned from the term information assurance (IA) to the term cybersecurity. This could potentially impact IA related terms.
- Information Assurance Manager : see document
- See information systems security manager (ISSM).
- Information Assurance Officer : see document
- See information systems security officer (ISSO).
Note: DoDI 8500.01 has transitioned from the term information assurance (IA) to the term cybersecurity. This could potentially impact IA related terms.
Rationale: Term is deprecated in favor of ISSO.
- Information Assurance Technical Framework : see document
- Information Assurance Technology Analysis Center : see document
- information assurance vulnerability alert (IAVA) : see document
- Notification that is generated when an Information Assurance vulnerability may result in an immediate and potentially severe threat to DoD systems and information; this alert requires corrective action because of the severity of the vulnerability risk.
Note: DoDI 8500.01 has transitioned from the term information assurance (IA) to the term cybersecurity. This could potentially impact IA related terms.
- information assurance vulnerability bulletin (IAVB) : see document
- Addresses new vulnerabilities that do not pose an immediate risk to DoD systems, but are significant enough that noncompliance with the corrective action could escalate the risk.
Note: DoDI 8500.01 has transitioned from the term information assurance (IA) to the term cybersecurity. This could potentially impact IA related terms.
- Information Assurance Workforce System Architecture : see document
- Information Centric Analytics : see document
- Information Design Assurance Red Team : see document
- information domain : see document
- A three-part concept for information sharing, independent of, and across information systems and security domains that 1) identifies information sharing participants as individual members, 2) contains shared information objects, and 3) provides a security policy that identifies the roles and privileges of the members and the protections required for the information objects.
- information environment : see document
- The aggregate of individuals, organizations, and systems that collect, process, disseminate, or act on information.
- information exchange : see document
- Access to or the transfer of data outside of system authorization boundaries in order to accomplish a mission or business function.
- information exchange agreement : see document
- A document specifying protection requirements and responsibilities for information being exchanged outside of system authorization boundaries. Similar to the interconnection security agreement but does not include technical details associated with an interconnection.
- information flow control : see document
- Procedure to ensure that information transfers within a system do not violate the security policy.
- Procedure to ensure that information transfers within an information system are not made in violation of the security policy.
- Procedure to ensure that information transfers within a system are not made in violation of the security policy.
- Controls to ensure that information transfers within a system or organization are not made in violation of the security policy.
- information item : see document
- Separately identifiable body of information that is produced, stored, and delivered for human use.
- information leakage : see document
- The intentional or unintentional release of information to an untrusted environment.
- information life cycle : see document
- The stages through which information passes, typically characterized as creation or collection, processing, dissemination, use, storage, and disposition, to include destruction and deletion.
- information management : see document
- The planning, budgeting, manipulating, and controlling of information throughout its life cycle.
- Information Management Policy : see document
- The high-level policy of an organization that specifies what information is to be collected or created, and how it is to be managed.
- information object : see document
- A well-defined piece of information, definition, or specification that requires a name to identify its use in an instance of communication.
- information operations (IO) : see document
- The integrated employment, during military operations, of information-related capabilities in concert with other lines of operation to influence, disrupt, corrupt, or usurp the decision-making of adversaries and potential adversaries while protecting our own. Also called IO.
- information owner : see document
- Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.
- Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, classification, collection, processing, dissemination, and disposal.
- Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, classification, collection, processing, dissemination, and disposal. See information steward.
Note: Information steward is a related term, but it is not identical to information owner.
- Information Relevant to Cybersecurity : see document
- Information describing use of, assumptions, risks, vulnerabilities, assessments, and/or mitigations related to the IoT product, its components, and data.
- Information Resource Management : see document
- information resources : see document
- Information and related resources, such as personnel, equipment, funds, and information technology.
- The term 'information resources' means information and related resources, such as personnel, equipment, funds, and information technology.
- information resources management (IRM) : see document
- The planning, budgeting, organizing, directing, training, controlling, and management activities associated with the burden, collection, creation, use, and dissemination of information by agencies.
- information security : see document
- Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide: (A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity; (B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and (C) availability, which means ensuring timely and reliable access to and use of information.
- The protection of information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction to provide confidentiality, integrity, and availability.
- The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
- The term 'information security' means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability.
- The protection of information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
- Information Security and Privacy Advisory Board : see document
- information security architect : see document
- Individual, group, or organization responsible for ensuring that the information security requirements necessary to protect the organization’s core missions and business processes are adequately addressed in all aspects of enterprise architecture including reference models, segment and solution architectures, and the resulting information systems supporting those missions and business processes.
- information security architecture : see document
- A description of the structure and behavior for an enterprise’s security processes, information security systems, personnel and organizational sub-units, showing their alignment with the enterprise’s mission and strategic plans.
- An embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise’s security processes, information security systems, personnel and organizational subunits, showing their alignment with the enterprise’s mission and strategic plans.
- An embedded, integral part of the enterprise architecture that describes the structure and behavior of the enterprise security processes, security systems, personnel and organizational subunits, showing their alignment with the enterprise’s mission and strategic plans. See security architecture.
- An embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise’s security processes, information security systems, personnel and organizational sub-units, showing their alignment with the enterprise’s mission and strategic plans.
- An embedded, integral part of the enterprise architecture that describes the structure and behavior of the enterprise security processes, security systems, personnel and organizational subunits, showing their alignment with the enterprise’s mission and strategic plans.
- information security continuous monitoring (ISCM) : see document
- Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
Note: The terms “continuous” and “ongoing” in this context mean that security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect organization information.
See organizational information security continuous monitoring and automated security monitoring.
- Use of automated procedures to ensure security controls are not circumvented or the use of these tools to track actions taken by subjects suspected of misusing the information system.
- See information security continuous monitoring (ISCM).
- Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
[Note: The terms “continuous” and “ongoing” in this context mean that security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect organization information.]
- information security continuous monitoring (ISCM) process : see document
- A process to:
• Define an ISCM strategy;
• Establish an ISCM program;
• Implement an ISCM program;
• Analyze data and Report findings;
• Respond to findings; and
• Review and Update the ISCM strategy and program.
- information security continuous monitoring (ISCM) program : see document
- A program established to collect information in accordance with pre-established metrics, utilizing information readily available in part through implemented security controls.
- A program established to collect information in accordance with preestablished metrics, utilizing information readily available in part through implemented security controls.
- A program established to collect information in accordance with organizational strategy, policies, procedures, and pre-established metrics, utilizing readily available information in part through implemented security controls.
- information security continuous monitoring (ISCM) strategy : see document
- A strategy that establishes an ISCM program.
- Information Security Continuous Monitoring Target Network : see document
- Information Security Management Systems : see document
- Information Security Marketing : see document
- information security officer : see document
- See Senior Agency Information Security Officer.
Note: Organizations subordinate to federal agencies may use the term Senior Information Security Officer or Chief Information Security Officer to denote individuals filling positions with similar responsibilities to Senior Agency Information Security Officers.
- Information Security Oversight Office : see document
- information security policy : see document
- Aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information.
- Aggregate of directives, regulations, and rules that prescribe how an organization manages, protects, and distributes information.
- A high-level policy of an organization that is created to support and enforce portions of the organization’s Information Management Policy by specifying in more detail what information is to be protected from anticipated threats and how that protection is to be attained.
- information security program plan : see document
- Formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements.
- information security risk : see document
- The risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems. See risk.
- The risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems. See risk.
- The risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or a system.
- The risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or systems.
- The risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems.
- Information Security Risk Management : see document
- Information Security Testing : see document
- The process of validating the effective implementation of security controls for information systems and networks, based on the organization’s security requirements.
- Information Set Decoding : see document
- Information Sharing and Analysis Center : see document
- Information Sharing and Analysis Organization : see document
- An ISAO is any entity or collaboration created or employed by public- or private-sector organizations for purposes of gathering and analyzing critical cyber and related information in order to better understand security problems and interdependencies related to cyber systems, so as to ensure their availability, integrity, and reliability.
- Information Sharing Architecture : see document
- information sharing environment (ISE) : see document
- 1. An approach that facilitates the sharing of terrorism and homeland security information.
- 2. ISE in its broader application enables those in a trusted partnership to share, discover, and access controlled information.
- information steward : see document
- An agency official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.
- Individual or group that helps to ensure the careful and responsible management of federal information belonging to the Nation as a whole, regardless of the entity or source that may have originated, created, or compiled the information. Information stewards provide maximum access to federal information to elements of the federal government and its customers, balanced by the obligation to protect the information in accordance with the provisions of the Federal Information Security Management Act (FISMA) and any associated security-related federal policies, directives, regulations, standards, and guidance.
- Individual or group that helps to ensure the careful and responsible management of federal information belonging to the Nation as a whole, regardless of the entity or source that may have originated, created, or compiled the information. Information stewards provide maximum access to federal information to elements of the federal government and its customers, balanced by the obligation to protect the information in accordance with the provisions of FISMA and any associated security-related federal policies, directives, regulations, standards, and guidance.
- Information System Administrator : see document
- Individual who implements approved secure baseline configurations, incorporates secure configuration settings for IT products, and conducts/assists with configuration monitoring activities as needed.
- information system boundary : see document
- All components of an information system to be authorized for operation by an authorizing official and excludes separately authorized systems, to which the information system is connected.
- Note: Information systems also include specialized systems such as industrial/process controls systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems.
- All components of an information system to be authorized for operation by an authorizing official. This excludes separately authorized systems to which the information system is connected.
- See Authorization Boundary.
- information system component : see document
- An element of a large system—such as an identity card, issuer, card reader, or identity verification support—within the PIV system.
- All components of an information system to be authorized for operation by an authorizing official, excluding separately authorized systems to which the information system is connected.
- A discrete, identifiable information technology asset (e.g., hardware, software, firmware) that represents a building block of an information system. Information system components include commercial information technology products.
- A software object, meant to interact with other components, encapsulating certain functionality or a set of functionalities. A component has a clearly defined interface and conforms to a prescribed behavior common to all components within an architecture.
- A discrete identifiable IT asset that represents a building block of an information system.
- A system, component, application, etc., that is based upon technology which is used to electronically process, store, or transmit information.
- Any hardware, software, and/or firmware required to construct a CKMS.
- An element such as a fingerprint capture station or card reader used by an issuer, for which [FIPS 201-2] has defined specific requirements.
- See Authorization Boundary.
- See information system component.
- An entity with discrete structure, such as an assembly or software module, within a system considered at a particular level of analysis. Component refers to a part of a whole, such as a component of a software product, a component of a software identification tag, etc.
- A hardware, software, firmware part or element of a larger PNT system with well-defined inputs and outputs and a specific function.
- An element of a large system, such as an identity card, PIV Issuer, PIV Registrar, card reader, or identity verification support, within the PIV system.
- information system component inventory : see document
- A descriptive record of components within an information system.
- Information System Contingency Plan (ISCP) : see document
- See Information System Contingency Plan.
- Management policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disasters.
- information system life cycle : see document
- The phases through which an information system passes, typically characterized as initiation, development, operation, and termination (i.e., sanitization, disposal and/or destruction).
- information system owner (or program manager) : see document
- Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.
- A discrete, identifiable information technology asset (e.g., hardware, software, firmware) that represents a building block of an information system. Information system components include commercial information technology products.
- information system resilience : see document
- Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.
- The ability of an information system to continue to: (i) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (ii) recover to an effective operational posture in a time frame consistent with mission needs.
- The ability of an information system to continue to operate while under attack, even if in a degraded or debilitated state, and to rapidly recover operational capabilities for essential functions after a successful attack.
- The ability to quickly adapt and recover from any known or unknown changes to the environment through holistic implementation of risk management, contingency, and continuity planning.
- See Information System Resilience.
- The ability to continue to: (i) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (ii) recover to an effective operational posture in a time frame consistent with mission needs.
- Can also be defined as the adaptive capability of an organization in a complex and changing environment.
- The ability to reduce the magnitude and/or duration of disruptive events to critical infrastructure. The effectiveness of a resilient infrastructure or enterprise depends upon its ability to anticipate, absorb, adapt to, and/or rapidly recover from a potentially disruptive event.
- The ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.
- Information System Security Engineer : see document
- Individual assigned responsibility for conducting information system security engineering activities.
- Information System Security Engineering : see document
- Process that captures and refines information security requirements and ensures their integration into information technology component products and information systems through purposeful security design or configuration.
- Process that captures and refines information security requirements and ensures their integration into information technology component products and information systems through purposeful security design or configuration.
- Information System Security Manager : see document
- information system security officer : see document
- Individual with assigned responsibility for maintaining the appropriate operational security posture for an information system or program.
- See information systems security officer (ISSO).
- Person responsible to the designated approving authority for ensuring the security of an information system throughout its lifecycle, from design through disposal.
- See system security officer (SSO).
- Individual assigned responsibility by the senior agency information security officer, authorizing official, management official, or information system owner for ensuring that the appropriate operational security posture is maintained for an information system or program.
- Individual assigned responsibility for maintaining the appropriate operational security posture for an information system or program.
[Note: ISSO responsibility may be assigned by the senior agency information security officer, authorizing official, management official, or information system owner.]
- Individual assigned responsibility by the senior agency information security officer, authorizing official, management official, or information system owner for maintaining the appropriate operational security posture for an information system or program.
- Individual with assigned responsibility for maintaining the appropriate operational security posture for a system or program.
- information system security plan : see document
- A document that describes how an organization meets or plans to meet the security requirements for a system. In particular, the system security plan describes the system boundary, the environment in which the system operates, how security requirements are implemented, and the relationships with or connections to other systems.
- Formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.
- A document that describes how an organization meets or plans to meet the security requirements for a system. In particular, the system security plan describes the system boundary, the environment in which the system operates, how the security requirements are satisfied, and the relationships with or connections to other systems.
- A formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.
- See System Security Plan.
- See information system security plan.
- Formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements.
See system security plan or information security program plan.
- A document that describes how an organization meets the security requirements for a system or how an organization plans to meet the requirements. In particular, the system security plan describes the system boundary; the environment in which the system operates; how the security requirements are implemented; and the relationships with or connections to other systems.
- A formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements. The system security plan describes the system components that are included within the system, the environment in which the system operates, how the security requirements are implemented, and the relationships with or connections to other systems.
- Formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements. The system security plan describes the system components that are included within the system, the environment in which the system operates, how the security requirements are implemented, and the relationships with or connections to other systems.
- A document that describes how an organization meets the security requirements for a system or how an organization plans to meet the requirements. In particular, the system security plan describes the system boundary, the environment in which the system operates, how security requirements are implemented, and the relationships with or connections to other systems.
- information system service : see document
- A capability provided by an information system that facilitates information processing, storage, or transmission.
- Information System User : see document
- A person, team, or organization that accesses or otherwise uses an OLIR.
- A person or entity with authorized access.
- Individual or (system) process authorized to access an information system.
- Individual, or (system) process acting on behalf of an individual, authorized to access an information system.
See Organizational User and Non-Organizational User.
- See Information System User
- The term user refers to an individual, group, host, domain, trusted communication channel, network address/port, another network, a remote system (e.g., operations system), or a process (e.g., service or program) that accesses the network, or is accessed by it, including any entity that accesses a network support entity to perform OAM&P-related tasks. Regardless of their role, users must be required to successfully pass an identification and authentication (I&A) mechanism. For example, I&A would be required for a security or system administrator. For customers, I&A could be required for billing purposes.
For some services (e.g., Emergency Services) a customer may not need to be authenticated by the system.
- An FCKMS role that utilizes the key-management services offered by an FCKMS service provider.
- Individual, or (system) process acting on behalf of an individual, authorized to access an information system.
[Note: With respect to SecCM, an information system user is an individual who uses the information system functions, initiates change requests, and assists with functional testing.]
- An individual (person). Also see Entity.
- Person who interacts with the product.
- A person, organization, or other entity which requests access to and uses the resources of a computer system or network.
- The entity, human or machine, that is identified by the userID, authenticated prior to system access, the subject of all access control decisions, and held accountable via the audit reporting system.
- The set of people, both trusted (e.g., administrators) and untrusted, who use the system.
- A consumer of the services offered by an RP.
- A person, team, or organization that accesses or otherwise uses an Online Informative Reference.
- information system-related security risks : see document
- The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
- A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
- Risk that arises through the loss of confidentiality, integrity, or availability of information or information systems considering impacts to organizational operations and assets, individuals, other organizations, and the Nation.
- Risk that arises through the loss of confidentiality, integrity, or availability of information or information systems considering impacts to organizational operations and assets, individuals, other organizations, and the Nation. A subset of information security risk. See risk.
- Information system-related security risks are those risks that arise through the loss of confidentiality, integrity, or availability of information or information systems and consider impacts to the organization (including assets, mission, functions, image, or reputation), individuals, other organizations, and the Nation.
See Risk.
- Risks that arise through the loss of confidentiality, integrity, or availability of information or information systems and consider impacts to the organization (including assets, mission, functions, image, or reputation), individuals, other organizations, and the Nation. See Risk.
- Risks that arise through the loss of confidentiality, integrity, or availability of information or information systems and that consider impacts to the organization (including assets, mission, functions, image, or reputation), individuals, other organizations, and the Nation. See Risk.
- Information system-related security risks are those risks that arise through the loss of confidentiality, integrity, or availability of information or information systems and consider impacts to the organization (including assets, mission, functions, image, or reputation), individuals, other organizations, and the Nation. See Risk.
- Risks that arise through the loss of confidentiality, integrity, or availability of information or information systems and consider impacts to the organization (including assets, mission, functions, image, or reputation), individuals, other organizations, and the Nation. See Risk.
- Information Systems Audit and Control Association : see document
- information systems security (INFOSEC) : see document
- The protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats. See information assurance (IA).
- Synonymous with IT Security.
- information systems security (INFOSEC) boundary : see document
- An imaginary definable perimeter encompassing all the critical functions in an INFOSEC product and separating them from all other functions within the product.
Note: INFOSEC Boundary is in terms of a product assessment; not to be confused with authorization boundary.
- information systems security manager (ISSM) : see document
- Individual responsible for the information assurance of a program, organization, system, or enclave.
- Information Systems Security Program Manager : see document
- Information Technology Asset Management : see document
- Information Technology Infrastructure Library : see document
- Information Technology Laboratory (of NIST) : see document
- Information Technology Operation and Support : see document
- information technology product : see document
- A discrete identifiable information or operational technology asset that represents a building block of a system and may include hardware, software, and firmware.
- A discrete, identifiable information technology asset (e.g., hardware, software, firmware) that represents a building block of an information system. Information system components include commercial information technology products.
- A discrete identifiable information technology asset that represents a building block of a system and may include hardware, software, and firmware.
- A discrete identifiable IT asset that represents a building block of an information system.
- A system, component, application, etc., that is based upon technology which is used to electronically process, store, or transmit information.
- See Authorization Boundary.
- See information system component.
- Discrete identifiable information technology assets that represent a building block of a system and include hardware, software, firmware, and virtual machines.
- A discrete, identifiable information technology asset (hardware, software, firmware) that represents a building block of a system. System components include commercial information technology products.
- information type : see document
- A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management), defined by an organization or, in some instances, by a specific law, Executive Order, directive, policy, or regulation.
- A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management) defined by an organization or in some instances, by a specific law, Executive Order, directive, policy, or regulation.
- A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management) defined by an organization or in some instances, by a specific law, executive order, directive, policy, or regulation.
- A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management), defined by an organization or in some instances, by a specific law, Executive Order (E.O.), directive, policy, or regulation.
- A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor-sensitive, security management) defined by an organization or in some instances, by a specific law, Executive Order, directive, policy, or regulation.
- A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor-sensitive, security management) defined by an organization or in some instances, by a specific law, executive order, directive, policy, or regulation.
- information value : see document
- A qualitative measure of the importance of the information based upon factors such as the level of robustness of the information assurance (IA) controls allocated to the protection of information based upon: mission criticality, the sensitivity (e.g., classification and compartmentalization) of the information, releasability to other countries, perishability/longevity of the information (e.g., short life data versus long life intelligence source data), and potential impact of loss of confidentiality and integrity and/or availability of the information.
- informational label : see document
- Provides facts about properties or features of a product without any grading or evaluation. Information may be displayed in a variety of ways, such as in tabular format or with icons or text.
- Informative Reference Developer : see document
- A person, team, or organization that creates an OLIR and submits it to the National OLIR Program.
- A person, team, or organization that creates an Informative Reference and submits it to the National OLIR Program.
- A person, team, or organization that creates an Informative Reference and submits it to the OLIR Program.
- Informative References : see document
- Relationships between elements of two documents that are recorded in a NIST IR 8278A-compliant format and shared by the OLIR Catalog. There are three types of OLIRs: concept crosswalk, set theory relationship mapping, and supportive relationship mapping.
- Specific sections of standards, guidelines, and practices common among critical infrastructure sectors that illustrate a method to achieve the outcomes associated with each Subcategory in the Cybersecurity Framework.
- A relationship between a Reference Document and the NIST Cybersecurity Framework, using the OLIR Template.
- A specific section of standards, guidelines, and practices common among critical infrastructure sectors that illustrates a method to achieve the outcomes associated with each Subcategory. An example of an Informative Reference is ISO/IEC 27001 Control A.10.8.3, which supports the “Data-in-transit is protected” Subcategory of the “Data Security” Category in the “Protect” function.
- A relationship between a Focal Document Element and a Reference Document Element.
- INFORMS : see document
- INFOSEC : see document
- The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
- The term 'information security' means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability.
- Synonymous with IT Security.
- Infra Red Data Association : see document
- Infrared : see document
- Infrastructure as a Service (IaaS) : see document
- The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).
- infrastructure as code : see document
- The process of managing and provisioning an organization’s IT infrastructure using machine-readable configuration files, rather than employing physical hardware configuration or interactive configuration tools.
- Ingress Filtering : see document
- Filtering of incoming network traffic.
- Ingress Protection : see document
- Inherent Risk : see document
- The risk to an entity in the absence of any direct or focused actions by management to alter its severity.
- inheritance : see document
- A situation in which an information system or application receives protection from security controls (or portions of security controls) that are developed, implemented, and assessed, authorized, and monitored by entities other than those responsible for the system or application; entities either internal or external to the organization where the system or application resides. See common control.
- See security control inheritance.
- Initial Analysis : see document
- Internal phase within the NVD where an NVD Analyst begins to review a CVE and adds the appropriate metadata.
- Initial Attestation Key : see document
- Initial Boot Block : see document
- Initial Device Identity : see document
- Initial Privacy Assessment : see document
- Initial Program Load : see document
- Initialization Vector (IV) : see document
- A bit string that is used as an initial value in computing the first iteration of the PRF in feedback mode. It may be an empty string.
- A binary string that is used as an initial value in computing the first iteration in feedback mode. It may be an empty string.
- A binary vector used as the input to initialize the algorithm for the encryption of a plaintext block sequence to increase security by introducing additional cryptographic variance and to synchronize cryptographic equipment. The initialization vector need not be secret. Some of the Triple Data Encryption Algorithm Modes of Operation require 3 initialization vectors.
- A data block that some modes of operation require as an additional initial input.
- The initialization vector.
- A nonce that is associated with an invocation of authenticated encryption on a particular plaintext and AAD.
- A vector used in defining the starting point of a cryptographic process.
- A vector used in defining the starting point of an encryption process within a cryptographic algorithm.
- A vector used in defining the starting point of a cryptographic process (e.g., encryption and key wrapping).
- INJ : see document
- Injection : see document
- injection attack : see document
- An attack in which an attacker supplies untrusted biometric information or media into a program or process. For example, this could include injecting a falsified image of identity evidence, a forged video of a user, or a morphed image to defeat evidence validation technology or biometric and visual comparisons for user verification.
- INL : see document
- Input Block : see document
- A data block that is an input to either the forward cipher function or the inverse cipher function of the block cipher algorithm.
- input checking : see document
- Examination of a potential input to an algorithm for the purpose of determining whether it conforms to certain requirements.
- Input/Output Operations Per Second : see document
- INR : see document
- INS : see document
- insider : see document
- Any person with authorized access to any United States Government resource to include personnel, facilities, information, equipment, networks, or systems.
- Any person with authorized access to any U.S. Government resource, to include personnel, facilities, information, equipment, networks, or systems.
- An entity inside the security perimeter that is authorized to access system resources but uses them in a way not approved by those who granted the authorization.
- Any person with authorized access to any organizational resource, to include personnel, facilities, information, equipment, networks, or systems.
- Any person with authorized access to business resources, including personnel, facilities, information, equipment, networks, or systems.
- insider threat : see document
- The threat that an insider will use her/his authorized access, wittingly or unwittingly, to do harm to the security of the United States. This threat can include damage to the United States through espionage, terrorism, unauthorized disclosure, or through the loss or degradation of departmental resources or capabilities.
- An entity with authorized access (i.e., within the security domain) that has the potential to harm an information system or enterprise through destruction, disclosure, modification of data, and/or denial of service.
- The threat that an insider will use her/his authorized access, wittingly or unwittingly, to do harm to the security of United States. This threat can include damage to the United States through espionage, terrorism, unauthorized disclosure of national security information, or through the loss or degradation of departmental resources or capabilities.
- An entity with authorized access that has the potential to harm an information system through destruction, disclosure, modification of data, and/or denial of service.
- The threat that an insider will use her/his authorized access, wittingly or unwittingly, to do harm to the security of organizational operations and assets, individuals, other organizations, and the Nation. This threat can include damage through espionage, terrorism, unauthorized disclosure of national security information, or through the loss or degradation of organizational resources or capabilities.
- The threat that an insider will use their authorized access, wittingly or unwittingly, to do harm to the security of the United States. This threat can include damage to the United States through espionage, terrorism, unauthorized disclosure, or through the loss or degradation of departmental resources or capabilities.
- insider threat program : see document
- A coordinated collection of capabilities authorized by the Department/Agency (D/A) that is organized to deter, detect, and mitigate the unauthorized disclosure of sensitive information.
- A coordinated group of capabilities under centralized management that is organized to detect and prevent the unauthorized disclosure of sensitive information. At a minimum, for departments and agencies that handle classified information, an insider threat program shall consist of capabilities that provide access to information; centralized information integration, analysis, and response; employee insider threat awareness training; and the monitoring of user activity on government computers. For departments and agencies that do not handle classified information, these can be employed effectively for safeguarding information that is unclassified but sensitive.
- A coordinated collection of capabilities authorized by the organization and used to deter, detect, and mitigate the unauthorized disclosure of information.
- inspectable space : see document
- Three-dimensional space surrounding equipment that processes classified and/or sensitive information within which TEMPEST exploitation is not considered practical or where legal authority to identify and remove a potential TEMPEST exploitation exists. Synonymous with zone of control.
- Inspection : see document
- Examination of an object of conformity assessment and determination of its conformity with detailed requirements or, on the basis of professional judgement, with general requirements.
- Inspector General : see document
- Installation (as used herein) : see document
- Any of the following actions:
  - Executing an installer to load software.
  - Listing software in the operating system software directory.
  - (Merely) placing executable software on a medium from which it can be executed, even if no installer software is run and there is no listing for it in the operating system software directory.
  - Any other action that allows an executable software file to be loaded into the CPU (e.g., browsing a website that downloads software; opening an e-mail (or attachment) that downloads software; etc.).
- Installation (of keying material) : see document
- The process of making keying material available for establishing and maintaining cryptographic relationships.
- Instant Messaging (IM) : see document
- A facility for exchanging messages in real-time with other people over the Internet and tracking the progress of a given conversation.
- A facility for exchanging messages in real-time with other people over the Internet and tracking the progress of the conversation.
- Instantiation of an RBG : see document
- An instantiation of an RBG is a specific, logically independent, initialized RBG. One instantiation is distinguished from another by a “handle” (e.g., an identifying number).
- Institute for Defense Analyses : see document
- Institute for Information Infrastructure Protection : see document
- Institute for Operations Research and the Management Sciences : see document
- Institute for Testing and Certification : see document
- Institute of Electrical and Electronics Engineers : see document
- Instruction Set Architecture : see document
- Instruction Set Extension : see document
- Instructional System Methodology : see document
- INT-CTXT : see document
- Integer Factorization Cryptography : see document
- Integer factorization cryptography
- Integer Factorization Cryptography.
- Integer Module Learning With Errors : see document
- Integer to Byte String conversion routine : see document
- Integer to Byte String conversion routine.
- Integrated Adaptive Cyber Defense : see document
- integrated CCI (controlled cryptographic items) component : see document
- A CCI component that is designed to be incorporated into an otherwise unclassified communication or information processing equipment or system to form a CCI equipment or CCI system.
Note: The integrated CCI component cannot perform any function by itself. It obtains power from the host equipment. An integrated CCI component may take a variety of forms (see paragraph 8 of the basic Instruction regarding the terminology for CCI component).
- integrated circuit : see document
- Integrated Circuit Card : see document
- Integrated Circuit Card ID (ICCID) : see document
- The unique serial number assigned to, maintained within, and usually imprinted on the (U)SIM.
- Integrated Circuit Card Identification : see document
- A unique and immutable identifier maintained within the SIM.
- Integrated Circuit Chip : see document
- Integrated Circuit(s) Card Device : see document
- Integrated Control and Safety Systems : see document
- Integrated Development Environment : see document
- Integrated Digital Enhanced Network (iDEN) : see document
- A proprietary mobile communications technology developed by Motorola that combines the capabilities of a digital cellular telephone with two-way radio.
- A proprietary mobile communications technology developed by Motorola that combines the capabilities of a digital cellular telephone with two-way radio.
- Integrated Drive Electronics : see document
- Integrated Risk Management : see document
- Integrating Data for Analysis, Anonymization, and Sharing : see document
- Integrator : see document
- An organization that customizes (e.g., combines, adds, optimizes) elements, processes, and systems. The integrator function can be performed by acquirer, integrator, or supplier organizations.
- A value-added engineering organization that focuses on industrial control and information systems, manufacturing execution systems, and plant automation, that has application knowledge and technical expertise, and provides an integrated solution to an engineering problem. This solution includes final project engineering, documentation, procurement of hardware, development of custom software, installation, testing, and commissioning.
- A value-added engineering organization that focuses on industrial control and information systems, manufacturing execution systems, and workcell automation, that has application knowledge and technical expertise, and provides an integrated solution to an engineering problem. This solution includes final project engineering, documentation, procurement of hardware, development of custom software, installation, testing, and commissioning.
- Integrity authentication : see document
- A physical or cryptographic means of providing assurance that information has not been altered in an unauthorized manner since it was created, transmitted, or stored.
- The process of providing assurance that data has not been modified since an authentication code was created for that data.
- See Integrity authentication.
- The process of providing assurance that data has not been modified since a message authentication code or digital signature was created for that data.
- The process of determining the integrity of the data; also called data integrity authentication.
- The process of obtaining assurance that data has not been modified since an authentication code or digital signature was created for that data.
- The protection obtained for transmitted or stored data using an authentication code (e.g., MAC) or digital signature computed on that data. See Integrity authentication.
- integrity check value : see document
- A fixed string that is prepended to the plaintext within the authenticated-encryption function of a key-wrap algorithm, in order to enable the verification of the integrity of the plaintext within the authenticated-decryption function.
- Integrity Impact : see document
- Measures the potential impact to integrity of a successfully exploited misuse vulnerability. Integrity refers to the trustworthiness and guaranteed veracity of information.
- Integrity Key : see document
- Integrity Measurement Architecture : see document
- Integrity of Ciphertexts : see document
- Integrity protection : see document
- A physical or cryptographic means of providing assurance that information has not been altered in an unauthorized manner since it was created, transmitted, or stored.
- The process of providing assurance that data has not been modified since an authentication code was created for that data.
- See Integrity authentication.
- The process of providing assurance that data has not been modified since a message authentication code or digital signature was created for that data.
- The process of obtaining assurance that data has not been modified since an authentication code or digital signature was created for that data.
- The protection obtained for transmitted or stored data using an authentication code (e.g., MAC) or digital signature computed on that data. See Integrity authentication.
- INTegrity under RUP : see document
- Integrity verification : see document
- Obtaining assurance that information has not been altered in an unauthorized manner since it was created, transmitted or stored.
- integrity violation : see document
- In the AML context, an AI system being forced to misperform against its intended objectives, producing outputs or predictions that align with the attacker’s objective.
- Intel Advanced Encryption Standard New Instructions : see document
- Intel AES-NI : see document
- Intel CET : see document
- Intel CIT : see document
- Intel Cloud Integrity Technology : see document
- Intel Control-Flow Enforcement Technology : see document
- Intel MKTME : see document
- Intel Multi-Key Total Memory Encryption : see document
- Intel Security Libraries : see document
- Intel Security Libraries for Data Center : see document
- Intel TDX : see document
- Intel TME : see document
- Intel Total Memory Encryption : see document
- Intel TPM : see document
- Intel Transparent Supply Chain : see document
- Intel Trust Domain Extensions : see document
- Intel Trusted Execution Technology : see document
- Intel Trusted Platform Module : see document
- Intel TSC : see document
- Intel TXT : see document
- Intel Virtualization Technology : see document
- Intel Virtualization Technology for Directed I/O : see document
- Intel VT : see document
- Intel VT-d : see document
- Intel VT-x : see document
- intellectual property : see document
- Creations of the mind such as musical, literary, and artistic works; inventions; and symbols, names, images, and designs used in commerce, including copyrights, trademarks, patents, and related rights. Under intellectual property law, the holder of one of these abstract “properties” has certain exclusive rights to the creative work, commercial symbol, or invention by which it is covered.
- Useful artistic, technical, and/or industrial information, knowledge or ideas that convey ownership and control of tangible or virtual usage and/or representation.
- intelligence : see document
- In intelligence collection, a phrase that indicates that in the satisfaction of intelligence requirements, all collection, processing, exploitation, and reporting systems and resources are identified for possible use and those most capable are tasked.
- 2. The term 'intelligence' includes foreign intelligence and counterintelligence.
- Intelligence products and/or organizations and activities that incorporate all sources of information, most frequently human resources intelligence, imagery intelligence, measurement and signature intelligence, signals intelligence, and open source data in the production of finished intelligence.
- The term 'intelligence' means (1) the product resulting from the collection, processing, integration, analysis, evaluation, and interpretation of available information concerning foreign countries or areas; or (2) information and knowledge about an adversary obtained through observation, investigation, analysis, or understanding. The term 'intelligence' includes foreign intelligence and counterintelligence.
- 1.
  a. The product resulting from the collection, processing, integration, evaluation, analysis, and interpretation of available information concerning foreign nations, hostile or potentially hostile forces or elements, or areas of actual or potential operations.
  b. The activities that result in the product.
  c. The organizations engaged in such activities.
- (i) the product resulting from the collection, processing, integration, analysis, evaluation, and interpretation of available information concerning foreign countries or areas; or
(ii) information and knowledge about an adversary obtained through observation, investigation, analysis, or understanding. The term 'intelligence' includes foreign intelligence and counterintelligence.
- Intelligence products and/or organizations and activities that incorporate all sources of information, most frequently including human resources intelligence, imagery intelligence, measurement and signature intelligence, signals intelligence, and open-source data in the production of finished intelligence.
- intelligence activities : see document
- All activities that agencies within the Intelligence Community are authorized to conduct pursuant to Executive Order (E.O.) 12333, United States Intelligence Activities.
- The term 'intelligence activities' includes all activities that agencies within the Intelligence Community are authorized to conduct pursuant to Executive Order 12333, United States Intelligence Activities.
- Intelligence Advanced Research Projects Activity : see document
- intelligence community (IC) : see document
- Intelligence Community and elements of the Intelligence Community refers to:
(1) The Office of the Director of National Intelligence;
(2) The Central Intelligence Agency;
(3) The National Security Agency;
(4) The Defense Intelligence Agency;
(5) The National Geospatial-Intelligence Agency;
(6) The National Reconnaissance Office;
(7) The other offices within the Department of Defense for the collection of specialized national foreign intelligence through reconnaissance programs;
(8) The intelligence and counterintelligence elements of the Army, the Navy, the Air Force, and the Marine Corps;
(9) The intelligence elements of the Federal Bureau of Investigation;
(10) The Office of National Security Intelligence of the Drug Enforcement Administration;
(11) The Office of Intelligence and Counterintelligence of the Department of Energy;
(12) The Bureau of Intelligence and Research of the Department of State;
(13) The Office of Intelligence and Analysis of the Department of the Treasury;
(14) The Office of Intelligence and Analysis of the Department of Homeland Security;
(15) The intelligence and counterintelligence elements of the Coast Guard; and
(16) Such other elements of any department or agency as may be designated by the President, or designated jointly by the Director and the head of the department or agency concerned, as an element of the Intelligence Community.
- The term 'intelligence community' refers to the following agencies or organizations:
(1) The Central Intelligence Agency (CIA);
(2) The National Security Agency (NSA);
(3) The Defense Intelligence Agency (DIA);
(4) The offices within the Department of Defense for the collection of specialized national foreign intelligence through reconnaissance programs;
(5) The Bureau of Intelligence and Research of the Department of State;
(6) The intelligence elements of the Army, Navy, Air Force, and Marine Corps, the Federal Bureau of Investigation (FBI), the Department of the Treasury, and the Department of Energy; and
(7) The staff elements of the Director of Central Intelligence.
- The term 'intelligence community' refers to the following agencies or organizations:
(i) The Central Intelligence Agency (CIA);
(ii) The National Security Agency (NSA);
(iii) The Defense Intelligence Agency (DIA);
(iv) The offices within the Department of Defense for the collection of specialized national foreign intelligence through reconnaissance programs;
(v) The Bureau of Intelligence and Research of the Department of State;
(vi) The intelligence elements of the Army, Navy, Air Force, and Marine Corps, the Federal Bureau of Investigation (FBI), the Department of the Treasury, and the Department of Energy; and
(vii) The staff elements of the Director of Central Intelligence.
- Intelligence Community Directive : see document
- Intelligence Community Standard : see document
- Intelligent Transportation System Joint Program Office : see document
- Intelligent Virtual Assistant : see document
- Intended owner : see document
- An entity that intends to act as a signatory but has not yet obtained a private key that will be used to generate digital signatures.
- Intended signatory : see document
- An entity that intends to generate digital signatures in the future.
- Inter Switch Link : see document
- interactive application security testing : see document
- Interactive User : see document
- A person who uses an SSH client to access one or more SSH servers, typically to perform administrative operations, transfer data, or access applications.
- Interagency Council on Standards Policy : see document
- Interagency Council on Statistical Policy : see document
- Interagency International Cybersecurity Standardization Working Group : see document
- Interagency Working Group : see document
- interchangeable : see document
- The ability to combine signals from multiple PNT data sources into a single PNT solution, as well as the ability to provide a solution from an alternative source when a primary source is not available.
- interconnection : see document
- See system interconnection.
- interconnection security agreement (ISA) : see document
- A document that regulates security-relevant aspects of an intended connection between an agency and an external system. It regulates the security interface between any two systems operating under two different distinct authorities. It includes a variety of descriptive, technical, procedural, and planning information. It is usually preceded by a formal MOA/MOU that defines high-level roles and responsibilities in management of a cross-domain connection.
- In this guide, an agreement established between the organizations that own and operate connected IT systems to document the technical requirements of the interconnection. The ISA also supports a Memorandum of Understanding or Agreement (MOU/A) between the organizations.
- A document specifying information security requirements for system interconnections, including the security requirements expected for the impact level of the information being exchanged for all participating systems.
- Interconnection Service Agreement : see document
- Inter-control Center Communications Protocol : see document
- Inter-Enterprise Subsystem : see document
- The portion of the RFID system that connects multiple enterprise subsystems together. The inter-enterprise subsystem consists of network infrastructure, a naming service, and possibly a discovery service. Inter-enterprise subsystems are most commonly associated with supply chain applications.
- interface : see document
- A boundary between the IoT device and entities where interactions take place. There are two types of interfaces: network and local.
- Wherever two or more logical, physical, or both system elements or software system elements meet and act on or communicate with each other.
- In a service-oriented architecture, a specification of the operations that a service offers its clients. In WSDL 2.0 an interface component describes sequences of messages that a service sends or receives. In WSDL 1.1 an interface is specified in a portType element.
- Common boundary between independent systems or modules where interactions take place.
- Interface Capabilities : see document
- Capabilities which enable interactions involving IoT devices (e.g., device-to-device communications, human-to-device communications). The types of interface capabilities are application, human user, and network.
- Interface Configuration Utility : see document
- interface device : see document
- An electronic device that connects an integrated circuit card and the card applications therein to a client application.
- interference detection and mitigation : see document
- Interim Approval to Operate : see document
- Temporary authorization granted by principal accrediting authority (PAA) or authorizing official (AO) for an information system to process information based on preliminary results of a security evaluation of the system.
- Interim Authorization to Operate; issued by a DAO to an issuer who is not satisfactorily performing PIV Card and/or Derived PIV Credential specified services (e.g., identity proofing/registration (if applicable), card/token production, activation/issuance, and maintenance).
- interim authorization to test (IATT) : see document
- Temporary authorization to test an information system in a specified operational information environment within the timeframe and under the conditions or constraints enumerated in the written authorization.
- Inter-Integrated Circuit : see document
- Interior Border Gateway Protocol : see document
- Interior Gateway Protocol : see document
- Intermediary Service : see document
- A component that lies between the Service Client (subscriber) and the Service Provider (publisher). It intercepts the request from the Service Client, provides the service (functionality), and forwards the request to the Service Provider. Similarly, it intercepts the response from the Service Provider and forwards it to the Service Client.
- Intermediate Certification Authority (CA) : see document
- A CA that is signed by a superior CA (e.g., a Root CA or another Intermediate CA) and signs CAs (e.g., another Intermediate or Subordinate CA). The Intermediate CA exists in the middle of a trust chain between the Trust Anchor, or Root, and the subscriber certificate issuing Subordinate CAs.
- A CA that is subordinate to another CA, and has a CA subordinate to itself.
- Intermediate Link Key : see document
- Intermediate Long Term Key : see document
- intermittent ad-hoc connection : see document
- A needs-based connection initiated for a specific time or purpose after which the connection is terminated. Intermittent connections are most often made via virtual connection.
- internal assessment engagement : see document
- Formal engagement led by a team within the organization that determines element judgments.
- Internal BGP : see document
- Internal Border Gateway Protocol : see document
- A BGP operation communicating routing information within an AS.
- Internal Control : see document
- An overarching mechanism that an enterprise uses to achieve and monitor enterprise objectives.
- Internal Gateway Protocol : see document
- internal network : see document
- A network in which the establishment, maintenance, and provisioning of security controls are under the direct control of organizational employees or contractors or in which the cryptographic encapsulation or similar security technology implemented between organization-controlled endpoints provides the same effect (with regard to confidentiality and integrity). An internal network is typically organization-owned yet may be organization-controlled while not being organization-owned.
- A network where: (i) the establishment, maintenance, and provisioning of security controls are under the direct control of organizational employees or contractors; or (ii) cryptographic encapsulation or similar security technology provides the same effect. An internal network is typically organization-owned, yet may be organization-controlled while not being organization-owned.
- A network where establishment, maintenance, and provisioning of security controls are under the direct control of organizational employees or contractors; or the cryptographic encapsulation or similar security technology implemented between organization-controlled endpoints, provides the same effect (with regard to confidentiality and integrity). An internal network is typically organization-owned, yet may be organization-controlled while not being organization-owned.
- A network where: (i) the establishment, maintenance, and provisioning of security controls are under the direct control of organizational employees or contractors; or (ii) cryptographic encapsulation or similar security technology implemented between organization-controlled endpoints, provides the same effect (at least with regard to confidentiality and integrity). An internal network is typically organization-owned, yet may be organization-controlled while not being organization-owned.
- A network where the establishment, maintenance, and provisioning of security controls are under the direct control of organizational employees or contractors. Cryptographic encapsulation or similar security technology implemented between organization-controlled endpoints provides the same effect (at least regarding confidentiality and integrity). An internal network is typically organization-owned yet may be organization-controlled while not being organization-owned.
- A network where the establishment, maintenance, and provisioning of security controls are under the direct control of organizational employees or contractors, or the cryptographic encapsulation or similar security technology implemented between organization-controlled endpoints provides the same effect (with regard to confidentiality and integrity). An internal network is typically organization-owned yet may be organization-controlled while not being organization-owned.
- internal security controls : see document
- Hardware, firmware, or software features within an information system that restrict access to resources to only authorized subjects.
- Internal Security Testing : see document
- Security testing conducted from inside the organization’s security perimeter.
- Internal State : see document
- The collection of stored information about a DRBG instantiation. This can include both secret and non-secret information. Compare to working state.
- Internal Trusted Storage : see document
- International Association for Automation and Robotics in Construction : see document
- International Association of Computer Investigative Specialists : see document
- International Association of Privacy Professionals : see document
- International Atomic Energy Agency : see document
- International Atomic Time : see document
- International Civil Aviation Organization : see document
- InterNational Committee for Information Technology Standards : see document
- International Council on Large Electric Systems : see document
- International Council on Systems Engineering : see document
- International Criminal Police Organization : see document
- International Cryptographic Module Conference : see document
- International Earth Rotation and Reference Systems Service : see document
- International Electrotechnical Commission : see document
- International Federation for Information Processing : see document
- International Household Survey Network : see document
- International Maritime Organization : see document
- International Mobile Equipment Identifier : see document
- International Mobile Equipment Identity (IMEI) : see document
- A unique identification number programmed into GSM and UMTS mobile devices.
- A unique number programmed into GSM and UMTS mobile phones.
- International Mobile Subscriber Identity (IMSI) : see document
- A unique number associated with every GSM mobile phone subscriber, which is maintained on a (U)SIM.
- A unique number associated with every GSM mobile phone user.
- International Organization for Standardization : see document
- International Organization for Standardization/International Electrotechnical Commission : see document
- International Society of Automation : see document
- International Telecommunication Union - Telecommunication : see document
- International Terrestrial Reference Frame : see document
- International Terrestrial Reference System : see document
- International Traffic in Arms Regulation : see document
- Internet Architecture Board : see document
- Internet Assigned Number Authority : see document
- Internet Assigned Numbers Authority : see document
- Internet Control Message Protocol : see document
- Internet Corporation for Assigned Names and Numbers : see document
- Internet Engineering Task Force (IETF) : see document
- The Internet Engineering Task Force is the premier Internet standards body that develops open Internet standards.
- The internet standards organization made up of network designers, operators, vendors, and researchers that defines protocol standards (e.g., IP, TCP, DNS) through a process of collaboration and consensus.
- Internet Exchange Point : see document
- Internet Fibre-Channel Protocol : see document
- Internet Group Management Protocol : see document
- Internet Information Server : see document
- Internet Information Services : see document
- Internet Infrastructure Protection : see document
- Internet Key Exchange : see document
- Internet Key Exchange (IKE) : see document
- The Internet Engineering Task Force (IETF) protocol (RFC 5996) that is used to set up a security association in the Internet Protocol Security (IPsec) protocol suite.
- A protocol used to negotiate, create, and manage its own (IKE) and IPsec security associations.
- Internet Message Access Protocol (IMAP) : see document
- A mailbox access protocol defined by IETF RFC 3501. IMAP is one of the most commonly used mailbox access protocols. IMAP offers a much wider command set than POP.
- A method of communication used to read electronic mail stored in a remote server.
- A method of communication used to read electronic messages stored in a remote server.
- Internet Number Resource : see document
- Internet of Medical Things : see document
- internet of things : see document
- As used in this publication, user or industrial devices that are connected to the internet. IoT devices include sensors, controllers, and household appliances.
- The network of devices that contain the hardware, software, firmware, and actuators which allow the devices to connect, interact, and freely exchange data and information.
- Internet Protocol : see document
- Standard protocol for transmission of data from source to destinations in packet-switched communications networks and interconnected systems of such networks.
- The Internet Protocol, as defined in IETF RFC 6864, which is the principal communications protocol in the IETF Internet protocol suite for specifying system address information when relaying datagrams across network boundaries.
- Internet Protocol (IP) addresses : see document
- Standard protocol for transmission of data from source to destinations in packet-switched communications networks and interconnected systems of such networks.
- Internet Protocol Security : see document
- An OSI Network layer security protocol that provides authentication and encryption over IP networks.
- A protocol that adds security features to the standard IP protocol to provide confidentiality and integrity services.
- Internet Protocol version : see document
- Internet Protocol version 4 : see document
- Internet Protocol version 6 : see document
- Internet Relay Chat : see document
- Internet Research Task Force : see document
- Internet Router Discovery Protocol : see document
- Internet Routing Registry : see document
- Internet Security Association and Key Management Protocol : see document
- Internet Server Application Programming Interface : see document
- Internet Service Provider : see document
- Internet Small Computer Systems Interface : see document
- Internet Storage Name Service : see document
- Internet Systems Consortium : see document
- Internetwork Operating System : see document
- Internetwork Packet Exchange : see document
- Interoperability : see document
- The ability of one entity to communicate with another entity.
- For the purposes of this standard, interoperability allows any government facility or information system, regardless of the PIV Issuer, to verify a cardholder’s identity using the credentials on the PIV Card.
- Interoperability Test : see document
- Interoperability tests measure the performance associated with the use of standardized biometric data records in a multiple-vendor environment. They involve the production of templates by N enrollment products and the authentication of these against images processed by M others.
- interoperating system : see document
- System that exchanges information with the system of interest and uses the information that has been exchanged.
- InterPlanetary File System : see document
- INTERPOL : see document
- Interpreter : see document
- A program that processes a script or other program expression and carries out the requested action, in accordance with the language definition.
- Inter-process Communication : see document
- Inter-range Instrumentation Group Time Code : see document
- Inter-range Instrumentation Group Time Code B : see document
- Interrupt Request Line : see document
- interview : see document
- A type of assessment method that is characterized by the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or lead to the location of evidence, the results of which are used to support the determination of security control effectiveness over time.
- A type of assessment method that is characterized by the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or lead to the location of evidence, the results of which are used to support the determination of security control and privacy control effectiveness over time.
- Intra-site Automatic Tunnel Addressing Protocol : see document
- INT-RUP : see document
- intrusion : see document
- A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system or system resource without having authorization to do so.
- any set of actions that attempts to compromise the integrity, confidentiality, or availability of a resource
- intrusion detection : see document
- The process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents.
- Intrusion Detection Message Exchange Format : see document
- intrusion detection system (IDS) : see document
- A security service that monitors and analyzes network or system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.
- IDSs which detect attacks by capturing and analyzing network packets. Listening on a network segment or switch, one network-based IDS can monitor the network traffic affecting multiple hosts that are connected to the network segment.
- Software that automates the intrusion detection process.
- A software application that can be implemented on host operating systems or as network devices to monitor activity that is associated with intrusions or insider misuse, or both.
- IDSs which operate on information collected from within an individual computer system. This vantage point allows host-based IDSs to determine exactly which processes and user accounts are involved in a particular attack on the Operating System. Furthermore, unlike network-based IDSs, host-based IDSs can more readily “see” the intended outcome of an attempted attack, because they can directly access and monitor the data files and system processes usually targeted by attacks.
- Software that looks for suspicious activity and alerts administrators.
- intrusion prevention : see document
- The process of monitoring the events occurring in a computer system or network, analyzing them for signs of possible incidents, and attempting to stop detected possible incidents.
- intrusion prevention system (IPS) : see document
- A system that can detect an intrusive activity and also attempt to stop the activity, ideally before it reaches its targets.
- Intrusion Prevention System: Software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents.
- A system that can detect an intrusive activity and can also attempt to stop the activity, ideally before it reaches its targets.
- System which can detect an intrusive activity and can also attempt to stop the activity, ideally before it reaches its targets.
- Invalidate : see document
- To render a credential or authenticator incapable of being used for authentication by causing its authenticator output to no longer be accepted by relying parties.
- inventory : see document
- (a) The physical or virtual verification of the presence of each item of COMSEC material charged to a COMSEC account.
- (b) A listing of each item of material charged to a COMSEC account.
- A listing of items including identification and location information.
- Inventory management : see document
- As used in this Recommendation, the management of keys and/or certificates to monitor their status (e.g., expiration dates and whether compromised); assign and track their owners or sponsors (who/what they are and where they are located or how to contact them); and report the status to the appropriate official for remedial action, when required.
- inverse : see document
- For some group element <span class="math-tex">\(x\)</span>, the unique element <span class="math-tex">\(y\)</span> for which <span class="math-tex">\(x+y\)</span> is the identity element relative to the binary group operator <span class="math-tex">\(+\)</span> (<span class="math-tex">\(y\)</span> is usually denoted as <span class="math-tex">\(-x\)</span>).
- Inverse Cipher Function (Inverse Cipher Operation) : see document
- The function that reverses the transformation of the forward cipher function when the same cryptographic key is used.
- The inverse function of the forward cipher function for a given block cipher key.
- The inverse function of the forward cipher function for a given cryptographic key.
- The function that is the inverse of the forward cipher function for a given key.
- Inverse Cipher Operation/Inverse Transformation : see document
- The block cipher algorithm function that is the inverse of the forward cipher function. The term “inverse cipher operation” is used for TDEA, while the term “inverse transformation” is used for DEA.
- inverse transformation : see document
- The inverse of the permutation of blocks that is determined by the choice of a block cipher and a key.
- Investment Review Board : see document
- Invisible Internet Project : see document
- Invocation Field : see document
- In the deterministic construction of IVs, the field that identifies the sets of inputs to the authenticated encryption function in a particular device or context.
- IO : see document
- A general term for the equipment that is used to communicate with a computer as well as the data involved in the communications.
- IoC : see document
- IODEF : see document
- IoMT : see document
- IOPS : see document
- iOS : see document
- IOS : see document
- IoT : see document
- IoT device : see document
- Devices that have at least one transducer (sensor or actuator) for interacting directly with the physical world and at least one network interface (e.g., Ethernet, Wi-Fi, Bluetooth) for interfacing with the digital world.
- IoT Platform : see document
- A piece of IoT device hardware with supporting software already installed and configured for a manufacturer’s use as the basis of a new IoT device. An IoT platform might also offer third-party services or applications, or a software development kit to help expedite IoT application development.
- An IoT platform is typically a third-party vendor provided/hosted SaaS-based tool that is used to support IoT device and endpoint management, connectivity and network management, data management, processing and analysis, application development, cybersecurity, access control, monitoring, event processing, and interfacing/integration. Documentation about such a third party can provide important information about supply chain cybersecurity practices and vulnerabilities to allow for the IoT user to more accurately determine risks related to the use of an IoT platform.
- IoT Product : see document
- An IoT device and any other product components necessary to use the IoT device.
- An IoT device or IoT devices and any additional product components (e.g., backend, mobile app) that are necessary to use the IoT device beyond basic operational features.
- IoT Product Component : see document
- Equipment (i.e., hardware and software) other than the primary device that can be hosted remotely, locally, or on other equipment (e.g., a mobile app on the customer’s smartphone) that supports the IoT device in its functionality.
- An IoT device or other digital equipment or service (e.g., backend, mobile app) used to create IoT products.
- IoT Product Developer : see document
- The entity that creates an assembled final IoT product. Some cybersecurity outcomes may be supported by the IoT product developer’s suppliers or other contracted third parties with support responsibilities related to the IoT product or its components.
- IP : see document
- Useful artistic, technical, and/or industrial information, knowledge or ideas that convey ownership and control of tangible or virtual usage and/or representation.
- The Internet Protocol, as defined in IETF RFC 6864, which is the principal communications protocol in the IETF Internet protocol suite for specifying system address information when relaying datagrams across network boundaries.
- IP Multimedia Subsystem : see document
- IP Payload Compression Protocol : see document
- Protocol used to perform lossless compression for packet payloads.
- A protocol used to perform lossless compression for packet payloads.
- IP Security : see document
- Provide(s) interoperable, high quality, cryptographically-based security for IPv4 and IPv6. The set of security services offered includes access control, connectionless integrity, data origin authentication, detection and rejection of replays (a form of partial sequence integrity), confidentiality (via encryption), and limited traffic flow confidentiality.
- IPA : see document
- IPC : see document
- IPComp : see document
- Protocol used to perform lossless compression for packet payloads.
- A protocol used to perform lossless compression for packet payloads.
- IPFS : see document
- iPhone Operating System : see document
- IPL : see document
- IPS : see document
- System which can detect an intrusive activity and can also attempt to stop the activity, ideally before it reaches its targets.
- IPsec : see document
- An OSI Network layer security protocol that provides authentication and encryption over IP networks.
- Provide(s) interoperable, high quality, cryptographically-based security for IPv4 and IPv6. The set of security services offered includes access control, connectionless integrity, data origin authentication, detection and rejection of replays (a form of partial sequence integrity), confidentiality (via encryption), and limited traffic flow confidentiality.
- A protocol that adds security features to the standard IP protocol to provide confidentiality and integrity services.
- IPv : see document
- IPv4 : see document
- IPv6 : see document
- IPv6 over Low-Power Wireless Personal Area Networks : see document
- IPX : see document
- IR : see document
- The remediation or mitigation of violations of security policies and recommended practices.
- A specific section of standards, guidelines, and practices common among critical infrastructure sectors that illustrates a method to achieve the outcomes associated with each Subcategory. An example of an Informative Reference is ISO/IEC 27001 Control A.10.8.3, which supports the “Data-in-transit is protected” Subcategory of the “Data Security” Category in the “Protect” function.
- A relationship between a Focal Document Element and a Reference Document Element.
- IRB : see document
- IRC : see document
- IrDA : see document
- IRDP : see document
- IREX : see document
- Iris Exchange – the NIST program supporting iris-based biometrics
- IRIG : see document
- IRIG-B : see document
- Iris segmentation : see document
- Segmentation is the automated (and possibly manually reviewed) detection of the iris-sclera and iris-pupil boundaries. This localizes the iris texture that is used for actual recognition.
- IRK : see document
- IRM : see document
- IRP : see document
- The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit the consequences of malicious cyber attacks against an organization’s information system(s).
- IRQ : see document
- IRR : see document
- IRS : see document
- IRTF : see document
- IS : see document
- The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
- A discrete set of resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
- The term 'information system' means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
- The term 'information security' means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability.
- An interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.
- The ability of an information system to continue to: (i) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (ii) recover to an effective operational posture in a time frame consistent with mission needs.
- A computer-based system used by an issuer to perform the functions necessary for PIV Card or Derived PIV Credential issuance as per [FIPS 201-2].
- Discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
- A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
[Note: Information systems also include specialized systems such as industrial/process controls systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems.]
- A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
Note: Information systems also include specialized systems such as industrial/process controls systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems.
- An information system is a discrete set of information resources organized expressly for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information systems also include specialized systems such as industrial/process controls systems, telephone switching/private branch exchange (PBX) systems, and environmental control systems.
- A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. [Note: Information systems also include specialized systems such as industrial/process controls systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems.]
- ISA : see document
- Individual who implements approved secure baseline configurations, incorporates secure configuration settings for IT products, and conducts/assists with configuration monitoring activities as needed.
- ISAC : see document
- ISACA : see document
- ISAKMP : see document
- ISAO : see document
- An ISAO is any entity or collaboration created or employed by public- or private-sector organizations for the purposes of gathering and analyzing critical cyber and related information in order to better understand security problems and interdependencies related to cyber systems, so as to ensure their availability, integrity, and reliability.
- ISAPI : see document
- ISATAP : see document
- ISC : see document
- A discrete, identifiable information technology asset (e.g., hardware, software, firmware) that represents a building block of an information system. Information system components include commercial information technology products.
- A discrete identifiable IT asset that represents a building block of an information system.
- See Authorization Boundary.
- ISCM : see document
- ISCM Capability : see document
- A security capability with the following additional traits:
• The purpose (desired result) of each capability is to address specific kind(s) of attack scenarios or exploits.
• Each capability focuses on attacks towards specific assessment objects.
• There is a viable way to automate ISCM on the security capability.
• The capability provides protection against current attack scenarios.
- ISCM Dashboard : see document
- A hierarchy of dashboards to facilitate reporting of appropriate security-related information at multiple organizational levels.
- ISCM program assessment : see document
- ISCMA : see document
- ISCMA tool : see document
- ISCMAx : see document
- ISCM-TN : see document
- iSCSI : see document
- ISD : see document
- ISDN : see document
- ISE : see document
- ISecL : see document
- ISecL-DC : see document
- Ishai-Sahai-Wagner : see document
- ISL : see document
- Island of Security : see document
- A signed, delegated zone that does not have an authentication chain from its delegating parent. That is, there is no DS RR containing a hash of a DNSKEY RR for the island in its delegating parent zone. An island of security is served by DNSSEC-aware name servers and may provide authentication chains to any delegated child zones. Responses from an island of security or its descendants can be authenticated only if its authentication keys can be authenticated by some trusted means out of band from the DNS protocol.
- ISM : see document
- ISMS : see document
- iSNS : see document
- ISO : see document
- Note: Organizations subordinate to federal agencies may use the term Senior Information Security Officer or Chief Information Security Officer to denote individuals filling positions with similar responsibilities to Senior Agency Information Security Officers.
- Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
[Note: The terms “continuous” and “ongoing” in this context mean that security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect organization information.]
- ISO Technical Standard : see document
- ISO/IEC : see document
- ISO/ITU-T : see document
- ISO/TS : see document
- isogeny : see document
- A (non-constant) mapping from an elliptic curve to a second elliptic curve, which preserves point addition and fixes the identity point.
- Isolation : see document
- The ability to keep multiple instances of software separated so that each instance only sees and can affect itself.
- isomorphism (of elliptic curves) : see document
- A bijective mapping from one elliptic curve to another, which maps addition (on the first curve) to addition (on the image curve).
- ISOO : see document
- ISP : see document
- ISPAB : see document
- ISRM : see document
- ISSE : see document
- ISSM : see document
- ISSO : see document
- Individual with assigned responsibility for maintaining the appropriate operational security posture for an information system or program.
- See system security officer (SSO).
- Individual assigned responsibility by the senior agency information security officer, authorizing official, management official, or information system owner for ensuring that the appropriate operational security posture is maintained for an information system or program.
- Individual assigned responsibility for maintaining the appropriate operational security posture for an information system or program.
[Note: ISSO responsibility may be assigned by the senior agency information security officer, authorizing official, management official, or information system owner.]
- ISSPM : see document
- Issuance : see document
- Agreeing on the type of token that will be used for future authentication
- issuer : see document
- The organization that is issuing the PIV Card to an applicant. Typically, this is an organization for which the applicant is working.
- An entity that performs functions required to produce, issue, and maintain PIV Cards or Derived PIV Credentials for an organization
- The organization that is issuing the PIV Card (or DPC) to an applicant. Typically, this is an organization for which the applicant is working.
- The organization that is issuing the PIV Card to an Applicant. Typically this is an organization for which the Applicant is working.
- Issuing Facility : see document
- A physical site or location—including all equipment, staff, and documentation—that is responsible for carrying out one or more of the following PIV functions: identity proofing and registration; card and token production; activation and issuance; post-issuance binding of derived PIV credentials; and maintenance.
- A physical site or location–including all equipment, staff, and documentation–that is responsible for carrying out one or more of the PIV functions.
- ISU : see document
- Individual, or (system) process acting on behalf of an individual, authorized to access an information system.
[Note: With respect to SecCM, an information system user is an individual who uses the information system functions, initiates change requests, and assists with functional testing.]
- ISW : see document
- IT : see document
- Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency.
- Any equipment or interconnected system or subsystem of equipment used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency that requires the use (i) of that equipment or (ii) of that equipment to a significant extent in the performance of a service or the furnishing of a product. Includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services), and related resources. Does not include any equipment acquired by a federal contractor incidental to a federal contract.
- (A) with respect to an executive agency means any equipment or interconnected system or subsystem of equipment, used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency, if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency that requires the use— (i) of that equipment; or (ii) of that equipment to a significant extent in the performance of a service or the furnishing of a product; (B) includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services), and related resources; but (C) does not include any equipment acquired by a federal contractor incidental to a federal contract.
- The term 'information technology', with respect to an executive agency means any equipment or interconnected system or subsystem of equipment, that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency. For purposes of the preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which (i) requires the use of such equipment, or (ii) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term 'information technology' includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources. The term 'information technology' does not include any equipment that is acquired by a Federal contractor incidental to a Federal contract.
- Any services, equipment, or interconnected system(s) or subsystem(s) of equipment, that are used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency. For purposes of this definition, such services or equipment if used by the agency directly or is used by a contractor under a contract with the agency that requires its use; or to a significant extent, its use in the performance of a service or the furnishing of a product. Information technology includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including cloud computing and help-desk services or other professional services which support any point of the life cycle of the equipment or service), and related resources. Information technology does not include any equipment that is acquired by a contractor incidental to a contract which does not require its use.
- Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency. For purposes of the preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which: (i) requires the use of such equipment; or (ii) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term information technology includes computers, ancillary equipment, software, firmware, and similar procedures, services (including support services), and related resources.
- The art and applied sciences that deal with data and information. Examples are capture, representation, processing, security, transfer, interchange, presentation, management, organization, storage, and retrieval of data and information.
- IT security awareness and training program : see document
- Explains proper rules of behavior for the use of agency information systems and information. The program communicates information technology (IT) security policies and procedures that need to be followed. (i.e., NSTISSD 501, NIST SP 800-50)
- IT security objective : see document
- See “Security objective”.
- IT System : see document
- Any organized assembly of resources and procedures united and regulated by interaction or interdependence to accomplish a set of specific functions.
Note: Systems also include specialized systems such as industrial/process controls systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems.
- A combination of interacting elements organized to achieve one or more stated purposes.
- a collection of computing and/or communications components and other resources that support one or more functional objectives of an organization. IT system resources include any IT component plus associated manual procedures and physical facilities that are used in the acquisition, storage, manipulation, display, and/or movement of data or to direct or monitor operating procedures. An IT system may consist of one or more computers and their related resources of any size. The resources that comprise a system do not have to be physically connected.
- A discrete set of resources that are organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
- Combination of interacting elements organized to achieve one or more stated purposes.
- A specific IT installation, with a particular purpose and operational environment.
- Discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
- A discrete set of information resources organized expressly for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
- ITAM : see document
- Itanium Architecture : see document
- ITAR : see document
- ITC : see document
- Item : see document
- A named constituent of a benchmark. The three types of items are groups, rules, and values.
- item accounting : see document
- Accounting for all the accountable components of a COMSEC equipment configuration by a single short title.
- Iterated Block Cipher : see document
- ITIL : see document
- ITL : see document
- ITL Advanced Network Technologies Division : see document
- ITL Applied Cybersecurity Division : see document
- ITL Computer Security Division : see document
- ITL Information Access Division : see document
- ITL Software and Systems Division : see document
- A Solid State Drive (SSD) is a storage device that uses solid state memory to store persistent data.
- ITOS : see document
- ITRF : see document
- ITRS : see document
- ITS : see document
- ITS JPO : see document
- ITU : see document
- ITU - Telecommunication Standardization Sector : see document
- ITU-T : see document
- IUT : see document
- Implementation Under Test
- IV : see document
- A bit string that is used as an initial value in computing the first iteration of the PRF in feedback mode. It may be an empty string.
- A binary string that is used as an initial value in computing the first iteration in feedback mode. It may be an empty string.
- A binary vector used as the input to initialize the algorithm for the encryption of a plaintext block sequence to increase security by introducing additional cryptographic variance and to synchronize cryptographic equipment. The initialization vector need not be secret. Some of the Triple Data Encryption Algorithm Modes of Operation require 3 initialization vectors.
- The initialization vector.
- A nonce that is associated with an invocation of authenticated encryption on a particular plaintext and AAD.
- IV&V : see document
- IVA : see document
- IV<sub>n</sub> : see document
- Block of data representing IV<sub>n</sub>
- IWG : see document
- IXP : see document
- jailbreak : see document
- A direct prompting attack intended to circumvent restrictions placed on model outputs, such as circumventing refusal behaviour to enable misuse.
- jamming : see document
- A deliberate communications disruption meant to degrade the operational performance of the RF subsystem. Jamming is achieved by interjecting electromagnetic waves on the same frequency that the reader and tag use for communication.
- The deliberate radiation, reradiation, or reflection of electromagnetic energy for the purpose of preventing or reducing the effective use of a signal.
- An attack that attempts to interfere with the reception of broadcast communications.
- An attack in which a device is used to emit electromagnetic energy on a wireless network’s frequency to make it unusable.
- Java API for XML Registries : see document
- Java Cryptography Extension : see document
- Java Development Kit : see document
- Java EE : see document
- Java Enterprise Edition : see document
- Java Keystore : see document
- Java Platform, Enterprise Edition : see document
- Java Runtime Environment : see document
- Java Security Manager : see document
- Java Server Pages : see document
- Java Tool Kit : see document
- Java Virtual Machine : see document
- JavaScript Object Notation : see document
- JAXR : see document
- JCE : see document
- JDK : see document
- JFFS2 : see document
- JIT : see document
- jitter : see document
- As it relates to queuing, the difference in latency of packets.
- Non-uniform delays that can cause packets to arrive and be processed out of sequence.
- The time or phase difference between the data signal and the ideal clock.
- The short-term variations of the significant instants of a timing signal from their ideal positions in time (where short-term implies that these variations are of frequency greater than or equal to 10 Hz).
- JKS : see document
- joint authorization : see document
- Security authorization involving multiple authorizing officials.
- Authorization involving multiple authorizing officials.
- Joint Photographic Experts Group : see document
- A standardized image compression function originally established by the Joint Photographic Experts Group.
- Joint Publication : see document
- Joint Task Force : see document
- Joint Technical Committee : see document
- Joint Technical Committee 1 : see document
- Joint Test Action Group : see document
- JOP : see document
- Journaling Flash File System, Version 2 : see document
- JP : see document
- JPEG : see document
- A standardized image compression function originally established by the Joint Photographic Experts Group.
- JRE : see document
- JSM : see document
- JSON : see document
- JSON Web Encryption : see document
- JSON Web Token : see document
- A data exchange format made of a header, payload, and signature where the header and the payload take the form of JSON objects. They are encoded and concatenated with the aggregate being signed to generate a signature.
- JSP : see document
- JSS : see document
- JTAG : see document
- JTC : see document
- JTC 1 : see document
- JTF : see document
- JTK : see document
- judgment : see document
- The association of one of the preconfigured evaluation choices with an element from the context of a specific organizational level.
- The association of an evaluation choice with an element, from the context of a specific risk management level.
- judgment value : see document
- Predefined values that represent the possible choices that an assessor makes in judging whether or how well the gathered information satisfies an assessment element.
- Jump Oriented Programming : see document
- Juniper Operating System : see document
- JUNOS : see document
- Just-in-time : see document
- JVM : see document
- JWE : see document
- JWT : see document
- A data exchange format made of a header, payload, and signature where the header and the payload take the form of JSON objects. They are encoded and concatenated with the aggregate being signed to generate a signature.
- JWT Signing Service : see document
- K&S : see document
- KAK : see document
- KAS : see document
- KAS1-basic : see document
- The basic form of Key-Agreement Scheme 1.
- KAS1-Party_V-confirmation : see document
- Key-Agreement Scheme 1 with confirmation by party V. Previously known as KAS1-responder-confirmation.
- KAS2-basic : see document
- The basic form of Key-Agreement Scheme 2.
- KAS2-bilateral-confirmation : see document
- Key-Agreement Scheme 2 with bilateral confirmation.
- KAS2-Party_U-confirmation : see document
- Key-Agreement Scheme 2 with confirmation by party U. Previously known as KAS2-initiator-confirmation.
- KAS2-Party_V-confirmation : see document
- Key-Agreement Scheme 2 with confirmation by party V. Previously known as KAS2-responder-confirmation.
- KAT : see document
- KB : see document
- KBA : see document
- KBits : see document
- The bit length of the secret keying material.
- KBKDF : see document
- Kbps : see document
- Length in bits of the keying material.
- KBV : see document
- KC : see document
- KDC : see document
- KDF : see document
- KDI : see document
- KDK : see document
- A key used as an input to a key-derivation function to derive additional keying material.
- As used in this Recommendation, either a one-step key-derivation method or a key-derivation function based on a pseudorandom function as specified in [SP 800-108].
- A function by which keying material is derived from a shared secret (or a key) and other information.
- A function that, with the input of a cryptographic key or shared secret, and possibly other data, generates a binary string, called keying material.
- As used in this Recommendation, a function used to derive secret keying material from a shared secret (or a key) and other information.
- A function that − with the input of a cryptographic key or shared secret and possibly other data − generates a binary string, called keying material.
- As used in this Recommendation, either a one-step key-derivation method or a key-derivation function based on a pseudorandom function as specified in SP 800-108.
- A function used to derive keying material from a shared secret (or a key) and other information.
- KDM : see document
- KE : see document
- The process of exchanging public keys in order to establish secure communications.
- KECCAK : see document
- The family of all sponge functions with a KECCAK-f permutation as the underlying function and multi-rate padding as the padding rule. KECCAK was originally specified in [G. Bertoni, J. Daemen, M. Peeters, and G. Van Assche, The KECCAK reference, version 3.0], and standardized in FIPS 202.
- KECCAK Message Authentication Code : see document
- KECCAK Message Authentication Code.
- KEK : see document
- The key for the underlying block cipher of KW, KWP, or TKW. May be called a key-wrapping key in other documents.
- KEM : see document
- Kerberos : see document
- An authentication system developed at the Massachusetts Institute of Technology (MIT). Kerberos is designed to enable two parties to exchange private information across a public network.
- A widely used authentication protocol developed at MIT. In “classic” Kerberos, users share a secret password with a Key Distribution Center (KDC). The user (Alice) who wishes to communicate with another user (Bob) authenticates to the KDC and the KDC furnishes a “ticket” to use to authenticate with Bob.
See SP 800-63C Section 11.2 for more information.
- A network authentication protocol that is designed to provide strong authentication for client/server applications by using symmetric-key cryptography.
- A means of verifying the identities of principals on an open network. Kerberos accomplishes this without relying on the authentication, trustworthiness, or physical security of hosts while assuming all packets can be read, modified and inserted at will. Kerberos uses a trust broker model and symmetric cryptography to provide authentication and authorization of users and systems on the network.
- A widely used authentication protocol developed at MIT. In “classic” Kerberos, users share a secret password with a Key Distribution Center (KDC). The user, Alice, who wishes to communicate with another user, Bob, authenticates to the KDC and is furnished a “ticket” by the KDC to use to authenticate with Bob.
- Kernel-Based Virtual Machine : see document
- KEV : see document
- key : see document
- A parameter used in conjunction with a cryptographic algorithm that determines the specific operation of that algorithm.
- A bit string used as a secret parameter by a cryptographic algorithm. In this Recommendation, a cryptographic key is either a random bit string of a length specified by the cryptographic algorithm or a pseudorandom bit string of the required length that is computationally indistinguishable from one selected uniformly at random from the set of all bit strings of that length.
- A parameter used with a cryptographic algorithm that determines its operation.
- The parameter of a block cipher that determines the selection of a permutation from the block cipher family.
- A parameter used in conjunction with a cryptographic algorithm that determines its operation in such a way that an entity with knowledge of the key can reproduce or reverse the operation, while an entity without knowledge of the key cannot.
- A bit string that is used in conjunction with a cryptographic algorithm, such as the encapsulation and decapsulation keys (of a KEM), the shared secret key (produced by a KEM), and the encryption and decryption keys (of a PKE).
- A parameter used in conjunction with a cryptographic algorithm that determines its operation. Examples of cryptographic algorithms applicable to this standard include:
1. The computation of a digital signature from data
2. The verification of a digital signature
- A parameter used in the block cipher algorithm that determines the forward cipher operation and the inverse cipher operation.
- A value used to control cryptographic operations, such as decryption, encryption, signature generation, or signature verification. For the purposes of these guidelines, key requirements shall meet the minimum requirements stated in Table 2 of [SP 800-57 Part1].
- A numerical value used to control cryptographic operations, such as decryption, encryption, signature generation, or signature verification. Usually a sequence of random or pseudorandom bits used initially to set up and periodically change the operations performed in cryptographic equipment for the purpose of encrypting or decrypting electronic signals, or for determining electronic counter-countermeasures (ECCM) patterns, or for producing other key.
- A parameter used in conjunction with a cryptographic algorithm that determines its operation.
Examples applicable to this Standard include:
1. The computation of a digital signature from data, and
2. The verification of a digital signature.
- A parameter used in conjunction with a cryptographic algorithm that determines its operation. Examples applicable to this Recommendation include: 1. The computation of a digital signature from data, and 2. The verification of a digital signature.
- A parameter used with a cryptographic algorithm that determines its operation in such a way that an entity with knowledge of the key can reproduce or reverse the operation, while an entity without knowledge of the key cannot. Examples applicable to this Recommendation include:
1. The computation of a keyed-hash message authentication code.
2. The verification of a keyed-hash message authentication code.
3. The generation of a digital signature on a message.
4. The verification of a digital signature.
- A binary string used as a secret parameter by a cryptographic algorithm. In this Recommendation, a cryptographic key shall be either a truly random binary string of a length specified by the cryptographic algorithm or a pseudorandom binary string of the specified length that is computationally indistinguishable from one selected uniformly at random from the set of all binary strings of that length.
- A cryptographic key that can be directly used by a cryptographic algorithm to perform a cryptographic operation.
- A parameter that determines the transformation from plaintext to ciphertext and vice versa. (A DEA key is a 64-bit parameter consisting of 56 independent bits and 8 parity bits). Multiple (1, 2 or 3) keys may be used in the Triple Data Encryption Algorithm.
- A parameter used in the block cipher algorithm that determines the forward cipher operation and the inverse cipher operation.
- The parameter of the block cipher that determines the selection of the forward cipher function from the family of permutations.
- A parameter used in the block cipher algorithm that determines the forward cipher function.
- A value used to control cryptographic operations, such as decryption, encryption, signature generation, or signature verification. For the purposes of these guidelines, key requirements shall meet the minimum requirements stated in Table 2 of NIST SP 800-57 Part 1.
See also Asymmetric Keys, Symmetric Key.
- A parameter that determines the transformation using DEA and TDEA forward and inverse operations.
- A parameter used in conjunction with a cryptographic algorithm that determines its operation in such a way that an entity with knowledge of the key can reproduce the operation, while an entity without knowledge of the key cannot. Examples of the use of a key that are applicable to this Recommendation include: 1. The computation of a digital signature from data, and 2. The verification of a digital signature.
- A parameter used in conjunction with a cryptographic algorithm that determines its operation in such a way that an entity with knowledge of the correct key can reproduce or reverse the operation, while an entity without knowledge of the key cannot. Examples of cryptographic operations requiring the use of cryptographic keys include: 1. The transformation of plaintext data into ciphertext data, 2. The transformation of ciphertext data into plaintext data, 3. The computation of a digital signature from data, 4. The verification of a digital signature, 5. The computation of an authentication code from data, 6. The verification of an authentication code from data and a received authentication code, 7. The computation of a shared secret that is used to derive keying material, 8. The derivation of additional keying material from a key-derivation key (i.e., a pre-shared key).
- A value used to control cryptographic operations, such as decryption, encryption, signature generation, or signature verification. For the purposes of these guidelines, key requirements shall meet the minimum requirements stated in Table 2 of NIST SP 800-57 Part 1.
See also Asymmetric Keys, Symmetric Key.
- A parameter used in conjunction with a cryptographic algorithm that determines its operation in such a way that an entity with knowledge of the key can reproduce or reverse the operation while an entity without knowledge of the key cannot. Examples include 1. The transformation of plaintext data into ciphertext data, 2. The transformation of ciphertext data into plaintext data, 3. The computation of a digital signature from data, 4. The verification of a digital signature, 5. The computation of a message authentication code (MAC) from data, 6. The verification of a MAC received with data, 7. The computation of a shared secret that is used to derive keying material.
- A value used to control cryptographic operations, such as decryption, encryption, signature generation, or signature verification.
- A cryptographic key. In this document, keys generally refer to public key cryptography key pairs used for authentication of users and/or machines (using digital signatures). Examples include identity key and authorized keys. The SSH protocol also uses host keys that are used for authenticating SSH servers to SSH clients connecting them.
- A value used to control cryptographic operations, such as decryption, encryption, signature generation or signature verification. For the purposes of this document, key requirements shall meet the minimum requirements stated in Table 2 of NIST SP 800-57 Part 1.
See also Asymmetric keys, Symmetric key.
- Key (or key pair) owner : see document
- One or more entities that are authorized to use a symmetric key or the private key of an asymmetric key pair.
- key administration : see document
- Functions of loading, storing, copying, and distributing the keys and producing the necessary audit information to support those functions. (System Unique).
- key agreement : see document
- A key-establishment procedure where resultant keying material is a function of information contributed by two or more participants, so that no party can predetermine the value of the keying material independently of the other party’s contribution.
- A (pair-wise) key-establishment procedure in which the resultant secret keying material is a function of information contributed by both participants, so that neither party can predetermine the value of the secret keying material independently from the contributions of the other party. Contrast with key transport.
- A key-establishment procedure where the resultant keying material is a function of information contributed by two or more participants, so that an entity cannot predetermine the resulting value of the keying material independently of any other entity’s contribution.
- A (pair-wise) key-establishment procedure in which the resultant secret keying material is a function of information contributed by both participants, so that neither party can predetermine the value of the secret keying material independently from the contributions of the other party. Contrast with key-transport.
- A key-establishment procedure where resultant keying material is a function of information contributed by two or more participants, so that no party can predetermine the value of the keying material independently of any other party’s contribution.
- A (pair-wise) key-establishment procedure in which the resultant secret keying material is a function of information contributed by both participants so that neither party can predetermine the value of the secret keying material independently from the contributions of the other party. Key agreement includes the creation (i.e., generation) of keying material by the key-agreement participants. A separate distribution of the generated keying material is not performed. Contrast with Key transport.
- A (pair-wise) key-establishment procedure where the resultant secret keying material is a function of information contributed by two participants so that no party can predetermine the value of the secret keying material independently from the contributions of the other party. Contrast with key-transport.
- A (pair-wise) key-establishment procedure in which the resultant secret keying material is a function of information contributed by both participants, so that neither party can predetermine the value of the secret keying material independently of the contributions of the other party. Contrast with key transport.
- A (pair-wise) key-establishment procedure where secret keying material is generated from information contributed by two participants so that no party can predetermine the value of the secret keying material independently from the contributions of the other party. Contrast with key-transport.
- A key-establishment procedure where keying material is generated from information contributed by two or more participants so that no party can predetermine the value of the keying material independently of any other party’s contribution.
- A (pair-wise) key-establishment procedure in which the resultant secret keying material is a function of information contributed by both participants so that neither party can predetermine the value of the secret keying material independently of the contributions of the other party; contrast with key transport.
- A (pair-wise) key-establishment procedure where the resultant secret keying material is a function of information contributed by two participants, so that no party can predetermine the value of the secret keying material independently from the contributions of the other party. Contrast with key-transport.
- Key agreement primitive : see document
- A primitive algorithm used in a key-agreement scheme specified in [NIST SP 800-56A], or in [NIST SP 800-56B].
- A DLC primitive specified in [SP 800-56A] or an RSA Secret Value Encapsulation (RSASVE) operation specified in [NIST SP 800-56B].
- A primitive algorithm used in a key-agreement scheme specified in SP 800-56A or in SP 800-56B.
- A primitive algorithm used in a key-agreement scheme specified in SP 800-56A or SP 800-56B.
- Key and metadata management functions : see document
- Functions performed by a CKMS or FCKMS in order to manage keys and metadata.
- Key Bundle : see document
- The three DEA cryptographic keys (Key1, Key2, Key3) that are used with a TDEA mode.
- The three cryptographic keys (Key1, Key2, Key3) that are used with a TDEA mode.
- Key center : see document
- A common central source of the keys or key components that are necessary to support cryptographically protected exchanges within one or more communicating groups.
- Key certification : see document
- In a Public Key Infrastructure (PKI), a process that permits keys or key components to be unambiguously associated with their certificate sources (e.g., using digital signatures to associate public-key certificates with the certification authorities that issued them).
- Key Chords : see document
- Specific hardware keys pressed in a particular sequence on a mobile device.
- Key component : see document
- See Cryptographic key component.
- One of at least two parameters that have the same security properties (e.g., randomness) as a cryptographic key; parameters are combined using an approved cryptographic function to form a plaintext cryptographic key before use.
- Key custodian : see document
- An FCKMS role that is responsible for distributing keys or key splits and/or entering them into a cryptographic module.
- Key de-registration : see document
- A function in the lifecycle of keying material; the marking of all keying material records and associations to indicate that the key is no longer in use.
- A stage in the lifecycle of keying material; the removal of all records of keying material that was registered by a registration authority.
- A function in the lifecycle of a cryptographic key; the marking of a key or the information associated with it (e.g., metadata) to indicate that the key is no longer in use.
- Key derivation : see document
- The process by which keying material is derived from 1) either a cryptographic key or a shared secret produced during a key-agreement scheme and 2) other data. This Recommendation specifies key derivation from an existing cryptographic key and other data.
- The process that derives keying material from a key.
- 1. A process by which one or more keys are derived from a shared secret and other information during a key agreement transaction.
- 2. A process that derives new keying material from a key (i.e., a key-derivation key) that is currently available.
- The process of deriving a key in a non-reversible manner from shared information, some of which is secret.
- A process that derives keying material from a key or a shared secret.
- The process by which one or more keys are derived from either a pre-shared key or a shared secret (from a key-agreement scheme), along with other information.
- As used in this Recommendation, a method of deriving keying material from a pre-shared key and possibly other information. See NIST SP 800-108.
- A process by which one or more keys are derived from a shared secret and other information during a key-agreement transaction.
- A process that derives new keying material from a key (i.e., a key-derivation key) that is currently available.
- The process by which keying material is derived from either a pre-shared key or a shared secret produced during a key-agreement scheme along with other information.
- The process by which keying material is derived from either a pre-shared key or a shared secret (from a key-agreement scheme), along with other information.
- A function in the lifecycle of keying material; the process by which one or more keys are derived from either a pre-shared key, or a shared secret and other information.
- Key destruction : see document
- To remove all traces of keying material so that it cannot be recovered by either physical or electronic means.
- To remove all traces of a cryptographic key so that it cannot be recovered by either physical or electronic means.
- Key Device Cybersecurity Requirement : see document
- A device cybersecurity requirement that if lacking from an IoT device (in the case of a device cybersecurity capability) or manufacturer or supporting entity (in the case of a non-technical supporting capability) will result in unacceptable risk to the organization.
- key distribution : see document
- The transport of a key and other keying material from an entity that either owns or generates the key to another entity that is intended to use the key.
- A key-establishment procedure whereby one party (the sender) selects a value for the secret keying material and then securely distributes that value to another party (the receiver) using an asymmetric algorithm.
- A manual or automated key-establishment procedure whereby one entity (the sender) selects and distributes the key to another entity (the receiver).
- A (pair-wise) key-establishment procedure whereby one party (the sender) selects a value for the secret keying material and then securely distributes that value to another party (the receiver). Contrast with key agreement.
- A key-establishment procedure whereby one party (the sender) selects a value for the secret keying material and then securely distributes that value to another party (the receiver). Contrast with key agreement.
- The transport of a key and other keying material from an entity that either owns the key or generates the key to another entity that is intended to use the key.
- Secure transport of cryptographic keys from one cryptographic module to another module. When used in conjunction with a public key (asymmetric) algorithm, keying material is encrypted using a public key and subsequently decrypted using a private key. When used in conjunction with a symmetric algorithm, key transport is known as key wrapping.
- The transport of key information from one entity (the sender) to one or more other entities (the receivers). The sender may have generated the key information or acquired it from another source as part of a separate process. The key information may be distributed manually or using automated key transport mechanisms.
- A key-establishment procedure whereby one party (the sender) selects a value for the secret keying material and then securely distributes that value to another party (the receiver).
- A key-establishment procedure whereby one party (the sender) selects and encrypts (or wraps) the keying material and then distributes the material to another party (the receiver).
When used in conjunction with a public-key (asymmetric) algorithm, the keying material is encrypted using the public key of the receiver and subsequently decrypted using the private key of the receiver.
When used in conjunction with a symmetric algorithm, the keying material is encrypted with a key-wrapping key shared by the two parties.
- The transport of a key and other keying material from an entity that either owns, generates or otherwise acquires the key to another entity that is intended to use the key.
- A key-establishment procedure whereby one party (the sender) selects and encrypts (or wraps) the key and then distributes it to another party (the receiver). When used in conjunction with a public-key (asymmetric) algorithm, the key is encrypted using the public key of the receiver and subsequently decrypted using the receiver’s private key. When used in conjunction with a symmetric algorithm, the key is encrypted with a key-wrapping key shared by the sending and receiving parties and decrypted using the same key.
- A key-establishment procedure whereby one party (the sender) selects and encrypts the keying material and then distributes the material to another party (the receiver). When used in conjunction with a public-key (asymmetric) algorithm, the keying material is encrypted using the public key of the receiver and subsequently decrypted using the private key of the receiver. When used in conjunction with a symmetric algorithm, the keying material is encrypted with a key-encrypting key shared by the two parties.
- key distribution center (KDC) : see document
- COMSEC facility generating and distributing key in electronic form.
- A key center that generates keys for distribution to subscriber entities.
- key encryption key (KEK) : see document
- A key that encrypts other key (typically traffic encryption keys (TEKs)) for transmission or storage.
- A key derived from the authorization key that is used to encrypt traffic encryption keys (TEK) during the TEK exchange.
- A cryptographic key that is used for the encryption or decryption of other keys.
- key escrow : see document
- A deposit of the private key of a subscriber and other pertinent information pursuant to an escrow agreement or similar contract binding upon the subscriber, the terms of which require one or more agents to hold the subscriber's private key for the benefit of the subscriber, an employer, or other party, upon provisions set forth in the agreement.
- The retention of the private component of the key pair associated with a subscriber’s encryption certificate to support key recovery.
- key escrow system : see document
- The system responsible for storing and providing a mechanism for obtaining copies of private keys associated with encryption certificates, which are necessary for the recovery of encrypted data.
- key establishment : see document
- A procedure conducted by two or more participants, after which the resultant keying material is shared by all participants.
- The procedure that results in keying material that is shared among different parties.
- A procedure that results in secret keying material that is shared among different parties.
- A function in the lifecycle of keying material; the process by which cryptographic keys are securely established among cryptographic modules using manual transport methods (e.g., key loaders), automated methods (e.g., key-transport and/or key-agreement protocols), or a combination of automated and manual methods (consists of key transport plus key agreement).
- A procedure, conducted by two or more participants, after which the resultant keying material is shared by all participants.
- A procedure that results in secret keying material that is shared among different parties.
- The process that results in the sharing of a key between two or more entities, either by transporting a key from one entity to another (key transport) or generating a key from information shared by the entities (key agreement).
- The procedure that results in keying material that is shared among different parties.
- A procedure that results in generating shared keying material among different parties.
- A procedure that results in establishing secret keying material that is shared among different parties.
- The process that results in the sharing of a key between two or more entities, either by manual distribution, using automated key transport or key agreement mechanisms or by using key derivation that employs an already-shared key between or among those entities. Key establishment may include the creation of a key.
- A function in the lifecycle of keying material; the process by which cryptographic keys are securely established among cryptographic modules using manual transport methods (e.g., key loaders), automated methods (e.g., key-transport and/or key-agreement protocols), or a combination of automated and manual methods.
- A stage in the lifecycle of keying material; the process by which cryptographic keys are securely distributed among cryptographic modules using manual transport methods (e.g., key loaders), automated methods (e.g., key transport and/or key agreement protocols), or a combination of automated and manual methods (consists of key transport plus key agreement).
- The procedure that results in keying material that is shared among different entities.
- A function in the lifecycle of a cryptographic key; the process by which cryptographic keys are securely established among entities using manual transport methods (e.g., key loaders), automated methods (e.g., key-transport and/or key-agreement protocols), or a combination of automated and manual methods.
- The procedure that results in keying material that is shared between the participating parties in a key-establishment transaction.
- Key Exchange Key : see document
- Key expansion : see document
- The second step in the key-derivation procedure specified in this Recommendation in which a key-derivation key is used to derive secret keying material having the desired length.
- The second step in the key derivation procedure specified in this Recommendation to derive keying material with the desired length.
- The second step in the key-derivation procedure in which a key-derivation key is used to derive secret keying material having the desired length(s). The first step in the procedure is randomness extraction.
- Key extraction : see document
- See Randomness extraction.
- Key format : see document
- The data structure of a cryptographic key.
- Key generation : see document
- The process of generating keys for cryptography.
- The generation of a cryptographic key either as a single process using a random bit generator and an approved set of rules, or as created during key agreement or key derivation.
- Key Generation and Distribution : see document
- key generation material : see document
- Random numbers, pseudo-random numbers, and cryptographic parameters used in generating cryptographic keys.
- Key Generator : see document
- Key information : see document
- Information about a key that includes the keying material and associated metadata relating to the key. See Keying material and Metadata.
- Information about a key that includes the keying material and associated metadata relating to that key.
- Information about a key that includes the keying material and associated metadata relating to that key. See Keying material and Metadata.
- Key inventory : see document
- Information about each key that does not include the key itself (e.g., the key owner, key type, algorithm, application and expiration date).
- Key length : see document
- The length of a key in bits; used interchangeably with “Key size”.
- The length of a key in bits; used interchangeably with “Key size.”
- Used interchangeably with “Key size”.
- Key life cycle : see document
- The period of time between the creation of the key and its destruction.
- key list : see document
- A printed series of key settings for a specific cryptonet. Key lists may be produced in list, pad, or printed tape format.
- key loader : see document
- A self-contained unit that is capable of storing at least one plaintext or encrypted cryptographic key or key component that can be transferred, upon request, into a cryptographic module.
- key management : see document
- The activities involving the handling of cryptographic keys and other related security parameters (e.g., counters) during the entire life cycle of the keys, including the generation, storage, establishment, entry and output, and destruction.
- The activities involving the handling of cryptographic keys and other related security parameters (e.g. passwords) during the entire life cycle of the keys, including their generation, storage, establishment, entry and output, and destruction.
- The activities involving the handling of cryptographic keys and other related security parameters (e.g., initialization vectors) during the entire lifecycle of the keys, including their generation, storage, establishment, entry and output, use and destruction.
- The activities involved in the handling of cryptographic keys and other related parameters (e.g., IVs and domain parameters) during the entire life cycle of the keys, including their generation, storage, establishment, entry and output into cryptographic modules, use and destruction.
- The activities involving the handling of cryptographic keys and other related security parameters (e.g., IVs and passwords) during the entire life cycle of the keys, including their generation, storage, establishment, entry and output, and destruction.
- The activities involving the handling of cryptographic keys and other related security parameters (e.g., IVs and counters) during the entire life cycle of the keys, including their generation, storage, establishment, entry, output, use, and destruction.
- The activities involving the handling of cryptographic keys and other related key information during the entire lifecycle of the keys, including their generation, storage, establishment, entry and output, use, and destruction.
- The activities involved in the handling of cryptographic keys and other related security parameters (e.g., initialization vectors (IVs) and passwords) during the entire life cycle of the keys, including their generation, storage, establishment, entry and output, and destruction.
- The activities involving the handling of cryptographic keys and other related security parameters (e.g., passwords) during the entire lifecycle of the keys, including their generation, storage, establishment, entry and output, use and destruction.
- Key Management Center : see document
- Key management components : see document
- The software module applications and hardware security modules (HSMs) that are used to generate, establish, distribute, store, account for, suspend, revoke, or destroy cryptographic keys and metadata.
- key management device : see document
- A unit that provides for secure electronic distribution of encryption keys to authorized users.
- key management entity (KME) : see document
- Any activity/organization that performs key management related functionality and has been assigned an electronic key management system (EKMS) ID.
- Key management function : see document
- Functions used 1) to establish cryptographic keys, certificates and the information associated with them; 2) for the accounting of all keys and certificates; 3) for key storage and recovery; 4) for revocation and replacement (as needed); and 5) for key destruction.
- Key Management Identification Number : see document
- key management infrastructure (KMI) : see document
- The framework and services that provide the generation, production, storage, protection, distribution, control, tracking, and destruction for all cryptographic keying material, symmetric keys as well as public keys and public key certificates.
- The framework and services that provide for the generation, production, distribution, control, accounting, and destruction of all cryptographic material, including symmetric keys, as well as public keys and public key certificates. It includes all elements (hardware, software, other equipment, and documentation); facilities; personnel; procedures; standards; and information products that form the system that distributes, manages, and supports the delivery of cryptographic products and services to end users.
- Key Management Interoperability Protocol : see document
- Key Management Plan : see document
- Documents how key management for current and/or planned cryptographic products and services will be implemented to ensure lifecycle key management support for cryptographic processes.
- The Key Management Plan is the document that describes for a cryptographic device or application the management of all key management products and services distributed by the Key Management Infrastructure and employed by that cryptographic device or application. The Key Management Plan documents how current and/or planned key management products and services will be supplied by the Key Management Infrastructure and used by the cryptographic application to ensure that lifecycle key management support is available.
- Key management planning documentation : see document
- The Key Management Specification, CKMS Security Policy and CKMS Practice Statement
- Key Management Policy : see document
- A high-level statement of organizational key management policies that identifies a high-level structure, responsibilities, governing standards, organizational dependencies and other relationships, and security policies.
- A high-level document that identifies a high-level structure, responsibilities, governing standards and guidelines, organizational dependencies and other relationships, and security policies.
- The Key Management Policy is a high-level statement of organizational key management policies that identifies high-level structure, responsibilities, governing standards and guidelines, organizational dependencies and other relationships, and security policies.
- A high-level statement of organizational key-management policies that identifies a high-level structure, responsibilities, governing standards, organizational dependencies and other relationships, and security policies.
- A high-level statement of organizational key management policies that identifies a high-level structure, responsibilities, governing Standards and Recommendations, organizational dependencies and other relationships, and security policies.
- Key management protocol : see document
- Documented and coordinated rules for exchanging keys and metadata (e.g., X.509 certificates).
- Key Management Service : see document
- A key management service is a function performed for or by an
- The generation, establishment, distribution, destruction, revocation, and recovery of keys.
- Key Management System : see document
- A system for the management of cryptographic keys and their metadata (e.g., generation, distribution, storage, backup, archive, recovery, use, revocation, and destruction). An automated key management system may be used to oversee, automate, and secure the key management process.
- Key owner : see document
- A person authorized by an FCKMS service provider or FCKMS service-using organization to use a specific key that is managed by the FCKMS.
- One or more entities that are authorized to use a symmetric key or the private key of a key pair.
- An entity authorized to use a cryptographic key or key pair and whose identifier is associated with a cryptographic key or key pair.
- key pair : see document
- A set of two keys with the property that one key can be made public while the other key must be kept private. In this standard, this could refer to either the (encapsulation key, decapsulation key) key pair of a KEM or the (encryption key, decryption key) key pair of a PKE.
- A public key and its corresponding private key.
- A public key and its corresponding private key; a key pair is used with a public key algorithm.
- A private key and its corresponding public key; a key pair is used with an asymmetric-key (public-key) algorithm.
- Two mathematically related keys having the properties that (1) one key can be used to encrypt a message that can only be decrypted using the other key, and (2) even knowing one key, it is computationally infeasible to discover the other key.
- A public key and its corresponding private key; a key pair is used with a public-key algorithm.
- A public key and its corresponding private key.
- See key-establishment key pair.
- A public key and its corresponding private key. A key pair is used with a public key algorithm.
- A public key and its corresponding private key; a key pair is used with a public-key (asymmetric-key) algorithm.
- Key Performance Indicator : see document
- A metric of progress toward intended results.
- key processor (KP) : see document
- The high-assurance cryptographic component in electronic key management system (EKMS) designed to provide for the local generation of keying material, encryption, and decryption of key, key load into electronic fill devices, and message signature functions.
- Key Protection Technology : see document
- key recovery : see document
- A function in the lifecycle of keying material; mechanisms and processes that allow authorized entities to retrieve or reconstruct keying material from key backup or archive.
- A stage in the lifecycle of keying material; mechanisms and processes that allow authorized entities to retrieve keying material from key backup or archive.
- Mechanisms and processes that allow authorized entities to retrieve or reconstruct keys and other key information from key backups or archives.
- A function in the lifecycle of a cryptographic key; mechanisms and processes that allow authorized entities to retrieve or reconstruct the key from key backups or archives.
- Key registration : see document
- A function in the lifecycle of keying material; the process of officially recording the keying material by a registration authority.
- A stage in the lifecycle of keying material; the process of officially recording the keying material by a registration authority.
- A function in the lifecycle of a cryptographic key; the process of officially recording the keying material by a registration authority.
- Key Reinstallation Attack : see document
- Key revocation : see document
- A function in the lifecycle of keying material; a process whereby a notice is made available to affected entities that keying material should be removed from operational use prior to the end of the established cryptoperiod of that keying material.
- A stage in the lifecycle of keying material; a process whereby a notice is made available to affected entities that keying material should be removed from operational use prior to the end of the established cryptoperiod of that keying material.
- A possible function in the lifecycle of a cryptographic key; a process whereby a notice is made available to affected entities that the key should be removed from operational use prior to the end of the established cryptoperiod of that key.
- Key Risk Indicator : see document
- A metric used to measure risk.
- Key Rollover : see document
- The process of generating and using a new key (symmetric or asymmetric key pair) to replace one already in use. Rollover is done because a key has been compromised or is vulnerable to compromise as a result of use and age.
- Key Rotation : see document
- Changing the key, i.e., replacing it by a new key. The places that use the key or keys derived from it (e.g., authorized keys derived from an identity key, legitimate copies of the identity key, or certificates granted for a key) typically need to be correspondingly updated. With SSH user keys, it means replacing an identity key by a newly generated key and updating authorized keys correspondingly.
- Key schedule : see document
- The sequence of round keys that are generated from the key by KEYEXPANSION().
- Key share : see document
- One of n parameters (where n ≥ 2) such that among the n key shares, any k key shares (where k ≥ n) can be used to construct a key value, but having any k−1 or fewer key shares provides no knowledge of the (constructed) key value. Sometimes called a cryptographic key component or key split.
- Key Signing Key (KSK) : see document
- An authentication key that corresponds to a private key used to sign one or more other authentication keys for a given zone. Typically, the private key corresponding to a key signing key will sign a zone signing key, which in turn has a corresponding private key that will sign other zone data. See also “zone signing key.”
- Key size : see document
- The length of a key in bits; used interchangeably with “Key length”.
- The length of a key in bits; used interchangeably with “Key length.”
- Key splitting (k of n) : see document
- Splitting a key into n key splits so that for some k (where k < n), any k key splits of the key can be used to form the key, but having any k-1 key splits provides no knowledge of the key value.
- Key states : see document
- A categorization of the states that a key can assume during its lifetime. See [NIST SP 800-57 Part 1].
- The states through which a key transitions between its generation and its destruction. See Pre-activation state, Active state, Suspended state, Deactivated state, Compromised state, and Destroyed state.
- Key Storage Device : see document
- Key Storage Provider : see document
- key stream : see document
- Sequence of symbols (or their electrical or mechanical equivalents) produced in a machine or auto-manual cryptosystem to combine with plain text to produce cipher text, control transmission security processes, or produce key.
- Key Stream Generator : see document
- key tag : see document
- Identification information associated with certain types of electronic key.
- key tape : see document
- Punched or magnetic tape containing key. Printed key in tape form is referred to as a key list.
- Key Translation Center (KTC) : see document
- A key center that receives keys from one entity wrapped using a symmetric key shared with that entity, unwraps the wrapped keys and rewraps the keys using a symmetric key shared with another entity.
- key transport : see document
- Process of exchanging public keys (and other information) in order to establish secure communications.
- The transport of a key and other keying material from an entity that either owns or generates the key to another entity that is intended to use the key.
- A key-establishment procedure whereby one party (the sender) selects and encrypts (or wraps) the keying material and then distributes it to another party (the receiver). When used in conjunction with a public-key (asymmetric) algorithm, the key is encrypted using the public key of the receiver and subsequently decrypted using the receiver's private key. When used in conjunction with a symmetric algorithm, the key is encrypted with a key-wrapping key shared by the sending and receiving parties and decrypted using the same key.
- A key-establishment procedure whereby one party (the sender) selects a value for the secret keying material and then securely distributes that value to another party (the receiver) using an asymmetric algorithm.
- A manual or automated key-establishment procedure whereby one entity (the sender) selects and distributes the key to another entity (the receiver).
- A (pair-wise) key-establishment procedure whereby one party (the sender) selects a value for the secret keying material and then securely distributes that value to another party (the receiver). Contrast with key agreement.
- A key-establishment procedure whereby one party (the sender) selects a value for the secret keying material and then securely distributes that value to another party (the receiver). Contrast with key agreement.
- The transport of a key and other keying material from an entity that either owns the key or generates the key to another entity that is intended to use the key.
- Secure transport of cryptographic keys from one cryptographic module to another module. When used in conjunction with a public key (asymmetric) algorithm, keying material is encrypted using a public key and subsequently decrypted using a private key. When used in conjunction with a symmetric algorithm, key transport is known as key wrapping.
- The transport of key information from one entity (the sender) to one or more other entities (the receivers). The sender may have generated the key information or acquired it from another source as part of a separate process. The key information may be distributed manually or using automated key transport mechanisms.
- A key-establishment procedure whereby one party (the sender) selects a value for the secret keying material and then securely distributes that value to another party (the receiver).
- A key-establishment procedure whereby one party (the sender) selects and encrypts (or wraps) the keying material and then distributes the material to another party (the receiver). When used in conjunction with a public-key (asymmetric) algorithm, the keying material is encrypted using the public key of the receiver and subsequently decrypted using the private key of the receiver. When used in conjunction with a symmetric algorithm, the keying material is encrypted with a key-wrapping key shared by the two parties.
- The transport of a key and other keying material from an entity that either owns, generates or otherwise acquires the key to another entity that is intended to use the key.
- A key-establishment procedure whereby one party (the sender) selects and encrypts (or wraps) the key and then distributes it to another party (the receiver). When used in conjunction with a public-key (asymmetric) algorithm, the key is encrypted using the public key of the receiver and subsequently decrypted using the receiver’s private key. When used in conjunction with a symmetric algorithm, the key is encrypted with a key-wrapping key shared by the sending and receiving parties and decrypted using the same key.
- A key-establishment procedure whereby one party (the sender) selects and encrypts the keying material and then distributes the material to another party (the receiver). When used in conjunction with a public-key (asymmetric) algorithm, the keying material is encrypted using the public key of the receiver and subsequently decrypted using the private key of the receiver. When used in conjunction with a symmetric algorithm, the keying material is encrypted with a key-encrypting key shared by the two parties.
- Key transport (automated) : see document
- A key-establishment procedure whereby one entity (the sender) selects a value for secret keying material and then securely distributes that value to one or more other entities (the receivers). Contrast with Key agreement.
- Key type : see document
- One of the twenty-one types of keys listed in [NIST SP 800-130].
- key update : see document
- A function performed on a cryptographic key in order to compute a new, but related, key.
- A procedure in which a new cryptographic key is computed as a function of the (old) cryptographic key that it will replace.
- A key-derivation process whereby the derived key replaces the key from which it was derived when the key-derivation process is later repeated.
- A function performed on a cryptographic key in order to compute a new key that is related to the old key.
- A stage in the lifecycle of keying material; alternate storage for operational keying material during its cryptoperiod.
- A function performed on a cryptographic key in order to compute a new key that is related to the old key and is used to replace that key. Note that this Recommendation disallows this method of replacing a key.
- Key Wrap with Padding mode : see document
- Key wrapping : see document
- A method of encrypting and decrypting keys and (possibly) associated data using a symmetric key; both confidentiality and integrity protection are provided.
- A method of cryptographically protecting keys using a symmetric key that provides both confidentiality and integrity protection.
- In this Recommendation, key-wrapping is a method of protecting keying material using a symmetric-key-based authenticated encryption method, such as a block cipher key-wrapping mode specified in [NIST SP 800-38F] that provides both confidentiality and integrity protection.
- Encrypting a symmetric key using another symmetric key (the key encrypting key). A key used for key wrapping is known as a key encrypting key.
- A method of protecting secret keying material (along with associated integrity information) that provides both confidentiality and integrity protection when using symmetric-key algorithms.
- A method of providing both confidentiality and integrity protection for keying material using a symmetric key.
- A method of encrypting and decrypting keys and (possibly) associated data using symmetric-key cryptography; both confidentiality and integrity protection are provided. See SP 800-38F.
- A method of cryptographically protecting the confidentiality and integrity of keys using a symmetric-key algorithm.
- A method of encrypting and decrypting keys and (possibly) associated data using symmetric-key cryptography; both confidentiality and integrity protection are provided; see SP 800-38F.
- A method of protecting keying material (along with associated integrity information) that provides both confidentiality and integrity protection when using a symmetric-key algorithm.
- A method of encrypting keys (along with associated integrity information) that provides both confidentiality and integrity protection using a symmetric key.
- Key wrapping algorithm : see document
- A cryptographic algorithm approved for use in wrapping keys.
- Key/metadata recovery : see document
- The process of retrieving or reconstructing a key or metadata from backup or archive storage.
- Key-Agreement Scheme : see document
- Key-agreement transaction : see document
- An execution of a key-agreement scheme.
- A key-establishment event which results in secret keying material that is shared between the parties using a key-agreement scheme.
- Key-Auto-Key (KAK) : see document
- Cryptographic logic using previous key to produce key.
- Key-Based Key Derivation Functions : see document
- Keyboard, Video, Mouse : see document
- Key-center environment : see document
- As used in this Recommendation, an environment in which the keys or key components needed to support cryptographically protected exchanges within one or more communicating groups are obtained from a common central source.
- Key-confirmation provider : see document
- The party that provides assurance to the other party (the recipient) that the two parties have indeed established a shared secret or shared keying material.
- key-dependent input : see document
- Key-Dependent Message : see document
- Key-derivation function : see document
- A function that, with the input of a cryptographic key and other data, generates a bit string called the keying material, as defined in this Recommendation.
- As used in this Recommendation, either a one-step key-derivation method or a key-derivation function based on a pseudorandom function as specified in [SP 800-108].
- A function that, with the input of a cryptographic key and other data, generates a binary string, called keying material.
- A function by which keying material is derived from a shared secret (or a key) and other information.
- A function that, with the input of a cryptographic key or shared secret, and possibly other data, generates a binary string, called keying material.
- As used in this Recommendation, a function used to derive secret keying material from a shared secret (or a key) and other information.
- A function that, with the input of a cryptographic key or shared secret and possibly other data, generates a binary string, called keying material.
- As used in this Recommendation, either a one-step key-derivation method or a key-derivation function based on a pseudorandom function as specified in SP 800-108.
- A function used to derive keying material from a shared secret (or a key) and other information.
- Key-derivation key : see document
- A key used as an input to a key-derivation function to derive additional keying material.
- As used in this Recommendation, a key that is used during the key-expansion step of a key-derivation procedure to derive the secret output keying material. This key-derivation key is obtained from a shared secret during the randomness-extraction step.
- A key used as an input to a key derivation function to derive other keys.
- A key used as an input to a key-derivation method to derive other keys. See [NIST SP 800-108].
- A key that is used as an input to a key derivation function or key expansion function to derive other keys.
- A key that is used as input to the key expansion step to derive other keys. In this Recommendation, the key derivation key is obtained by performing randomness extraction on a shared secret.
- A key used with a key-derivation function or method to derive additional keys. Sometimes called a master key.
- A key used as an input to a key-derivation method to derive other keys. See SP 800-108.
- A key used with a key-derivation method to derive additional keys. Sometimes called a master key.
- A key used as an input to a key-derivation method to derive other keys; see SP 800-108.
- A key used with a key-derivation function or method to derive additional keys. Also called a master key.
- Key-derivation method : see document
- As used in this Recommendation, a process that derives secret keying material from a shared secret. This Recommendation specifies both one-step and two-step key-derivation methods.
- A method by which keying material is derived from a shared secret and other information. A key-derivation method may use a key-derivation function or a key-derivation procedure.
- A key-derivation function or other approved procedure for deriving keying material.
- As used in this Recommendation, a method by which secret keying material is derived from a shared secret and other information. A key-derivation method may use a key-derivation function or a key-derivation procedure.
- Key-derivation procedure : see document
- A procedure consisting of multiple steps and using an approved algorithm (e.g., a MAC algorithm) by which keying material is derived from a shared secret and other information.
- As used in this Recommendation, a multi-step process to derive secret keying material from a shared secret and other information.
- As used in this Recommendation, a two-step key-derivation method consisting of randomness extraction followed by key expansion.
- A multi-step process that uses an approved Message Authentication Code (MAC) algorithm to derive keying material from a shared secret and other information.
- Keyed Hash Algorithm : see document
- Algorithm that creates a hash based on both a message and a secret key; also known as a hash message authentication code algorithm.
- An algorithm that creates a message authentication code based on both a message and a secret key shared by two endpoints. Also known as a hash message authentication code algorithm.
- Keyed-Hash Message Authentication Code : see document
- A message authentication code that uses a cryptographic key in conjunction with a hash function.
- Keyed-hash Message Authentication Code (as specified in FIPS 198-1).
- Keyed-hash Message Authentication Code (as specified in [FIPS 198]) with an approved hash function hash.
- Keyed-Hash Message Authentication Code specified in [FIPS198].
- Keyed-Hash Message Authentication Code-Message Digest : see document
- Keyed-Hash Message Authentication Code-Secure Hash Algorithm : see document
- Key-Encapsulation Mechanism : see document
- A set of three cryptographic algorithms (KeyGen, Encaps, and Decaps) that can be used by two parties to establish a shared secret key over a public channel.
- Key-Encryption-Key (KEK) : see document
- A key that encrypts other keys (typically Traffic Encryption Keys or TEKs) for transmission or storage.
- The key for the underlying block cipher of KW, KWP, or TKW. May be called a key-wrapping key in other documents.
- A cryptographic key that is used for the encryption or decryption of other keys to provide confidentiality protection. Also see Key-wrapping key.
- A cryptographic key that is used for the encryption or decryption of other keys to provide confidentiality protection for those keys. Also see Key-wrapping key.
- A cryptographic key that is used for the encryption or decryption of other keys.
- key-establishment key pair : see document
- A public key and its corresponding private key; a key pair is used with a public key algorithm.
- A private key and its corresponding public key; a key pair is used with an asymmetric-key (public-key) algorithm.
- A private/public key pair used in a key-establishment scheme. It can be a static key pair or an ephemeral key pair.
- A public key and its corresponding private key; a key pair is used with a public-key algorithm.
- A public key and its corresponding private key.
- A private/public key pair used in a key-establishment scheme.
- See key-establishment key pair.
- A public key and its corresponding private key. A key pair is used with a public key algorithm.
- A public key and its corresponding private key; a key pair is used with a public-key (asymmetric-key) algorithm.
- key-establishment mechanism : see document
- Key-establishment transaction : see document
- An execution of a key-establishment scheme. It can be either a key-agreement transaction or a key-transport transaction.
- An instance of establishing secret keying material using a key-agreement or key-transport transaction.
- An instance of establishing secret keying material using a key-establishment scheme.
- Key-generating module : see document
- A cryptographic module in which a given key is generated.
- keying material : see document
- A bit string such that non-overlapping segments of the string (with the required lengths) can be used as cryptographic keys or other secret (pseudorandom) parameters.
- Data that is represented as a binary string such that any non-overlapping segments of the string with the required lengths can be used as secret keys, secret initialization vectors, and other secret parameters.
- The data (e.g., keys) necessary to establish and maintain cryptographic keying relationships.
- Key, code, or authentication information in physical, electronic, or magnetic form. It includes key tapes and lists, codes, authenticators, one-time pads, floppy disks, and magnetic tapes containing keys, plugs, keyed microcircuits, electronically generated key, etc.
- A bit string, such that any non-overlapping segments of the string with the required lengths can be used as symmetric cryptographic keys and secret parameters, such as initialization vectors.
- A binary string, such that any non-overlapping segments of the string with the required lengths can be used as symmetric cryptographic keys.
- Data that is represented as a binary string such that any non-overlapping segments of the string with the required lengths can be used as symmetric cryptographic keys. In this Recommendation, keying material is derived from a shared secret established during an execution of a key-establishment scheme or generated by the sender in a key-transport scheme. As used in this Recommendation, secret keying material may include keys, secret initialization vectors, and other secret parameters.
- A binary string, such that any non-overlapping segments of the string with the required lengths can be used as symmetric cryptographic keys and secret parameters, such as initialization vectors.
- The data (e.g., keys and IVs) necessary to establish and maintain cryptographic keying relationships.
- Data that is represented as a binary string such that any non-overlapping segments of the string with the required lengths can be used as secret keys, secret initialization vectors and other secret parameters.
- A cryptographic key and other parameters (e.g., IVs or domain parameters) used with a cryptographic algorithm.
- A cryptographic key and other parameters (e.g., IVs or domain parameters) used with a cryptographic algorithm. When keying material is derived as specified in SP 800-56C or SP 800-108: Data represented as a bit string such that any non-overlapping segments of the string with the required lengths can be used as secret keys, secret initialization vectors, and other secret parameters.
- Data that is represented as a binary string such that any non-overlapping segments of the string with the required lengths can be used as symmetric cryptographic keys. In this Recommendation, keying material is derived from a shared secret established during an execution of a key-agreement scheme, or transported by the sender in a key-transport scheme. As used in this Recommendation, secret keying material may include keys, secret initialization vectors, and other secret parameters.
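Worked example, added here and not code from SP 800-108 or SP 800-56C: a counter-mode KDF in the SP 800-108 style with HMAC-SHA-256 as the PRF, followed by cutting the resulting keying material into the non-overlapping segments the definitions above describe. The 32-bit big-endian encodings of the counter and of the output length L, the Label || 0x00 || Context layout, and the segment layout (AES-256 key, 128-bit IV, HMAC key) are this example's choices; the standard permits other fixed-input formats.

```python
import hashlib
import hmac
import struct

PRF_OUT_BYTES = hashlib.sha256().digest_size  # h = 256 bits per PRF call


def kdf_counter_hmac_sha256(k_in: bytes, label: bytes, context: bytes, length_bits: int) -> bytes:
    """Counter-mode KDF (SP 800-108 style) with HMAC-SHA-256 as the PRF.

    K(i) = HMAC(K_IN, [i]_32 || Label || 0x00 || Context || [L]_32) for i = 1..n, n = ceil(L / 256);
    the result is the leftmost L bits of K(1) || ... || K(n). The 32-bit encodings of i and L
    are this example's choice (an assumption), not the only format the standard allows.
    """
    if length_bits <= 0 or length_bits % 8:
        raise ValueError("L must be a positive multiple of 8 bits")
    n = -(-length_bits // (8 * PRF_OUT_BYTES))  # ceiling division
    if n > 0xFFFFFFFF:
        raise ValueError("requested length exceeds the 32-bit counter range")
    if b"\x00" in label:
        raise ValueError("Label must not contain 0x00: the separator would become ambiguous")
    fixed_tail = label + b"\x00" + context + struct.pack(">I", length_bits)
    blocks = [hmac.new(k_in, struct.pack(">I", i) + fixed_tail, hashlib.sha256).digest()
              for i in range(1, n + 1)]
    return b"".join(blocks)[: length_bits // 8]


def partition_keying_material(keying_material: bytes, layout: list) -> dict:
    """Cut keying material into non-overlapping segments, in order, consuming every byte exactly once.

    `layout` is a list of (name, byte_length). Requiring the lengths to sum to the exact size
    guarantees that no segment is shared between two keys and that no bytes are reused.
    """
    total = sum(size for _, size in layout)
    if total != len(keying_material):
        raise ValueError("layout needs %d bytes but keying material has %d" % (total, len(keying_material)))
    segments, offset = {}, 0
    for name, size in layout:
        segments[name] = keying_material[offset:offset + size]
        offset += size
    return segments


def derive_session_keys(shared_secret: bytes, context: bytes) -> dict:
    """Derive an AES-256 key, a 128-bit IV and an HMAC key from a single 640-bit KDF output."""
    layout = [("enc_key", 32), ("iv", 16), ("mac_key", 32)]
    length_bits = 8 * sum(size for _, size in layout)
    km = kdf_counter_hmac_sha256(shared_secret, b"session-keys", context, length_bits)
    return partition_keying_material(km, layout)


if __name__ == "__main__":
    # Constructed inputs: in practice the key-derivation key comes from a key-establishment scheme.
    z = bytes.fromhex("00" * 31 + "01")
    ctx = b"Alice||Bob||nonce-constructed"
    for name, value in derive_session_keys(z, ctx).items():
        print(name, value.hex())
```

Binding the output length L into the fixed input means that asking for 640 bits and then truncating does not yield a prefix of a 512-bit derivation; the two outputs are unrelated, which is what prevents a key derived for one purpose from being a prefix of another.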
- Key-pair owner : see document
- The entity that is authorized to use the private key associated with a public key, whether that entity generated the key pair itself or a trusted party generated the key pair for the entity.
- In asymmetric-key cryptography, the entity that is authorized to use the private key associated with a public key, whether that entity generated the key pair itself, or a trusted party generated the key pair for the entity.
- In asymmetric-key cryptography, the entity that is authorized to use the private key associated with a public key, whether that entity generated the key pair itself or a trusted party generated the key pair for the entity.
- key-policy attribute-based encryption : see document
- Key-recovery agent : see document
- An FCKMS role that assists in the key-recovery/metadata-recovery process.
- A human entity authorized to access stored key information in key backups and archives.
- keystroke monitoring : see document
- The process used to view or record both the keystrokes entered by a computer user and the computer’s response during an interactive session. Keystroke monitoring is usually considered a special case of audit trails.
- Key-transport Scheme : see document
- Key-transport transaction : see document
- An execution of a key-transport scheme.
- A key-establishment event which results in secret keying material that is shared between the parties using a key-transport scheme.
- key-wrap algorithm : see document
- A deterministic, symmetric-key authenticated-encryption algorithm that is intended for the protection of cryptographic keys. Consists of two functions: authenticated encryption and authenticated decryption.
- Key-wrapping key : see document
- In this Recommendation, a key-wrapping key is a symmetric key established through a key-agreement transaction and used with a key-wrapping algorithm to protect the keying material to be transported.
- A symmetric key-encrypting key that is used to provide both confidentiality and integrity protection. Also see Key-encrypting key.
- A symmetric key used with a key-wrapping algorithm to protect keying material. In accordance with this Recommendation (SP 800-56B), a key-wrapping key can be established using a KAS1, KAS2 or KTS-OAEP scheme and then used with a key-wrapping algorithm to protect transported keying material. (See Section 9.3.)
- A symmetric key that is used with a key-wrapping algorithm to protect the confidentiality and integrity of keys.
- A symmetric key used to provide confidentiality and integrity protection for other keys.
- A symmetric key that is used to provide both confidentiality and integrity protection for other keys. Also see Key-encrypting key.
- A key used as an input to a key-wrapping method; see SP 800-38F.
- In this Recommendation, a key-wrapping key is a symmetric key established during a key-transport transaction and used with a key-wrapping algorithm to protect the keying material to be transported.
- A symmetric key-encrypting key.
- KG : see document
- KGD : see document
- kHz : see document
- KiB : see document
- Kibibyte, a unit of measure equal to 2<sup>10</sup> bytes = 1024 bytes.
- Kilobits per second : see document
- Kilobyte : see document
- Kilohertz : see document
- KIRP : see document
- KMC : see document
- KME : see document
- KMI : see document
- KMI operating account (KOA) : see document
- A key management infrastructure (KMI) business relationship that is established 1) to manage the set of user devices that are under the control of a specific KMI customer organization; and 2) to control the distribution of KMI products to those devices.
- KMI Operating Account Manager : see document
- KMI protected channel (KPC) : see document
- A key management infrastructure (KMI) Communication Channel that provides 1) Information Integrity Service; 2) either Data Origin Authentication Service or Peer Entity Authentication Service, as is appropriate to the mode of communications; and 3) optionally, Information Confidentiality Service.
- KMI-aware device : see document
- A user device that has a user identity for which the registration has significance across the entire key management infrastructure (KMI) (i.e., the identity’s registration data is maintained in a database at the primary services node (PRSN) level of the system, rather than only at an MGC) and for which a product can be generated and wrapped by a product source node (PSN) for distribution to the specific device.
- KMID : see document
- KMIP : see document
- KMN : see document
- The activities involving the handling of cryptographic keys and other related security parameters (e.g., initialization vectors) during the entire lifecycle of the keys, including their generation, storage, establishment, entry and output, use and destruction.
- KMP : see document
- A high-level statement of organizational key management policies that identifies a high-level structure, responsibilities, governing standards, organizational dependencies and other relationships, and security policies.
- Documents how key management for current and/or planned cryptographic products and services will be implemented to ensure lifecycle key management support for cryptographic processes.
- A high-level document that identifies a high-level structure, responsibilities, governing standards and guidelines, organizational dependencies and other relationships, and security policies.
- A high-level statement of organizational key management policies that identifies a high-level structure, responsibilities, governing Standards and Recommendations, organizational dependencies and other relationships, and security policies.
- KMPS : see document
- A document or set of documents that describes, in detail, the organizational structure, responsible roles, and organization rules for the functions identified in the Key Management Policy.
- A document or set of documentation that describes (in detail) the organizational structure, responsible roles, and organization rules for the functions identified in the associated cryptographic Key Management Policy (see [IETF RFC 3647]).
- A document or set of documentation that describes in detail the organizational structure, responsible roles, and organization rules for the functions identified in the Key Management Policy.
- KMS : see document
- Know Your Customer : see document
- Knowledge : see document
- A retrievable set of concepts within memory.
- A body of information applied directly to the performance of a function.
- Knowledge and Skill statement : see document
- Knowledge, Skills, and Abilities : see document
- Knowledge-Based Authentication : see document
- Authentication of an individual based on knowledge of information associated with his or her claimed identity in public databases. Knowledge of such information is considered to be private rather than secret, because it may be used in contexts other than authentication to a Verifier, thereby reducing the overall assurance associated with the authentication process.
- known answer test : see document
- Known Data : see document
- A category of information that may be present within an attribute of a CPE name. Known data represents any meaningful value about a product (e.g., “sp1”, “2.3.4”, “pro”, NA), but does not include the logical value ANY.
- Known Exploited Vulnerabilities : see document
- Known Hosts File : see document
- A file associated with a specific account that contains one or more host keys. Each host key is associated with an SSH server address (IP or hostname) so that the server can be authenticated when a connection is initiated. The user or administrator who makes the first connection to an SSH server is responsible for verifying that the host key presented by that server is the actual key (not a rogue key) before it gets placed in the known hosts file.
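An added example (written for this page; not OpenSSH code) that makes the host-key check concrete: a minimal reader for the OpenSSH known_hosts format that resolves plain, wildcard, bracketed-port and hashed host entries (`|1|salt|hash`, where hash is HMAC-SHA-1 keyed with the salt over the host name), honours `@revoked`, computes the `SHA256:` fingerprint an administrator compares out of band before the first connection, and reports a key mismatch for a known host instead of silently accepting a new key. The sample file, host names and key blobs are constructed; the blobs are not real SSH public keys.

```python
import base64
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HostKeyEntry:
    hosts: str             # comma-separated patterns, or a |1|salt|hash hashed host name
    key_type: str          # e.g. ssh-ed25519, ssh-rsa
    key_b64: str           # base64 public-key blob
    marker: Optional[str]  # "@revoked", "@cert-authority" or None


def parse_known_hosts(text: str) -> List[HostKeyEntry]:
    """Parse 'hosts keytype base64 [comment]' lines, skipping blanks, comments and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        marker = None
        if parts[0].startswith("@"):
            marker, parts = parts[0], parts[1:]
        if len(parts) < 3:
            continue  # malformed: ignore rather than guess
        entries.append(HostKeyEntry(parts[0], parts[1], parts[2], marker))
    return entries


def hashed_hostname(hostname: str, salt: bytes) -> str:
    """Encode a host the way HashKnownHosts does: |1|base64(salt)|base64(HMAC-SHA-1(salt, host))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def _glob_match(pattern: str, hostname: str) -> bool:
    # Only '*' and '?' are wildcards; '[' and ':' in "[host]:port" patterns stay literal.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, hostname) is not None


def host_matches(hosts_field: str, hostname: str) -> bool:
    """Match a host name against one entry's host field; a negated pattern wins over any positive match."""
    if hosts_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = hosts_field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    patterns = hosts_field.split(",")
    if any(_glob_match(p[1:], hostname) for p in patterns if p.startswith("!")):
        return False
    return any(_glob_match(p, hostname) for p in patterns if not p.startswith("!"))


def fingerprint_sha256(key_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA-256 of the raw key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_key(entries: List[HostKeyEntry], hostname: str, key_type: str, key_b64: str) -> str:
    """Return 'trusted', 'revoked', 'MISMATCH' (host known with a different key of this type) or 'unknown'."""
    matching = [e for e in entries if e.marker != "@cert-authority" and host_matches(e.hosts, hostname)]

    def same_key(e: HostKeyEntry) -> bool:
        return e.key_type == key_type and hmac.compare_digest(e.key_b64.encode(), key_b64.encode())

    if any(e.marker == "@revoked" and same_key(e) for e in matching):
        return "revoked"  # revocation is checked before trust so ordering in the file cannot undo it
    trusted = [e for e in matching if e.marker is None]
    if any(same_key(e) for e in trusted):
        return "trusted"
    return "MISMATCH" if any(e.key_type == key_type for e in trusted) else "unknown"


# Constructed sample data: these base64 blobs are NOT real SSH public keys.
KEY_BUILD = base64.b64encode(b"constructed ed25519 blob for build host").decode()
KEY_GIT = base64.b64encode(b"constructed ed25519 blob for git host").decode()
KEY_OLD = base64.b64encode(b"constructed ed25519 blob that was revoked").decode()
KEY_BASTION = base64.b64encode(b"constructed rsa blob for bastion").decode()
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, not a real known_hosts file",
    "build.example.internal,10.0.0.12 ssh-ed25519 " + KEY_BUILD,
    hashed_hostname("gitserver.internal", b"0123456789abcdef0123") + " ssh-ed25519 " + KEY_GIT,
    "@revoked *.example.internal ssh-ed25519 " + KEY_OLD,
    "[bastion.example.internal]:2222 ssh-rsa " + KEY_BASTION + " bastion on a non-default port",
])
```

The "MISMATCH" result is the case that matters operationally: a known host presenting a different key of the same type is exactly what a rogue server or an on-path attacker looks like, and the safe response is to refuse the connection until the fingerprint has been re-verified out of band, not to overwrite the entry.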
- known inclusion re-identification probability : see document
- KOA : see document
- KOA agent : see document
- A user identity that is designated by a key management infrastructure operating account (KOA) manager to access primary services node (PRSN) product delivery enclaves for the purpose of retrieving wrapped products that have been ordered for user devices that are assigned to that KOA.
- KOA manager (KOAM) : see document
- An external operational management role that is responsible for the operation of a key management infrastructure operating account (KOA) that includes all distribution of KMI key and products from the management client (MGC) to the end cryptographic units (ECUs) and fill devices, and management and accountability of all electronic and physical key, and physical COMSEC materials from receipt and/or production to destruction or transfer to another KOA. (Similar to an electronic key management system (EKMS) Manager or COMSEC Account Manager)
- KOA registration manager : see document
- The individual responsible for performing activities related to registering key management infrastructure operating accounts (KOAs).
- KOAM : see document
- Kolmogorov-Smirnov Test : see document
- A statistical test that may be used to determine if a set of data comes from a particular probability distribution.
- KP : see document
- KP-ABE : see document
- KPC : see document
- KPI : see document
- KPT : see document
- KRACK : see document
- KRI : see document
- KSA : see document
- KSD : see document
- KSG : see document
- KSK : see document
- KSP : see document
- KTS : see document
- KTS-OAEP-basic : see document
- The basic form of the key-transport Scheme with Optimal Asymmetric Encryption Padding.
- KTS-OAEP-Party_V-confirmation : see document
- Key-transport Scheme with Optimal Asymmetric Encryption Padding and key confirmation provided by party V. Previously known as KTS-OAEP-receiver-confirmation.
- KVM : see document
- KW : see document
- KWP : see document
- KYC : see document
- l : see document
- The length in bits of a MacTag, or the length in bits of a truncated message digest (used, for example, by a digital signature algorithm).
- λ(n) : see document
- Lambda function of the RSA modulus n, i.e., the least positive integer i such that 1 = a<sup>i</sup> mod n for all a relatively prime to n. When n = p × q, λ(n) = LCM(p - 1, q - 1).
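The relation between λ(n), the least common multiple and the RSA private-key formats, worked through in Python as an added example that is not taken from SP 800-56B or any other NIST document. The primes 61 and 53 are deliberately tiny so that the defining property of λ(n) can be checked by brute force; nothing here is sized for real use.

```python
from math import gcd


def lcm(a: int, b: int) -> int:
    """Least common multiple: the smallest positive integer divisible by both a and b."""
    return a * b // gcd(a, b)


def rsa_lambda(p: int, q: int) -> int:
    """λ(n) for n = p*q with distinct primes p, q: λ(n) = lcm(p - 1, q - 1)."""
    return lcm(p - 1, q - 1)


def is_universal_exponent(i: int, n: int) -> bool:
    """Check the defining property directly: a^i ≡ 1 (mod n) for every a relatively prime to n.

    Brute force over all residues, so only sensible for toy moduli.
    """
    return all(pow(a, i, n) == 1 for a in range(1, n) if gcd(a, n) == 1)


def rsa_keygen(p: int, q: int, e: int) -> dict:
    """Build the basic (n, d), prime-factor (p, q, d) and CRT (dP, dQ, qInv) private-key forms.

    d is the inverse of e modulo λ(n). Any d' ≡ d (mod λ(n)), such as the inverse modulo
    φ(n) = (p-1)(q-1), decrypts identically, because a^λ(n) ≡ 1 (mod n) for the relevant a.
    """
    if p == q:
        raise ValueError("p and q must be distinct")
    n = p * q
    lam = rsa_lambda(p, q)
    if gcd(e, lam) != 1:
        raise ValueError("e must be relatively prime to lambda(n)")
    d = pow(e, -1, lam)  # modular inverse (Python 3.8+)
    return {
        "n": n, "e": e, "d": d, "p": p, "q": q,
        "dP": d % (p - 1), "dQ": d % (q - 1), "qInv": pow(q, -1, p),
        "lambda": lam,
    }


def rsa_private_basic(c: int, key: dict) -> int:
    """Private-key operation with the basic (n, d) form."""
    return pow(c, key["d"], key["n"])


def rsa_private_crt(c: int, key: dict) -> int:
    """Private-key operation with the CRT form: two half-size exponentiations and Garner recombination."""
    m1 = pow(c, key["dP"], key["p"])
    m2 = pow(c, key["dQ"], key["q"])
    h = (key["qInv"] * (m1 - m2)) % key["p"]
    return m2 + h * key["q"]


if __name__ == "__main__":
    key = rsa_keygen(61, 53, 17)  # toy parameters, not for real use
    print("n =", key["n"], "lambda(n) =", key["lambda"], "d =", key["d"])
    c = pow(65, key["e"], key["n"])
    print("basic:", rsa_private_basic(c, key), "CRT:", rsa_private_crt(c, key))
```

Using λ(n) rather than φ(n) gives the smallest valid d, which is why FIPS 186 expresses the private exponent condition in terms of λ(n); the CRT form is faster but exposes p and q, so an implementation must protect all of its components equally.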
- L2CAP : see document
- L2F : see document
- L2TP : see document
- L2VPN : see document
- label : see document
- The means used to associate a set of security attributes with a specific information object as part of the data structure for that object.
- Explicit or implicit marking of a data structure or output media associated with an information system representing the FIPS 199 security category, or distribution limitations or handling caveats of the information contained therein.
- Information that either identifies an associated parameter or provides information regarding the parameter’s proper protection and use.
- label flipping : see document
- A type of data poisoning attack in which an adversary is restricted to changing the training labels.
- label limit : see document
- A capability with which an attacker does not control the labels of training samples in supervised learning.
- labeled security protections : see document
- Access control protection features of a system that use security labels to make access control decisions.
- laboratory attack : see document
- Use of sophisticated signal recovery equipment in a laboratory environment to recover information from data storage media.
Rationale: Term is no longer used in revised version of NIST SP 800-88.
- LACNIC : see document
- The Internet Address Registry for Latin America and the Caribbean, responsible for assigning and managing Internet number resources for their region.
- LAG : see document
- lagging indicator : see document
- A metric that tracks the outcome of events or trends.
- LAMP : see document
- LAN : see document
- A group of computers and other devices dispersed over a relatively limited area and connected by a communications link that enables any device to interact with any other on the network.
- Land Mobile Radio : see document
- LANL : see document
- Laplace mechanism : see document
- An algorithmic primitive for differential privacy that adds random noise sampled from the Laplace distribution to the output of a query.
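An added example (not from the source) of the primitive just defined, applied to a counting query and implemented with the standard library only: noise is drawn from Laplace(0, sensitivity/ε) by inverse-CDF sampling. The records, the predicate and the value of ε are constructed for illustration.

```python
import math
import random
from typing import Callable, Iterable, Optional


def laplace_sample(scale: float, rng: random.Random) -> float:
    """Draw from Laplace(0, scale) by inverse CDF: x = -b * sgn(u) * ln(1 - 2|u|), u ~ U(-1/2, 1/2)."""
    u = rng.random() - 0.5
    while u == -0.5:  # random() may return exactly 0.0; then 1 - 2|u| = 0 and the log is undefined
        u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def laplace_mechanism(true_value: float, sensitivity: float, epsilon: float,
                      rng: Optional[random.Random] = None) -> float:
    """Release true_value + Laplace(sensitivity / epsilon).

    This is epsilon-differentially private for a query whose L1 sensitivity (the largest change
    caused by adding or removing one individual's record) is `sensitivity`. Without an explicit
    rng a CSPRNG is used; a seeded random.Random is only for reproducible testing.
    """
    if sensitivity <= 0 or epsilon <= 0:
        raise ValueError("sensitivity and epsilon must be positive")
    rng = rng or random.SystemRandom()
    return true_value + laplace_sample(sensitivity / epsilon, rng)


def private_count(records: Iterable, predicate: Callable[[object], bool], epsilon: float,
                  rng: Optional[random.Random] = None) -> float:
    """A counting query moves by at most 1 when one record is added or removed, so its sensitivity is 1."""
    exact = sum(1 for r in records if predicate(r))
    return laplace_mechanism(exact, 1.0, epsilon, rng)


def empirical_mean_abs(scale: float, n: int, seed: int) -> float:
    """Sanity check for the sampler: E|X| = scale when X ~ Laplace(0, scale)."""
    rng = random.Random(seed)
    return sum(abs(laplace_sample(scale, rng)) for _ in range(n)) / n


if __name__ == "__main__":
    # Constructed records; a real deployment would also track the privacy budget spent per release.
    records = [{"dept": d, "flagged": f} for d, f in
               [("ops", True), ("ops", False), ("dev", True), ("dev", True), ("sec", False)]]
    print("noisy count of flagged records (eps=0.5):",
          private_count(records, lambda r: r["flagged"], 0.5, random.Random(2024)))
```

The noise scale grows as ε shrinks, so the same query answered with ε = 0.1 is ten times noisier than with ε = 1; repeated releases of the same statistic compose, and the budget spent across them has to be accounted for, which the snippet deliberately leaves to the caller.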
- large language model : see document
- Large Volume Pump : see document
- Large-Scale Integration : see document
- Large-Scale Processing Environment : see document
- Last Numbers Dialed : see document
- A log of last numbers dialed, similar to that kept on the phone, but kept on the SIM without a timestamp.
- Latency : see document
- Time delay in processing voice packets.
- Latin America and Caribbean Network Information Centre : see document
- The Internet Address Registry for Latin America and the Caribbean, responsible for assigning and managing Internet number resources for their region.
- Latin American and Caribbean IP Address Regional Registry : see document
- Launch Control Policy : see document
- Law Enforcement : see document
- Law Enforcement Officer : see document
- lawful government purpose : see document
- Any activity, function, operation, or other circumstance the Government authorizes; also the standard to apply when determining whether individuals, organizations, or groups of users may receive or access controlled unclassified information (CUI) that is not subject to a limited dissemination control authorized by the CUI Executive Agent.
- Layer 2 Forwarding : see document
- Layer 2 Tunneling Protocol : see document
- Layer 2 VPN : see document
- Layer Two Tunneling Protocol : see document
- Layered Binary Label : see document
- Label that has only one design and is applied to IoT products that meet appropriate requirements but allows for unique layers that provide specific information about the IoT product (e.g., URL or scannable code).
- layered COTS product solutions : see document
- Commercial information assurance (IA) and IA-enabled information technology (IT) components used in layered solutions approved by the National Security Agency (NSA) to protect information carried on national security systems (NSSs).
See commercial solutions for classified.
- LCC : see document
- LCD : see document
- LCMS : see document
- LCP : see document
- LDA : see document
- LDAP : see document
- The Lightweight Directory Access Protocol, or LDAP, is a directory access protocol. In this document, LDAP refers to the protocol defined by RFC 1777, which is also known as LDAP V2. LDAP V2 describes unauthenticated retrieval mechanisms.
- LDAPS : see document
- LE : see document
- leading indicator : see document
- A predictive metric that tracks events or behaviors that precede incidents.
- Lean Execution System : see document
- leap second : see document
- A second added to Coordinated Universal Time (UTC) to make it agree with astronomical time to within 0.9 second. UTC is an atomic time scale based on the performance of atomic clocks. Astronomical time is based on the rotational rate of the Earth. Since atomic clocks are more stable than the rate at which the Earth rotates, leap seconds are needed to keep the two time scales in agreement.
- learners : see document
- Individuals who perform cybersecurity work, including students, job seekers, and employees.
- Learning Management System : see document
- learning objectives : see document
- Identifies the outcomes that the learning program sub-component or module should strive to meet for each of the participants and their associated roles in reducing, managing, and mitigating risks.
- learning program : see document
- Consists of numerous elements led by the learning program managers, who develop a strategic plan to deliver a right-sized program to reduce organizational cybersecurity and privacy risks via workforce education and training. Operates throughout the year and incorporates plans for ongoing improvements that are based on rigorous assessments and metrics that support compliance and other mandated reporting.
- learning program plan : see document
- A formal document that provides an overview of an agency’s cybersecurity and privacy learning program, including a description of its structure, the resources dedicated to it, the roles of senior agency officials and staff, and the strategic goals and objectives of the learning program to meet applicable privacy requirements and manage privacy risks.
- Learning With Errors : see document
- Learning With Rounding : see document
- Least common multiple : see document
- The smallest positive integer that is divisible by two or more positive integers without a remainder. For example, the least common multiple of 2 and 3 is 6.
- The smallest positive integer that is divisible by two positive integers without a remainder. For example, the least common multiple of 2 and 3 is 6.
- least significant bit(s) : see document
- The right-most bit(s) of a bit string.
- least trust : see document
- The principle that a security architecture should be designed in a way that minimizes 1) the number of components that require trust; and 2) the extent to which each component is trusted.
- LED : see document
- Ledger : see document
- A record of transactions.
- Legacy Environment : see document
- A Custom environment containing older systems or applications that may need to be secured to meet today’s threats, but often use older, less secure communication mechanisms and need to be able to communicate with other systems.
- Typical Custom environment usually involving older systems or applications.
- Custom environment usually involving older systems or applications.
- legacy use : see document
- The algorithm or key length may be used only to process already protected information (e.g., to decrypt ciphertext data or to verify a digital signature).
- Leighton-Micali One-Time Signature : see document
- Leighton-Micali signature : see document
- Lempel-Ziv Complexity Test : see document
- The purpose of the test is to determine how far the tested sequence can be compressed. The sequence is considered to be non-random if it can be significantly compressed.
- Lempel-Ziv-Stac : see document
- LEO : see document
- LEP : see document
- LES : see document
- Lesser General Public License : see document
- Letter of Interest : see document
- LEV : see document
- level 1 : see document
- The risk management level that addresses overall risk strategy, policies, and procedures for the entire organization. Also refers to any element that is meant to be evaluated by Level 1 personnel.
- level 2 : see document
- The risk management level that addresses the risk strategy, policies, and procedures for a specific mission or business process (but not the entire organization). Also refers to any element that is meant to be evaluated by Level 2 personnel.
- level 3 : see document
- The risk management level that implements ISCM for specific systems. Also refers to any element that is meant to be evaluated by Level 3 personnel.
- level of assurance : see document
- OMB Memorandum M-04-04 describes four levels of identity assurance and references NIST technical standards and guidelines, which are developed for agencies to use in identifying the appropriate authentication technologies that meet their requirements.
- LF : see document
- LFSR : see document
- LGPL : see document
- life cycle : see document
- Evolution of a system, product, service, project, or other human-made entity.
- Evolution of a system, product, service, project, or other human-made entity from conception through retirement.
- Evolution of a system, product, service, project or other human-made entity from conception through retirement.
- life cycle model : see document
- Framework of processes and activities concerned with the life cycle that may be organized into stages, which also acts as a common reference for communication and understanding.
- life cycle security concepts : see document
- The processes, methods, and procedures associated with the system throughout its life cycle and provides distinct contexts for the interpretation of system security. Life cycle security concepts apply during program management, development, engineering, acquisition, manufacturing, fabrication, production, operations, sustainment, training, and retirement.
- life cycle stages : see document
- Period that begins when a system is conceived and ends when the system is no longer available for use.
- The period of time that begins when a system is conceived and ends when the system is no longer available for use.
Refer to life cycle stages.
- Light-Emitting Diode : see document
- Lightweight Directory Access Protocol (LDAP) : see document
- The Lightweight Directory Access Protocol, or LDAP, is a directory access protocol. In this document, LDAP refers to the protocol defined by RFC 1777, which is also known as LDAP V2. LDAP V2 describes unauthenticated retrieval mechanisms.
- The LDAP is a directory access protocol. In this document, LDAP refers to the protocol defined by RFC 1777, which is also known as LDAP V2. LDAP V2 describes unauthenticated retrieval mechanisms.
- Lightweight Directory Access Protocol Secure : see document
- Lightweight Directory Access Protocol Server : see document
- Lightweight node : see document
- A blockchain node that does not need to store a full copy of the blockchain and often passes its data to full nodes to be processed.
- likelihood : see document
- A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability
- A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities.
- chance of something happening
- Chance of something happening.
- likelihood of occurrence : see document
- A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities.
- See likelihood of occurrence.
- likelihood ratio test : see document
- A statistical test aimed at distinguishing between two competing models that could have produced an observed event based on a comparison of the likelihoods of the observed event, given the two models.
- Likely Exploited Vulnerabilities : see document
- Limit, Specification : see document
- A condition indicating that risk has exceeded acceptable levels and that immediate action is needed to reduce the risk, or the system/assessment object may need to be removed from production (lose authority to operate).
- See Limit, Specification.
- limited dataset : see document
- A limited data set is protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual (i) Names; (ii) Postal address information, other than town or city, State, and zip code; (iii) Telephone numbers; (iv) Fax numbers; (v) Electronic mail addresses; (vi) Social security numbers; (vii) Medical record numbers; (viii) Health plan beneficiary numbers; (ix) Account numbers; (x) Certificate/license numbers; (xi) Vehicle identifiers and serial numbers, including license plate numbers; (xii) Device identifiers and serial numbers; (xiii) Web Universal Resource Locators (URLs); (xiv) Internet Protocol (IP) address numbers; (xv) Biometric identifiers, including finger and voice prints; and (xvi) Full face photographic images and any comparable images. Limited data sets can contain complete dates, age to the nearest hour, city, state, and complete ZIP code.
- line conditioning : see document
- Elimination of unintentional signals or noise induced or conducted on a telecommunications or information system signal, power, control, indicator, or other external interface line.
- line conduction : see document
- Unintentional signals or noise induced or conducted on a telecommunications or information system signal, power, control, indicator, or other external interface line.
- line of business : see document
- The following Office of Management and Budget (OMB)-defined process areas common to virtually all federal agencies: Case Management, Financial Management, Grants Management, Human Resources Management, Federal Health Architecture, Information Systems Security, Budget Formulation and Execution, Geospatial, and information technology (IT) Infrastructure.
- The following OMB-defined process areas common to virtually all federal agencies: Case Management, Financial Management, Grants Management, Human Resources Management, Federal Health Architecture, Information Systems Security, Budget Formulation and Execution, Geospatial, and IT Infrastructure.
- Lineage : see document
- The history of processing of a data element, which may include point-to-point data flows and the data actions performed upon the data element.
- Linear Complexity Test : see document
- The purpose of this test is to determine whether or not the sequence is complex enough to be considered random.
- Linear Dependence : see document
- In the context of the binary rank matrix test, linear dependence refers to m-bit vectors that may be expressed as a linear combination of the linearly independent m-bit vectors.
- Linear Equivalence Problem : see document
- Linear Feedback Shift Register : see document
- linear temporal logic : see document
- Lines of Business : see document
- “Lines of business” or “areas of operation” describe the purpose of government in functional terms or describe the support functions that the government must conduct in order to effectively deliver services to citizens. Lines of business relating to the purpose of government tend to be mission-based, and the purposes tend to be mechanisms the government uses to achieve its mission. Lines of business relating to support functions and resource management functions that are necessary to conduct government operations tend to be common to most agencies. The recommended information types provided in NIST SP 800-60 are established from the “business areas” and “lines of business” from OMB’s Business Reference Model (BRM) section of Federal Enterprise Architecture (FEA) Consolidated Reference Model Document Version 2.3.
- Link Aggregate : see document
- Link Control Protocol : see document
- link encryption : see document
- Encryption of information between nodes of a communications system.
- Link Layer Discovery Protocol (IEEE 802.1AB) : see document
- Link Layer Protocol : see document
- linkable information : see document
- Information about or related to an individual for which there is a possibility of logical association with other information about the individual.
- information about or related to an individual for which there is a possibility of logical association with other information about the individual
- linked information : see document
- Information about or related to an individual that is logically associated with other information about the individual.
- information about or related to an individual that is logically associated with other information about the individual
- linking attack : see document
- An approach for exposing information specific to individuals in a de‐identified dataset by matching up records with a second dataset.
- Linking the Oil and Gas Industry to Improve Cybersecurity : see document
- Linux Container : see document
- Linux, Apache, MySQL, PHP : see document
- Liquefied Natural Gas : see document
- Liquid Crystal Display : see document
- Liskov-Rivest-Wagner : see document
- literacy : see document
- An individual’s familiarity with a basic set of knowledge.
- little-endian : see document
- The property of a byte string having its bytes positioned in order of increasing significance. In particular, the leftmost (first) byte is the least significant, and the rightmost (last) byte is the most significant. The term “little-endian” may also be applied in the same manner to bit strings (e.g., the 8-bit string 11010001 corresponds to the byte <span class="math-tex">\(2^0+2^1+2^3+2^7=139\)</span>).
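As an added example (not from the source document), a few conversion routines that make the bit-ordering rule above concrete in both directions, for bit strings and for byte strings; the only inputs are the bit string from the definition and constructed byte strings.

```python
def _check_bits(bits: str) -> None:
    if not bits or any(b not in "01" for b in bits):
        raise ValueError("bit string must be a non-empty string of 0s and 1s")


def bits_little_endian_to_int(bits: str) -> int:
    """Little-endian bit string: the leftmost (first) bit is bit 0, the least significant."""
    _check_bits(bits)
    return sum(1 << i for i, b in enumerate(bits) if b == "1")


def bits_big_endian_to_int(bits: str) -> int:
    """Big-endian bit string: the leftmost bit is the most significant (what int(bits, 2) assumes)."""
    _check_bits(bits)
    return int(bits, 2)


def int_to_bits_little_endian(x: int, s: int) -> str:
    """Inverse of bits_little_endian_to_int: write x as an s-bit little-endian string, requiring x < 2**s."""
    if s <= 0 or x < 0 or x >= 1 << s:
        raise ValueError("need s > 0 and 0 <= x < 2**s")
    return "".join("1" if (x >> i) & 1 else "0" for i in range(s))


def bytes_to_int(data: bytes, little_endian: bool) -> int:
    """The same idea one level up: which *byte* of the string is least significant."""
    return int.from_bytes(data, "little" if little_endian else "big")


if __name__ == "__main__":
    print("11010001 little-endian =", bits_little_endian_to_int("11010001"))  # 139, as in the definition
    print("11010001 big-endian    =", bits_big_endian_to_int("11010001"))     # 209
    print("8b 00 little-endian    =", bytes_to_int(b"\x8b\x00", True))        # 139 again
```

Most wire formats fix endianness at the byte level while still writing the bits inside each byte most-significant first, so when a specification says "little-endian" it is worth checking which level it means before reusing a decoder.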
- Live Entropy Source : see document
- An approved entropy source (see [NIST SP 800-90B]) that can provide an RBG with bits having a specified amount of entropy immediately upon request or within an acceptable amount of time, as determined by the user or application relying upon that RBG.
- LKH : see document
- LKM : see document
- LLDP : see document
- LLM : see document
- LLP : see document
- LMD : see document
- LMD/KP : see document
- LM-OTS : see document
- LMR : see document
- LMS : see document
- LND : see document
- a log of last numbers dialed, similar to that kept on the phone, but kept on the SIM without a timestamp.
- LNG : see document
- LOA : see document
- Loadable Kernel Module : see document
- LOC : see document
- local access : see document
- Access to an organizational information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.
- Access to an organizational system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.
- Local Area Network (LAN) : see document
- A group of computers and other devices dispersed over a relatively limited area and connected by a communications link that enables any device to interact with any other on the network.
- local authority : see document
- Organization responsible for generating and signing user certificates in a public key infrastructure (PKI)-enabled environment.
- local COMSEC management software (LCMS) : see document
- Application-level software on the local management device (LMD) that provides for the management of key, physical COMSEC materials, non-cryptographic services, and communications. Through a graphical interface, the LCMS automates the functions of the COMSEC Account Manager, including accounting, auditing, distribution, ordering, and production. Programs and systems that have specialized key management requirements have software shell programs (known as user applications software (UAS)) that run on the LMD with the LCMS software to provide custom functionality.
- Local Defect Checks : see document
- The defect checks that an organization adds to Foundational defect checks based on an assessment of its own needs and risk tolerance. A local defect check supports or strengthens the Foundational defect checks. Agencies might choose not to apply a given local defect check in cases where the supporting controls have not been selected/implemented.
- Local Delivery Agent (LDA) : see document
- A program running on a mail server that delivers messages between a sender and recipient if their mailboxes are both on the same mail server. An LDA may also process the message based on a predefined message filter before delivery.
- local element : see document
- A user to whom COMSEC material has been issued a hand receipt. Known in EKMS and KMI as a Local Element.
- Local Interface : see document
- An interface that can only be accessed physically, such as a port (e.g., USB, audio, video/display, serial, parallel, Thunderbolt) or a removable media drive (e.g., CD/DVD drive, memory card slot).
- local management device (LMD) : see document
- The component in electronic key management system (EKMS) that provides electronic management of key and other COMSEC material and serves as an interface to the Key Processor. (It is composed of a user-supplied personal computer, an operating system, LCMS and user application software (UAS), as required).
- Local Management Device/Key Processor : see document
- Local Preference : see document
- Local Public Safety Department : see document
- local registration authority (LRA) : see document
- A registration authority with responsibility for a local community.
- Local Remediation Level : see document
- measures the level of protection against a misuse vulnerability within the local IT environment and captures both how widespread mitigation implementation is and how effective such mitigation is.
- Local Traffic Manager : see document
- Local Vulnerability Prevalence : see document
- measures the prevalence of vulnerable systems in a specific environment.
- Location : see document
- Location Information (LOCI) : see document
- The Location Area Identifier (LAI) of the phone’s current location, continuously maintained on the (C/U)SIM when the phone is active and saved whenever the phone is turned off.
- the Location Area Identifier (LAI) of the phone’s current location, continuously maintained on the SIM when the phone is active and saved whenever the phone is turned off.
- Lock Pointer : see document
- A memory pointer that points to a target area of memory and write protects all memory locations less than the target location. This form of access control is implemented in ISO/IEC 18000-3.
- loc-RIB : see document
- Routes selected from the adj-RIB-In table.
- Log : see document
- A record of the events occurring within an organization’s systems and networks.
- Log Analysis : see document
- Studying log entries to identify events of interest or suppress log entries for insignificant events.
- Log Archival : see document
- Retaining logs for an extended period of time, typically on removable media, a storage area network (SAN), or a specialized log archival appliance or server.
- Log Clearing : see document
- Removing all entries from a log that precede a certain date and time.
- Log Compression : see document
- Storing a log file in a way that reduces the amount of storage space needed for the file without altering the meaning of its contents.
- Log Conversion : see document
- Parsing a log in one format and storing its entries in a second format.
- Log Entry : see document
- An individual record within a log.
- Log File Integrity Checking : see document
- Comparing the current message digest for a log file to the original message digest to determine if the log file has been modified.
- Log Management : see document
- The process for generating, transmitting, storing, analyzing, and disposing of log data.
- Log Management Infrastructure : see document
- The hardware, software, networks, and media used to generate, transmit, store, analyze, and dispose of log data.
- Log Normalization : see document
- Converting each log data field to a particular data representation and categorizing it consistently.
- The conversion of information into consistent representations and categorizations.
- Log Parsing : see document
- Extracting data from a log so that the parsed values can be used as input for another logging process.
- Log Preservation : see document
- Keeping logs that normally would be discarded, because they contain records of activity of particular interest.
- Log Reduction : see document
- Removing unneeded entries from a log to create a new log that is smaller.
- Log Reporting : see document
- Displaying the results of log analysis.
- Log Retention : see document
- Archiving logs on a regular basis as part of standard operational activities.
- Log Rotation : see document
- Closing a log file and opening a new log file when the first log file is considered to be complete.
- Log Viewing : see document
- Displaying log entries in a human-readable format.
- logic bomb : see document
- A piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met.
- Logic Elements : see document
- logical access control system : see document
- An automated system that controls an individual’s ability to access one or more computer system resources such as a workstation, network, application, or database. A logical access control system requires validation of an individual’s identity through some mechanism such as a PIN, card, biometric, or other token. It has the capability to assign different access privileges to different persons depending on their roles and responsibilities in an organization.
- An automated system that controls an individual’s ability to access one or more computer system resources such as a workstation, network, application, or database. A logical access control system requires validation of an individual’s identity through some mechanism such as a personal identification number (PIN), card, biometric, or other token. It has the capability to assign different access privileges to different persons depending on their roles and responsibilities in an organization.
- An automated system that controls an individual’s ability to access one or more computer system resources, such as a workstation, network, application, or database. A logical access control system requires the validation of an individual’s identity through some mechanism, such as a PIN, card, biometric, or other token. It has the capability to assign different access privileges to different individuals depending on their roles and responsibilities in an organization.
- Logical Backup : see document
- A copy of the directories and files of a logical volume.
- Logical Identifier : see document
- A device identifier that is expressed logically by the device’s software. An example is a media access control (MAC) address assigned to a network interface.
- Logical Key Hierarchy : see document
- Logical Link Control and Adaptation Protocol : see document
- Logical Partition : see document
- Logical partitioning : see document
- The hypervisor allowing multiple guest OSs to share the same physical resources.
- logical perimeter : see document
- A conceptual perimeter that extends to all intended users of the system, both directly and indirectly connected, who receive output from the system without a reliable human review by an appropriate authority. The location of such a review is commonly referred to as an “air gap”.
- Logical Test : see document
- An expression comprised of logical operators and one or more expressions to be evaluated. The individual expressions within a logical test may be fact references, check fact references, and/or other logical tests.
- Logical Unit Number : see document
- Logical Volume : see document
- A partition or a collection of partitions acting as a single entity that has been formatted with a filesystem.
- Logical Volume Manager : see document
- LOGIIC : see document
- login : see document
- The establishment of an authenticated session between a person and a system. Also known as “sign in,” “log on,” or “sign on.”
- logistic regression : see document
- A type of linear classifier that predicts the probability of an observation being part of a class.
- Logo : see document
- The NIST National Checklist Program logo.
- NIST National Checklist Program logo.
- LOI : see document
- Long Range Alliance : see document
- Long Runs of Ones Test : see document
- The purpose of this test is to determine whether the longest run of ones within the tested sequence is consistent with the longest run of ones that would be expected in a random sequence.
- Long Short-Term Memory : see document
- long title : see document
- The descriptive title of a COMSEC item.
- Longest Repeated Substring : see document
- Longitudinal Redundancy Code : see document
- Long-Term Evolution : see document
- Long-Term Key : see document
- Long-Term Support : see document
- Look-Up Table : see document
- Loop-Back Mode : see document
- An operating system facility that allows a device to be mounted via a loopback address and viewed logically on the PC.
- LoRa Alliance : see document
- Los Alamos National Laboratory : see document
- Low Energy : see document
- Low Frequency : see document
- low impact : see document
- The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
- The loss of confidentiality, integrity, or availability that could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States (i.e., 1) causes a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; 2) results in minor damage to organizational assets; 3) results in minor financial loss; or 4) results in minor harm to individuals).
- The loss of confidentiality, integrity, or availability that could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States; (i.e., 1) causes a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; 2) results in minor damage to organizational assets; 3) results in minor financial loss; or 4) results in minor harm to individuals).
- Low Pin Count : see document
- low probability of detection (LPD) : see document
- Result of measures used to hide or disguise intentional electromagnetic transmissions.
- low probability of intercept (LPI) : see document
- Result of measures used to resist attempts by adversaries to analyze the parameters of a transmission to determine if it is a signal of interest.
- low probability of positioning : see document
- Result of measures used to resist attempts by adversaries to determine the location of a particular transmitter.
- Low Rate Initial Production : see document
- low‐dimensional : see document
- A statistic composed of few numbers—e.g. a single count, or a histogram with 5 bins.
- Low-Earth Orbit : see document
- low-impact system : see document
- An information system in which all three security objectives (i.e., confidentiality, integrity, and availability) are assigned a FIPS 199 potential impact value of low.
- An information system in which all three security objectives (i.e., confidentiality, integrity, and availability) are assigned a FIPS Publication 199 potential impact value of low.
- An information system in which all three security properties (i.e., confidentiality, integrity, and availability) are assigned a FIPS PUB 199 potential impact value of low.
Note: For National Security Systems, CNSSI No. 1253 does not adopt this FIPS PUB 200 high water mark across security objectives.
- A system in which all three security objectives (i.e., confidentiality, integrity, and availability) are assigned a FIPS Publication 199 potential impact value of low.
- low-power transmitter : see document
- For the purposes of determining separation between RED equipment/lines and radio frequency (RF) transmitters, low-power is that which is less than or equal to 100 mW (20 dBm) effective isotropic radiated power (EIRP). Examples of low-power transmitters are wireless devices for local communications that do not need a Federal Communications Commission (FCC) license, such as some IEEE 802.11X network access points, and portable (but not cellular) telephones.
- LP : see document
- LPAR : see document
- LPC : see document
- LPD : see document
- LPI : see document
- LPSD : see document
- LRA : see document
- LRC : see document
- LRIP : see document
- LRS : see document
- LRW : see document
- LSB : see document
- LSB<i><sub>s</sub></i>(<i>X</i>) : see document
- The bit string consisting of the s right-most bits of the bit string X.
- LSI : see document
- LSPE : see document
- LSTM : see document
- LTE : see document
- LTE air interface : see document
- LTK : see document
- LTL : see document
- LTM : see document
- LTS : see document
- LUN : see document
- LUT : see document
- LVM : see document
- LVP : see document
- LWE : see document
- LWR : see document
- LXC : see document
- LZS : see document
- M&S : see document
- M2M : see document
- MA : see document
- Any act that either prevents the failure or malfunction of equipment or restores its operating capability.
- The process of managing PIV Cards or Derived PIV Credentials (and its token) once they are issued. It includes re-issuance, post issuance updates, and termination.
- An application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Note: All federal applications require some level of protection. Certain applications, because of the information in them, however, require special management oversight and should be treated as major. Adequate security for other applications should be provided by security of the systems in which they operate.
- Any act that either prevents the failure or malfunction of IoT device and supporting equipment or restores its operating capability.
- MAB : see document
- MAC : see document
- A family of secret-key cryptographic algorithms acting on input data of arbitrary length to produce an output value of a specified length (called the MAC of the input data). The MAC can be employed to provide an authentication of the origin of data and/or data-integrity protection. In this Recommendation, approved MAC algorithms are used to determine families of pseudorandom functions (indexed by the choice of key) that are employed during key derivation.
- A means of restricting access to objects based on the sensitivity (as represented by a security label) of the information contained in the objects and the formal authorization (i.e., clearance, formal access approvals, and need-to-know) of subjects to access information of such sensitivity. Mandatory Access Control is a type of nondiscretionary access control.
- An access control policy that is uniformly enforced across all subjects and objects within the boundary of an information system. A subject that has been granted access to information is constrained from doing any of the following: (i) passing the information to unauthorized subjects or objects; (ii) granting its privileges to other subjects; (iii) changing one or more security attributes on subjects, objects, the information system, or system components; (iv) choosing the security attributes to be associated with newly-created or modified objects; or (v) changing the rules governing access control. Organization-defined subjects may explicitly be granted organization-defined privileges (i.e., they are trusted subjects) such that they are not limited by some or all of the above constraints.
- Message Authentication Code.
- a data authenticator generated from the message, usually through cryptographic techniques. In general, a cryptographic key is also required as an input.
- A means of restricting access to system resources based on the sensitivity (as represented by a label) of the information contained in the system resource and the formal authorization (i.e., clearance) of users to access information of such sensitivity.
- A hardware address that uniquely identifies each component of an IEEE 802-based network. On networks that do not conform to the IEEE 802 standards but do conform to the OSI Reference Model, the node address is called the Data Link Control (DLC) address.
- A cryptographic checksum on data that uses a symmetric key to detect both accidental and intentional modifications of the data.
- MAC algorithm : see document
- An algorithm that computes a MAC from a message and a key.
- MAC Authentication Bypass : see document
- MAC Chaining Value : see document
- A 16-byte value that is an input to the CMAC function and used to detect communication errors in duplicate or missing commands.
- MAC key : see document
- A symmetric key used as input to a security function to produce a message authentication code (MAC).
- MAC tag : see document
- Data obtained from the output of a MAC algorithm that can be used by an entity to verify the integrity and the origination of the information used as input.
- Data obtained from the output of a MAC algorithm (possibly by truncation) that can be used by an entity to verify the integrity and the origination of the information used as input to the MAC algorithm.
- Data obtained from the output of a MAC algorithm that can be used by an entity to verify the integrity and the origination of the information used as input to the MAC algorithm.
- Machine Learning : see document
- The development and use of computer systems that adapt and learn from data with the goal of improving accuracy.
- Machine Owner Key : see document
- Machine Readable Table : see document
- Machine Readable Travel Document : see document
- Machine to Machine : see document
- machine unlearning : see document
- A technique that involves selectively removing the influences of specific training data points from a trained machine learning model, such as to remove unwanted capabilities or knowledge in a foundation model, or to enable a user to request the removal of their records from a model. Efficient approximate unlearning techniques may not require retraining the ML model from scratch.
- Machine-Readable : see document
- Product output that is in a structured format, typically XML, which can be consumed by another program using consistent processing logic.
- MacKeyBits : see document
- The bit length of MacKey such that MacKeyBits = 8 × MacKeyLen.
- macOS Security Compliance Project : see document
- MacOutputBits : see document
- The bit length of the MAC output block such that MacOutputBits = 8 × MacOutputLen.
- MacOutputLen : see document
- The byte length of the MAC output block.
- macro virus : see document
- A virus that attaches itself to documents and uses the macro programming capabilities of the document’s application to execute and propagate.
- A specific type of computer virus that is encoded as a macro embedded in some document and activated when the document is handled.
- MACsec : see document
- MACsec Key Agreement : see document
- MacTagBits : see document
- The bit length of the MAC tag such that MacTagBits = 8 × MacTagLen.
- MAG : see document
- Magnetic Media : see document
- A class of storage device that uses only magnetic storage media for persistent storage, without the assistance of heat (i.e., heat-assisted magnetic recording (HAMR)) or the additional use of other persistent storage media such as flash memory-based media.
- magnetic remanence : see document
- Magnetic representation of residual information remaining on a magnetic medium after the medium has been cleared. See clearing.
- Magnetic Resonance Imaging : see document
- Magneto Optical : see document
- Mail Delivery Agent : see document
- Mail Exchange : see document
- Mail Exchanger : see document
- Mail Server : see document
- A host that provides “electronic post office” facilities. It stores incoming mail for distribution to users and forwards outgoing mail. The term may refer to just the application that performs this service, which can reside on a machine with other services, but for this document the term refers to the entire host including the mail server application, the host operating system and the supporting hardware.
- Mail Server Administrator : see document
- The mail server equivalent of a system administrator. Mail server administrators are system architects responsible for the overall design and implementation of mail servers.
- Mail Submission Agent : see document
- Mail Transfer Agent (MTA) : see document
- A program running on a mail server that receives messages from mail user agents or other MTAs and either forwards them to another MTA or, if the recipient is on the MTA, delivers the message to the local delivery agent (LDA) for delivery to the recipient. Common MTAs include Microsoft Exchange and sendmail.
- Mail User Agent (MUA) : see document
- A mail client application used by an end user to access a mail server to read, compose, and send email messages. Common MUAs include Microsoft Outlook and Mozilla Thunderbird.
- maintenance key : see document
- Key intended only for off-the-air, in-shop use. Maintenance key may not be used to protect classified or sensitive U.S. Government information. Also known as bench test key.
- major application : see document
- An application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application.
Note: All federal applications require some level of protection. Certain applications, because of the information in them, however, require special management oversight and should be treated as major. Adequate security for other applications should be provided by security of the systems in which they operate.
- An application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Note: All federal applications require some level of protection. Certain applications, because of the information in them, however, require special management oversight and should be treated as major. Adequate security for other applications should be provided by security of the systems in which they operate.
- An application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to, or modification of, the information in the application. A breach in a major application might comprise many individual application programs and hardware, software, and telecommunications components. Major applications can be either major software applications or a combination of hardware/software where the only purpose of the system is to support a specific mission-related function.
- Major Information System : see document
- An information system that requires special management attention because of its importance to an agency mission; its high development, operating, or maintenance costs; or its significant role in the administration of agency programs, finances, property, or other resources.
- Major Revision : see document
- Any increase in the version of an SCAP component’s specification or SCAP related data set that involves substantive changes that will break backwards compatibility with previous releases.
- Major version update : see document
- A revision of a specification that breaks backward compatibility with the previous revision of the specification in numerous significant ways.
- majority judgment algorithm : see document
- An inter-level judgment conflict resolution algorithm where the judgment that occurs most frequently is taken as the result. If more than one judgment occurs the greatest number of times, then the weakest such judgment is the result.
- MAL : see document
- malicious cyber activity : see document
- Activities, other than those authorized by or in accordance with U.S. law, that seek to compromise or impair the confidentiality, integrity, or availability of computers, information or communications systems, networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon.
- malware : see document
- An application that is covertly inserted into another piece of software (e.g., operating system, application) with the intent to steal or destroy data, run destructive or intrusive programs, or otherwise compromise the confidentiality, integrity, or availability of the victim’s data, applications, or operating system.
- Software or firmware intended to perform an unauthorized process that will have an adverse impact on the confidentiality, integrity, or availability of a system. Examples of malicious code include viruses, worms, Trojan horses, spyware, some forms of adware, or other code-based entities that infect a host.
- Hardware, firmware, or software that is intentionally included or inserted in a system for a harmful purpose.
- Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code.
- A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or of otherwise annoying or disrupting the victim.
- See malicious code and malicious logic.
- Software designed and operated by an adversary to violate the security of a computer (includes spyware, virus programs, root kits, and Trojan horses).
- Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of a system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code.
- A program that is written intentionally to carry out annoying or harmful actions, which includes Trojan horses, viruses, and worms.
- A virus, worm, Trojan horse, or other code-based malicious entity that successfully infects a host.
- A computer program that is covertly placed onto a computer with the intent to compromise the privacy, accuracy, or reliability of the computer’s data, applications, or operating system.
- A program that is covertly inserted into another program with the intent to destroy data, run destructive or intrusive programs, or otherwise compromise the confidentiality, integrity, or availability of the victim’s data, applications, or operating system.
- See malicious code.
- Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host.
- Software or firmware intended to perform an unauthorized process that will have adverse impacts on the confidentiality, integrity, or availability of a system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code.
- A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system.
- A computer program that is covertly placed onto a computer with the intent to compromise the privacy, accuracy, or reliability of the computer’s data, applications, or OS. Common types of malware threats include viruses, worms, malicious mobile code, Trojan horses, rootkits, and spyware.
- MAM : see document
- MAN : see document
- Manage Boundaries : see document
- An ISCM capability that addresses the following network and physical boundary areas:
Physical Boundaries – Ensure that movement (of people, media, equipment, etc.) into and out of the physical facility does not compromise security.
Filters – Ensure that traffic into and out of the network (and thus out of the physical facility protection) does not compromise security. Do the same for enclaves that subdivide the network.
Other – Ensure that information is protected (with adequate strength) when needed to protect confidentiality and integrity, whether that information is in transit or at rest.
- See Capability, Boundary Management.
- Manage Credentials and Authentication : see document
- An ISCM capability that ensures that people have the credentials and authentication methods necessary (and only those necessary) to perform their duties, while limiting access to that which is necessary.
- See Capability, Credentials and Authentication Management.
- Manage Privileges : see document
- An ISCM capability that ensures that people have the privileges necessary (and only those necessary) to perform their duties, to limit access to that which is necessary.
- See Capability, Privilege and Account Management.
- Manageability : see document
- Providing the capability for the granular administration of data, including alteration, deletion, and selective disclosure.
- Providing the capability for the granular administration of personal information, including alteration, deletion, and selective disclosure.
- Providing the capability for granular administration of personally identifiable information, including alteration, deletion, and selective disclosure.
- Per NISTIR8062: Providing the capability for granular administration of personally identifiable information, including alteration, deletion, and selective disclosure.
- Providing the capability for granular administration of data, including alteration, deletion, and selective disclosure.
- Providing the capability for granular administration of PII including alteration, deletion, and selective disclosure.
- Manageability Engine : see document
- Managed Detection and Response : see document
- Managed Devices : see document
- Personal computers, laptops, mobile devices, virtual machines, and infrastructure components require management agents, allowing information technology staff to discover, maintain, and control them. Those with broken or missing agents cannot be seen or managed by agent-based security products.
- Personal computers, laptops, mobile devices, virtual machines, and infrastructure components require management agents, allowing information technology staff to discover, maintain, and control these devices. Those with broken or missing agents cannot be seen or managed by agent-based security products.
- Managed Environment : see document
- Environment comprising centrally managed IT products, everything ranging from servers and printers to desktops, laptops, smartphones, and tablets.
- Inward-facing environment that is typically very structured and centrally managed.
- Environment comprising centrally managed IT products.
- Managed Incident Lightweight Exchange : see document
- managed interface : see document
- An interface within an information system that provides boundary protection capability using automated mechanisms or devices.
- An interface within a system that provides boundary protection capabilities using automated mechanisms or devices.
- Managed Security Services Provider : see document
- Management : see document
- management client (MGC) : see document
- A configuration of a client node that enables a key management infrastructure (KMI) external operational manager to manage KMI products and services by either 1) accessing a PRSN or 2) exercising locally-provided capabilities. A management client (MGC) consists of a client platform and an advanced key processor (AKP).
- management controls : see document
- The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security.
- The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security.
Rationale: Listed for deletion in 2010 version of CNSS 4009.
- The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information security.
- management controls are actions taken to manage the development, maintenance, and use of the system, including system-specific policies, procedures, and rules of behavior, individual roles and responsibilities, individual accountability, and personnel security decisions.
- Restricting who can manage the computer to a limited number of known people
- Management Information Base : see document
- Management Network : see document
- management security controls : see document
- The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information systems security.
Rationale: Listed for deletion in 2010 version of CNSS 4009.
- Management stations : see document
- Systems with which only IT and network administrators interact
- Manager : see document
- An individual responsible for network resources (people, data, processing capability) who is charged with conducting business of an organization.
- mandate : see document
- A mandatory order or requirement under statute.
- mandatory access control (MAC) : see document
- A means of restricting access to objects based on the sensitivity (as represented by a security label) of the information contained in the objects and the formal authorization (i.e., clearance, formal access approvals, and need-to-know) of subjects to access information of such sensitivity. Mandatory Access Control is a type of nondiscretionary access control.
- An access control policy that is uniformly enforced across all subjects and objects within the boundary of an information system. A subject that has been granted access to information is constrained from doing any of the following: (i) passing the information to unauthorized subjects or objects; (ii) granting its privileges to other subjects; (iii) changing one or more security attributes on subjects, objects, the information system, or system components; (iv) choosing the security attributes to be associated with newly-created or modified objects; or (v) changing the rules governing access control. Organization-defined subjects may explicitly be granted organization-defined privileges (i.e., they are trusted subjects) such that they are not limited by some or all of the above constraints.
- See mandatory access control (MAC).
- Message Authentication Code.
- means that access control policy decisions are made by a central authority, not by the individual owner of an object. User cannot change access rights. An example of MAC occurs in military security, where an individual data owner does not decide who has a top-secret clearance, nor can the owner change the classification of an object from top-secret to secret.
- A means of restricting access to system resources based on the sensitivity (as represented by a label) of the information contained in the system resource and the formal authorization (i.e., clearance) of users to access information of such sensitivity.
- See Mandatory Access Control.
- An access control policy that is uniformly enforced across all subjects and objects within a system. A subject that has been granted access to information is constrained from: passing the information to unauthorized subjects or objects; granting its privileges to other subjects; changing one or more security attributes on subjects, objects, the system, or system components; choosing the security attributes to be associated with newly created or modified objects; or changing the rules for governing access control. Organization-defined subjects may explicitly be granted organization-defined privileges (i.e., they are trusted subjects) such that they are not limited by some or all of the above constraints. Mandatory access control is considered a type of nondiscretionary access control.
- mandatory modification (MAN) : see document
- A change to a COMSEC end-item, which the National Security Agency (NSA) requires to be completed and reported by a specified date. See optional modification.
- manipulative communications deception : see document
- Alteration or simulation of friendly telecommunications for the purpose of deception. See communications deception and imitative communications deception.
Rationale: Listed for deletion in 2010 version of CNSS 4009.
- manual cryptosystem : see document
- Cryptosystem in which the cryptographic processes are performed without the use of crypto-equipment or auto-manual devices.
- Manual key distribution : see document
- A non-automated means of transporting cryptographic keys by physically moving a device or document containing the key or key component.
- Manual key transport : see document
- A non-automated means of transporting cryptographic keys by physically moving a device or document containing the key or key component.
- A non-automated means of transporting cryptographic keys by physically moving a device or document containing the key or key share.
- A non-automated means of transporting cryptographic keys by physically moving a device, document or person containing or possessing the key or key component.
- manual remote rekeying : see document
- Synonymous with manual remote rekeying.
- Procedure by which a distant crypto-equipment is rekeyed electronically, with specific actions required by the receiving terminal operator. Synonymous with cooperative remote rekeying. See automatic remote rekeying.
- Manufacturer and User Facility Device Experience : see document
- Manufacturer Disclosure Statement for Medical Device Security : see document
- Manufacturer Usage Description (MUD) : see document
- A component-based architecture specified in Request for Comments (RFC) 8520 that is designed to provide a means for end devices to signal to the network what sort of access and network functionality they require to properly function.
- Manufacturing : see document
- Manufacturing Operations : see document
- Activities concerning the facility operation, system processes, materials input/output, maintenance, supply and distribution, health, and safety, emergency response, human resources, security, information technology and other contributing measures to the manufacturing enterprise.
- MAO : see document
- Maple : see document
- An interactive computer algebra system that provides a complete mathematical environment for the manipulation and simplification of symbolic algebraic expressions, arbitrary extended precision mathematics, two- and three-dimensional graphics, and programming.
- Mapping : see document
- An indication that one concept is related to another concept.
- Depiction of how data from one information source maps to data from another information source.
- MARAD : see document
- margin : see document
- The margin allocated during design based on assessments of uncertainty and unknowns. This margin is often consumed as the design matures.
- A spare amount or measure or degree allowed or given for contingencies or special situations. The allowances carried to account for uncertainties and risks.
- The margin that is designed explicitly to provide space between the worst normal operating condition and the point at which failure occurs (derives from physical design margin).
- Marine Transportation System : see document
- Maritime Administration : see document
- Market research : see document
- Collecting and analyzing information about capabilities within the market to satisfy agency needs.
- marking : see document
- The means used to associate a set of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies.
- The means used to associate a set of security attributes with objects in a human-readable form in order to enable organizational, process-based enforcement of information security policies.
- MASK : see document
- Mask Generation Function : see document
- masquerading : see document
- A type of threat action whereby an unauthorized entity gains access to a system or performs a malicious act by illegitimately posing as an authorized entity.
- Mass Casualty Incident : see document
- Massachusetts Institute of Technology : see document
- Master Boot Record : see document
- Master Control Unit : see document
- Master key : see document
- As used in this Recommendation, a key that is used during the key-expansion step of a key-derivation procedure to derive the secret output keying material. This key-derivation key is obtained from a shared secret during the randomness-extraction step.
- A key used as an input to a key-derivation method to derive other keys. See [NIST SP 800-108].
- A key used with a key-derivation function or method to derive additional keys. Sometimes called a master key.
- A key used as an input to a key-derivation method to derive other keys. See SP 800-108.
- A key used with a key-derivation method to derive additional keys. Sometimes called a master key.
- A key used as an input to a key-derivation method to derive other keys; see SP 800-108.
- A key used with a key-derivation function or method to derive additional keys. Also called a master key.
- Master Scenario Events List (MSEL) : see document
- A chronologically sequenced outline of the simulated events and key event descriptions that participants will be asked to respond to during an exercise.
- master services agreement : see document
- Master Session Key : see document
- Master Terminal Unit (MTU) : see document
- A controller that also acts as a server that hosts the control software that communicates with lower-level control devices, such as remote terminal units (RTUs) and programmable logic controllers (PLCs), over an OT network. In a SCADA system, this is often called a SCADA server, MTU, or supervisory controller.
- Match : see document
- Comparison decision stating that the biometric probe(s) and the biometric reference are from the same source. Match is a possible result of a Comparison. The opposite of a match is a non-match.
- match/matching : see document
- The process of comparing biometric information against a previously stored template(s) and scoring the level of similarity.
- The process of comparing biometric information against a previously stored biometric data and scoring the level of similarity.
- Matching : see document
- The process of determining whether two or more asset identification expressions refer to the same asset.
- matching agreement : see document
- A written agreement between a recipient agency and a source agency (or a non-Federal agency) that is required by the Privacy Act for parties engaging in a matching program.
- MATLAB : see document
- An integrated, technical computer environment that combines numeric computation, advanced graphics and visualization, and a high-level programming language. MATLAB includes functions for data analysis and visualization; numeric and symbolic computation; engineering and scientific graphics; modeling, simulation, and prototyping; and programming, application development, and GUI design.
- Matyas-Meyer-Oseas : see document
- MAUDE : see document
- MAV : see document
- max(x1, …, xn) : see document
- The maximum of the xi values
- Maximum Allowable Outage : see document
- Maximum allowed length of a prefix specified in RAO : see document
- Maximum Distance Separable : see document
- Maximum Foreseeable Loss : see document
- Maximum Prefix Length : see document
- Maximum Segment Size : see document
- Maximum Tolerable Downtime : see document
- The amount of time mission/business process can be disrupted without causing significant harm to the organization’s mission.
- Maximum Transmission Unit : see document
- MB : see document
- Mbps : see document
- MBR : see document
- MBSE : see document
- MC/DC : see document
- MCAA : see document
- MCC : see document
- MCI : see document
- MCM : see document
- MCPTT : see document
- MCU : see document
- MCV : see document
- A 16-byte value that is an input to the CMAC function and used to detect communication errors in duplicate or missing commands.
- MD : see document
- A hash that uniquely identifies data. Changing a single bit in the data stream used to generate the message digest will yield a completely different message digest.
- A digital signature that uniquely identifies data and has the property that changing a single bit in the data will cause a completely different message digest to be generated.
- A cryptographic checksum, typically generated for a file, that can be used to detect changes to the file. Synonymous with hash value/result.
- A digital signature that uniquely identifies data and has the property that changing a single bit in the data will cause a completely different message digest to be generated.
- The result of applying a hash function to a message.
- MD5 : see document
- MDA : see document
- MDISS : see document
- mDL : see document
- MDM : see document
- mDNS : see document
- MDPH : see document
- MDR : see document
- MDRAP : see document
- MDS : see document
- MDS2 : see document
- MDT : see document
- MDU : see document
- ME : see document
- MEA : see document
- mean time to detect : see document
- A metric that tracks the average amount of time that a problem exists before it is found.
- Mean Time To Failure : see document
- mean time to recovery : see document
- A metric that tracks the average amount of time that it takes to recover from a product or system failure.
- Means : see document
- “An agent, tool, device, measure, plan, or policy for accomplishing or furthering a purpose.”
- Measure of Effectiveness : see document
- Measure of Performance : see document
- Measured Launch Environment : see document
- Measured service : see document
- Cloud systems automatically control and optimize resource use by leveraging a metering capability [1] at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
- measurement : see document
- The process of obtaining quantitative values using quantitative methods.
- the process of data collection, analysis, and reporting
- Measurement, Control, & Automation Association : see document
- measures : see document
- Quantifiable and objective values that result from measurement.
- the results of data collection, analysis, and reporting
- MEC : see document
- mechanism : see document
- A process or system that is used to produce a particular result.
- The fundamental processes involved in or responsible for an action, reaction, or other natural phenomenon.
- A natural or established process by which something takes place or is brought about.
- A device or method for achieving a security-relevant purpose.
- A device or function designed to provide one or more security services usually rated in terms of strength of service and assurance of the design.
- An operating system entry point or separate operating system support program that performs a specific action or related group of actions.
- A process or system that is used to produce a particular result.
The fundamental processes involved in or responsible for an action, reaction, or other natural phenomenon.
A natural or established process by which something takes place or is brought about.
Refer to security mechanism.
Note: A mechanism can be technology- or nontechnology-based (e.g., apparatus, device, instrument, procedure, process, system, operation, method, technique, means, or medium).
- A method, tool, or procedure that is the realization of security requirements.
Note 1: A security mechanism exists in machine, technology, human, and physical forms.
Note 2: A security mechanism reflects security and trust principles.
Note 3: A security mechanism may enforce security policy and therefore must have capabilities consistent with the intent of the security policy.
- A process or system that is used to produce a particular result.
The fundamental processes involved in or responsible for an action, reaction, or other natural phenomenon.
A natural or established process by which something takes place or is brought about.
Refer to security mechanism.
Note: A mechanism can be technology- or nontechnology-based (e.g., apparatus, device, instrument, procedure, process, system, operation, method, technique, means, or medium).
- mechanisms : see document
- An assessment object that includes specific protection-related items (e.g., hardware, software, or firmware).
- An assessment object that includes specific protection-related items (e.g., hardware, software, or firmware) employed within or at the boundary of an information system.
- MED : see document
- media : see document
- Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, printouts (but not including display media) onto which information is recorded, stored, or printed within an information system.
- Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, and printouts (but not including display media) onto which information is recorded, stored, or printed within an information system.
- Physical devices or writing surfaces including but not limited to, magnetic tapes, optical disks, magnetic disks, Large-scale integration (LSI) memory chips, printouts (but not including display media) onto which information is recorded, stored, or printed within an information system.
- Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration memory chips, and printouts (but excluding display media) onto which information is recorded, stored, or printed within a system.
- Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration (LSI) memory chips, and printouts (but not including display media) onto which information is recorded, stored, or printed within an information system.
- Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration (LSI) memory chips, and printouts (but excluding display media) onto which information is recorded, stored, or printed within system.
- Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, and printouts (but not including display media) onto which information is recorded, stored, or printed within a system.
- Physical devices or writing surfaces including magnetic tapes, optical disks, magnetic disks, Large-Scale Integration memory chips, and printouts (but excluding display media) onto which information is recorded, stored, or printed within a system.
- Media Access Control (MAC) : see document
- Message Authentication Code.
- A unique 48-bit value that is assigned to a particular wireless network interface by the manufacturer.
- Media Access Control Address : see document
- Message Authentication Code.
- A hardware address that uniquely identifies each component of an IEEE 802-based network. On networks that do not conform to the IEEE 802 standards but do conform to the OSI Reference Model, the node address is called the Data Link Control (DLC) address.
- Media Access Control Security : see document
- Media gateway : see document
- the interface between circuit switched networks and IP network. Media gateways handle analog/digital conversion, call origination and reception, and quality improvement functions such as compression or echo cancellation.
- media library : see document
- Stores, protects, and controls all authorized versions of media CIs.
- Media Protection : see document
- media sanitization : see document
- The actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.
- A general term referring to the actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.
- Medical Device Innovation, Safety & Security Consortium : see document
- Medical Device Risk Assessment Platform : see document
- Medical Imaging & Technology Alliance : see document
- Medium : see document
- Material on which data are or may be recorded, such as paper, punched cards, magnetic tape, magnetic disks, solid state devices, or optical discs.
- Medium Access Control : see document
- Message Authentication Code.
- MEE : see document
- MEF : see document
- Megabits per second : see document
- Megabyte : see document
- Megahertz : see document
- MEID : see document
- Melting : see document
- A physically destructive method of sanitizing media; to be changed from a solid to a liquid state, generally by the application of heat.
- membership-inference attack : see document
- A data privacy attack to determine whether a data sample was part of the training set of a machine learning model.
- Memorandum of Understanding or Agreement : see document
- A type of intra-agency, interagency, or National Guard agreement between two or more parties, which includes specific terms that are agreed to, and a commitment by at least one party to engage in action. It includes either a commitment of resources or binds a party to a specific action.
- A type of intra-agency, interagency, or National Guard agreement between two or more parties, which includes only general understandings between the parties. It neither includes a commitment of resources nor binds a party to a specific action.
- Agreement between the Federal PKI Policy Authority and an Agency allowing interoperability between the Agency Principal CA and the FBCA.
- Memorandum of Agreement (as used in the context of this CP, between an Agency and the FPKIPA allowing interoperation between the FBCA and Agency Principal CA)
- A document established between two or more parties to define their respective responsibilities in accomplishing a particular goal or mission. In this guide, an MOU/A defines the responsibilities of two or more organizations in establishing, operating, and securing a system interconnection.
- A statement of intent between the participating organizations to work together and often states goals, objectives, or the purpose for the partnership; details the terms of and conditions for the agreement; and outlines the operations needed to achieve the goals or purpose.
- memorized secret : see document
- A string of characters (letters, numbers, and other symbols) used to authenticate an identity or to verify access authorization.
- A string of characters (letters, numbers, and other symbols) that is used to authenticate an identity, to verify access authorization, or to derive cryptographic keys.
- A type of authenticator consisting of a character string that is intended to be memorized or memorable by the subscriber to permit the claimant to demonstrate something they know as part of an authentication process. Passwords were referred to as memorized secrets in the initial release of SP 800-63B.
- A string of characters (letters, numbers, and other symbols) used to authenticate an identity or to verify access authorization.
- A string of characters (letters, numbers and other symbols) that are used to authenticate an identity, to verify access authorization or to derive cryptographic keys.
- A protected/private string of letters, numbers, and/or special characters used to authenticate an identity or to authorize access to data.
- A string of characters (letters, numbers and other symbols) that are used to authenticate an identity or to verify access authorization. A passphrase is a special case of a password that is a sequence of words or other text. In this document, the use of the term “password” includes this special case.
- A string of characters (letters, numbers and other symbols) that are used to authenticate an identity or to verify access authorization.
- A type of authenticator comprised of a character string intended to be memorized or memorable by the subscriber, permitting the subscriber to demonstrate something they know as part of an authentication process.
- A string of characters (letters, numbers and other symbols) that is used to authenticate an identity, to verify access authorization or to derive cryptographic keys.
- A type of authenticator comprised of a character string intended to be memorized or memorable by the subscriber, permitting the subscriber to demonstrate something they know as part of an authentication process.
- A string of characters (letters, numbers and other symbols) that are used to authenticate an identity or to verify access authorization. A passphrase is a special case of a password that is a sequence of words or other text. In this document, the use of the term “password” includes this special case.
- A string of characters (letters, numbers and other symbols) that are used to authenticate an identity, verify access authorization or derive cryptographic keys.
- A string of characters (letters, numbers, and other symbols) that are used to authenticate an identity or to verify access authorization. A passphrase is a special case of a password that is a sequence of words or other text. In this Recommendation, the use of the term “password” includes this special case.
- Confidential authentication information, usually composed of a string of characters.
- A secret shared between the user and the party issuing credentials. Memorized Secret Tokens are typically character strings (e.g., passwords and passphrases) or numerical strings (e.g., PINs).
- A secret that a Claimant memorizes and uses to authenticate his or her identity. Passwords are typically character strings.
- Memory Allocation : see document
- Memory Encryption Engine : see document
- Memory Management Unit : see document
- Memory Protection Unit : see document
- memory scavenging : see document
- The collection of residual information from data storage.
- Memory Tagging Extension : see document
- Menezes-Qu-Vanstone : see document
- The Menezes-Qu-Vanstone key-agreement primitive.
- MEP : see document
- Merkle tree : see document
- A data structure where the data is hashed and combined until there is a singular root hash that represents the entire structure.
- Merkle-Damgård : see document
- Merkle-Damgård with Permutation using Hirose’s DBL compression function : see document
- MES : see document
- Mesh : see document
- A key management architecture in which key processing facilities may interact with each other with no concept of dominance implied by the interaction.
- Mesh Encryption : see document
- A special case of many host-to-host VPNs. Whenever one host in a network wishes to communicate with another host in the network, it first establishes an IPsec connection. Typically, adding or removing one node in the mesh does not require reconfiguration of the other nodes.
- Mesh Link Establishment : see document
- Message : see document
- The data that is signed. Also known as signed data during the signature verification and validation process.
- The basic unit of data sent from one Web services agent to another in the context of Web services.
- The data that is signed. Also known as “signed data” during the signature verification and validation process.
- Message authentication : see document
- A process that provides assurance of the integrity of messages, documents or stored data.
- message authentication code (MAC) : see document
- A family of secret-key cryptographic algorithms acting on input data of arbitrary length to produce an output value of a specified length (called the MAC of the input data). The MAC can be employed to provide an authentication of the origin of data and/or data-integrity protection. In this Recommendation, approved MAC algorithms are used to determine families of pseudorandom functions (indexed by the choice of key) that are employed during key derivation.
- A cryptographic checksum on data that uses a symmetric key to detect both accidental and intentional modifications of the data. MACs provide authenticity and integrity protection but not non-repudiation protection.
- A cryptographic checksum on data that uses a symmetric key to detect both accidental and intentional modifications of the data.
See checksum.
- Message Authentication Code.
- A family of cryptographic algorithms that is parameterized by a symmetric key. Each of the algorithms can act on input data of arbitrary length to produce an output value of a specified length (called the MAC of the input data). A MAC algorithm can be used to provide data origin authentication and data integrity.
- a data authenticator generated from the message, usually through cryptographic techniques. In general, a cryptographic key is also required as an input.
- A cryptographic checksum on data that uses a symmetric key to detect both accidental and intentional modifications of data.
- A bit string of fixed length, computed by a MAC generation algorithm, that is used to establish the authenticity and, hence, the integrity of a message.
- A cryptographic checksum on data that is designed to reveal both accidental errors and intentional modifications of the data.
- A cryptographic checksum on data that uses an approved security function and a symmetric key to detect both accidental and intentional modifications of data.
- A cryptographic checksum on data that uses a symmetric key to detect both accidental and intentional modifications of the data. MACs provide authenticity and integrity protection, but not non-repudiation protection.
- A cryptographic checksum based on an approved cryptographic function and a symmetric key to detect both accidental and intentional modifications of data.
- A family of cryptographic algorithms that is parameterized by a symmetric key. Each of the algorithms can act on input data (called a message) of an arbitrary length to produce an output value of a specified length (called the MAC of the input data). A MAC algorithm can be used to provide data origin authentication and data integrity protection. In this Recommendation, a MAC algorithm is also called a MAC function.
- A cryptographic checksum on data that uses a symmetric key to detect both accidental and intentional modifications of the data.
- message digest : see document
- The result of applying a hash function to a message. Also known as a “hash value.”
- The result of applying a hash function to a message. Also known as a "hash value."
- The result of applying a hash function to a message. Also known as a “hash value.”
- The result of applying a hash function to a message. Also known as a “hash value” or “hash output”.
- The result of applying a hash function to data.
- The result of applying a cryptographic hash function to data (e.g., a message). Also known as a “message digest”.
- the fixed size result of hashing a message.
- The fixed-length bit string produced by a hash function.
- The result of applying a hash function to information.
- A hash that uniquely identifies data. Changing a single bit in the data stream used to generate the message digest will yield a completely different message digest.
- A digital signature that uniquely identifies data and has the property that changing a single bit in the data will cause a completely different message digest to be generated.
- The result of applying a hash function to information; also called a message digest.
- A cryptographic checksum, typically generated for a file, that can be used to detect changes to the file. Synonymous with hash value/result.
- The result of applying a hash function to a message
- A digital signature that uniquely identifies data and has the property that changing a single bit in the data will cause a completely different message digest to be generated.
- The result of applying a hash function to a message.
- Message Digest 5 : see document
- Message Exchange Pattern : see document
- message indicator (MI) : see document
- Sequence of bits transmitted over a communications system for synchronizing cryptographic equipment.
- Message Inject : see document
- A pre-scripted message that will be given to participants during the course of an exercise.
- Message Integrity Check : see document
- Message Integrity Code : see document
- Message Queuing Telemetry Transport : see document
- Message Signature Key : see document
- metaattribute : see document
- Information about attributes necessary to implement metapolicy and digital policy processing within an access control mechanism.
- Metacharacter : see document
- A character that has some special meaning to a computer program and therefore will not be interpreted properly as part of a literal string.
- metacontrol : see document
- A control of, or about, a control. For example, a control that specifies how the desired or actual state data for another control is to be managed.
- metadata : see document
- Information describing the characteristics of data including, for example, structural metadata describing data structures (e.g., data format, syntax, and semantics) and descriptive metadata describing data contents (e.g., information security labels).
- Information used to describe specific characteristics, constraints, acceptable uses and parameters of another data item (e.g., a cryptographic key).
- Data about data. For filesystems, metadata is data that provides information about a file’s contents.
- The information associated with a key that describes its specific characteristics, constraints, acceptable uses, ownership, etc. Sometimes called the key's attributes.
- The information associated with a key that describes its specific characteristics, constraints, acceptable uses, ownership, etc.; sometimes called the key's attributes.
- The information associated with a key that describes its specific characteristics, constraints, acceptable uses, ownership, etc.; sometimes called the key’s attributes.
- Information that describes the characteristics of data, including structural metadata that describes data structures (i.e., data format, syntax, semantics) and descriptive metadata that describes data contents (i.e., security labels).
- Information describing the characteristics of data. This may include, for example, structural metadata describing data structures (i.e., data format, syntax, semantics) and descriptive metadata describing data contents
- Metadata (bound) : see document
- Metadata that has been cryptographically combined with the associated key to produce a MAC or digital signature that can be used to verify that the key and metadata are indeed associated with each other.
- Metadata (compromised) : see document
- Sensitive metadata that has been disclosed to or modified by an unauthorized entity.
- Metadata (explicit) : see document
- Parameters used to describe the properties associated with a cryptographic key that are explicitly recorded, managed, and protected by the CKMS.
- Metadata (implicit) : see document
- Information about a cryptographic key that may be inferred (i.e., by context), but is not explicitly recorded, managed, or protected by the CKMS.
- Metadata Standards Working Group : see document
- Meter : see document
- The number of blocks in the formatted payload.
- In LMS, the number of bytes associated with each node of a Merkle tree.
- metrics : see document
- Measures and assessment results designed to track progress, facilitate decision-making, and improve performance with respect to a set target.
- Tools designed to facilitate decision making and improve performance and accountability through collection, analysis, and reporting of relevant performance-related data.
- Metrology : see document
- The sub-component of a Smart Meter responsible for measuring and calculating Metered Data that may be used for register readings, time-of-use readings, load profile data, and other electrical or revenue measurement purposes. The Metrology may or may not be a separate electronic element and may or may not include other electronic elements or interfaces as well.
- Metropolitan Area Network : see document
- MF : see document
- A characteristic of an authentication system or an authenticator that requires more than one distinct authentication factor for successful authentication. MFA can be performed using a single authenticator that provides more than one factor or by a combination of authenticators that provide different factors.
The three authentication factors are something you know, something you have, and something you are.
- A characteristic of an authentication system or an authenticator that requires more than one distinct authentication factor for successful authentication. MFA can be performed using a single authenticator that provides more than one factor or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are.
- A characteristic of an authentication system or an authenticator that requires more than one distinct authentication factor for successful authentication. MFA can be performed using a single authenticator that provides more than one factor or by a combination of authenticators that provide different factors.
The three authentication factors are something you know, something you have, and something you are.
- A characteristic of an authentication system or a token that uses more than one authentication factor.
The three types of authentication factors are something you know, something you have, and something you are.
- MFA : see document
- Authentication using two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric).
- Authentication using two or more different factors to achieve authentication. Factors include something you know (e.g., PIN, password), something you have (e.g., cryptographic identification device, token), or something you are (e.g., biometric). See authenticator.
- An authentication system that requires more than one distinct type of authentication factor for successful authentication. MFA can be performed using a multi-factor authenticator or by combining single-factor authenticators that provide different types of factors.
- An authentication system that requires more than one distinct authentication factor for successful authentication. Multifactor authentication can be performed using a multifactor authenticator or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are.
- Authentication using two or more different factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). See Authenticator.
- An authentication system or an authenticator that requires more than one authentication factor for successful authentication. Multi-factor authentication can be performed using a single authenticator that provides more than one factor or by a combination of authenticators that provide different factors.
- The three authentication factors are something you know, something you have, and something you are. See authenticator.
- Authentication using two or more different factors to achieve authentication. Factors include something you know (e.g., PIN, password), something you have (e.g., cryptographic identification device, token), or something you are (e.g., biometric). See authenticator.
- MFG : see document
- MFL : see document
- MGC : see document
- MGF : see document
- MGMT : see document
- MHz : see document
- MI : see document
- MIA : see document
- MIB : see document
- MIC : see document
- Micro Secure Digital : see document
- Microcontroller Unit : see document
- microSD : see document
- Microservice : see document
- A set of containers that work together to compose an application.
- Microsoft : see document
- Microsoft Challenge-Handshake Authentication Protocol : see document
- Microsoft Challenge-Handshake Authentication Protocol version 1 : see document
- Microsoft Challenge-Handshake Authentication Protocol version 2 : see document
- Microsoft Disk Operating System : see document
- Microsoft Excel Workbook File : see document
- Microsoft Intermediate Language : see document
- Microsoft Management Console : see document
- Microsoft Point-to-Point Encryption : see document
- Microsoft SQL : see document
- Microsoft Support Diagnostic Tool : see document
- Microsystems Technology Office : see document
- Middleware : see document
- Software that aggregates and filters data collected by RFID readers and possibly passes the information to an enterprise subsystem database. Middleware may also be responsible for monitoring and managing readers.
- mil : see document
- MILE : see document
- Military Standard : see document
- Millennium Challenge Corporation : see document
- Millimeter : see document
- Milliwatt : see document
- MILP : see document
- MIL-STD : see document
- MIME : see document
- MIME Object Security Services : see document
- min-entropy : see document
- A lower bound on the entropy of a random variable. The precise formulation for min-entropy is <span class="math-tex">\((-\log_{2} \max p_{i})\)</span> for a discrete distribution having probabilities <span class="math-tex">\(p_{1},...,p_{k}\)</span>. Min-entropy is often used as a measure of the unpredictability of a random variable.
- The min-entropy (in bits) of a random variable X is the largest value m having the property that each observation of X provides at least m bits of information (i.e., the min-entropy of X is the greatest lower bound for the information content of potential observations of X). The min-entropy of a random variable is a lower bound on its entropy. The precise formulation for min-entropy is <span class="math-tex">\(-(\log_{2} \max p_{i})\)</span> for a discrete distribution having n possible outputs with probabilities <span class="math-tex">\(p_{1},\ldots,p_{n}\)</span>. Min-entropy is often used as a worst-case measure of the unpredictability of a random variable. Also see [NIST SP 800-90B].
- The min-entropy (in bits) of a random variable X is the largest value m having the property that each observation of X provides at least m bits of information (i.e., the min-entropy of X is the greatest lower bound for the information content of potential observations of X). The min-entropy of a random variable is a lower bound on its entropy. The precise formulation for min-entropy is <span class="math-tex">\(-(\log_{2} \max p_{i})\)</span> for a discrete distribution having probabilities <span class="math-tex">\(p_{1},\ldots,p_{k}\)</span>. Min-entropy is often used as a worst-case measure of the unpredictability of a random variable.
- The min-entropy (in bits) of a random variable X is the largest value m having the property that each observation of X provides at least m bits of information (i.e., the min-entropy of X is the greatest lower bound for the information content of potential observations of X). The min-entropy of a random variable is a lower bound on its entropy. The precise formulation for min-entropy is <span class="math-tex">\(-\log_{2}(\max p_{i})\)</span> for a discrete distribution having event probabilities <span class="math-tex">\(p_{1},\ldots,p_{k}\)</span>. Min-entropy is often used as a worst-case measure of the unpredictability of a random variable.
- A measure of the difficulty that an Attacker has to guess the most commonly chosen password used in a system. In this document, entropy is stated in bits. When a password has n-bits of min-entropy then an Attacker requires as many trials to find a user with that password as is needed to guess an n-bit random quantity. The Attacker is assumed to know the most commonly used password(s). See Appendix A.
- MINEX : see document
- Minutia Exchange – the NIST program supporting minutia-based biometrics
- Minimalist Cryptography : see document
- Cryptography that can be implemented on devices with very limited memory and computing capabilities, such as RFID tags.
- Minimally Securable IoT Device : see document
- An IoT device that has the device cybersecurity capabilities (i.e., hardware and software) customers may need to implement cybersecurity controls used to mitigate some common cybersecurity risks.
- Mining : see document
- The data structure where the data is hashed and combined until there is a singular root hash that represents the entire structure.
- The act of solving a puzzle within a proof of work consensus model.
- minor application : see document
- An application, other than a major application, that requires attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Minor applications are typically included as part of a general support system.
- Minor Revision : see document
- Any increase in the version of an SCAP component’s specification or SCAP related data set that may involve adding additional functionality, but that preserves backwards compatibility with previous releases.
- Minor version update : see document
- A revision of a specification that may add or enhance functionality, fix bugs, and make other changes from the previous revision, but the changes have minimal impact, if any, on backward compatibility.
- Mint : see document
- A protocol-level operation that creates and distributes new tokens to blockchain addresses, either individually or in batch.
- MIP : see document
- MIS Training Institute : see document
- misconfiguration : see document
- An incorrect or suboptimal configuration of an information system or system component that may lead to vulnerabilities.
- An incorrect or suboptimal configuration of an information system or system component that may lead to vulnerabilities.
- A setting within a computer program that violates a configuration policy or that permits or causes unintended behavior that impacts the security posture of a system. CCE can be used for enumerating misconfigurations.
NOTE: NIST generally defines vulnerability as including both software flaws and configuration issues [misconfigurations]. For the purposes of the validation program and dependent procurement language, the SCAP Validation program is defining vulnerability and misconfiguration as two separate entities, with “vulnerability” referring strictly to software flaws.
- misdirection : see document
- The process of maintaining and employing deception resources or environments and directing adversary activities to those resources or environments.
- misnamed files : see document
- A technique used to disguise a file’s content by changing the file’s name to something innocuous or altering its extension to a different type of file, forcing the examiner to identify the files by file signature versus file extension.
- mission assurance : see document
- A process to protect or ensure the continued function and resilience of capabilities and assets—including personnel, equipment, facilities, networks, information and information systems, infrastructure, and supply chains—critical to the execution of organizational mission-essential functions in any operating environment or condition.
- A process to protect or ensure the continued function and resilience of capabilities and assets, including personnel, equipment, facilities, networks, information and information systems, infrastructure, and supply chains, critical to the execution of organizational mission-essential functions in any operating environment or condition.
- mission assurance category : see document
- A Department of Defense (DoD) Information Assurance Certification and Accreditation Process (DIACAP) term primarily used to determine the requirements for availability and integrity.
- Message Authentication Code.
- mission critical : see document
- Any telecommunications or information system that is defined as a national security system (FISMA) or processes any information the loss, misuse, disclosure, or unauthorized access to or modification of, would have a debilitating impact on the mission of an agency.
- Any telecommunications or information system that is defined as a national security system (Federal Information Security Management Act (FISMA) of 2002) or processes any information the loss, misuse, disclosure, or unauthorized access to or modification of, would have a debilitating impact on the mission of an agency.
- Mission Critical Push-To-Talk : see document
- Mission Critical Voice : see document
- Mission Essential Functions : see document
- Mission Impact Analysis : see document
- mission objective : see document
- A high-level goal that must be achieved for an organization to succeed at its primary mission or purpose.
- mission operations center : see document
- A facility that provides C2 for the satellite bus, receives TT&C from the satellite, and requests and retrieves data as necessary.
- mission resilience : see document
- The ability to continuously maintain the capability and capacity to perform essential functions and services, without time delay, regardless of threats or conditions, and with the understanding that adequate warning of a threat may not be available.
- mission/business segment : see document
- Elements of organizations describing mission areas, common/shared business services, and organization-wide services. Mission/business segments can be identified with one or more information systems which collectively support a mission/business process.
- mission-critical element : see document
- A system component or subsystem that delivers mission critical functionality to a system or that may, by virtue of system design, introduce vulnerability to mission critical functions.
Note: Mission-critical element is often denoted as "critical component".
- mission-critical functionality : see document
- Any system function, the compromise of which would degrade the effectiveness of that system in achieving the core mission for which it was designed.
- MISTI : see document
- misuse enablement : see document
- In the AML context, a circumvention of technical restrictions imposed by the AI system’s owner on its use, such as restrictions designed to prevent a GenAI system from producing outputs that could cause harm to others.
- misuse of Controlled Unclassified Information (CUI) : see document
- Any situation where controlled unclassified information (CUI) is used in a manner inconsistent with the policy contained in Executive Order 13556, 32 Code of Federal Regulations (CFR), the CUI Registry, additional issuances from the CUI Executive Agent, or any of the laws, regulations, and Government-wide policies that establish the designation of CUI categories and subcategories. This may include intentional violations or unintentional errors in safeguarding or disseminating CUI.
- MIT : see document
- MITA : see document
- Mitigate : see document
- To make less severe or painful or to cause to become less harsh or hostile.
- mitigation : see document
- A decision, action, or practice intended to reduce the level of risk associated with one or more threat events, threat scenarios, or vulnerabilities.
- The temporary reduction or lessening of the impact of a vulnerability or the likelihood of its exploitation.
- MitM : see document
- An attack where the adversary positions himself in between the user and the system so that he can intercept and alter data traveling between them.
- Mixed-Integer Linear Programming : see document
- MKA : see document
- ML : see document
- The development and use of computer systems that adapt and learn from data with the goal of improving accuracy.
- ML-DSA : see document
- MLE : see document
- ML-KEM : see document
- MLS : see document
- Concept of processing information with different classifications and categories that simultaneously permits access by users with different security clearances and denies access to users who lack authorization.
- MLWE : see document
- MLWR : see document
- mm : see document
- MMC : see document
- MME : see document
- MMO : see document
- MMS : see document
- An accepted standard for messaging that lets users send and receive messages formatted with text, graphics, photographs, audio, and video clips.
- MMT : see document
- MMU : see document
- MNO : see document
- MO : see document
- MOA : see document
- Memorandum of Agreement (as used in the context of this CP, between an Agency and the FPKIPA allowing interoperation between the FBCA and Agency Principal CA)
- MOBIKE : see document
- Mobile Application Management : see document
- Mobile Application Vetting : see document
- mobile code : see document
- Executable code that is normally transferred from its source to another computer system for execution. This transfer is often through the network (e.g., JavaScript embedded in a web page) but may transfer through physical media as well.
- Software programs or parts of programs obtained from remote systems, transmitted across a network, and executed on a local system without explicit installation or execution by the recipient.
- Software programs or parts of programs obtained from remote information systems, transmitted across a network, and executed on a local information system without explicit installation or execution by the recipient.
- Software programs or parts of programs obtained from remote information systems, transmitted across a network, and executed on a local information system without explicit installation or execution by the recipient.
Note: Some examples of software technologies that provide the mechanisms for the production and use of mobile code include Java, JavaScript, ActiveX, VBScript, etc.
- A program (e.g., script, macro, or other portable instruction) that can be shipped unchanged to a heterogeneous collection of platforms and executed with identical semantics.
- Executable code that is normally transferred from its source to another computer system for execution. This transfer is often through the network (e.g., JavaScript embedded in a web page) but may transfer through physical media as well.
- Software that is transmitted from a remote host to be executed on a local host, typically without the user’s explicit instruction.
- mobile code risk categories : see document
- Categories of risk associated with mobile code technology based on functionality, level of access to workstation, server, and remote system services and resources, and the resulting threat to information systems.
- mobile code technologies : see document
- Software technologies that provide the mechanisms for the production and use of mobile code (e.g., Java, JavaScript, ActiveX, VBScript).
- Software technologies that provide the mechanisms for the production and use of mobile code.
- Mobile Data Terminal : see document
- Mobile Data Unit : see document
- mobile device : see document
- A portable computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); possesses local, non-removable, or removable data storage; and includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the devices to capture information, or built-in features that synchronize local data with remote locations. Examples include smartphones, tablets, and e-readers.
- A portable computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable data storage; and (iv) is powered-on for extended periods of time with a self-contained power source. Mobile devices may also include voice communication capabilities, on board sensors that allow the device to capture (e.g., photograph, video, record, or determine location) information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, tablets, and E-readers.
Note: If the device only has storage capability and is not capable of processing or transmitting/receiving information, then it is considered a portable storage device, not a mobile device. See portable storage device.
- A mobile device is a small hand-held device that has a display screen with touch input and/or a QWERTY keyboard and may provide users with telephony capabilities. Mobile devices are used interchangeably (phones, tablets) throughout this document.
- A portable computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the devices to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, tablets, and e-readers.
- A mobile device, for the purpose of this document is a portable computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the devices to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, tablets, and e-readers.
- A portable computing device that (1) has a small form factor so it can easily be carried by a single individual; (2) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (3) possesses local, nonremovable or removable data storage; and (4) includes a self-contained power source. Mobile devices may also include voice communication capabilities, onboard sensors that allow the devices to capture information, and/or built-in features for synchronizing local data with remote locations. Examples are smartphones, tablets, and e-readers.
- A portable computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); possesses local, non-removable/removable data storage; and includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the devices to capture information, or built-in features that synchronize local data with remote locations. Examples include smartphones, tablets, and E-readers.
- A portable computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the devices to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, tablets, and E-readers.
- A portable computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); possesses local, non-removable data storage; and is powered on for extended periods of time with a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture (e.g., photograph, video, record, or determine location) information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, tablets, and e-readers.
- A portable computing device that has a small form factor such that it can easily be carried by a single individual, is designed to operate without a physical connection (e.g., wirelessly transmit or receive information), possesses local, non-removable or removable data storage, and includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the devices to capture information, or built-in features that synchronize local data with remote locations. Examples include smartphones, tablets, and E-readers.
- Mobile Device Management (MDM) : see document
- The administration of mobile devices such as smartphones, tablets, computers, laptops, and desktop computers. MDM is usually implemented through a third-party product that has management features for particular vendors of mobile devices.
- Mobile Device Manager : see document
- Mobile Device Security : see document
- Mobile Driving License : see document
- Mobile Endpoint Security : see document
- Mobile Equipment : see document
- Mobile Equipment Identifier : see document
- Mobile Internet Key Exchange (MOBIKE) : see document
- A form of IKE supporting the use of devices with multiple network interfaces that switch from one network to another while IPsec is in use.
- mobile mode : see document
- Software programs or parts of programs obtained from remote information systems, transmitted across a network, and executed on a local information system without explicit installation or execution by the recipient.
- Mobile Network Operator : see document
- Mobile Services Category Team : see document
- Mobile Single Sign-On : see document
- Mobile Subscriber Integrated Services Digital Network (MSISDN) : see document
- The international telephone number assigned to a cellular subscriber.
- Mobile Switching Center : see document
- Mobile Threat Catalogue : see document
- Mobile Threat Defense : see document
- Mobile Threat Intelligence : see document
- Mobile Threat Posture : see document
- Mobile Threat Protection : see document
- Mobile Virtual Network Operator : see document
- Mobility Management Entity : see document
- MOC : see document
- MOD : see document
- Modality Performed Procedure Step : see document
- Mode Configuration : see document
- mode of iteration : see document
- A method for iterating the multiple invocations of a pseudorandom function in order to derive the keying material with a required length.
- Mode of Operation (Mode) : see document
- An algorithm for the cryptographic transformation of data that is based on a block cipher.
- The value of the random sample that occurs with the greatest frequency. This value is not necessarily unique.
- An algorithm for the cryptographic transformation of data that features a symmetric key block cipher algorithm.
- An algorithm for the cryptographic transformation of data that features a symmetric key block cipher.
- An algorithm for the cryptographic transformation of data that is based on a block cipher.
- See “block cipher mode of operation.”
- An algorithm that uses a block cipher algorithm as a cryptographic primitive to provide a cryptographic service, such as confidentiality or authentication.
- ModeCFG : see document
- Model : see document
- A detailed description or scaled representation of one component of a larger system that can be created, operated, and analyzed to predict actual operational characteristics of the final produced component.
- A very detailed description or scaled representation of one component of a larger system that can be created, operated, and analyzed to predict actual operational characteristics of the final produced component.
- model control : see document
- A capability with which an attacker can control the machine learning model parameters.
- model extraction : see document
- A type of privacy attack that extracts details of the model architecture and/or parameters.
- model poisoning : see document
- A poisoning attack which operates through model control.
- model privacy attacks : see document
- An attack against machine learning models to extract sensitive information about the model.
- model weight : see document
- A numerical parameter within an AI model that helps determine the model’s outputs in response to inputs.
- Model-Based Systems Engineering : see document
- Modeling and Simulation : see document
- Moderate : see document
- Moderate Impact : see document
- The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
- The loss of confidentiality, integrity, or availability that could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States (i.e., 1) causes a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; 2) results in significant damage to organizational assets; 3) results in significant financial loss; or 4) results in significant harm to individuals that does not involve loss of life or serious life-threatening injuries).
- The loss of confidentiality, integrity, or availability that could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States (i.e., 1) causes a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; 2) results in significant damage to organizational assets; 3) results in significant financial loss; or 4) results in significant harm to individuals that does not involve loss of life or serious life-threatening injuries).
- The loss of confidentiality, integrity, or availability that could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States; (i.e., 1) causes a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; 2) results in significant damage to organizational assets; 3) results in significant financial loss; or 4) results in significant harm to individuals that does not involve loss of life or serious life-threatening injuries).
- moderate-impact system : see document
- An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of moderate, and no security objective is assigned a FIPS 199 potential impact value of high.
- An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS Publication 199 potential impact value of moderate and no security objective is assigned a FIPS Publication 199 potential impact value of high.
- An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS PUB 199 potential impact value of moderate and no security objective is assigned a FIPS PUB 199 potential impact value of high. Note: For National Security Systems, CNSSI No. 1253 does not adopt this FIPS PUB 200 high water mark across security objectives.
- A system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS Publication 199 potential impact value of moderate and no security objective is assigned a potential impact value of high.
- An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of moderate and no security objective is assigned a FIPS 199 potential impact value of high.
- modern key : see document
- A collective name for asymmetric key such as secure data network system (SDNS) FIREFLY key and message signature key. It does not include the public key infrastructure (PKI) system or keys.
- Modification, Access, and Creation : see document
- Message Authentication Code.
- Modified condition decision coverage : see document
- This is a strong coverage criterion that is required by the US Federal Aviation Administration for Level A (catastrophic failure consequence) software; i.e., software whose failure could lead to loss of function necessary for safe operation. It requires that every condition in a decision in the program has taken on all possible outcomes at least once, and each condition has been shown to independently affect the decision outcome, and that each entry and exit point have been invoked at least once.
- MODP : see document
- Modular Contracting : see document
- Under modular contracting, an executive agency’s need for a system is satisfied in successive acquisitions of interoperable increments. Each increment complies with common or commercially accepted standards applicable to information technology so that the increments are compatible with other increments of information technology comprising the system.
- Under modular contracting, an executive agency’s need for a system is satisfied in successive acquisitions of interoperable increments. Each increment complies with common or commercially accepted standards applicable to information technology so that the increments are compatible with other increments of information technology composing the system.
- Modular Exponential : see document
- module : see document
- Program unit that is discrete and identifiable with respect to compiling, combining with other units, and loading.
- Discrete and identifiable element with a well-defined interface and well-defined purpose or role whose effect is described as relations among inputs, outputs, and retained state.
- The set of hardware, software, and/or firmware that implements security functions (including cryptographic algorithms and key generation) and is contained within a cryptographic module boundary. See [FIPS 140].
- See Cryptographic module.
- The set of hardware, software, and/or firmware that implements approved security functions (including cryptographic algorithms and key generation) and is contained within a cryptographic boundary.
- The set of hardware, software, and/or firmware that implements approved cryptographic functions (including key generation) that are contained within the cryptographic boundary of the module.
- The set of hardware, software, and/or firmware that implements approved security functions (including cryptographic algorithms and key generation) and is contained within the cryptographic boundary.
- The set of hardware, software, and/or firmware that implements security functions (including cryptographic algorithms and key generation) and is contained within a cryptographic module boundary. See FIPS 140.
- The set of hardware, software, and/or firmware that implements security functions (including cryptographic algorithms), holds plaintext keys and uses them for performing cryptographic operations, and is contained within a cryptographic module boundary. This Profile requires the use of a validated cryptographic module as specified in [FIPS 140].
- The set of hardware, software, and/or firmware that implements approved security functions and is contained within a cryptographic boundary.
- The set of hardware, software, and/or firmware that implements security functions (including cryptographic algorithms and key-generation methods) and is contained within a cryptographic module boundary. See FIPS 140.
- An embedded software component of a product or application, or a complete product in and of itself, that has one or more capabilities.
- Module Learning With Errors : see document
- Module Learning With Rounding : see document
- Module Short Integer Solution : see document
- Module-Lattice-Based Digital Signature Algorithm : see document
- Module-Lattice-Based Key-Encapsulation Mechanism : see document
- Modules-In-Process : see document
- MOE : see document
- MOK : see document
- Monitor-Evaluate-Adjust cycle : see document
- monitoring : see document
- Continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected.
- Monobit Test : see document
- The purpose of this test is to determine whether the number of ones and zeros in a sequence are approximately the same as would be expected for a truly random sequence.
- MOP : see document
- Morale, Welfare, and Recreation : see document
- MOSS : see document
- most significant bit(s) : see document
- The left-most bit(s) of a bit string.
- MOU : see document
- MOU/A : see document
- Mount Airey Group : see document
- moving target defense : see document
- The concept of controlling change across multiple system dimensions in order to increase uncertainty and apparent complexity for attackers, reduce their window of opportunity, and increase the costs of their probing and attack efforts.
- MP : see document
- A policy about policies, or policy for managing policies, such as assignment of priorities and resolution of conflicts between digital policies or other metapolicies.
- MPC : see document
- MPCith : see document
- MPLS : see document
- MPPE : see document
- MPPS : see document
- MPTC : see document
- MPU : see document
- MQTT : see document
- MQV : see document
- The Menezes-Qu-Vanstone key-agreement primitive.
- MRAE : see document
- MRI : see document
- MRT : see document
- MRTD : see document
- MS : see document
- MS SQL : see document
- MSA : see document
- MSB : see document
- MSB<i><sub>s</sub></i>(<i>X</i>) : see document
- The bit string consisting of the s left-most bits of the bit string X.
- MSC : see document
- MS-CHAP : see document
- MS-CHAPv1 : see document
- MS-CHAPv2 : see document
- mSCP : see document
- MSCT : see document
- MS-DOS : see document
- MSDT : see document
- MSEC : see document
- MSEL : see document
- MSIL : see document
- MSIS : see document
- MSISDN : see document
- The international telephone number assigned to a cellular subscriber.
- MSK : see document
- MSL : see document
- Capability of an information system that is trusted to contain, and maintain separation between, resources (particularly stored data) of different security domains.
- MSO : see document
- MSQL : see document
- MSS : see document
- MSSO : see document
- MSSP : see document
- MSSQL : see document
- MSWG : see document
- MTA : see document
- MTC : see document
- MTD : see document
- The amount of time mission/business process can be disrupted without causing significant harm to the organization’s mission.
- MTE : see document
- MTI : see document
- mTLS : see document
- MTO : see document
- MTP : see document
- MTS : see document
- MTTF : see document
- MTU : see document
- MUA : see document
- MUD : see document
- MUD-Capable : see document
- An Internet of Things (IoT) device that can emit a MUD uniform resource locator in compliance with the MUD specification.
- An IoT device that is capable of emitting a MUD uniform resource locator (URL) in compliance with the MUD specification.
- Multi-Block Message Test : see document
- Multicast Domain Name System : see document
- Multicast Group : see document
- Multicast Security : see document
- Multicloud Management : see document
- Multi-Exit Discriminator (MED) : see document
- A BGP attribute used on external links to indicate preferred entry or exit points (among many) for an AS.
- Multifactor : see document
- A characteristic of an authentication system or an authenticator that requires more than one distinct authentication factor for successful authentication. MFA can be performed using a single authenticator that provides more than one factor or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are.
- Multi-Factor : see document
- A characteristic of an authentication system or an authenticator that requires more than one distinct authentication factor for successful authentication. MFA can be performed using a single authenticator that provides more than one factor or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are.
- A characteristic of an authentication system or an authenticator that requires more than one distinct authentication factor for successful authentication. MFA can be performed using a single authenticator that provides more than one factor or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are.
- A characteristic of an authentication system or a token that uses more than one authentication factor. The three types of authentication factors are something you know, something you have, and something you are.
- multi-factor authentication : see document
- Authentication using two or more different factors to achieve authentication. Factors include something you know (e.g., PIN, password), something you have (e.g., cryptographic identification device, token), or something you are (e.g., biometric).
- Authentication using two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric).
- An entity that facilitates authentication of other entities attached to the same LAN using a public key certificate.
- Something the claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the claimant’s identity. This was previously referred to as a token.
- Authentication using two or more different factors to achieve authentication. Factors include something you know (e.g., PIN, password), something you have (e.g., cryptographic identification device, token), or something you are (e.g., biometric). See authenticator.
- See authenticator type and multi-factor authenticator.
- An authentication system that requires more than one distinct type of authentication factor for successful authentication. MFA can be performed using a multi-factor authenticator or by combining single-factor authenticators that provide different types of factors.
- The means used to confirm the identity of a user, process, or device (e.g., user password or token).
- Authentication using two or more factors to achieve authentication. Factors include: (i) something you know (e.g. password/personal identification number (PIN)); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). See authenticator.
- An authentication system that requires more than one distinct authentication factor for successful authentication. Multifactor authentication can be performed using a multifactor authenticator or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are.
- Authentication using two or more factors to achieve authentication. Factors are (i) something you know (e.g., password/personal identification number); (ii) something you have (e.g., cryptographic identification device, token); and (iii) something you are (e.g., biometric).
- Authentication using two or more different factors to achieve authentication. Factors include something you know (e.g., PIN, password); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). See authenticator.
- Authentication using two or more different factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). See Authenticator.
- Something that the claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the claimant’s identity. This was previously referred to as a token.
- An authentication system or an authenticator that requires more than one authentication factor for successful authentication. Multi-factor authentication can be performed using a single authenticator that provides more than one factor or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are. See authenticator.
- Authentication using two or more different factors to achieve authentication. Factors include something you know (e.g., PIN, password), something you have (e.g., cryptographic identification device, token), or something you are (e.g., biometric). See authenticator.
- Authentication using two or more different factors to achieve authentication. Factors include something you know (e.g., PIN, password); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). See also Authenticator.
- Multifactor Authenticator : see document
- An authenticator that provides more than one distinct authentication factor, such as a cryptographic authentication device with an integrated biometric sensor that is required to activate the device.
- multi-level cross domain solution : see document
- A type of cross domain solution (CDS) that uses trusted labeling to store data at different classifications and allows users to access the data based upon their security domain and credentials.
- multilevel device : see document
- Equipment trusted to properly maintain and separate data of different security domains.
- Multilevel Secure : see document
- multi-level security (MLS) : see document
- Concept of processing information with different classifications and categories that simultaneously permits access by users with different security clearances and denies access to users who lack authorization.
- Multi-level security domain : see document
- A security domain that supports information protection at more than one impact-level.
- multi-level solution : see document
- Store data in multiple security domains at varied security levels and allow users to access the data at an appropriate security level.
- Multimedia Card : see document
- Multimedia Messaging Service (MMS) : see document
- An accepted standard for messaging that lets users send and receive messages formatted with text, graphics, photographs, audio, and video clips.
- multimodal models : see document
- A model that processes and relates information from multiple sensory modalities that each represent primary human channels of communication and sensation, such as vision and touch.
- multi-party computation : see document
- Multi-Party Computation in the Head : see document
- Multi-Party Threshold Cryptography : see document
- multipath : see document
- The propagation phenomenon that results in signals reaching the receiving antenna by two or more paths. When two or more signals arrive simultaneously, wave interference results. The received signal fades if the wave interference is time varying or if one of the terminals is in motion.
- multiple security levels (MSL) : see document
- Capability of an information system that is trusted to contain, and maintain separation between, resources (particularly stored data) of different security domains.
- Capability of a system that is trusted to contain, and maintain separation between, resources (particularly stored data) of different security domains.
- Multiple-center group : see document
- As used in this Recommendation, a set of two or more key centers that have agreed to work together to provide cryptographic keying services to their subscribers.
- Multiple-System Operator : see document
- Multiprotocol Label Switching : see document
- Multipurpose Internet Mail Extensions (MIME) : see document
- A protocol that makes use of the headers in an IETF RFC 2822 message to describe the structure of rich message content.
- multi-releasable : see document
- A characteristic of an information domain where access control mechanisms enforce policy-based release of information to authorized users within the information domain.
- Multi-Signature : see document
- A cryptographic signature scheme where the process of signing information (e.g., a transaction) is distributed among multiple private keys.
- Multi-tree XMSS : see document
- mutual authentication : see document
- The process of both entities involved in a transaction verifying each other. See bidirectional authentication.
- The process of both entities involved in a transaction verifying each other.
- Occurs when parties at both ends of a communication activity authenticate each other (see authentication).
- Two parties authenticating each other at the same time. Also known as mutual authentication or two-way authentication.
- mutual TLS : see document
- mutual Transport Layer Security : see document
- MVNO : see document
- mW : see document
- MWR : see document
- MX : see document
- N/A : see document
- N/S : see document
- NaaS : see document
- NAC : see document
- NACAM : see document
- NACI : see document
- NACSI : see document
- NACSIM : see document
- NAE : see document
- NAESB : see document
- NAK : see document
- NAM : see document
- name : see document
- A unique identifier associated with a registered object. This register assigns two names to each object: a numeric name and an alphanumeric name.
- Name Server : see document
- Namespace isolation : see document
- A form of isolation that limits which resources a container may interact with.
- NANOG : see document
- NANU : see document
- NAP : see document
- NAPT : see document
- NARA : see document
- NAS : see document
- NASA : see document
- NASIC : see document
- NAT : see document
- A mechanism for mapping addresses on one network to addresses on another network, typically private addresses to public addresses.
- The process of mapping addresses on one network to addresses on another network.
- National Aeronautics and Space Administration : see document
- National Agency Check with Inquiries : see document
- National Air and Space Intelligence Center : see document
- National and Commercial Space Programs Act : see document
- National Archives and Records Administration : see document
- National Association of Manufacturers : see document
- National Association of Water Companies : see document
- National Center for Biotechnology Information : see document
- National Centers for Biomedical Computing : see document
- National Centers of Academic Excellence in Cybersecurity : see document
- National Checklist Program : see document
- National Checklist Program Repository : see document
- A NIST-maintained repository, which is a publicly available resource that contains information on a variety of security configuration checklists for specific IT products or categories of IT products.
- National COMSEC Advisory Memorandum : see document
- National COMSEC Incident Reporting System (NCIRS) : see document
- System established by the National Security Agency (NSA) as a means of ensuring that all reported incidents are evaluated so that actions can be taken to minimize any adverse impact on national security. The NCIRS comprises the organizations within the NSS community (NSA, heads of Department or Agency, material controlling authorities, and product resource managers) responsible for the reporting and evaluation of COMSEC incidents.
- National COMSEC Information Memorandum : see document
- National COMSEC Instruction : see document
- National Coordinating Center for Communications : see document
- National Crime Information Center : see document
- National Cyber Awareness System : see document
- National Cyber Security Alliance : see document
- National Cybersecurity and Communications Integration Center : see document
- National Cybersecurity Center of Excellence : see document
- National Cybersecurity Excellence Partnership : see document
- National Defense Industrial Association : see document
- National Electric Sector Cybersecurity Resource : see document
- National Electrical Manufacturers Association : see document
- National Environmental Satellite, Data, and Information Service : see document
- National Essential Functions : see document
- National Farmers Union : see document
- National Finance Center : see document
- National Fire Protection Association : see document
- National Geodetic Survey : see document
- National Geospatial-Intelligence Agency : see document
- National Highway Traffic Safety Administration : see document
- National Identity Exchange Federation : see document
- National Incident Management System : see document
- National Industrial Security Program Operating Manual : see document
- National Information Assurance Partnership (NIAP) : see document
- A U.S. Government initiative established to promote the use of evaluated information systems products and champion the development and use of national and international standards for information technology security. NIAP was originally established as a collaboration between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) in fulfilling their respective responsibilities under P.L. 100-235 (Computer Security Act of 1987). NIST officially withdrew from the partnership in 2007, but NSA continues to manage and operate the program. The key operational component of NIAP is the Common Criteria Evaluation and Validation Scheme (CCEVS), which is the only U.S. Government-sponsored and endorsed program for conducting internationally recognized security evaluations of commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products. NIAP employs the CCEVS to provide government oversight or “validation” of U.S. Common Criteria (CC) evaluations to ensure correct conformance to the International Common Criteria for IT Security Evaluation (ISO/IEC 15408).
- national information infrastructure (NII) : see document
- Nationwide interconnection of communications networks, computers, databases, and consumer electronics that make vast amounts of information available to users. It includes both public and private networks, the internet, the public switched network, and cable, wireless, and satellite communications.
- National Infrastructure Advisory Council : see document
- National Infrastructure Protection Plan : see document
- National Initiative for Cybersecurity Education : see document
- National Institute of Justice : see document
- National Institute of Standards and Technology : see document
- National Institutes of Health : see document
- National Institutes of Health Information Technology Acquisition and Assessment Center : see document
- National Interest Determination : see document
- National Law Enforcement and Corrections Technology Center–North East : see document
- National Oceanic and Atmospheric Administration : see document
- National Online Informative References Program : see document
- National Public Safety Broadband Network : see document
- National Public Safety Telecommunications Council : see document
- National Renewable Energy Laboratory : see document
- National Science Foundation : see document
- National Security Agency : see document
- National Security Agency/Central Security Service : see document
- National Security and Emergency Preparedness : see document
- National Security Council : see document
- National Security Council’s Cyber Interagency Policy Committee : see document
- National Security Decision Directive : see document
- National Security Directive : see document
- National Security Emergency Preparedness Telecommunications Services : see document
- Telecommunications services that are used to maintain a state of readiness or to respond to and manage any event or crisis (local, national, or international) that causes or could cause injury or harm to the population, damage to or loss of property, or degrade or threaten the national security or emergency preparedness posture of the United States.
- national security information (NSI) : see document
- Information that has been determined pursuant to Executive Order 12958 as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status.
- Information that has been determined pursuant to Executive Order (E.O.) 13526 or any predecessor order to require protection against unauthorized disclosure and is marked to indicate its classified status when in documentary form.
- Information that Executive Order 13526, "Classified National Security Information," December 29, 2009 (3 CFR, 2010 Comp., p. 298), or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended, requires agencies to mark with classified markings and protect against unauthorized disclosure.
- National Security Presidential Directive : see document
- national security system (NSS) : see document
- (A) Any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency— (i) the function, operation, or use of which— (I) involves intelligence activities; (II) involves cryptologic activities related to national security; (III) involves command and control of military forces; (IV) involves equipment that is an integral part of a weapon or weapons system; or (V) subject to subparagraph (B), is critical to the direct fulfillment of military or intelligence missions; or (ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. (B) Subparagraph (A) (i) (V) does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).
- Any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency— (i) the function, operation, or use of which involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions (excluding a system that is to be used for routine administrative and business applications, for example, payroll, finance, logistics, and personnel management applications); or (ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
- (A) Any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency—
(i) the function, operation, or use of which—
(I) involves intelligence activities;
(II) involves cryptologic activities related to national security;
(III) involves command and control of military forces;
(IV) involves equipment that is an integral part of a weapon or weapons system; or
(V) subject to subparagraph (B), is critical to the direct fulfillment of military or intelligence missions; or
(ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
(B) Subparagraph (A) (i) (V) does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).
- Any system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency—(i) the function, operation, or use of which involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions (excluding a system that is to be used for routine administrative and business applications, for example, payroll, finance, logistics, and personnel management applications); or (ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
- Any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency—(i) the function, operation, or use of which involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions (excluding a system that is to be used for routine administrative and business applications, for example, payroll, finance, logistics, and personnel management applications); or (ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
- Any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency (i) the function, operation, or use of which involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions (excluding a system that is to be used for routine administrative and business applications, for example, payroll, finance, logistics, and personnel management applications); or (ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
- Any information system (including any telecommunications system) used or operated by an agency or by a contractor on behalf of an agency, or any other organization on behalf of an agency –
(i) the function, operation, or use of which: involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapon system; or is critical to the direct fulfillment of military or intelligence missions (excluding a system that is to be used for routine administrative and business applications, for example payroll, finance, logistics, and personnel management applications); or
(ii) is protected at all times by procedures established by an Executive order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
- those telecommunications and information systems operated by the U.S. Government, its contractors, or agents, that contain classified information or, as set forth in 10 U.S.C. 2315, that involves intelligence activities, involves cryptologic activities related to national security, involves command and control of military forces, involves equipment that is an integral part of a weapon or weapon system, or involves equipment that is critical to the direct fulfillment of military or intelligence missions.
- National Security Telecommunications Advisory Committee : see document
- National Security Telecommunications and Information Systems Security Advisory/Information Memorandum : see document
- National Security Telecommunications and Information Systems Security Committee : see document
- National Security Telecommunications and Information Systems Security Directive : see document
- National Security Telecommunications and Information Systems Security Instruction : see document
- National Security Telecommunications and Information Systems Security Policy : see document
- National Semiconductor Technology Center : see document
- National Software Reference Library : see document
- National Strategic Computing Initiative : see document
- National Technology Transfer and Advancement Act : see document
- National Telecommunications and Information Administration : see document
- National Telecommunications and Information Systems Security Advisory/Information Memorandum : see document
- National Telecommunications and Information Systems Security Directive : see document
- National Telecommunications and Information Systems Security Instruction : see document
- National Telecommunications and Information Systems Security Policy : see document
- National Transportation Safety Board : see document
- National Voluntary Laboratory Accreditation Program : see document
- National Vulnerability Database : see document
- The U.S. Government repository of standards-based vulnerability management data, enabling automation of vulnerability management, security measurement, and compliance (e.g., FISMA).
- The U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data informs automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics.
- National White Collar Crime Center : see document
- National Agency Check with Written Inquiries : see document
- National Criminal History Check : see document
- NATO : see document
- natural person : see document
- A real-life human being, not synthetic or artificial.
- Naval Sea Systems Command : see document
- Naval Surface Warfare Center : see document
- NAVCEN : see document
- navigation : see document
- The ability to determine a current and desired position (relative or absolute) and apply corrections to course, orientation, and speed to attain a desired position. Navigation coverage requirements could be global, from sub-surface to surface and from surface to space.
- NAVSEA : see document
- NAWC : see document
- NC : see document
- A varying value that has, at most, a negligible chance of repeating; for example, a random value that is generated anew for each use, a timestamp, a sequence number, or some combination of these.
- A time-varying value that has at most a negligible chance of repeating, for example, a random value that is generated anew for each use, a timestamp, a sequence number, or some combination of these.
- A time-varying value that has at most a negligible chance of repeating – for example, a random value that is generated anew for each use, a timestamp, a sequence number, or some combination of these.
- A time-varying value that has at most a negligible chance of repeating; for example, a random value that is generated anew for each use, a time-stamp, a sequence number, or some combination of these. It can be a secret or non-secret value.
- A value that is used only once.
- A value that is used only once within a specified context.
- A randomly generated value used to defeat “playback” attacks in communication protocols. One party randomly generates a nonce and sends it to the other party. The receiver encrypts it using the agreed upon secret key and returns it to the sender. Because the sender randomly generated the nonce, this defeats playback attacks because the replayer cannot know in advance the nonce the sender will generate. The receiver denies connections that do not have the correctly encrypted nonce.
- A time-varying value that has at most an acceptably small chance of repeating. For example, the nonce may be a random value that is generated anew for each use, a timestamp, a sequence number, or some combination of these.
- A value used in security protocols that is never repeated with the same key. For example, nonces used as challenges in challenge-response authentication protocols SHALL not be repeated until authentication keys are changed. Otherwise, there is a possibility of a replay attack. Using a nonce as a challenge is a different requirement than a random challenge, because a nonce is not necessarily unpredictable.
- A time-varying value that has at most a negligible chance of repeating, e.g., a random value that is generated anew for each use, a timestamp, a sequence number, or some combination of these.
- A time-varying value that has an acceptably small chance of repeating. For example, a nonce is a random value that is generated anew for each use, a timestamp, a sequence number, or some combination of these.
- A time-varying value that has (at most) an acceptably small chance of repeating. For example, the nonce may be a random value that is generated anew for each use, a timestamp, a sequence number, or some combination of these.
- A time-varying value that has, at most, an acceptably small chance of repeating. For example, a nonce is a random value that is generated anew for each use, a timestamp, a sequence number, or some combination of these.
- A value used in security protocols that is never repeated with the same key. For example, nonces used as challenges in challenge-response authentication protocols must not be repeated until authentication keys are changed. Otherwise, there is a possibility of a replay attack. Using a nonce as a challenge is a different requirement than a random challenge, because a nonce is not necessarily unpredictable.
- NCAS : see document
- NCBC : see document
- NCBI : see document
- NCC : see document
- NCC FSWG : see document
- NCCIC : see document
- NCCoE : see document
- NCCP : see document
- NCEP : see document
- NCES : see document
- NCF : see document
- NCHC : see document
- NCIC : see document
- NCIRS : see document
- NCP : see document
- NCSA : see document
- NCSPA : see document
- ND : see document
- NDA : see document
- NDAC : see document
- See mandatory access control (MAC).
- NDI : see document
- NDIA : see document
- NDMP : see document
- NDS/IP : see document
- NEA : see document
- Near Field Communication (NFC) : see document
- A form of contactless, close proximity, radio communications based on radio-frequency identification (RFID) technology.
- NECST : see document
- needs assessment : see document
- The process of identifying gaps in learning and the needs of learning activities.
- need-to-know : see document
- A determination within the executive branch in accordance with directives issued pursuant to this order that a prospective recipient requires access to specific classified information in order to perform or assist in a lawful and authorized governmental function.
- Decision made by an authorized holder of official information that a prospective recipient requires access to specific official information to carry out official duties.
- NEF : see document
- Negative Acknowledgement : see document
- negative risk : see document
- Any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service.
- Potential cause of unacceptable asset loss and the undesirable consequences or impact of such a loss.
- Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or the Nation through a system via unauthorized access, destruction, disclosure, modification of information, or denial of service.
- Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service; the potential for a threat source to successfully exploit a particular information system vulnerability.
- Any circumstance or event with the potential to adversely impact agency operations (including safety, mission, functions, image, or reputation), agency assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
- Any circumstance or event with the potential to adversely impact organizational operations.
- Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service.
- Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
- Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or the Nation through a system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
- The potential for a “threat source” (defined below) to exploit (intentional) or trigger (accidental) a specific vulnerability.
- potential cause of an unwanted incident, which may result in harm to a system or organization
- Any circumstance or event with the potential to harm an information system through unauthorized access, destruction, disclosure, modification of data, and/or denial of service. Threats arise from human actions and natural events.
- An event or condition that has the potential for causing asset loss and the undesirable consequences or impact from such loss.
Note: The specific causes of asset loss, and for which the consequences of asset loss are assessed, can arise from a variety of conditions and events related to adversity, typically referred to as disruptions, hazards, or threats. Regardless of the specific term used, the basis of asset loss constitutes all forms of intentional, unintentional, accidental, incidental, misuse, abuse, error, weakness, defect, fault, and/or failure events and associated conditions.
- nei : see document
- Neighbor Discovery : see document
- neighboring datasets : see document
- The definition of neighboring datasets is a parameter to the differential privacy framework. In many contexts, two databases are considered neighbors if they differ in the data of one individual.
- NEMA : see document
- NERC : see document
- NERC CIP : see document
- NESAG : see document
- NESCOR : see document
- NESDIS : see document
- Nessus Network Monitor : see document
- NetBEUI : see document
- NetBIOS : see document
- NetBIOS Extended User Interface : see document
- NetCentric Enterprise Services : see document
- NETCONF : see document
- Netscape Server Application Programming Interface : see document
- network : see document
- An open communications medium, typically the internet, used to transport messages between the claimant and other parties. Unless otherwise stated, networks are assumed to be open and subject to active (e.g., impersonation, session hijacking) and passive (e.g., eavesdropping) attacks at any point between the parties (e.g., claimant, verifier, CSP, RP).
- Information system(s) implemented with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices.
- A system implemented with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices.
- An open communications medium, typically the Internet, used to transport messages between the claimant and other parties. Unless otherwise stated, no assumptions are made about the network’s security; it is assumed to be open and subject to active (e.g., impersonation, man-in-the-middle, session hijacking) and passive (e.g., eavesdropping) attack at any point between the parties (e.g., claimant, verifier, CSP, RP).
- A system implemented with a collection of connected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices.
- An information system(s) implemented with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices.
- An open communications medium, typically the Internet, that is used to transport messages between the Claimant and other parties. Unless otherwise stated, no assumptions are made about the security of the network; it is assumed to be open and subject to active (i.e., impersonation, man-in-the-middle, session hijacking) and passive (i.e., eavesdropping) attack at any point between the parties (e.g., Claimant, Verifier, CSP or RP).
- network access : see document
- Access to a system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, the internet).
- Access to an organizational information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).
- Access to a system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).
- Access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).
- Access to a system by a user (or a process acting on behalf of a user) communicating through a network (e.g., a local area network, a wide area network, and Internet).
- Access to a system by a user (or a process acting on behalf of a user) communicating through a network, including a local area network, a wide area network, and the Internet.
- any access across a network connection in lieu of local access (i.e., user being physically present at the device).
- Network Access Control (NAC) : see document
- A feature provided by some firewalls that allows access based on a user’s credentials and the results of health checks performed on the telework client device.
- Network Access Protection : see document
- Network Access Server : see document
- Network Address Port Translation : see document
- Network Address Translation (NAT) : see document
- A routing technology used by many firewalls to hide internal system addresses from an external network through use of an addressing schema.
- A mechanism for mapping addresses on one network to addresses on another network, typically private addresses to public addresses.
- The process of mapping addresses on one network to addresses on another network.
- A function by which internet protocol addresses within a packet are replaced with different IP addresses. This function is most commonly performed by either routers or firewalls. It enables private IP networks that use unregistered IP addresses to connect to the internet. NAT operates on a router, usually connecting two networks together, and translates the private (not globally unique) addresses in the internal network into legal addresses before packets are forwarded to another network.
- A function by which internet protocol (IP) addresses within a packet are replaced with different IP addresses. This function is most commonly performed by either routers or firewalls. It enables private IP networks that use unregistered IP addresses to connect to the internet. NAT operates on a router, usually connecting two networks together, and translates the private (not globally unique) addresses in the internal network into legal addresses before packets are forwarded to another network.
- Network Address Translator : see document
- Network Administrator : see document
- A person who manages a local area network (LAN) within an organization. Responsibilities include ensuring network security, installing new applications, distributing software upgrades, monitoring daily activity, enforcing licensing agreements, developing a storage management program, and providing for routine backups.
- A person who manages a network within an organization. Responsibilities include network security, installing new applications, distributing software upgrades, monitoring daily activity, enforcing licensing agreements, developing a storage management program, and providing for routine backups.
- network as a service : see document
- Network Basic Input/Output System : see document
- network configuration feature : see document
- Network Configuration Protocol : see document
- Network Data Management Protocol : see document
- network defense : see document
- Programs, activities, and the use of tools necessary to facilitate them (including those governed by NSPD-54/HSPD-23 and NSD-42) conducted on a computer, network, or information or communications system by the owner or with the consent of the owner and, as appropriate, the users for the primary purpose of protecting (1) that computer, network, or system; (2) data stored on, processed on, or transiting that computer, network, or system; or (3) physical and virtual infrastructure controlled by that computer, network, or system. Network defense does not involve or require accessing or conducting activities on computers, networks, or information or communications systems without authorization from the owners or exceeding access authorized by the owners.
- Network Discovery : see document
- The process of discovering active and responding hosts on a network, identifying weaknesses, and learning how the network operates.
- Network Domain Security / Internet Protocol : see document
- Network Endpoint Assessment : see document
- Network Equipment Security Assurance Group : see document
- Network Extension : see document
- A method of providing partial or complete network access to remote users.
- Network File Share : see document
- Network File Sharing : see document
- Network File System : see document
- Network Forensic Analysis Tool : see document
- Network Function Virtualization : see document
- Network Functions Virtualization : see document
- Network Information System : see document
- network interconnection : see document
- A physical or virtual communications link between two or more networks operated by different organizations or operated within the same organization but within different authorization boundaries.
- Network Interface : see document
- An interface that connects an IoT device to a network (e.g., Ethernet, Wi-Fi, Bluetooth, Long-Term Evolution [LTE], Zigbee, Ultra-Wideband [UWB]).
- An interface that connects the IoT device to a network.
- Network Interface Capability : see document
- The ability to interface with a communication network for the purpose of communicating data to or from an IoT device. A network interface capability allows a device to be connected to and use a communication network. Every IoT device has at least one network interface capability and may have more than one.
- Network Interface Controller : see document
- Network Intrusion Detection System : see document
- Software that performs packet sniffing and network traffic analysis to identify suspicious activity and record relevant information.
- Network Layer : see document
- Layer of the TCP/IP protocol stack that is responsible for routing packets across networks.
- Network Layer Routing Information (synonymous with prefix) : see document
- Network Layer Security : see document
- Protecting network communications at the layer of the TCP/IP model that is responsible for routing packets across networks.
- Protecting network communications at the layer of the IP model that is responsible for routing packets across networks.
- network map : see document
- A representation of the internal network topologies and components down to the host/device level to include but not limited to: connection, sub-network, enclave, and host information.
- network mapping : see document
- A process that discovers, collects, and displays the physical and logical information required to produce a network map.
- Network of Things : see document
- Network Policy Server : see document
- network resilience : see document
- A computing infrastructure that provides continuous business operation (i.e., highly resistant to disruption and able to operate in a degraded mode if damaged), rapid recovery if failure does occur, and the ability to scale to meet rapid or unpredictable demands.
- Network Service Provider : see document
- Network Sniffing : see document
- A passive technique that monitors network communication, decodes protocols, and examines headers and payloads for information of interest. It is both a review technique and a target identification and analysis technique.
- Network Time Protocol : see document
- Network Time Protocol Version 4 : see document
- Network Traffic : see document
- Computer network communications that are carried over wired or wireless networks between hosts.
- Network Trust Link : see document
- Network Trust Link Service : see document
- Network Virtualization Overlay : see document
- Network-Attached Storage : see document
- network-based intrusion detection and prevention system : see document
- An intrusion detection and prevention system that monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify and stop suspicious activity.
- Networking and Information Technology Research and Development : see document
- Network-on-Chip : see document
- New features, Efficiency, Compatibility, Security and Technical reason : see document
- New Technologies Inc. : see document
- New Technology File System : see document
- Next Generation Access Control : see document
- Next Generation Access Control Functional Architecture : see document
- Next Generation Access Control Generic Operations and Abstract Data Structures : see document
- Next Generation Access Control-Implementation Requirements, Protocols and API Definitions : see document
- Next Generation Firewall : see document
- Next Hop : see document
- Next Secure : see document
- Next Unit of Computing : see document
- Next-generation Database Access Control : see document
- Next-Generation Sequencing : see document
- NFAT : see document
- NFC : see document
- NFIQ : see document
- NIST Fingerprint Image Quality – an automated algorithm for quantifying good fingerprint images; available as open-source.
- NFPA : see document
- NFS : see document
- NFSR : see document
- NFT : see document
- An owned, transferable, and indivisible data record that is a digital representation of a physical or virtual linked asset. The data record is created and managed by a smart contract on a blockchain.
- NFU : see document
- NFV : see document
- NGA : see document
- NGAC : see document
- NGAC-FA : see document
- NGAC-GOADS : see document
- NGAC-IRPADS : see document
- NGFW : see document
- NGS : see document
- NH : see document
- NHTSA : see document
- NIAC : see document
- NIAP : see document
- NIC : see document
- NICE : see document
- niche cross domain solution (CDS) : see document
- Cross domain solution that may (1) serve a specific narrow purpose, or (2) be built on very specialized hardware, or (3) be used in a special access program, and not appropriate for broader deployment.
- NID : see document
- NIDS : see document
- Software that performs packet sniffing and network traffic analysis to identify suspicious activity and record relevant information.
- NIEF : see document
- NIH : see document
- NII : see document
- NIJ : see document
- NIMS : see document
- NIPP : see document
- NIS : see document
- NISPOM : see document
- NIST : see document
- NIST Checklist Repository : see document
- The website that maintains the checklists, the descriptions of the checklists, and other information regarding the National Checklist Program. Also known as the repository. https://checklists.nist.gov
- NIST Cloud Computing Forensic Science Working Group : see document
- NIST Cloud Computing Program : see document
- NIST Cybersecurity Framework Core : see document
- NIST Framework for Improving Critical Infrastructure Cybersecurity : see document
- NIST Interagency or Internal Report : see document
- NIST IR : see document
- NIST Personal Identity Verification Program : see document
- NIST Risk Management Framework : see document
- NIST SP : see document
- NIST Special Publication : see document
- Include proceedings of conferences sponsored by NIST, NIST annual reports, and other special publications appropriate to this grouping such as wall charts, pocket cards, and bibliographies.
- A type of publication issued by NIST. Specifically, the SP 800-series reports on the Information Technology Laboratory’s research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.
- A type of publication issued by NIST. Specifically, the Special Publication 800-series reports on the Information Technology Laboratory's research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations. The 1800 series reports the results of NCCoE demonstration projects.
- A type of publication issued by NIST. Specifically, the Special Publication 800-series reports on the Information Technology Laboratory's research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations. The 1800 series reports the results of National Cybersecurity Center of Excellence demonstration projects.
- A type of publication issued by NIST. Specifically, the Special Publication 800-series reports on the Information Technology Laboratory's research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.
- NIST Special Publication 800 series document : see document
- NIST standard : see document
- Federal Information Processing Standard (FIPS) or Special Publication (SP).
- NIST standards : see document
- Federal Information Processing Standards (FIPS) and NIST Recommendations.
- NIST-allowed : see document
- Specified in a list of allowed security functions (e.g., in an annex to [FIPS 140]).
- NIST-approved : see document
- FIPS-approved or NIST-Recommended.
- NITAAC : see document
- NITRD : see document
- NLECTC-NE : see document
- NLP : see document
- Statements governing management and access of enterprise objects. NLPs are human expressions that can be translated to machine-enforceable access control policies.
- NLRI : see document
- NLZ : see document
- NNAS : see document
- NNM : see document
- NOAA : see document
- NoC : see document
- Node : see document
- An individual system within the blockchain network.
- NOFORN : see document
- noise injection : see document
- A de-identification technique that modifies a dataset by adding random values to the values of a selected attribute.
- Nok Nok Authentication Server : see document
- no-lone zone (NLZ) : see document
- An area, room, or space that, when staffed, must be occupied by two or more appropriately cleared individuals who remain within sight of each other. See two-person integrity (TPI).
- nominal frequency : see document
- An ideal frequency with zero uncertainty. The nominal frequency is the frequency labeled on an oscillator’s output. For this reason, it is sometimes called the nameplate frequency. For example, an oscillator whose nameplate or label reads 5 MHz has a nominal frequency of 5 MHz. The difference between the nominal frequency and the actual output frequency of the oscillator is the frequency offset.
- Non Volatile Memory express : see document
- Non-Access Stratum : see document
- non-adversarial threat : see document
- A threat associated with accident or human error, structural failure, or environmental causes.
- A threat associated with accident or human error, structural failure, or environmental causes. Note: See Appendix D of [SP 800-30].
- Non-assurance message : see document
- A signed message that does not contain all information required for an assurance message.
- Non-Automated Checklist : see document
- A checklist that is designed to be used manually, such as English prose instructions that describe the steps an administrator should take to secure a system or to verify its security settings.
- nonce : see document
- A time-varying value that has – at most – a negligible chance of repeating; for example, a random value that is generated anew for each use, a timestamp, a sequence number, or some combination of these.
- A varying value that has, at most, a negligible chance of repeating; for example, a random value that is generated anew for each use, a timestamp, a sequence number, or some combination of these.
- A value that is only used once.
- A value used in security protocols that is never repeated with the same key. For example, nonces used as challenges in challenge-response authentication protocols must not be repeated until authentication keys are changed. Otherwise, there is a possibility of a replay attack. Using a nonce as a challenge is a different requirement than a random challenge because a nonce is not necessarily unpredictable.
- A random or non-repeating value that is included in data exchanged by a protocol, usually for the purpose of guaranteeing the transmittal of live data rather than replayed data, thus detecting and protecting against replay attacks.
- A time-varying value that has at most a negligible chance of repeating, for example, a random value that is generated anew for each use, a timestamp, a sequence number, or some combination of these.
- A time-varying value that has at most a negligible chance of repeating – for example, a random value that is generated anew for each use, a timestamp, a sequence number, or some combination of these.
- A time-varying value that has at most a negligible chance of repeating; for example, a random value that is generated anew for each use, a time-stamp, a sequence number, or some combination of these. It can be a secret or non-secret value.
- A value that is used only once.
- A value that is used only once within a specified context.
- A randomly generated value used to defeat “playback” attacks in communication protocols. One party randomly generates a nonce and sends it to the other party. The receiver encrypts it using the agreed upon secret key and returns it to the sender. Because the sender randomly generated the nonce, this defeats playback attacks because the replayer cannot know in advance the nonce the sender will generate. The receiver denies connections that do not have the correctly encrypted nonce.
- A time-varying value that has at most an acceptably small chance of repeating. For example, the nonce may be a random value that is generated anew for each use, a timestamp, a sequence number, or some combination of these.
- A value used in security protocols that is never repeated with the same key. For example, nonces used as challenges in challenge-response authentication protocols SHALL not be repeated until authentication keys are changed. Otherwise, there is a possibility of a replay attack. Using a nonce as a challenge is a different requirement than a random challenge, because a nonce is not necessarily unpredictable.
- A time-varying value that has at most a negligible chance of repeating, e.g., a random value that is generated anew for each use, a timestamp, a sequence number, or some combination of these.
- A time-varying value that has an acceptably small chance of repeating. For example, a nonce is a random value that is generated anew for each use, a timestamp, a sequence number, or some combination of these.
- A time-varying value that has (at most) an acceptably small chance of repeating. For example, the nonce may be a random value that is generated anew for each use, a timestamp, a sequence number, or some combination of these.
- A value used in security protocols that is never repeated with the same key. For example, nonces used as challenges in challenge-response authentication protocols are not repeated until the authentication keys are changed. Otherwise, there is a possibility of a replay attack.
- A time-varying value that has, at most, an acceptably small chance of repeating. For example, a nonce is a random value that is generated anew for each use, a timestamp, a sequence number, or some combination of these.
- A value used in security protocols that is never repeated with the same key. For example, nonces used as challenges in challenge-response authentication protocols must not be repeated until authentication keys are changed. Otherwise, there is a possibility of a replay attack. Using a nonce as a challenge is a different requirement than a random challenge, because a nonce is not necessarily unpredictable.
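The definitions above describe the two properties a practitioner has to get right: a challenge nonce is never accepted twice under the same key, and it need not be unpredictable to do its job. The following is an added example, not text or code from the glossary or any of the publications it draws on. It uses an HMAC keyed with the shared secret as the prover's response (an assumed realization; the "playback" definition above has the receiver encrypt the nonce, which serves the same purpose), a random 128-bit nonce by default, and a pluggable nonce source so a counter can be substituted. All keys and values are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets


def respond(key: bytes, nonce: bytes) -> bytes:
    """Prover's side: prove possession of the shared key for this challenge."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class Verifier:
    """Issues challenge nonces and accepts each one at most once per key."""

    def __init__(self, key: bytes, nonce_source=None):
        self._key = key
        self._pending = set()    # issued, not yet answered
        self._consumed = set()   # answered: any further use is a replay
        # default: a fresh random 128-bit nonce per challenge
        self._next_nonce = nonce_source or (lambda: secrets.token_bytes(16))

    def challenge(self) -> bytes:
        nonce = self._next_nonce()
        if nonce in self._pending or nonce in self._consumed:
            # a nonce repeated under the same key is exactly the failure mode
            # the definitions warn about; refuse rather than reuse it
            raise RuntimeError("nonce repeated under current key; rekey first")
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._pending:
            return False          # never issued, or already consumed (replay)
        self._pending.discard(nonce)
        self._consumed.add(nonce)
        expected = respond(self._key, nonce)
        return hmac.compare_digest(expected, response)  # constant-time compare

    def rekey(self, new_key: bytes) -> None:
        """Changing the key resets the replay list: old nonces may appear again."""
        self._key = new_key
        self._pending.clear()
        self._consumed.clear()


def counter_nonces(start: int = 0):
    """Predictable but never repeating within one key: still a valid nonce source."""
    state = {"n": start}

    def next_nonce() -> bytes:
        state["n"] += 1
        return state["n"].to_bytes(8, "big")

    return next_nonce


def replay_demo() -> dict:
    """Record a genuine exchange, replay it, then reuse it against a new challenge."""
    key = b"constructed-demo-key"  # constructed sample key, not a real secret
    v = Verifier(key)
    c1 = v.challenge()
    r1 = respond(key, c1)
    first = v.verify(c1, r1)       # genuine exchange: accepted
    replayed = v.verify(c1, r1)    # same pair again: nonce consumed, rejected
    c2 = v.challenge()
    forged = v.verify(c2, r1)      # recorded response does not fit a new nonce
    return {"first": first, "replayed": replayed, "forged": forged}


def counter_demo() -> list:
    """Sequence numbers work as challenges even though an attacker can guess them."""
    key = b"constructed-demo-key"
    v = Verifier(key, nonce_source=counter_nonces())
    return [v.verify(c, respond(key, c)) for c in [v.challenge() for _ in range(3)]]


def reuse_detected() -> bool:
    """A broken nonce source that repeats a value is caught before a second use."""
    v = Verifier(b"constructed-demo-key", nonce_source=lambda: b"\x00" * 8)
    v.challenge()
    try:
        v.challenge()
    except RuntimeError:
        return True
    return False
```

The counter variant shows why "nonce" and "random challenge" are different requirements: a counter is never repeated, so a recorded response is useless against the verifier, but it is predictable, so an attacker who can pose as the verifier to the genuine prover could collect the answer to a future challenge ahead of time. The random default closes that gap; the replay list must in either case be cleared only when the key changes.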
- Nonce Misuse-Resistant AE : see document
- Nonce-based AE : see document
- Non-component : see document
- Non-Custodial : see document
- Refers to an application or process that does not require users to relinquish any control over their data or private keys.
- non-deterministic noise : see document
- A random value that cannot be predicted.
- Non-Developmental Items : see document
- non-disclosure agreement : see document
- Delineates specific information, materials, or knowledge that the signatories agree not to release or divulge to any other parties.
- non-discretionary access control : see document
- A means of restricting access to objects based on the sensitivity (as represented by a security label) of the information contained in the objects and the formal authorization (i.e., clearance, formal access approvals, and need-to-know) of subjects to access information of such sensitivity. Mandatory Access Control is a type of nondiscretionary access control.
- An access control policy that is uniformly enforced across all subjects and objects within the boundary of an information system. A subject that has been granted access to information is constrained from doing any of the following: (i) passing the information to unauthorized subjects or objects; (ii) granting its privileges to other subjects; (iii) changing one or more security attributes on subjects, objects, the information system, or system components; (iv) choosing the security attributes to be associated with newly-created or modified objects; or (v) changing the rules governing access control. Organization-defined subjects may explicitly be granted organization-defined privileges (i.e., they are trusted subjects) such that they are not limited by some or all of the above constraints.
- See mandatory access control (MAC).
- A means of restricting access to system resources based on the sensitivity (as represented by a label) of the information contained in the system resource and the formal authorization (i.e., clearance) of users to access information of such sensitivity.
- See Mandatory Access Control.
- nonfederal organization : see document
- An entity that owns, operates, or maintains a nonfederal system.
- nonfederal system : see document
- A system that does not meet the criteria for a federal system.
- Nonfungible : see document
- Refers to something that is uniquely identifiable (i.e., not replaceable or interchangeable).
- non-fungible token : see document
- An owned, transferable, and indivisible data record that is a digital representation of a physical or virtual linked asset. The data record is created and managed by a smart contract on a blockchain.
- non-ignorable bias : see document
- In the context of de-identification, a bias that results from the suppression or redaction of data based on the value of the suppressed data.
- Non-linear Feedback Shift Register : see document
- Non-local Connection : see document
- A connection to the manufacturing system that affords the user access to system resources and system functionality while the user is not physically present.
- nonlocal maintenance : see document
- Maintenance activities conducted by individuals communicating through an external network (e.g., the internet) or an internal network.
- Maintenance activities conducted by individuals communicating through a network; either an external network (e.g., the Internet) or an internal network.
- Maintenance activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network.
- Maintenance activities conducted by individuals who communicate through either an internal or external network.
- Non-MUD-Capable : see document
- An IoT device that is not capable of emitting a MUD URL in compliance with the MUD specification.
- non-organizational user : see document
- A user who is not an organizational user (including public users).
- Non-Owner : see document
- An OLIR produced by anyone other than the owner of the Reference Document.
- An Informative Reference produced by anyone who is NOT the owner of the Reference Document.
- non-person entity (NPE) : see document
- An entity with a digital identity that acts in cyberspace, but is not a human actor. This can include organizations, hardware devices, software applications, and information artifacts.
- Non-Public Personal Information : see document
- Information about a person that is not publicly known; called “private information” in some other publications.
- non-repudiation : see document
- A service that is used to provide assurance of the integrity and origin of data in such a way that the integrity and origin can be verified and validated by a third party as having originated from a specific entity in possession of the private key (i.e., the signatory).
- The capability to protect against an individual falsely denying having performed a particular transaction.
- Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information.
- Assurance the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the data.
- Protection against an individual falsely denying having performed a particular action. Provides the capability to determine whether a given individual took a particular action such as creating information, sending a message, approving information, and receiving a message.
- A service that may be afforded by the appropriate application of a digital signature. Non-repudiation refers to the assurance that the owner of a signature key pair that was capable of generating an existing signature corresponding to certain data cannot convincingly deny having signed the data.
- A service using a digital signature that is used to support a determination of whether a message was actually signed by a given entity.
- In a general information security context, assurance that the sender of information is provided with proof of delivery, and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the information.
- A service that is used to provide assurance of the integrity and origin of data in such a way that the integrity and origin can be verified by a third party as having originated from a specific entity in possession of the private key of the claimed signatory. In a general information security context, assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information.
- A service using a digital signature that is used to support a determination by a third party of whether a message was actually signed by a given entity.
- Protection against an individual who falsely denies having performed a certain action and provides the capability to determine whether an individual took a certain action, such as creating information, sending a message, approving information, or receiving a message.
- The inability to deny responsibility for performing a specific act.
- A service that is used to provide assurance of the integrity and origin of data in such a way that the integrity and origin can be verified by a third party as having originated from a specific entity in possession of the private key of the claimed signatory.
- Non-Secure World : see document
- Non-Technical Supporting Capability : see document
- Non-technical supporting capabilities are actions an organization performs in support of the cybersecurity of an IoT device.
- Non-technical supporting capabilities are actions an organization performs in support of the cybersecurity of a product.
- Non-Technical Supporting Capability Core Baseline : see document
- The non-technical supporting capability core baseline is a set of non-technical supporting capabilities generally needed from manufacturers or other third parties to support common cybersecurity controls that protect an organization’s devices as well as device data, systems, and ecosystems.
- Non-Technology-Based Input Product : see document
- Manufactured component parts or materials used in the organization's manufacturing process that do not incorporate information technology and are provided by third parties.
- Non-Uniform Memory Access : see document
- Nonvalidating DNSSEC-Aware Stub Resolver : see document
- A DNSSEC-aware stub resolver that trusts one or more DNSSEC-aware recursive name servers to perform most of the tasks discussed in this document set on its behalf. In particular, a nonvalidating DNSSEC-aware stub resolver is an entity that sends DNS queries, receives DNS responses, and is capable of establishing an appropriately secured channel to a DNSSEC-aware recursive name server that will provide these services on behalf of the DNSSEC-aware stub resolver. See also “DNSSEC-aware stub resolver” and “validating DNSSEC-aware stub resolver.”
- Non-vendor-directed : see document
- This term is used to indicate that any sample chosen for testing is selected by the testing laboratory without the input or knowledge of the product vendor.
- Non-Volatile Data : see document
- Data that persists even after a computer is powered down.
- Non-Volatile Dual In-Line Memory Module : see document
- Non-Volatile Random-Access Memory : see document
- Normal (Gaussian) Distribution : see document
- A continuous distribution whose density function is given by $f(x;\mu,\sigma) = \frac{1}{\sqrt{2\pi\sigma^2}}\, e^{-\frac{1}{2}\left(\frac{x-\mu}{\sigma}\right)^2}$, where μ and σ are location and scale parameters.
- Normal Operation : see document
- The process of using a system.
- Normal World : see document
- Normalization : see document
- The conversion of information into consistent representations and categorization.
- Converting each log data field to a particular data representation and categorizing it consistently.
- The conversion of information into consistent representations and categorizations.
- Normalization Form Canonical Composition : see document
- Normalization strategy : see document
- The similarity function can follow one of two normalization strategies, depending on whether the algorithm measures resemblance or containment. For resemblance queries, the number of matching features is weighed against the total number of features in both objects. For containment queries, the algorithm may disregard the unmatched features of the larger of the two objects' feature sets.
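The two normalization strategies give very different answers for the same pair of objects, which is the point of choosing one. The example below is added here and is not code from the glossary or from any approximate-matching tool; it assumes a deliberately simple feature extractor (the set of all 4-byte substrings) so that the two normalizations can be compared on constructed inputs. Real approximate-matching algorithms choose features more carefully, but the normalization step is the same.

```python
def byte_ngrams(data: bytes, n: int = 4) -> set:
    """Feature extraction (assumed for this example): every n-byte substring."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def resemblance(a: set, b: set) -> float:
    """Matches weighed against the features of both objects (Jaccard index)."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def containment(a: set, b: set) -> float:
    """Matches weighed against the smaller feature set only; the larger
    object's unmatched features are disregarded."""
    smaller = a if len(a) <= len(b) else b
    return len(a & b) / len(smaller) if smaller else 1.0


def compare(obj_a: bytes, obj_b: bytes, n: int = 4) -> dict:
    fa, fb = byte_ngrams(obj_a, n), byte_ngrams(obj_b, n)
    return {"resemblance": resemblance(fa, fb), "containment": containment(fa, fb)}


# Constructed sample objects: a short fragment, a larger file that embeds it,
# and a near-identical copy of that file with one byte changed.
FRAGMENT = b"BEGIN SECRET CONFIG token=abc123 END"
FILLER = bytes(range(256)) * 2
CONTAINER = FILLER + FRAGMENT + FILLER
EDITED = CONTAINER.replace(b"abc123", b"abc124")


def fragment_in_container() -> dict:
    """Containment query: is the fragment inside the larger file?"""
    return compare(FRAGMENT, CONTAINER)


def near_duplicate_files() -> dict:
    """Resemblance query: are two whole files mostly the same object?"""
    return compare(CONTAINER, EDITED)
```

For the embedded fragment, containment is exactly 1.0 (every fragment feature occurs in the larger file) while resemblance is low, because the larger file's many unmatched features sit in the denominator. For the two near-identical files both scores are high. A tool that reports only resemblance would miss the fragment; one that reports only containment would score any tiny common substring as a strong match, so the choice of strategy must follow the question being asked.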
- Normalize : see document
- The process by which differently formatted data is converted into a standardized format and labeled consistently.
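The "Normalization" and "Normalize" entries describe converting each log field to one representation and labelling events consistently. The following added example (not code from the glossary or from any log-management product) does that for two constructed log lines in different native formats, an sshd failure in syslog layout and an Apache access-log entry, and maps both onto one schema: an ISO 8601 UTC timestamp, a category, an outcome, and a source address under the same field names. The year assumed for the syslog line and the field names of the common schema are choices made for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines, not real traffic.
SAMPLE_LINES = [
    "Oct 10 13:55:36 host1 sshd[1234]: Failed password for invalid user admin "
    "from 203.0.113.5 port 4242 ssh2",
    '198.51.100.7 - - [10/Oct/2024:13:55:40 +0200] "GET /admin HTTP/1.1" 403 199',
    "garbage that matches no parser",
]

SSHD_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
APACHE_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3})"
)


def normalize_sshd(line: str, year: int = 2024):
    m = SSHD_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry neither year nor zone; both are assumed here.
    ts = datetime.strptime(
        f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    ).replace(tzinfo=timezone.utc)
    return {
        "timestamp": ts.isoformat(),
        "source": "sshd",
        "category": "authentication",
        "outcome": "failure",
        "src_ip": m["ip"],
        "user": m["user"],
        "host": m["host"],
    }


def normalize_apache(line: str):
    m = APACHE_RE.match(line)
    if not m:
        return None
    # Access-log timestamps carry a zone offset: convert to UTC, same as above.
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    status = int(m["status"])
    return {
        "timestamp": ts.isoformat(),
        "source": "apache",
        "category": "web_request",
        "outcome": "failure" if status >= 400 else "success",
        "src_ip": m["ip"],
        "user": None,
        "host": None,
        "status": status,
        "path": m["path"],
    }


PARSERS = (normalize_sshd, normalize_apache)


def normalize(line: str) -> dict:
    """Try each format-specific parser; keep unparsed lines rather than dropping them."""
    for parser in PARSERS:
        event = parser(line)
        if event is not None:
            return event
    return {"source": "unknown", "category": "unparsed", "raw": line}


def normalize_all(lines) -> list:
    return [normalize(line) for line in lines]
```

Once both sources share `timestamp`, `src_ip`, and `outcome`, a single rule such as "more than N failures from one address in a minute" can run across them; the unparsed record is kept so that a parser gap shows up as a category count rather than as silently missing data.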
- North American Electric Reliability Corporation : see document
- North American Electric Reliability Corporation Critical Infrastructure Protection : see document
- North American Energy Standards Board : see document
- North American Network Operators Group : see document
- North Atlantic Treaty Organization : see document
- North/South : see document
- NoSQL : see document
- NoT : see document
- Not Applicable : see document
- Not Releasable to Foreign Nationals : see document
- NOTAM : see document
- Notary : see document
- A trusted entity that submits transactions across blockchains on behalf of users, often with respect to tokens the users have previously locked up.
- Notice Advisory to NAVSTAR Users : see document
- Notices to Air Missions : see document
- NPE : see document
- NPIVP : see document
- NPPI : see document
- Information about a person that is not publicly known; called “private information” in some other publications.
- NPS : see document
- NPSBN : see document
- NPSTC : see document
- NRBG : see document
- NRC : see document
- NREL : see document
- NS : see document
- NS/EP : see document
- NSA : see document
- NSA/CSS : see document
- NSA/CSS Technical Cyber Threat Framework : see document
- NSA-approved commercial solution : see document
- The combination of multiple commercial-off-the-shelf (COTS) information assurance (IA) products in a layered configuration that satisfies the security requirements of an operational use case, when properly implemented in accordance with NSA-approved requirements and standards.
- NSA-approved cryptography : see document
- Cryptography that consists of: (i) an approved algorithm; (ii) an implementation that has been approved for the protection of classified information in a particular environment; and (iii) a supporting key management infrastructure.
- Cryptography that consists of: (i) an approved algorithm; (ii) an implementation that has been approved for the protection of classified information and/or controlled unclassified information in a particular environment; and (iii) a supporting key management infrastructure.
- Cryptography that consists of an approved algorithm, an implementation that has been approved for the protection of classified information and/or controlled unclassified information in a specific environment, and a supporting key management infrastructure.
- NSA-approved product : see document
- Cryptographic equipment, assembly or component classified or certified by the National Security Agency (NSA) for encrypting and decrypting classified national security information and sensitive information when appropriately keyed. Developed using established NSA business processes and containing NSA approved algorithms.
- NSAPI : see document
- NSC : see document
- NSC’s Cyber IPC : see document
- NSCI : see document
- NSD : see document
- NSDD : see document
- NSEC : see document
- NSEC3 : see document
- NSF : see document
- NSI : see document
- Information that has been determined pursuant to Executive Order 12958 as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status.
- NSP : see document
- NSPD : see document
- NSRL : see document
- NSS : see document
- Any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency—(i) the function, operation, or use of which involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions (excluding a system that is to be used for routine administrative and business applications, for example, payroll, finance, logistics, and personnel management applications); or (ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
- Any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency— (i) the function, operation, or use of which involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions (excluding a system that is to be used for routine administrative and business applications, for example, payroll, finance, logistics, and personnel management applications); or (ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
- Any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency (i) the function, operation, or use of which involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions (excluding a system that is to be used for routine administrative and business applications, for example, payroll, finance, logistics, and personnel management applications); or (ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
- Any information system (including any telecommunications system) used or operated by an agency or by a contractor on behalf of an agency, or any other organization on behalf of an agency –
(i) the function, operation, or use of which: involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapon system; or is critical to the direct fulfillment of military or intelligence missions (excluding a system that is to be used for routine administrative and business applications, for example payroll, finance, logistics, and personnel management applications); or
(ii) is protected at all times by procedures established by an Executive order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
- NSS baselines : see document
- The combination of NIST SP 800-53 baselines (represented by an “X”) and the additional NIST SP 800-53 security controls required for National Security System (NSS) (represented by a “+”) that are applicable to NSS.
- NSTAC : see document
- NSTC : see document
- NSTISSAM : see document
- NSTISSC : see document
- NSTISSD : see document
- NSTISSI : see document
- NSTISSP : see document
- NSWC : see document
- NSX for vSphere : see document
- NSX-V : see document
- NT File System : see document
- NTCTF : see document
- NTFS : see document
- NTI : see document
- NTIA : see document
- NTISSAM : see document
- NTISSD : see document
- NTISSI : see document
- NTISSP : see document
- NTL : see document
- NTLS : see document
- NTP : see document
- NTP SEC : see document
- NTP Security Notice : see document
- NTPv4 : see document
- NTSB : see document
- NTT : see document
- NTTAA : see document
- NUC : see document
- Nuclear Command and Control Information Assurance Material (NCCIM) : see document
- Information Assurance materials necessary to assure release of a nuclear weapon at the direction of the President and to secure against the unauthorized use of a nuclear weapon.
- Nuclear Energy Agency : see document
- Nuclear Energy Institute : see document
- null : see document
- Dummy letter, letter symbol, or code group inserted into an encrypted message to delay or prevent its decryption or to complete encrypted groups for transmission or transmission security purposes.
- NUMA : see document
- number theoretic transform : see document
- NVD : see document
- The U.S. Government repository of standards-based vulnerability management data, enabling automation of vulnerability management, security measurement, and compliance (e.g., FISMA).
- The U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data informs automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics.
- NVDIMM : see document
- NVLAP : see document
- NVM : see document
- NVMe : see document
- NVMe over Fibre : see document
- NVMe-oF : see document
- NVO3 : see document
- NVRAM : see document
- NW : see document
- NW3C : see document
- O : see document
- O/S : see document
- O1,…,O64 : see document
- OA : see document
- OADR : see document
- OAEP : see document
- OAL : see document
- OAM : see document
- OASIS : see document
- OASIS Structured Threat Information Expression : see document
- OASIS Trusted Automated Exchange of Indicator Information : see document
- OAuth : see document
- OBD-II : see document
- object : see document
- An entity to be protected from unauthorized use.
- A passive entity that contains or receives information. Note that access to an object potentially implies access to the information it contains.
- Passive information system-related entity (e.g., devices, files, records, tables, processes, programs, domains) containing or receiving information. Access to an object (by a subject) implies access to the information it contains. See subject.
- Passive system-related entity, including devices, files, records, tables, processes, programs, and domains that contain or receive information. Access to an object (by a subject) implies access to the information it contains. See subject.
- An operating system abstraction that is visible at the application program interface, has a unique name, and is capable of being shared. In this document, the following are resources: files, programs, directories, databases, mini-disks, and special files. In this document, the following are not resources: records, blocks, pages, segments, bits, bytes, words, fields, and processors.
- The set of passive entities within the system, protected from unauthorized use.
- A passive entity that contains or receives information.
- Assessment objects identify the specific items being assessed, and as such, can have one or more security defects. Assessment objects include specifications, mechanisms, activities, and individuals which in turn may include, but are not limited to, devices, software products, software executables, credentials, accounts, account-privileges, things to which privileges are granted (including data and physical facilities), etc. See SP 800-53A.
- object attribute : see document
- Object Identification : see document
- Object Linking and Embedding : see document
- Object Management Group : see document
- Object Naming Service : see document
- An inter-enterprise subsystem for the EPCglobal Network that provides network resolution services that direct EPC queries to the location where information associated with that EPC can be accessed by authorized users.
- object reuse : see document
- Reassignment and reuse of a storage medium containing one or more objects after ensuring no residual data remains on the storage medium.
Rationale: Term has been replaced by the term “residual information protection”.
- Object, Assessment : see document
- The item (i.e., specifications, mechanisms, activities, individuals) upon which an assessment method is applied during an assessment.
- The item (specifications, mechanisms, activities, individuals) upon which an assessment method is applied during an assessment.
- Passive information system-related entity (e.g., devices, files, records, tables, processes, programs, domains) containing or receiving information. Access to an object (by a subject) implies access to the information it contains. See subject.
- The set of passive entities within the system, protected from unauthorized use.
- A passive entity that contains or receives information.
- Assessment objects identify the specific items being assessed, and as such, can have one or more security defects. Assessment objects include specifications, mechanisms, activities, and individuals which in turn may include, but are not limited to, devices, software products, software executables, credentials, accounts, account-privileges, things to which privileges are granted (including data and physical facilities), etc. See SP 800-53A.
- Obligation : see document
- An operation specified in a policy or policy set that should be performed by the PEP in conjunction with the enforcement of an authorization decision.
- obscured data : see document
- Data that has been distorted by cryptographic or other means to hide information. It is also referred to as being masked or obfuscated.
- Observable : see document
- An event (benign or malicious) on a network or system.
- observational data : see document
- Data captured through the observation of an activity or behavior without the direct involvement of the subject.
- observe, orient, decide, and act : see document
- OCB : see document
- OCC : see document
- Occupant Emergency Plan : see document
- Occupational Safety and Health Administration : see document
- OCF : see document
- OCI : see document
- OCIL : see document
- OCIO : see document
- OCO : see document
- OCP : see document
- OCPI : see document
- OCPP : see document
- OCR : see document
- OCSP : see document
- OCTAVE : see document
- octet : see document
- A group of eight binary digits.
- A string of eight bits. Often referred to as a byte.
- Octet Length : see document
- The number of octets in an octet string.
- Octet String : see document
- An ordered sequence of octets.
- OD : see document
- ODBC : see document
- ODM : see document
- ODNI : see document
- ODP : see document
- The variable part of a control or control enhancement that is instantiated by an organization during the tailoring process by either assigning an organization-defined value or selecting a value from a predefined list provided as part of the control or control enhancement.
- See assignment operation and selection operation.
- The variable part of a security requirement that is instantiated by an organization during the tailoring process by assigning an organization-defined value as part of the requirement.
- ODV : see document
- OECD : see document
- OEM : see document
- OEM Service Release 2 : see document
- OEP : see document
- OET : see document
- OFB : see document
- OFDM : see document
- Off-Card : see document
- Refers to data that is not stored within the PIV Card or to a computation that is not performed by the Integrated Circuit Chip (ICC) of the PIV Card.
- Off-Chain : see document
- Refers to data that is stored or a process that is implemented and executed outside of any blockchain system.
- offensive cyberspace operations (OCO) : see document
- Cyberspace operations intended to project power by the application of force in or through cyberspace.
- Office for Civil Rights : see document
- Office for Human Research Protections : see document
- Office of Commercial Space Transportation : see document
- Office of Engineering and Technology : see document
- Office of Information and Regulatory Affairs : see document
- Office of Information Systems Management : see document
- Office of Management and Budget : see document
- Office of Personnel Management : see document
- Office of Planning, Research and Evaluation : see document
- Office of Safety, Health and Environment : see document
- Office of Space Commercialization : see document
- Office of the Chief Information Officer : see document
- Office of the Director of National Intelligence : see document
- Office of the Inspector General : see document
- Office of the National Coordinator : see document
- Office of the National Cyber Director : see document
- Official CPE Dictionary : see document
- The authoritative repository of identifier names, which is hosted by NIST.
- Official Identifier CPE Name : see document
- Any bound representation of a CPE WFN that uniquely identifies a single product class and is contained within the Official CPE Dictionary.
- official information : see document
- All information of any kind, however stored, that is in the custody and control of the Department/Agency (D/A), relates to information in the custody and control of the D/A, or was acquired by D/A employees, or former employees, as part of their official duties or because of their official status within the D/A while such individuals were employed by or served on behalf of the D/A.
- off-line cryptosystem : see document
- Cryptographic system in which encryption and decryption are performed independently of the transmission and reception functions.
- Offline Test : see document
- Offline tests use previously captured images as inputs to core biometric implementations. Such tests are repeatable and can readily be scaled to very large populations and large numbers of competing products. They institute a level playing field and produce robust estimates of the core biometric power of an algorithm. This style of testing is particularly suited to interoperability testing of a fingerprint template (see [ISOSWAP]).
- Offset CodeBook : see document
- Off-The-Shelf : see document
- OFW : see document
- OGSA : see document
- OHRP : see document
- OID : see document
- A globally unique identifier of a data object as defined in ISO/IEC 8824-2.
- OIDC : see document
- OIF : see document
- OIG : see document
- OIMO : see document
- Organization Identity Management Official. The individual responsible for overseeing the operations of an issuer in accordance with [FIPS 201-2] and for performing the responsibilities specified in this guideline.
- OIRA : see document
- OISM : see document
- OLA : see document
- OLE : see document
- OLE for Process Control : see document
- OLIR : see document
- Relationships between elements of two documents that are recorded in a NIST IR 8278A-compliant format and shared by the OLIR Catalog. There are three types of OLIRs: concept crosswalk, set theory relationship mapping, and supportive relationship mapping.
- OLIR Catalog : see document
- The Online Informative References (OLIR) Catalog, which provides information about the Informative References submitted to and accepted by NIST.
- The National OLIR Program’s online site for sharing OLIRs.
- The OLIR Program’s online site for sharing OLIRs.
- OLIR Developer : see document
- A person, team, or organization that creates an OLIR and submits it to the National OLIR Program.
- A general term that includes: (i) developers or manufacturers of information systems, system components, or information system services; (ii) systems integrators; (iii) vendors; and (iv) product resellers. Development of systems, components, or services can occur internally within organizations (i.e., in-house development) or through external entities.
- The party that develops the entire entropy source or the noise source.
- A general term that includes: (i) developers or manufacturers of information systems, system components, or information system services; (ii) systems integrators; (iii) vendors; and (iv) product resellers. Development of systems, components, or services can occur internally within organizations (i.e., in-house development) or through external entities.
- A person, team, or organization that creates an Informative Reference.
- See Informative Reference Developer.
- A person, team, or organization that creates an Informative Reference and submits it to the National OLIR Program.
- A person, team, or organization that creates an Informative Reference and submits it to the OLIR Program.
- OLIR Program : see document
- NIST’s Cybersecurity Framework (CSF) Online Informative References Program.
- OLIR Template : see document
- A spreadsheet that contains the fields necessary for creating a well-formed OLIR for submission to the OLIR Program. It serves as the starting point for the Developer.
- A spreadsheet that contains the fields necessary for creating a well-formed Informative Reference for submission to the OLIR Program. It is available on the Cybersecurity Framework website and serves as the starting point for the Developer.
- A spreadsheet that contains the fields necessary for creating a well-formed Informative Reference for submission to the OLIR Program. It serves as the starting point for the Developer.
- OMA : see document
- OMB : see document
- OMG : see document
- omSVP : see document
- on behalf of (an agency) : see document
- A situation that occurs when: (i) a non-executive branch entity uses or operates an information system or maintains or collects information for the purpose of processing, storing, or transmitting Federal information; and (ii) those activities are not incidental to providing a service or product to the government.
- A situation that occurs when: (i) a non-executive branch entity uses or operates an information system or maintains or collects information for the purpose of processing, storing, or transmitting federal information; and (ii) those activities are not incidental to providing a service or product to the Government.
- On-Access Scanning : see document
- Performing real-time scans on a computer of each file as it is downloaded, opened, or executed.
- Configuring a security tool to perform real-time scans of each file for malware as the file is downloaded, opened, or executed.
- On-Board Diagnostic II : see document
- Onboarding : see document
- The process by which a device obtains the credentials (e.g., network SSID and password) that it needs in order to gain access to a wired or wireless network.
- ONC : see document
- On-Card : see document
- Refers to data that is stored within the PIV Card or to a computation that is performed by the Integrated Circuit Chip (ICC) of the PIV Card.
- On-Card biometric Comparison : see document
- On-card comparison : see document
- On-Card Biometric One-to-One Comparison : see document
- ONCD : see document
- On-Chain : see document
- Refers to data that is stored or a process that is implemented and executed within a blockchain system.
- On-Demand Scanning : see document
- Launching scans of a computer manually as needed.
- Allowing users to launch security tool scans for malware on a computer as desired.
- On-demand self-service : see document
- A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.
- One More Shortest Vector Problem : see document
- one-part code : see document
- Code in which plain text elements and their accompanying code groups are arranged in alphabetical, numerical, or other systematic order, so one listing serves for both encoding and decoding. One-part codes are normally small codes used to pass small volumes of low-sensitivity information.
- one-source mapping : see document
- A mapping between concepts within a single concept source.
- one-time cryptosystem : see document
- Cryptosystem employing key used only once.
- one-time pad (OTP) : see document
- Manual one-time cryptosystem produced in pad form.
- Onetime Password : see document
- One-time password : see document
- One-Time Programmable Memory : see document
- One-time signature : see document
- one-time tape (OTT) : see document
- Punched paper tape used to provide key streams on a one-time basis in certain machine cryptosystems.
- One-to-one : see document
- The process in which a biometric sample from an individual is compared to a biometric reference to produce a comparison score.
- Of or relating to biometric verification in which submitted feature data is compared with that of one, claimed, identity.
- one-way hash algorithm : see document
- Hash algorithms which map arbitrarily long inputs into a fixed-size output such that it is very difficult (computationally infeasible) to find two different hash inputs that produce the same output. Such algorithms are an essential part of the process of producing fixed-size digital signatures that can both authenticate the signer and provide for data integrity checking (detection of input modification after signature).
- one-way transfer device : see document
- A hardware or software mechanism that only permits data to move in one direction and does not allow the flow of data in the opposite direction.
- ongoing assessment and authorization : see document
- Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
Note: The terms “continuous” and “ongoing” in this context mean that security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect organization information.
See organizational information security continuous monitoring and automated security monitoring.
- See information security continuous monitoring (ISCM).
- The continuous evaluation of the effectiveness of security control or privacy control implementation; with respect to security controls, a subset of Information Security Continuous Monitoring (ISCM) activities.
- The continuous evaluation of the effectiveness of security control implementation; it is not separate from ISCM but in fact is a subset of ISCM activities.
- Online Certificate Status Protocol (OCSP) : see document
- An online protocol used to determine the status of a public key certificate.
- Online Certificate Status Protocol responder : see document
- A PKI entity that verifies the revocation status of certificates following the Online Certificate Status Protocol (specified in RFC 6960).
- online cryptosystem : see document
- Cryptographic system in which encryption and decryption are performed in association with the transmitting and receiving functions.
- online service : see document
- A service that is accessed remotely via a network, typically the internet.
- ONS : see document
- An inter-enterprise subsystem for the EPCglobal Network that provides network resolution services that direct EPC queries to the location where information associated with that EPC can be accessed by authorized users.
- OOB : see document
- Communication between parties utilizing a means or method that differs from the current method of communication (e.g., one party uses U.S. Postal Service mail to communicate with another party where current communication is occurring online).
- OODA : see document
- OPACITY : see document
- OPC : see document
- OPCODE : see document
- Open Access Same-Time Information Systems : see document
- Open Authorization : see document
- Open Charge Point Interface : see document
- Open Charge Point Protocol : see document
- Open Checklist Interactive Language (OCIL) : see document
- SCAP language for expressing security checks that cannot be evaluated without some human interaction or feedback.
- Open Connectivity Foundation : see document
- Open Container Initiative : see document
- Open Database Connectivity : see document
- Open Grid Services Architecture : see document
- Open Group Risk Analysis and Taxonomy : see document
- Open Identity Federation : see document
- Open Mobile Alliance : see document
- Open Platform Communication : see document
- Open Platform Communications : see document
- Open Pretty Good Privacy (OpenPGP) : see document
- A protocol defined in IETF RFCs 2440 and 3156 for encrypting messages and creating certificates using public key cryptography. Most mail clients do not support OpenPGP by default; instead, third-party plug-ins can be used in conjunction with the mail clients. OpenPGP uses a “web of trust” model for key management, which relies on users for management and control, making it unsuitable for medium to large implementations.
- Open Protocol for Access Control, Identification, and Ticketing with privacY : see document
- Open Relay Blacklist : see document
- Open Security Controls Assessment Language : see document
- Open Shortest Path First : see document
- Open Source HIDS SECurity : see document
- Open Source Security Testing Methodology Manual : see document
- Open Source Software : see document
- open storage : see document
- 1. Any storage of classified national security information outside of approved containers. This includes classified information that is resident on information systems media and outside of an approved storage container, regardless of whether or not that media is in use (i.e., unattended operations). Open storage of classified cryptographic material and equipment must be done within an approved COMSEC facility, vault, or secure room when authorized personnel are not present.
- 2. Storage of classified information within an approved facility not requiring use of General Services Administration-approved storage containers while the facility is not occupied by authorized personnel.
- Open Supervised Device Protocol : see document
- Open System : see document
- A system that allows entities from different enterprises to access information related to tags used in the system. Open systems use an inter-enterprise subsystem to share information between entities.
- Open Systems Interconnection : see document
- Open Travel Alliance : see document
- Open Trusted Technology Provider Standard : see document
- Open Virtual Appliance : see document
- Open Virtual Appliance or Application : see document
- Open Virtualization Appliance : see document
- Open Virtualization Archive : see document
- Open Virtualization Format : see document
- Open Vulnerability and Assessment Language (OVAL) : see document
- A language for representing system configuration information, assessing machine state, and reporting assessment results.
- SCAP language for specifying low-level testing procedures used by checklists.
- Open Web Application Security Project : see document
- Open Worldwide Application Security Project : see document
- OpenFAIR : see document
- OpenFog RA : see document
- OpenFog Reference Architecture : see document
- OpenID Connect : see document
- OpenPGP : see document
- OpenShift Container Platform : see document
- Operating Expenses : see document
- Operating System (OS) Fingerprinting : see document
- Analyzing characteristics of packets sent by a target, such as packet headers or listening ports, to identify the operating system in use on the target.
- Operating system virtualization : see document
- A virtual implementation of the operating system interface that can be used to run applications written for the same operating system.
- A virtual implementation of the OS interface that can be used to run applications written for the same OS.
- Operation : see document
- The set of access modes or types permitted on objects of the system.
- An active process invoked by a subject.
- Operation Security : see document
- Operational and Access Management : see document
- operational concept : see document
- Verbal and graphic statement, in broad outline, of an organization’s assumptions or intent in regard to an operation or series of operations of new, modified, or existing organizational systems.
- Verbal and graphic statement of an organization’s assumptions or intent in regard to an operation or series of operations of a specific system or a related set of specific new, existing, or modified systems.
- See security concept of operations.
- operational environment : see document
- Context determining the setting and circumstance of all influences on a delivered system.
- The type of environment in which the checklist is intended to be applied. Types of operational environments are Standalone, Managed, and Custom (including Specialized Security-Limited Functionality, Legacy, and United States Government).
- Standalone, Managed, or Custom (including Specialized Security-Limited Functionality, Legacy, and United States Government).
- Standalone, Managed, or Custom (including Specialized Security-Limited Functionality, Legacy, and Sector Specific).
- operational key : see document
- Key intended for use over-the-air for protection of operational information or for the production or secure electrical transmission of key streams.
- operational margin : see document
- A spare amount or measure or degree allowed or given for contingencies or special situations. The allowances carried to account for uncertainties and risks.
- The margin that is designed explicitly to provide space between the worst normal operating condition and the point at which failure occurs (derives from physical design margin).
- operational optimization : see document
- Selection of those risks from the register that are most valuable based upon leadership preferences, mission objectives, stakeholder sentiment (e.g., those of customers, citizens, or shareholders), and other subjective criteria. Another optimization factor is operational and based on an iterative communications cycle of risk reporting and analytics.
- Operational phase : see document
- A phase in the lifecycle of keying material whereby keying material is used for standard cryptographic purposes.
- A phase in the lifecycle of a cryptographic key whereby the key is used for standard cryptographic purposes.
- operational resilience : see document
- The ability of systems to resist, absorb, and recover from, or adapt to an adverse occurrence during operation that may cause harm, destruction, or loss of the ability to perform mission-related functions.
- The ability of systems to resist, absorb, and recover from or adapt to an adverse occurrence during operation that may cause harm, destruction, or loss of ability to perform mission-related functions.
- Operational Risk : see document
- Operational Risk Management : see document
- Operational storage : see document
- Storage within an FCKMS where the key can be accessed to perform cryptographic functions during normal operations.
- The normal storage of operational keying material during its cryptoperiod.
- The normal storage of operational keying material during the key’s cryptoperiod.
- A function in the lifecycle of keying material; the normal storage of operational keying material during its cryptoperiod.
- Operational Test : see document
- Operational tests involve a deployed system and are usually conducted to measure in-the-field performance and user-system interaction effects. Such tests require the members of a human test population to transact with biometric sensors. False acceptance rates may not be measurable, depending on the controls instituted.
- operational waiver : see document
- Authority for continued use of unmodified COMSEC end-items pending the completion of a mandatory modification.
- Operationalization : see document
- Putting MUD implementations into operational service in a manner that is both practical and effective.
- Operationally Critical Threat, Asset, and Vulnerability Evaluation : see document
- operations code (OPCODE) : see document
- Code composed largely of words and phrases suitable for general communications use.
- Operations Level Agreement : see document
- operations security (OPSEC) : see document
- Systematic and proven process by which potential adversaries can be denied information about capabilities and intentions by identifying, controlling, and protecting generally unclassified evidence of the planning and execution of sensitive activities. The process involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and application of appropriate countermeasures.
- 1. A process of identifying critical information and analyzing friendly actions attendant to military operations and other activities to: identify those actions that can be observed by adversary intelligence systems; determine indicators and vulnerabilities that adversary intelligence systems might obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries, and determine which of these represent an unacceptable risk; then select and execute countermeasures that eliminate the risk to friendly actions and operations or reduce it to an acceptable level.
- 2. A systematic and proven process intended to deny to potential adversaries information about capabilities and intentions by identifying, controlling, and protecting generally unclassified evidence of the planning and execution of sensitive activities. The process involves five steps: (1) identification of critical information; (2) analysis of threats; (3) analysis of vulnerabilities; (4) assessment of risks; and (5) application of appropriate countermeasures.
- operator : see document
- An FCKMS role that is authorized to operate an FCKMS (e.g., initiate the FCKMS, monitor performance, and perform backups), as directed by the system administrator.
- Individual or organization that performs the operations of a system.
- OpEx : see document
- OPM : see document
- Opportunity : see document
- A condition that may result in a beneficial outcome.
- OPRE : see document
- OpRisk : see document
- OPSEC : see document
- Systematic and proven process by which potential adversaries can be denied information about capabilities and intentions by identifying, controlling, and protecting generally unclassified evidence of the planning and execution of sensitive activities. The process involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and application of appropriate countermeasures.
- Optical Disk : see document
- A plastic disk that is read using an optical laser device.
- Optimal Asymmetric Encryption Padding : see document
- Option ROM : see document
- Firmware that is called by the system BIOS. Option ROMs include BIOS firmware on add-on cards (e.g., video card, hard drive controller, network card) as well as modules which extend the capabilities of the system BIOS.
- optional modification : see document
- National Security Agency (NSA)-approved modification not required for universal implementation by all holders of a COMSEC end-item. This class of modification requires all of the engineering/doctrinal control of mandatory modification but is usually not related to security, safety, TEMPEST, or reliability. See mandatory modification (MAN).
- ORA : see document
- Oracle : see document
- A source of data from outside a blockchain that serves as input for a smart contract.
- ORB : see document
- Orchestration : see document
- Defines the sequence and conditions in which one Web service invokes other Web services to realize some useful function. An orchestration is the pattern of interactions that a Web service agent must follow to achieve its goal.
- Orchestrator : see document
- A tool that enables DevOps personas or automation working on their behalf to pull images from registries, deploy those images into containers, and manage the running containers. Orchestrators are also responsible for monitoring container resource consumption, job execution, and machine health across hosts.
- ORCON : see document
- ordering privilege manager (OPM) : see document
- The key management entity (KME) authorized to designate other KMEs as a short title assignment requester (STAR) or ordering privilege manager (OPM).
- Organisation for Economic Co-operation and Development : see document
- Organization for the Advancement of Structured Information Standards : see document
- Organization or Information System : see document
- Organization Validated : see document
- Organizational Conflict of Interest : see document
- Organizational Information Security Continuous Monitoring : see document
- Ongoing monitoring sufficient to ensure and assure effectiveness of security controls related to systems, networks, and cyberspace, by assessing security control implementation and organizational security status in accordance with organizational risk tolerance – and within a reporting structure designed to make real-time, data-driven risk management decisions.
- organizational registration authority (ORA) : see document
- Entity within the public key infrastructure (PKI) that authenticates the identity and the organizational affiliation of the users.
- An entity that acts as an intermediary between the CA and a prospective certificate subject; the CA trusts the ORA to verify the subject's identity and that the subject possesses the private key corresponding to the public key to be bound to that identity in a certificate. Note that equivalent functions are referred to as Local Registration Authorities (LRAs) or Registration Authorities (RAs) in some documents.
- organizational system : see document
- A nonfederal system that processes, stores, or transmits CUI associated with a critical program or high value asset.
- Organizational Unit : see document
- organizational user : see document
- An organizational employee or an individual the organization deemed to have similar status of an employee including, for example, contractor, guest researcher, or individual detailed from another organization.
- An organizational employee or an individual the organization deems to have equivalent status of an employee including, for example, contractor, guest researcher, or individual detailed from another organization.
- An organizational employee or an individual the organization deems to have equivalent status of an employee including, for example, contractor, guest researcher, individual detailed from another organization. Policy and procedures for granting equivalent status of employees to individuals may include need-to-know, relationship to the organization, and citizenship.
- An organizational employee or an individual whom the organization deems to have equivalent status of an employee, including a contractor, guest researcher, or individual detailed from another organization. Policies and procedures for granting the equivalent status of employees to individuals may include need-to-know, relationship to the organization, and citizenship.
- organizationally-tailored control baseline : see document
- A control baseline tailored for a defined notional (type of) information system using overlays and/or system-specific control tailoring, and intended for use in selecting controls for multiple systems within one or more organizations.
- organization-defined control parameter : see document
- See organization-defined parameter.
- See organization-defined control parameter.
- The variable part of a control or control enhancement that can be instantiated by an organization during the tailoring process by either assigning an organization-defined value or selecting a value from a pre-defined list provided as part of the control or control enhancement.
- The variable part of a control or control enhancement that is instantiated by an organization during the tailoring process by either assigning an organization-defined value or selecting a value from a predefined list provided as part of the control or control enhancement. See assignment operation and selection operation.
- organization-defined parameter : see document
- The variable part of a control or control enhancement that is instantiated by an organization during the tailoring process by either assigning an organization-defined value or selecting a value from a predefined list provided as part of the control or control enhancement.
- See assignment operation and selection operation.
- The variable part of a security requirement that is instantiated by an organization during the tailoring process by assigning an organization-defined value as part of the requirement.
- Organization-Defined Value : see document
- Original Design Manufacturer : see document
- Original Device Manufacturer : see document
- Original Equipment Manufacture Adaptation Layer : see document
- Original Equipment Manufacturer : see document
- Originating Agency’s Determination Required : see document
- Originator : see document
- An entity that initiates an information exchange or storage event.
- Originator Controlled : see document
- Originator-usage period : see document
- The period of time in the cryptoperiod of a key during which cryptographic protection may be applied to data using that key.
- The period of time in the cryptoperiod of a symmetric key during which cryptographic protection may be applied to data.
- ORM : see document
- Orphan block : see document
- Any block that is not in the main chain after a temporary ledger conflict.
- OS : see document
- A collection of software that manages computer hardware resources and provides common services for computer programs.
- The software “master control application” that runs the computer. It is the first program loaded when the computer is turned on, and its main component, the kernel, resides in memory at all times. The operating system sets the standards for all application programs (such as the Web server) that run in the computer. The applications communicate with the operating system for most user interface and file management operations.
- An integrated collection of service routines for supervising the sequencing of programs by a computer. An operating system may perform the functions of input/output control, resource scheduling, and data management. It provides application programs with the fundamental commands for controlling the computer.
- The software “master control application” that runs the computer. It is the first program loaded when the computer is turned on, and its principal component, the kernel, resides in memory at all times. The operating system sets the standards for all application programs (such as the mail server) that run in the computer. The applications communicate with the operating system for most user interface and file management operations.
- A program that runs on a computer and provides a software platform on which other programs can run.
- A computer program, implemented in either software or firmware, which acts as an intermediary between users of a computer and the computer hardware. The purpose of an operating system is to provide an environment in which a user can execute applications.
- OSC : see document
- OSCAL : see document
- oscillator : see document
- An electronic device used to generate an oscillating signal. The oscillation is based on a periodic event that repeats at a constant rate. The device that controls this event is called a resonator. The resonator needs an energy source so it can sustain oscillation. Taken together, the energy source and resonator form an oscillator. Although many simple types of oscillators (both mechanical and electronic) exist, the two types of oscillators primarily used for time and frequency measurements are quartz oscillators and atomic oscillators.
- OSDP : see document
- OSHA : see document
- OSHE : see document
- OSI : see document
- OSPF : see document
- OSR2 : see document
- OSS : see document
- OSSEC : see document
- OSSTMM : see document
- OT : see document
- Programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment).
- A broad range of programmable systems and devices that interact with the physical environment or manage devices that interact with the physical environment. These systems and devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include industrial control systems, building automation systems, transportation systems, physical access control systems, physical environment monitoring systems, and physical environment measurement systems.
- Programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include industrial control systems, building management systems, fire control systems, and physical access control mechanisms.
- Programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems or devices detect or cause a direct change through the monitoring or control of devices, processes, and events. Examples include industrial control systems, building management systems, fire control systems, and physical access control mechanisms.
- The hardware, software, and firmware components of a system used to detect or cause changes in physical processes through the direct control and monitoring of physical devices.
- Hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.
- OTA : see document
- OTAD : see document
- OTAR : see document
- OTAT : see document
- other system : see document
- A system that the system of interest interacts with in the operational environment. These systems may provide services to the system of interest (i.e., the system of interest is dependent on the other systems) or be the beneficiaries of services provided by the system of interest (i.e., other systems are dependent on the system of interest).
- A system that the system-of-interest interacts with in the operational environment. These systems may provide services to the system-of-interest (i.e., the system-of-interest is dependent on the other systems) or be the beneficiaries of services provided by the system-of-interest (i.e., other systems are dependent on the system-of-interest).
- OtherInput : see document
- Other information for key derivation; a bit string.
- OTP : see document
- OTS : see document
- OTT : see document
- O-TTPS : see document
- OU : see document
- OUI : see document
- Outage : see document
- A period when a service or an application is not available or when equipment is not operational.
- outcome : see document
- Result of the performance (or non-performance) of a function or process(es).
- outcome‐specific utility metrics : see document
- A way of measuring the utility of data for answering a specific question or class of questions.
- Outer Firewall : see document
- out-of-distribution : see document
- Data that was collected at a different time and possibly under different conditions or in a different environment than the data collected to train the model.
- Output Block : see document
- A data block that is an output of either the forward cipher function or the inverse cipher function of the block cipher algorithm.
- Output Feedback : see document
- Output Feedback Block : see document
- Output space : see document
- The set of all possible distinct bitstrings that may be obtained as samples from a digitized noise source.
- outside(r) threat : see document
- An unauthorized entity outside the security domain that has the potential to harm an information system through destruction, disclosure, modification of data, and/or denial of service.
- An unauthorized entity from outside the domain perimeter that has the potential to harm an Information System through destruction, disclosure, modification of data, and/or denial of service.
- OV : see document
- OVA : see document
- OVAL : see document
- OVAL ID : see document
- An identifier for a specific OVAL definition that conforms to the format for OVAL IDs.
- Over the Air : see document
- overlay : see document
- A specification of security controls, control enhancements, supplemental guidance, and other supporting information employed during the tailoring process, that is intended to complement (and further refine) security control baselines. The overlay specification may be more stringent or less stringent than the original security control baseline specification and can be applied to multiple information systems.
- A set of security controls, control enhancements, supplemental guidance, and other supporting information, that is intended to complement (and further refine) security control baselines to provide greater ability to appropriately tailor security requirements for specific technologies or product groups, circumstances and conditions, and/or operational environments. The overlay specification may be more stringent or less stringent than the original security control baseline specification and can be applied to multiple information systems.
- A specification of security or privacy controls, control enhancements, supplemental guidance, and other supporting information employed during the tailoring process, that is intended to complement (and further refine) security control baselines. The overlay specification may be more stringent or less stringent than the original security control baseline specification and can be applied to multiple information systems.
- A specification of security or privacy controls, control enhancements, supplemental guidance, and other supporting information employed during the tailoring process, that is intended to complement (and further refine) security control baselines. The overlay specification may be more stringent or less stringent than the original security control baseline specification and can be applied to multiple information systems. See tailoring.
- A fully specified set of security controls, control enhancements, and supplemental guidance derived from tailoring a security baseline to fit the user’s specific environment and mission.
- Overlay network : see document
- A software-defined networking component included in most orchestrators that can be used to isolate communication between applications that share the same physical network.
- overt channel : see document
- Communications path within a computer system or network designed for the authorized transfer of data. See covert channel.
- Overt Testing : see document
- Security testing performed with the knowledge and consent of the organization’s IT staff.
- over-the-air key distribution (OTAD) : see document
- Providing electronic key via over-the-air rekeying, over-the-air key transfer, or cooperative key generation.
- over-the-air key transfer (OTAT) : see document
- Electronically distributing key without changing traffic encryption key used on the secured communications path over which the transfer is accomplished.
- over-the-air rekeying (OTAR) : see document
- Changing traffic encryption key or transmission security key in remote cryptographic equipment by sending new key directly to the remote cryptographic equipment over the communications path it secures.
- overwrite : see document
- Writing one or more patterns of data on top of the physical location of data stored on the media.
- Writing data on top of the physical location of data stored on the media.
- overwrite procedure : see document
- A software process that replaces data previously stored on storage media with a predetermined set of meaningless data or random patterns.
Rationale: Definition is obvious based on definition of overwrite.
- OVF : see document
- OWASP : see document
- OW-CPA : see document
- OWL-S : see document
- Owner : see document
- A key pair owner is the entity authorized to use the private key of a key pair.
- An OLIR produced by the owner of the Reference Document.
- 1. For an asymmetric key pair, consisting of a private key and a public key, the owner is the entity that is authorized to use the private key associated with a public key, whether that entity generated the key pair itself or a trusted party generated the key pair for the entity.
- 2. For a symmetric key (i.e., a secret key), the entity or entities that are authorized to share and use the key.
- For a static public key, static private key and/ or the static key pair containing those components, the owner is the entity that is authorized to use the static private key corresponding to the static public key, whether that entity generated the static key pair itself or a trusted party generated the key pair for the entity. For an ephemeral key pair, ephemeral private key or ephemeral public key, the owner is the entity that generated the ephemeral key pair and uses the ephemeral private key associated with the public key of that key pair.
- For a key pair, the owner is the entity that is authorized to use the private key associated with a public key, whether that entity generated the key pair itself or a trusted party generated the key pair for the entity.
- For a static key pair, the entity that is associated with the public key and authorized to use the private key. For an ephemeral key pair, the owner is the entity that generated the public/private key pair. For a symmetric key, the owner is any entity that is authorized to use the key.
- A key pair owner is the entity that is authorized to use the private key of a key pair.
- For a symmetric key (i.e., a secret key), the entity or entities that are authorized to share and use the key.
- For an asymmetric key pair, consisting of a private key and a public key, the owner is the entity that is authorized to use the private key associated with a public key, whether that entity generated the key pair itself or a trusted party generated the key pair for the entity.
- For an asymmetric key pair consisting of a private key and a public key, the owner is the entity that is authorized to use the private key associated with the public key, whether that entity generated the key pair itself or a trusted party generated the key pair for the entity.
- A user who can modify the contents of an access control list.
- An Informative Reference produced by the owner of the Reference Document.
- For a static key pair, the entity that is associated with the public key and authorized to use the private key. For an ephemeral key pair, the owner is the entity that generated the public/private key pair. For a symmetric key, any entity that is authorized to use the key.
- P.L. : see document
- P_HASH : see document
- A function that uses the HMAC-HASH as the core function in its construction. The specification of this function is in RFCs 2246 and 5246.
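The data-expansion function defined above, implemented from HMAC as an added example (this is not code from the RFCs or from the glossary's source documents). It assumes SHA-256 as HASH, which is what TLS 1.2 uses for its PRF; the function names and the sample inputs are my own.

```python
"""TLS P_hash (RFC 5246, section 5) built from HMAC-HASH.

Added example; function names are illustrative, not taken from the RFC.
"""
import hmac


def hmac_hash(key: bytes, data: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC_hash(key, data) for the chosen hash."""
    return hmac.new(key, data, hash_name).digest()


def p_hash(secret: bytes, seed: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """Expand secret and seed to `length` bytes.

    P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
                           HMAC_hash(secret, A(2) + seed) + ...
    with A(0) = seed and A(i) = HMAC_hash(secret, A(i-1)).
    Output is generated one hash-length block at a time and truncated.
    """
    output = b""
    a = seed  # A(0)
    while len(output) < length:
        a = hmac_hash(secret, a, hash_name)                 # A(i) = HMAC_hash(secret, A(i-1))
        output += hmac_hash(secret, a + seed, hash_name)    # next output block
    return output[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length, "sha256")


if __name__ == "__main__":
    # Constructed sample inputs (not a published test vector).
    pre_master = bytes(range(48))
    client_random = b"\x11" * 32
    server_random = b"\x22" * 32
    master = tls12_prf(pre_master, b"master secret", client_random + server_random, 48)
    print(master.hex())
```

Because each block depends on A(i), a caller can request any length; TLS derives a 48-byte master secret and then a longer key block from it with the same function. Note that TLS 1.3 replaced this construction with HKDF.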
- P1 : see document
- First parameter of a card command
- P1,…,P64 : see document
- Bits of the Plaintext Block
- P2 : see document
- Second parameter of a card command
- P25 : see document
- P2P : see document
- PA : see document
- PAA : see document
- PaaS : see document
- PAC : see document
- PACCOR : see document
- Pacific Northwest National Laboratory : see document
- package management system : see document
- An administrative tool or utility that facilitates the installation and maintenance of software on a given host, device or pool of centrally managed hosts, and the reporting of installed software attributes. May also be referred to as package manager, software manager, application manager, or app manager.
- package manifest : see document
- A listing of the contents of a software package.
- Packet : see document
- The logical unit of network communications produced by the transport layer.
- Packet Capture : see document
- Packet Capture Next Generation Dump File Format : see document
- Packet Data Convergence Protocol : see document
- Packet Data Network : see document
- Packet Filter : see document
- A routing device that provides access control functionality for host addresses and communication sessions.
- Specifies which types of traffic should be permitted or denied and how permitted traffic should be protected, if at all.
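A minimal stateless packet filter, as an added example of the permit/deny evaluation described above (the rule set, addresses and packets are constructed for illustration and are not taken from any product or from the glossary's source documents).

```python
"""Stateless packet filter: rules are evaluated in order, first match wins,
and anything unmatched falls through to a default deny.

Added example; rule set and sample packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


# Constructed rule set: telnet is denied from anywhere; internal hosts may reach
# the web server on tcp/443 and the resolver on udp/53; everything else is denied.
RULES = [
    Rule("deny", proto="tcp", dport=23),
    Rule("permit", src="10.0.0.0/8", dst="192.0.2.10/32", proto="tcp", dport=443),
    Rule("permit", src="10.0.0.0/8", dst="192.0.2.53/32", proto="udp", dport=53),
]


def filter_packet(pkt: Packet, rules=RULES, default: str = "deny") -> str:
    """Return the action of the first matching rule, or the default if none match."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


if __name__ == "__main__":
    for pkt in (Packet("10.1.2.3", "192.0.2.10", "tcp", 443),
                Packet("10.1.2.3", "192.0.2.10", "tcp", 23),
                Packet("203.0.113.5", "192.0.2.10", "tcp", 443)):
        print(pkt, "->", filter_packet(pkt))
```

Rule order matters: the deny for tcp/23 sits first so that a later, broader permit cannot shadow it. A filter like this inspects each packet in isolation; tracking "communication sessions" (so that only replies to outbound connections are admitted) requires a stateful filter that remembers connection state.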
- Packet Gateway : see document
- Packet Number : see document
- packet sniffer : see document
- Software that observes and records network traffic.
- Software that monitors network traffic on wired or wireless networks and captures packets.
- packet sniffer and passive wiretapping : see document
- See the separate entries for packet sniffer and for passive wiretapping.
- PACS : see document
- An automated system that manages the passage of people or assets through an opening(s) in a secure perimeter(s) based on a set of authorization rules.
- PAD : see document
- page check : see document
- The verification of the presence of each required page in a physical publication.
- pairing code : see document
- An 8-digit code used to establish a relationship between the PIV Card and a device for the purpose of creating the virtual contact interface after secure messaging has been established.
- Pairwise Main Key : see document
- Pairwise Master Key : see document
- Pairwise Master Key Security Association : see document
- Pairwise Pseudonymous Identifier : see document
- A pseudonymous identifier generated by an IdP for use at a specific RP.
- An opaque unguessable subscriber identifier generated by a CSP for use at a specific individual RP. This identifier is only known to and only used by one CSP-RP pair.
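One way a CSP can derive such identifiers, as an added example (not from the glossary's source documents or any particular IdP). The construction, HMAC-SHA256 under a secret held only by the CSP over the RP identifier and the subscriber identifier, is an illustrative choice; the identifier formats and key are assumed.

```python
"""Pairwise pseudonymous identifier (PPID) derivation.

Added example. The keyed-hash construction is illustrative; the subscriber and
RP identifier formats and the CSP secret are assumptions.
"""
import hashlib
import hmac


def _encode(field: str) -> bytes:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    data = field.encode("utf-8")
    return len(data).to_bytes(2, "big") + data


def derive_ppid(csp_secret: bytes, subscriber_id: str, rp_id: str) -> str:
    """Return an opaque identifier that is stable for one subscriber at one RP.

    Using a keyed MAC rather than a plain hash keeps the value unguessable:
    an RP that knows a candidate subscriber identifier still cannot recompute
    the PPID without csp_secret, and two RPs receive unrelated values for the
    same subscriber, so they cannot correlate her across their services.
    """
    mac = hmac.new(csp_secret, _encode(rp_id) + _encode(subscriber_id), hashlib.sha256)
    return mac.hexdigest()


def rps_can_link(ppid_at_rp_a: str, ppid_at_rp_b: str) -> bool:
    """All two colluding RPs can do with the identifiers alone is compare them."""
    return ppid_at_rp_a == ppid_at_rp_b


if __name__ == "__main__":
    secret = bytes(32)   # constructed sample key; a real CSP uses a random, protected key
    at_rp1 = derive_ppid(secret, "alice@example.com", "https://rp1.example")
    at_rp2 = derive_ppid(secret, "alice@example.com", "https://rp2.example")
    print("stable:", at_rp1 == derive_ppid(secret, "alice@example.com", "https://rp1.example"))
    print("linkable across RPs:", rps_can_link(at_rp1, at_rp2))
```

The CSP secret is what makes the identifier pairwise in practice: if it leaks, anyone holding it can recompute PPIDs from guessed subscriber identifiers and link accounts across RPs, so it should be stored and rotated like any other long-term key.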
- Pairwise Transient Key : see document
- Pairwise Trust : see document
- Establishment of trust by two entities that have direct business agreements with each other.
- PAKE : see document
- Palm data dump/duplicate disk : see document
- Palm File Format : see document
- Palm Operating System Emulator : see document
- Palo Alto Networks : see document
- Palo Alto Next-Generation Firewall : see document
- PAM : see document
- PAN : see document
- Pandemic Influenza : see document
- PANW : see document
- PAO : see document
- PAOS : see document
- PAP : see document
- Provides a user interface for creating, managing, testing, and debugging digital policies and metapolicies, and storing these policies in the appropriate repository.
- Paperwork Reduction Act : see document
- parallel file system : see document
- Parallel NFS : see document
- Parallel Redundancy Protocol : see document
- parameter : see document
- A value that is used to control the operation of a function or that is used by a function to compute one or more outputs.
- See organization-defined control parameter.
- Paravirtualization : see document
- A method for a hypervisor to offer interfaces to a guest OS that the guest OS can use instead of the normal hardware interfaces.
- parent assessment element : see document
- The assessment element in a prior process step from which the current element was derived.
- parity : see document
- Bit(s) used to determine whether a block of data has been altered.
Rationale: Term has been replaced by the term “parity bit”.
- parity bit : see document
- A checksum that is computed on a block of bits by computing the binary sum of the individual bits in the block and then discarding all but the low-order bit of the sum. See checksum.
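The computation described above, with the check a practitioner should know about, as an added example (not from the glossary's source documents; the sample block is constructed):

```python
"""Parity bit as a one-bit checksum, and what it does and does not detect.

Added example; sample data is constructed.
"""


def parity_bit(block: bytes) -> int:
    """Binary sum of every bit in the block, keeping only the low-order bit (even parity)."""
    return sum(bin(b).count("1") for b in block) & 1


def parity_check_passes(block: bytes, stored_parity: int) -> bool:
    """Recompute the parity and compare it with the stored bit."""
    return parity_bit(block) == stored_parity


def flip_bits(block: bytes, *bit_positions: int) -> bytes:
    """Copy of block with the given bit positions inverted (0 = least significant bit of byte 0)."""
    out = bytearray(block)
    for pos in bit_positions:
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


if __name__ == "__main__":
    data = b"\x5a\x01"           # constructed sample block
    p = parity_bit(data)
    print(parity_check_passes(flip_bits(data, 3), p))      # False: one flipped bit is caught
    print(parity_check_passes(flip_bits(data, 3, 9), p))   # True: two flips cancel out
```

A parity bit catches any odd number of flipped bits and misses any even number, which is why it is used for random single-bit faults (memory, serial links) and not for integrity against an adversary, who can flip the parity bit along with the data.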
- Parsec : see document
- Participant Guide : see document
- An exercise document that typically contains the exercise’s purpose, scope, objectives, and scenario, and a copy of the IT plan being exercised.
- Partition : see document
- A logical portion of a media that functions as though it were physically separate from other logical portions of the media.
- Partitioning : see document
- Managing guest operating system access to hardware so that each guest OS can access its own resources but cannot encroach on the other guest OSs’ resources or any resources not allocated for virtualization use.
- party : see document
- An individual (person), organization, device, or a combination thereof. In this Recommendation, an entity may be a functional unit that executes certain processes.
- An individual (person), organization, device, or process. Used interchangeably with “entity.”
- An item inside or outside an information and communication technology system, such as a person, an organization, a device, a subsystem, or a group of such items that has recognizably distinct existence.
- An individual (person), organization, device or process.
- An individual person, organization, device, or process. In this specification, there are two parties (e.g., Party A and Party B, or Alice and Bob) who jointly perform the key establishment process using a KEM.
- An individual person, organization, device, or process. Used interchangeably with party.
- An individual person, organization, device, or process. Used interchangeably with “entity.”
- An individual (person), organization, device, or process. Used interchangeably with party.
- An individual (person), organization, device, or process. Used interchangeably with “entity.”
- An individual (person), organization, device or process. Used interchangeably with “party”.
- An individual (person), organization, device or process. Used interchangeably with “entity”.
- An individual (person), organization, device or a combination thereof. “Party” is a synonym. In this Recommendation, an entity may be a functional unit that executes certain processes.
- An individual (person), organization, device, or process.
- Either a subject (an active element that operates on information or the system state) or an object (a passive element that contains or receives information).
- An individual (person), organization, device, or process. “Party” is a synonym.
- An individual (person), organization, device or process.
- A human (person/individual/user), organization, device or process.
- An individual (person), organization, device or process. Used interchangeably with “party.”
- An individual (person), organization, device, or process; used interchangeably with “party.”
- An item inside or outside an information and communication technology system, such as a person, an organization, a device, a subsystem, or a group of such items that has recognizably distinct existence.
- An individual, group or an organization participating in an action.
- A person, device, service, network, domain, manufacturer, or other party who might interact with an IoT device.
- An individual (person), organization, device, or process. “Entity” is a synonym for party.
- Organization entering into an agreement.
- PAS : see document
- passive attack : see document
- An attack that does not alter systems or data.
- An attack against an authentication protocol where the Attacker intercepts data traveling along the network between the Claimant and Verifier, but does not alter the data (i.e., eavesdropping).
- Passive Security Testing : see document
- Security testing that does not involve any direct interaction with the targets, such as sending packets to a target.
- Passive Tag : see document
- A tag that does not have its own power supply. Instead, it uses RF energy from the reader for power. Due to the lower power, passive tags have shorter ranges than other tags, but are generally smaller, lighter, and cheaper than other tags.
- passive wiretapping : see document
- The monitoring or recording of data that attempts only to observe a communication flow and gain knowledge of the data it contains, but does not alter or otherwise affect that flow.
- Passphrase : see document
- A password that consists of a sequence of words or other text that a claimant uses to authenticate their identity. A passphrase is similar to a password in usage but is generally longer for added security.
- A passphrase is a memorized secret consisting of a sequence of words or other text that a claimant uses to authenticate their identity. A passphrase is similar to a password in usage, but is generally longer for added security.
- A password used to protect an identity key. After being entered by a user or administrator, a passphrase is mathematically converted into a large number which serves as a key that is used to encrypt the identity key. In order to decrypt the identity key, the passphrase must be entered again so that the same key can be regenerated for decryption.
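The "mathematical conversion" of a passphrase into a key is in practice a password-based key derivation function; PBKDF2 (RFC 8018) is shown here from HMAC as an added example, not as code from the glossary's source documents. The RFC 6070 test vectors it is checked against are for PBKDF2-HMAC-SHA1; the 32-byte key length for protecting an identity key and the default iteration count are assumptions.

```python
"""PBKDF2 from HMAC: how a passphrase becomes a key that can be regenerated later.

Added example. Key length and default iteration count are assumed values.
"""
import hashlib
import hmac
import os


def pbkdf2(password: bytes, salt: bytes, iterations: int, dklen: int,
           hash_name: str = "sha1") -> bytes:
    """Derive dklen bytes; block i is T_i = U_1 xor U_2 xor ... xor U_c."""
    hlen = hashlib.new(hash_name).digest_size
    blocks = -(-dklen // hlen)   # ceiling division
    out = b""
    for i in range(1, blocks + 1):
        u = hmac.new(password, salt + i.to_bytes(4, "big"), hash_name).digest()  # U_1
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hash_name).digest()                       # U_j
            t = bytearray(x ^ y for x, y in zip(t, u))
        out += bytes(t)
    return out[:dklen]


def passphrase_to_key(passphrase: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Turn a passphrase into a 32-byte key (e.g. to wrap an identity key).

    The salt is not secret but must be stored beside the encrypted identity key,
    because the same salt and iteration count are needed to regenerate the key.
    The iteration count is what makes guessing passphrases slow; 600000 for
    HMAC-SHA256 is an assumed, current-guidance value.
    """
    return pbkdf2(passphrase.encode("utf-8"), salt, iterations, 32, "sha256")


if __name__ == "__main__":
    salt = os.urandom(16)        # generated once, stored with the ciphertext
    k1 = passphrase_to_key("correct horse battery staple", salt)
    k2 = passphrase_to_key("correct horse battery staple", salt)
    print("same key regenerated:", k1 == k2)
```

Python's standard library provides the same function as hashlib.pbkdf2_hmac, which is what production code should call; the manual version is here to make the per-block HMAC chain visible.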
- password authenticated key exchange : see document
- Password Authentication Protocol : see document
- Password Cracking : see document
- The process of recovering secret passwords stored in a computer system or transmitted over a network.
- Password Protected : see document
- The ability to protect the contents of a file or device from being accessed until the correct password is entered.
- The ability to protect a file using a password access control, protecting the data contents from being viewed with the appropriate viewer unless the proper password is entered.
- Password-Based Key Derivation Function 2 : see document
- PAT : see document
- patch : see document
- A software component that, when installed, directly modifies files or device settings related to a different software component without changing the version number or release details for the related software component.
- A “repair job” for a piece of programming; also known as a “fix”. A patch is the immediate solution to an identified problem that is provided to users; it can sometimes be downloaded from the software maker's Web site. The patch is not necessarily the best solution for the problem, and the product developers often find a better solution to provide when they package the product for its next release. A patch is usually developed and distributed as a replacement for or an insertion in compiled code (that is, in a binary file or object module). In many operating systems, a special program is provided to manage and track the installation of patches.
- A “repair job” for a piece of programming; also known as a “fix.” A patch is the immediate solution that is provided to users; it can sometimes be downloaded from the software maker’s Web site. The patch is not necessarily the best solution for the problem, and product developers often find a better solution to provide when they package the product for its next release. A patch is usually developed and distributed as a replacement for or an insertion in compiled code (that is, in a binary file or object module). In many operating systems, a special program is provided to manage and track the installation of patches.
- Patch and Update Management Program : see document
- patch level : see document
- Denotes either a patch level or a patch set. More specifically, when patches must be applied in order, the patch level is the identifier of the most recently applied patch.
- patch management : see document
- The systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions. These revisions are known as patches, hot fixes, and service packs.
- patch set : see document
- When patches do not need to be applied in any particular order, the patch set includes all (and only) the applied patches.
- patching : see document
- The act of applying a change to installed software – such as firmware, operating systems, or applications – that corrects security or functionality problems or adds new capabilities.
- Path Maximum Transmission Unit : see document
- Path Maximum Transmission Unit Discovery : see document
- Path Validation : see document
- The process of verifying the binding between the subject identifier and subject public key in a certificate, based on the public key of a trust anchor, through the validation of a chain of certificates that begins with a certificate issued by the trust anchor and ends with the target certificate. Successful path validation provides strong evidence that the information in the target certificate is trustworthy.
- Patient Care Unit : see document
- payload control center : see document
- A facility that provides C2 for satellite payloads.
- Payment Card Industry : see document
- Payment Card Industry Data Security Standard : see document
- An information security standard administered by the Payment Card Industry Security Standards Council that is for organizations that handle branded credit cards from the major card schemes.
- PBAC : see document
- PBKDF2 : see document
- PBX : see document
- PC : see document
- PC/SC : see document
- PCAP : see document
- PcapNg : see document
- PCB : see document
- PCC : see document
- A facility that provides C2 for satellite payloads.
- PCH : see document
- PCI : see document
- PCI DSS : see document
- An information security standard administered by the Payment Card Industry Security Standards Council that is for organizations that handle branded credit cards from the major card schemes.
- PCI express : see document
- PCIe : see document
- PCL : see document
- PCM : see document
- PCMCIA : see document
- PCR : see document
- PCRF : see document
- PCS : see document
- PCU : see document
- PCVT : see document
- PDA : see document
- PDCP : see document
- pdd : see document
- PDF : see document
- PDN : see document
- PDP : see document
- Computes access decisions by evaluating the applicable digital policies and metapolicies. One of the main functions of the PDP is to mediate or deconflict digital policies according to metapolicies.
- PDR : see document
- PDS : see document
- PE : see document
- PEAP : see document
- PEC : see document
- PED : see document
- An electronic device used in a debit, credit, or smart card-based transaction to accept and encrypt the cardholder's personal identification number.
- pedigree : see document
- The validation of the composition and provenance of technologies, products, and services is referred to as the pedigree. For microelectronics, this includes material composition of components. For software this includes the composition of open source and proprietary code, including the version of the component at a given point in time. Pedigrees increase the assurance that the claims suppliers assert about the internal composition and provenance of the products, services, and technologies they provide are valid.
- peer entity authentication : see document
- The process of verifying that a peer entity in an association is as claimed.
- peer entity authentication service : see document
- A security service that verifies an identity claimed by or for a system entity in an association.
- Peers : see document
- Entities at the same tier in a CKMS hierarchy (e.g., all peers are client nodes).
- Peer-to-Peer : see document
- PEF : see document
- PEI : see document
- PEM : see document
- Pending transaction pool : see document
- A distributed queue where candidate transactions wait until they are added to the blockchain. Also known as memory pool, or mempool.
- penetration : see document
- A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system or system resource without having authorization to do so.
- penetration testing : see document
- Testing used in vulnerability analysis for vulnerability assessment, trying to reveal vulnerabilities of the system based on the information about the system gathered during the relevant evaluation activities.
- A method of testing where testers target individual binary components or the application as a whole to determine whether intra- or intercomponent vulnerabilities can be exploited to compromise the application, its data, or its environment resources.
- A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of a system.
- A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of an information system.
- A test methodology in which assessors, using all available documentation (e.g., system design, source code, manuals) and working under specific constraints, attempt to circumvent the security features of an information system.
- Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability.
- Testing that verifies the extent to which a system, device or process resists active attempts to compromise its security.
- A test methodology intended to circumvent the security function of a system.
Note: Penetration testing may leverage system documentation (e.g., system design, source code, manuals) and is conducted within specific constraints. Some penetration test methods use brute force techniques.
- penetration-resistant architecture : see document
- An architecture that uses technology and procedures to limit the opportunities for an adversary to compromise an organizational system and to achieve a persistent presence in the system.
- PEP : see document
- Enforces policy decisions in response to a request from a subject requesting access to a protected object; the access control decisions are made by the policy decision point.
- A network device on which policy decisions are carried out or enforced.
- PERA : see document
- per-call key : see document
- Unique traffic encryption key generated automatically by certain secure telecommunications systems to secure single voice or data transmissions. See cooperative key generation (CKG).
- Perceived Target Value : see document
- Measures the likelihood of attack using the misuse vulnerability in an environment relative to vulnerable systems in other environments.
- Perfect Forward Secrecy (PFS) : see document
- An option available during quick mode that causes a new shared secret to be created through a Diffie-Hellman exchange for each IPsec SA.
- An option that causes a new secret key to be created and shared through a new Diffie-Hellman key exchange for each IPsec SA. This provides protection against the use of compromised old keys that could be used to attack the newer derived keys still in use for integrity and confidentiality protection.
- Performance Improvement Council : see document
- performance reference model (PRM) : see document
- Framework for performance measurement providing common output measurements throughout the Federal Government. It allows agencies to better manage the business of government at a strategic level by providing a means for using an agency’s enterprise architecture (EA) to measure the success of information systems investments and their impact on strategic outcomes.
- perimeter : see document
- 1. Encompasses all those components of the system that are to be accredited by the DAA, and excludes separately accredited systems to which the system is connected.
- 2. Encompasses all those components of the system or network for which a body of evidence is provided in support of a formal approval to operate.
Rationale: Listed for deletion in 2010 version of CNSS 4009.
- Period of protection : see document
- The period of time during which the integrity and/or confidentiality of a key needs to be maintained.
- The period of time during which the integrity or confidentiality of a key needs to be maintained.
- Periodic Template Test : see document
- The purpose of this test is to reject sequences that show deviations from the expected number of runs of ones of a given length.
- periods processing : see document
- 1. A mode of system operation in which information of different sensitivities is processed at distinctly different times by the same system, with the system being properly purged or sanitized between periods.
- 2. A method of sequential operation of an information system (IS) that provides the capability to process information at various levels of sensitivity at distinctly different times.
- Peripheral Component Interconnect : see document
- Peripheral Component Interconnect Express : see document
- perishable data : see document
- Information whose value can decrease substantially during a specified time. A significant decrease in value occurs when the operational circumstances change to the extent that the information is no longer useful.
- Permalock : see document
- A security feature that makes the lock status of an area of memory permanent. If the area of memory is locked and permalocked, then that area is permanently locked. If the area of memory is unlocked and permalocked, then that area is permanently unlocked.
- permanent connection : see document
- A perpetual communication channel. Permanent connections are most often made via a dedicated circuit.
- Per-message secret number : see document
- A secret random number that is generated prior to the generation of each digital signature.
- Permission : see document
- Authorization to perform some action on a system.
- Permissioned : see document
- A system where every node, and every user must be granted permissions to utilize the system (generally assigned by an administrator or consortium).
- Permissionless : see document
- A system where all users’ permissions are equal and not set by any administrator or consortium.
- Permissions : see document
- Allowable user actions (e.g., read, write, execute).
- Permutation : see document
- An ordered (re)arrangement of the elements of a (finite) set; a function that is both a one-to-one and onto mapping of a set to itself.
- Person : see document
- Any person considered as an asset by the management domain.
- Person in the Middle : see document
- persona : see document
- 1. An electronic identity that can be unambiguously associated with a single person or non-person entity (NPE). A single person or NPE may have multiple personas, with each persona being managed by the same or different organizations.
- 2. In military cyberspace operations, an abstraction of logical cyberspace with digital representations of individuals or entities in cyberspace, used to enable analysis and targeting. May be associated with a single or multiple entities.
- Personal accountability : see document
- A policy that requires that every person who accesses sensitive information be held accountable for his or her actions. A method for identity authentication is required.
- Personal Area Network : see document
- Personal Authorization : see document
- Personal Computer Memory Card International Association : see document
- Personal Computer/Smart Card : see document
- Personal Digital Assistant (PDA) : see document
- A handheld computer that serves as a tool for reading and conveying documents, electronic mail, and other electronic media over a communications link, as well as for organizing personal information, such as a name-and-address database, a to-do list, and an appointment calendar.
- A handheld computer that serves as a tool for reading and conveying documents, electronic mail, and other electronic media over a communications link, and for organizing personal information, such as a name-and-address database, a to-do list, and an appointment calendar.
- Personal Firewall : see document
- A software application residing on a client device that increases device security by offering some protection against unwanted network connections initiated by other hosts. Personal firewalls may be client managed or centrally managed.
- A software-based firewall installed on a desktop or laptop computer to monitor and control its incoming and outgoing network traffic.
- A utility on a computer that monitors network activity and blocks communications that are unauthorized.
- A software program that monitors communications between a PC and other computers and blocks communications that are unwanted.
- Personal Firewall Appliance : see document
- A device that performs functions similar to a personal firewall for a group of computers on a home network.
- Personal Health Records : see document
- personal identification number (PIN) : see document
- A numeric secret that a cardholder memorizes and uses as part of authenticating their identity.
- A password that typically consists of only decimal digits.
- A secret that a claimant memorizes and uses to authenticate his or her identity. PINs are generally only decimal digits.
- A memorized secret typically consisting of only decimal digits.
- A secret number that a cardholder memorizes and uses to authenticate his or her identity as part of multifactor authentication.
- A password consisting only of decimal digits.
- Personal Identification Verification : see document
- personal identity verification (PIV) : see document
- A physical artifact (e.g., identity card, “smart” card) issued to a government individual that contains stored identity credentials (e.g., photograph, cryptographic keys, digitized fingerprint representation) so that the claimed identity of the cardholder can be verified against the stored credentials by another person (human readable and verifiable) or an automated process (computer readable and verifiable). PIV requirements are defined in FIPS PUB 201.
- personal identity verification (PIV) authorization : see document
- The official management decision to authorize operation of a PIV Card Issuer after determining that the Issuer’s reliability has satisfactorily been established through appropriate assessment and certification processes.
- personal identity verification (PIV) authorizing official : see document
- An individual who can act on behalf of an agency to authorize the issuance of a credential to an applicant.
- personal identity verification (PIV) card : see document
- A physical artifact (e.g., identity card, “smart” card) issued to an individual that contains a PIV Card application that stores identity credentials (e.g., photograph, cryptographic keys, digitized fingerprint representation) so that the claimed identity of the cardholder can be verified against the stored credentials.
- A physical artifact (e.g., identity card, “smart” card) issued to an individual, which contains a PIV Card application that stores identity credentials (e.g., photograph, cryptographic keys, digitized fingerprint representation) so that the claimed identity of the cardholder can be verified against stored credentials by another person (human-readable and -verifiable) or an automated process (computer-readable and -verifiable).
- A physical artifact (e.g., identity card, “smart” card) issued to an individual that contains stored identity credentials (e.g., photograph, cryptographic keys, digitized fingerprint representation) so the claimed identity of the cardholder may be verified against the stored credentials by another person (human readable and verifiable) or an automated process (computer readable and verifiable).
- Defined by [FIPS 201] as a physical artifact (e.g., identity card, smart card) issued to federal employees and contractors that contains stored credentials (e.g., photograph, cryptographic keys, digitized fingerprint representation) so that the claimed identity of the cardholder can be verified against the stored credentials by another person (human readable and verifiable) or an automated process (computer readable and verifiable).
- A physical artifact (e.g., identity card, “smart” card) issued to an individual that contains stored identity credentials (e.g., photograph, cryptographic keys, digitized fingerprint representation) so that the claimed identity of the cardholder can be verified against the stored credentials by another person (human readable and verifiable) or an automated process (computer readable and verifiable).
- Personal Identity Verification (PIV) Identity Account : see document
- The logical record containing credentialing information for a given PIV cardholder. This is stored within the issuer’s identity management system and includes PIV enrollment data, cardholder identity attributes, and information regarding the cardholder’s PIV Card and any derived PIV credentials bound to the account.
- Personal Identity Verification-Interoperable : see document
- Personal Information : see document
- Any information relating to an identified or identifiable natural person (data subject).
- Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.
- See Personally Identifiable Information.
- Information which can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.).
- Any information about an individual that can be used to distinguish or trace an individual's identity and any other information that is linked or linkable to an individual.
- Personal Information Management : see document
- Data types such as contacts, calendar entries, tasks, notes, memos, and email that may be synchronized from PC to device and vice versa.
- Personal Information Management (PIM) Applications : see document
- A core set of applications that provide the electronic equivalents of such items as an agenda, address book, notepad, and reminder list.
- A core set of applications that provide the electronic equivalents of an agenda, address book, notepad, and business card holder.
- Personal Information Management (PIM) Data : see document
- The set of data types such as contacts, calendar entries, phonebook entries, notes, memos, and reminders maintained on a device, which may be synchronized with a personal computer.
- Personal Profile Application : see document
- Personal Protective Equipment : see document
- Personalization String : see document
- An optional string of bits that is combined with a secret entropy input and (possibly) a nonce to produce a seed.
- personally identifiable information processing : see document
- An operation or set of operations performed upon personally identifiable information that can include, but is not limited to, the collection, retention, logging, generation, transformation, use, disclosure, transfer, and disposal of personally identifiable information.
- personally identifiable information processing permissions : see document
- The requirements for how personally identifiable information can be processed or the conditions under which personally identifiable information can be processed.
- personnel registration manager : see document
- The management role that is responsible for registering human users, i.e., users that are people.
- personnel security : see document
- The discipline of assessing the conduct, integrity, judgment, loyalty, reliability, and stability of individuals for duties and responsibilities requiring trustworthiness.
- The discipline of assessing the conduct, integrity, judgment, loyalty, reliability, and stability of individuals for duties and responsibilities that require trustworthiness.
- Personnel-security compromise : see document
- The accidental or intentional action of any person that reduces the security of the FCKMS and/or compromises any of its keys and sensitive metadata.
- PES : see document
- PET : see document
- PETE : see document
- PFF : see document
- PFR : see document
- PFS : see document
- An option available during quick mode that causes a new shared secret to be created through a Diffie-Hellman exchange for each IPsec SA.
- PGP : see document
- PGP/OpenPGP : see document
- P-GW : see document
- PHA : see document
- Pharming : see document
- An attack in which an attacker causes the subscriber to be redirected to a fraudulent website, typically a fraudulent verifier/RP in the context of authentication. This could cause the subscriber to reveal sensitive information (e.g., a password) to the attacker, download harmful software, or contribute to a fraudulent act. This may be accomplished by corrupting an infrastructure service (e.g., the DNS) or the subscriber’s endpoint.
- Using technical means to redirect users into accessing a fake Web site masquerading as a legitimate one and divulging personal information.
- An attack in which an attacker corrupts an infrastructure service such as DNS (Domain Name System) causing the subscriber to be misdirected to a forged verifier/RP, which could cause the subscriber to reveal sensitive information, download harmful software, or contribute to a fraudulent act.
- An attack in which an Attacker corrupts an infrastructure service such as DNS (Domain Name Service) causing the Subscriber to be misdirected to a forged Verifier/RP, which could cause the Subscriber to reveal sensitive information, download harmful software or contribute to a fraudulent act.
- phase : see document
- The position of a point in time (instant) on a waveform cycle. A complete cycle is defined as the interval required for the waveform to retain its arbitrary initial value.
- phenomenologies : see document
- Physical phenomena such as radio frequencies, inertial sensors, and scene mapping, as well as diverse sources and data paths using those physical phenomena (e.g., multiple radio frequencies) to provide interchangeable solutions to users to ensure robust availability.
- PHI : see document
- Individually identifiable health information: (1) Except as provided in paragraph (2) of this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium. (2) Protected health information excludes individually identifiable health information in: (i) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and (iii) Employment records held by a covered entity in its role as employer.
- Individually identifiable health information: (1) Except as provided in paragraph (2) of this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium. (2) Protected health information excludes individually identifiable health information: (i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) In employment records held by a covered entity in its role as employer; and (iv) Regarding a person who has been deceased for more than 50 years.
- Individually identifiable health information: (1) Except as provided in paragraph (2) of this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium. (2) Protected health information excludes individually identifiable health information in: (i) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and (iii) Employment records held by a covered entity in its role as employer.
- phishing resistance : see document
- The ability of the authentication protocol to prevent the disclosure of authentication secrets and valid authenticator outputs to an impostor verifier without reliance on the vigilance of the claimant.
- PHM4SM : see document
- PHMSA : see document
- PHP : see document
- PHP Hypertext Preprocessor : see document
- PHR : see document
- PHY : see document
- Physical Access : see document
- Physical Access Control : see document
- physical access control system : see document
- An automated system that manages the passage of people or assets through an opening(s) in a secure perimeter(s) based on a set of authorization rules.
- An electronic system that controls the ability of people or vehicles to enter a protected area by means of authentication and authorization at access control points.
- Physical Address Space : see document
- Physical and Environmental Protection : see document
- physical authenticator : see document
- An authenticator that the claimant proves possession of as part of an authentication process.
- Physical Destruction : see document
- A Sanitization method for media.
- Physical Identifier : see document
- A device identifier that is expressed physically by the device (e.g., printed onto a device’s housing, displayed on a device’s screen).
- Physical Layer : see document
- Physical Measurement Laboratory : see document
- Physical Network Interface Card : see document
- Physical partitioning : see document
- The hypervisor assigning separate physical resources to each guest OS.
- physically protected space (PPS) : see document
- A space inside one physically protected perimeter. Separate areas of equal protection may be considered part of the same PPS if the communication links between them are provided sufficient physical protection.
- Physical-security compromise : see document
- The unauthorized access to sensitive data, hardware, and/or software by physical means.
- PI : see document
- Information with the purpose of uniquely identifying a person within a given context.
- PIA : see document
- An analysis of how information is handled to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; to determine the risks and effects of creating, collecting, using, processing, storing, maintaining, disseminating, disclosing, and disposing of information in identifiable form in an electronic information system; and to examine and evaluate protections and alternate processes for handling information to mitigate potential privacy concerns. A privacy impact assessment is both an analysis and a formal document detailing the process and the outcome of the analysis.
- An analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; (ii) to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system; and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.
- PIC : see document
- Piconet : see document
- A small Bluetooth network created on an ad hoc basis that includes two or more devices.
- Picture Archiving and Communication System : see document
- PID : see document
- PII : see document
- Personally Identifiable Information. Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.
- Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.
- Information which can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.).
- Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
- Any information about an individual that can be used to distinguish or trace an individual's identity and any other information that is linked or linkable to an individual.
- PII Confidentiality Impact Level : see document
- The PII confidentiality impact level (low, moderate, or high) indicates the potential harm that could result to the subject individuals and/or the organization if PII were inappropriately accessed, used, or disclosed.
- PII Processing : see document
- An operation or set of operations performed upon PII that can include, but is not limited to, the collection, retention, logging, generation, transformation, use, disclosure, transfer, and disposal of PII.
- PIM : see document
- Data types such as contacts, calendar entries, tasks, notes, memos, and email that may be synchronized from PC to device and vice versa.
- PIN : see document
- A memorized secret typically consisting of only decimal digits.
- A secret number that a cardholder memorizes and uses to authenticate his or her identity as part of multifactor authentication.
- PIN Entry Device : see document
- An electronic device used in a debit, credit, or smart card-based transaction to accept and encrypt the cardholder's personal identification number.
- PIN Unblocking Key : see document
- PIP : see document
- Serves as the retrieval source of attributes, or the data required for policy evaluation to provide the information needed by the policy decision point to make the decisions.
- Pipeline and Hazardous Materials Safety Administration : see document
- PIR : see document
- PIRT : see document
- PIT : see document
- PITM : see document
- PIV : see document
- PIV Card : see document
- The physical artifact (e.g., identity card, “smart” card) issued to an applicant by an issuer that contains stored identity markers or credentials (e.g., a photograph, cryptographic keys, digitized fingerprint representations) so that the claimed identity of the cardholder can be verified against the stored credentials by another person (human readable and verifiable) or an automated process (computer readable and verifiable).
- PIV Card Issuer : see document
- PIV Credential : see document
- A credential that authoritatively binds an identity (and, optionally, additional attributes) to the authenticated cardholder that is issued, managed, and used in accordance with the PIV standards. These credentials include public key certificates stored on a PIV Card as well as other authenticators bound to a PIV identity account as derived PIV credentials.
- Evidence attesting to one’s right to credit or authority. In [FIPS 201-2], it is the PIV Card or Derived PIV Credential token and data elements associated with an individual that authoritatively binds an identity (and, optionally, additional attributes) to that individual.
- PIV Enrollment Record : see document
- A sequence of related enrollment data sets that is created and maintained by PIV Card issuers. The PIV enrollment record typically contains data collected at each step of the PIV identity proofing, registration, and issuance processes.
- PIV Visual Credential Authentication (VIS) : see document
- An authentication mechanism where a human guard inspects the PIV Card and the person presenting it and makes an access control decision based on validity of the card and its correspondence with the presenter. This mechanism is deprecated.
- PIV-I : see document
- Pivot : see document
- The act of an attacker moving from one compromised system to one or more other systems within the same or other organizations. Pivoting is fundamental to the success of advanced persistent threat (APT) attacks. SSH trust relationships may more readily allow an attacker to pivot.
- Pivoting : see document
- A process where an attacker uses one compromised system to move to another system within an organization.
- PIX : see document
- Pixels Per Inch : see document
- PK : see document
- PKC : see document
- Encryption system that uses a public-private key pair for encryption and/or digital signature.
- Cryptography that uses separate keys for encryption and decryption; also known as asymmetric cryptography.
- PKCE : see document
- PKCS : see document
- PKCS1 : see document
- PKE : see document
- PKI : see document
- The architecture, organization, techniques, practices, and procedures that collectively support the implementation and operation of a certificate-based public key cryptographic system. Framework established to issue, maintain, and revoke public key certificates.
- The framework and services that provide for the generation, production, distribution, control, accounting, and destruction of public key certificates. Components include the personnel, policies, processes, server platforms, software, and workstations used for the purpose of administering certificates and public-private key pairs, including the ability to issue, maintain, recover, and revoke public key certificates.
- A support service to the PIV system that provides the cryptographic keys needed to perform digital signature-based identity verification and to protect communications and storage of enterprise data.
- A set of policies, processes, server platforms, software and workstations used for the purpose of administering certificates and public-private key pairs, including the ability to issue, maintain, and revoke public key certificates.
- PKI-Card Authentication (PKI-CAK) : see document
- A PIV authentication mechanism that is implemented by an asymmetric key challenge/response protocol using the card authentication key of the PIV Card and a contact or contactless reader.
- PKI-PIV Authentication (PKI-AUTH) : see document
- A PIV authentication mechanism that is implemented by an asymmetric key challenge/response protocol using the PIV authentication key of the PIV Card and a contact reader or a contactless card reader that supports the virtual contact interface.
- PKI-PIV Authentication key (PKI-AUTH) : see document
- A PIV Authentication mechanism that is implemented by an asymmetric key challenge/response protocol by using the PIV Authentication key of the PIV Card and a contact reader or a contactless card reader that supports the virtual contact interface.
- PKIX : see document
- PKIX-CMP : see document
- PL : see document
- plaintext : see document
- Intelligible data that has meaning and can be understood without the application of cryptography.
- Intelligible data that has meaning and can be understood without the application of decryption.
- Unencrypted information that may be input to an encryption operation.
Note: Plain text is not a synonym for clear text. See clear text.
- Information that is not encrypted.
- Intelligible data that has meaning and can be read or acted upon without the application of decryption. Also known as cleartext.
- Usable data that is formatted as input to a mode.
- The input data to the authenticated encryption function that is both authenticated and encrypted.
- The input to the authenticated-encryption function.
- Intelligible data that has meaning and can be understood without the application of decryption.
- Data that has not been encrypted; intelligible data that has meaning and can be understood without the application of decryption.
- Plaintext data : see document
- In this Recommendation, data that will be encrypted by an encryption algorithm or obtained from ciphertext using a decryption algorithm.
- Plan Coordinator : see document
- A person responsible for all aspects of IT planning, including the TT&E element of maintaining the IT plans. The plan coordinator has overall responsibility for the IT plans, including development, implementation, and maintenance.
- Plan of Action & Milestones (POA&M) : see document
- Plan Of Action & Milestones : see document
- plan of action and milestones : see document
- A document that identifies tasks that need to be accomplished. It details resources required to accomplish the elements of the plan, milestones for meeting the tasks, and the scheduled completion dates for the milestones.
- plan of action and milestones : see document
- Plan of Action and Milestones : see document
- A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.
- A document for a system that “identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.” [13]
- Plan of Actions and Milestones : see document
- A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones for meeting the tasks, and scheduled milestone completion dates.
- Planning : see document
- Platform : see document
- A computer or hardware device and/or associated operating system, or a virtual environment, on which software can be installed or run. Examples of platforms include Linux™, Microsoft Windows Vista®, and Java™.
- In the context of the CPE Applicability Language specification only, a logical structure combining one or more bound CPE names through logical operators.
- Platform AbstRaction for SECurity : see document
- Platform as a Service (PaaS) : see document
- The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
- Platform Attribute Certificate Creator : see document
- Platform Certificate Verification Tool : see document
- Platform Configuration Register : see document
- Platform Controller Hub : see document
- Platform Firmware Resilience : see document
- Platform Information Technology : see document
- platform IT (PIT) : see document
- Information technology (IT), both hardware and software, that is physically part of, dedicated to, or essential in real time to the mission performance of special purpose systems.
- platform IT (PIT) system : see document
- A collection of PIT within an identified boundary under the control of a single authority and security policy. The systems may be structured by physical proximity or by function, independent of location.
- Platform Key : see document
- Platform Manifest Correlation System : see document
- Platform Root of Trust : see document
- Platform Security Architecture : see document
- Platform Services Controller : see document
- Platform Trust : see document
- An assurance in the integrity of the underlying platform configuration, including hardware, firmware, and software.
- PLC : see document
- A solid-state control system that has a user-programmable memory for storing instructions for the purpose of implementing specific functions such as I/O control, logic, timing, counting, three mode (PID) control, communication, arithmetic, and data and file processing.
- PLIST : see document
- PM : see document
- PM2 : see document
- PMA : see document
- PMCS : see document
- PMEF : see document
- PMF : see document
- PMI : see document
- PMK : see document
- PMKSA : see document
- PML : see document
- PMO : see document
- PMRM : see document
- PMS : see document
- PMTU : see document
- PMTUD : see document
- PN : see document
- pNFS : see document
- PNG : see document
- pNIC : see document
- PNNL : see document
- PNT : see document
- PNT data : see document
- All information used to form or disseminate PNT solutions, including signals, waveforms, and network packets.
- PNT Profile : see document
- PNT solution : see document
- The full solution provided by a PNT system or source, including time, position, and velocity. A PNT system or source may provide a full PNT solution or a part of it. For example, a GNSS receiver provides a full PNT solution, while a local clock provides only a timing or frequency solution.
- PNT source : see document
- A PNT system component that is used to produce a PNT solution. Examples include GNSS receivers, networked and local clocks, inertial navigation systems (INS), and timing services provided over a wired or wireless connection.
- PNT system : see document
- The components, processes, and parameters that collectively produce the final PNT solution for the consumer.
- POA&M : see document
- A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.
- A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones for meeting the tasks, and scheduled milestone completion dates.
- A document for a system that “identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.” [13]
- POC : see document
- Pocket PC : see document
- PoE : see document
- PoET : see document
- Point : see document
- point at infinity : see document
- Identity element of a Montgomery curve or a curve in short-Weierstrass form.
- Point of Contact : see document
- Point of Presence : see document
- point order : see document
- Smallest non-zero multiple of a group element that results in the group’s identity element.
- Pointer Authentication Code : see document
- Point-of-Sale : see document
- Point-to-Point Protocol : see document
- Point-to-Point Tunneling Protocol : see document
- poisoning attacks : see document
- Adversarial attacks in which an adversary interferes with a model during its training stage, such as by inserting malicious training data (data poisoning) or modifying the training process itself (model poisoning).
- Poisson Distribution : see document
- Poisson distributions model (some) discrete random variables. Typically, a Poisson random variable is a count of the number of rare events that occur in a certain time interval.
- Policy : see document
- The set of basic principles and associated guidelines, formulated and enforced by the governing body of an organization, to direct and limit its actions in pursuit of long-term goals.
- Statements, rules or assertions that specify the correct or expected behavior of an entity. For example, an authorization policy might specify the correct access control rules for a software component.
- Statements, rules, or assertions that specify the correct or expected behavior of an entity. For example, an authorization policy might specify the correct access control rules for a software component.
- A statement of objectives, rules, practices or regulations governing the activities of people within a certain context.
- Policy Administrator : see document
- Policy and Charging Rules Function : see document
- policy based access control (PBAC) : see document
- A strategy for managing user access to one or more systems, where the business roles of users are combined with policies to determine what access privileges users of each role should have. Theoretical privileges are compared to actual privileges, and differences are automatically applied. For example, a role may be defined for a manager. Specific types of accounts on the single sign-on server, Web server, and database management system may be attached to this role. Appropriate users are then attached to this role.
- A form of access control that uses an authorization policy that is flexible in the types of evaluated parameters (e.g., identity, role, clearance, operational need, risk, heuristics).
- Policy Engine : see document
- Policy Machine : see document
- Policy Retrieval Point : see document
- POP : see document
- A mailbox access protocol defined by IETF RFC 1939. POP is one of the most commonly used mailbox access protocols.
- A standard protocol used to receive electronic mail from a server.
- POP3 : see document
- Port Address Translation : see document
- port scan : see document
- A technique that sends client requests to a range of service port addresses on a host.
- Port Scanner : see document
- A program that can remotely determine which ports on a system are open (e.g., whether systems allow connections through those ports).
- Port World-Wide Name : see document
- Portable Data File : see document
- Portable Document Format : see document
- portable electronic device (PED) : see document
- Electronic devices having the capability to store, record, and/or transmit text, images/video, or audio data. Examples of such devices include, but are not limited to: pagers, laptops, cellular telephones, radios, compact disc and cassette players/recorders, portable digital assistant, audio devices, watches with input capability, and reminder recorders.
- Portable Network Graphics : see document
- portable storage device : see document
- A system component that can be inserted into and removed from a system and that is used to store information or data (e.g., text, video, audio, and/or image data). Such components are typically implemented on magnetic, optical, or solid-state devices (e.g., compact/digital video disks, flash/thumb drives, external solid-state drives, external hard disk drives, flash memory cards/drives that contain nonvolatile memory).
- Portable device that can be connected to an information system (IS), computer, or network to provide data storage. These devices interface with the IS through processing chips and may load driver software, presenting a greater security risk to the IS than non-device media, such as optical discs or flash memory cards.
Note: Examples include, but are not limited to: USB flash drives, external hard drives, and external solid state disk (SSD) drives. Portable Storage Devices also include memory cards that have additional functions aside from standard data storage and encrypted data storage, such as built-in Wi-Fi connectivity and global positioning system (GPS) reception.
See also removable media.
- See portable storage device.
- An information system component that can be inserted into and removed from an information system, and that is used to store data or information (e.g., text, video, audio, and/or image data). Such components are typically implemented on magnetic, optical, or solid state devices (e.g., floppy disks, compact/digital video disks, flash/thumb drives, external hard disk drives, and flash memory cards/drives that contain non-volatile memory).
- A system component that can be inserted into and removed from a system, and that is used to store data or information (e.g., text, video, audio, and/or image data). Such components are typically implemented on magnetic, optical, or solid-state devices (e.g., floppy disks, compact/digital video disks, flash/thumb drives, external hard disk drives, and flash memory cards/drives that contain nonvolatile memory).
- A system component that can communicate with and be added to or removed from a system or network and that is limited to data storage—including text, video, audio or image data—as its primary function (e.g., optical discs, external or removable hard drives, external or removable solid-state disk drives, magnetic or optical tapes, flash memory devices, flash memory cards, and other external or removable disks).
- A system component that can be inserted into and removed from a system, and that is used to store data or information (e.g., text, video, audio, and/or image data). Such components are typically implemented on magnetic, optical, or solid state devices (e.g., floppy disks, compact/digital video disks, flash/thumb drives, external hard disk drives, and flash memory cards/drives that contain nonvolatile memory).
- Portal VPN : see document
- A single standard SSL connection to a Web site (the portal) that allows a remote user to securely access multiple network services via a standard Web browser.
- PoS : see document
- POSE : see document
- Position Designation System : see document
- positioning : see document
- The ability to accurately and precisely determine one’s location and orientation two-dimensionally (or three-dimensionally, when required) referenced to a standard reference frame, such as the World Geodetic System 1984, WGS 84, or the International Terrestrial Reference Frame ITRF2020.
- The ability to accurately and precisely determine one’s location and orientation two-dimensionally (or three-dimensionally, when required) referenced to a standard reference frame, such as the World Geodetic System 1984, WGS84[G873], or ITRF2014.
- positioning, navigation, and timing : see document
- positive control material : see document
- Generic term referring to a sealed authenticator system, permissive action link, coded switch system, positive enable system, or nuclear command and control documents, material, or devices.
- Positron Emission Tomography : see document
- POST : see document
- Post Office Protocol (POP) : see document
- A mailbox access protocol defined by IETF RFC 1939. POP is one of the most commonly used mailbox access protocols.
- A standard protocol used to receive electronic mail from a server.
- Post Office Protocol, Version 3 : see document
- Post-Market Capability : see document
- A cybersecurity or privacy capability an organization selects, acquires, and deploys itself; any capability that is not pre-market.
- post-processing invariance : see document
- A property of differential privacy. It says that the output of a differentially private mechanism remains differentially private, even if further processing is performed on it.
- Post-Quantum Cryptography : see document
- Post-quantum Pre-shared Key : see document
- Potential Efforts on Threat Events : see document
- potential impact : see document
- The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect, a serious adverse effect, or a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
- The loss of confidentiality, integrity, or availability could be expected to have: (i) a limited adverse effect (FIPS 199 low); (ii) a serious adverse effect (FIPS 199 moderate); or (iii) a severe or catastrophic adverse effect (FIPS 199 high) on organizational operations, organizational assets, or individuals.
- The loss of confidentiality, integrity, or availability could be expected to have: (i) a limited adverse effect (FIPS Publication 199 low); (ii) a serious adverse effect (FIPS Publication 199 moderate); or (iii) a severe or catastrophic adverse effect (FIPS Publication 199 high) on organizational operations, organizational assets, or individuals.
- The loss of confidentiality, integrity, or availability that could be expected to have a limited (low) adverse effect, a serious (moderate) adverse effect, or a severe or catastrophic (high) adverse effect on organizational operations, organizational assets, or individuals.
- The loss of confidentiality, integrity, or availability could be expected to have:
(i) a limited adverse effect (FIPS 199 low);
(ii) a serious adverse effect (FIPS 199 moderate); or
(iii) a severe or catastrophic adverse effect (FIPS 199 high) on organizational operations, organizational assets, or individuals.
- The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect (FIPS Publication 199 low); a serious adverse effect (FIPS Publication 199 moderate); or a severe or catastrophic adverse effect (FIPS Publication 199 high) on organizational operations, organizational assets, or individuals.
- The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect (FIPS Publication 199 low), a serious adverse effect (FIPS Publication 199 moderate), or a severe or catastrophic adverse effect (FIPS Publication 199 high) on organizational operations, organizational assets, or individuals.
- Potentially Harmful Application : see document
- potentially identifiable personal information : see document
- A new category of information proposed by Robert Gellman for information that has been de-identified but can be potentially re-identified. Potentially identifiable personal information is any personal information without overt identifiers. Under Gellman’s proposal, parties that wish to exchange PI2 could voluntarily subscribe to a regime that would provide for both criminal and civil penalties if the recipient of the data attempted to re-identify the data subjects.
- POU : see document
- PoW : see document
- Power over Ethernet : see document
- Power-on self-test : see document
- PPA : see document
- PPC : see document
- PPD : see document
- PPE : see document
- PPI : see document
- An opaque unguessable subscriber identifier generated by a CSP for use at a specific individual RP. This identifier is only known to and only used by one CSP-RP pair.
- PPK : see document
- PPP : see document
- PPS : see document
- PPTP : see document
- PQC : see document
- PQCrypto : see document
- PR : see document
- Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- PR.AC : see document
- PR.AT : see document
- PR.DS : see document
- PR.PT : see document
- PR/SM : see document
- PRA : see document
- practitioner experience : see document
- A source of ISCM assessment elements based on the experience of individuals (practitioners) who have designed, implemented, and operated ISCM capabilities, as well as on security engineering experience.
- PRAM : see document
- Pre-activation state : see document
- A lifecycle state of a key in which the key has been created, but is not yet authorized for use.
- A key state in which the key has been generated but is not yet authorized for use.
- precision : see document
- Refers to how closely individual PNT measurements agree with each other.
- Precision Medicine Initiative : see document
- Precision Time Protocol : see document
- precursor : see document
- A sign that an attacker may be preparing to cause an incident.
See indicator.
- A sign that an attacker may be preparing to cause an incident.
- PredAI : see document
- Predictability : see document
- Enabling reliable assumptions by individuals, owners, and operators about data and their processing by a system, product, or service.
- Enabling reliable assumptions by individuals, owners, and operators about personal information and its processing by an information system.
- Enabling reliable assumptions by individuals, owners, and operators about PII and its processing by an information system.
- Per NISTIR8062: Enabling reliable assumptions by individuals, owners, and operators about PII and its processing by an information system.
- Enabling reliable assumptions by individuals, owners, and operators about data and their processing by a system, product, or service.
- Enabling of reliable assumptions by individuals, owners, and operators about PII and its processing by a system.
- predictive artificial intelligence : see document
- Pre-EFI Initialization : see document
- Preimage : see document
- A message Ms that produces a given message digest when it is processed by a hash function.
- A message X that produces a given message digest when it is processed by a hash function.
- Preimage resistance : see document
- An expected property of a cryptographic hash function such that, given a randomly chosen message digest, message_digest, it is computationally infeasible to find a preimage of the message_digest. See “Preimage”.
- An expected property of a hash function such that, given a randomly chosen message digest, message_digest, it is computationally infeasible to find a preimage of the message_digest. See “Preimage”.
- Preliminary Design Review : see document
- Pre-Market Capability : see document
- A cybersecurity or privacy capability built into an IoT device. Pre-market capabilities are integrated into IoT devices by the manufacturer or vendor before they are shipped to customer organizations.
- Prepare for Events : see document
- An ISCM capability that ensures that procedures and resources are in place to respond to both routine and unexpected events that can compromise security. The unexpected events include both actual attacks and contingencies (natural disasters) like fires, floods, earthquakes, etc.
- See Capability, Event Preparation Management.
- prerequisite : see document
- A required input to an algorithm that has been established prior to the invocation of the algorithm.
- Presentation Attack Detection (PAD) : see document
- Automated determination of a presentation attack. A subset of presentation attack determination methods (i.e., liveness detection) involves the measurement and analysis of anatomical characteristics or voluntary or involuntary reactions to determine whether a biometric sample is being captured from a living subject that is present at the point of capture.
- Automated determination of a presentation attack. A subset of presentation attack determination methods, referred to as liveness detection, involves the measurement and analysis of anatomical characteristics or involuntary or voluntary reactions in order to determine if a biometric sample is being captured from a living subject present at the point of capture.
- An automated determination of a presentation attack.
- Automated determination of a presentation attack. A subset of presentation attack determination methods, referred to as liveness detection, involves the measurement and analysis of anatomical characteristics or involuntary or voluntary reactions in order to determine if a biometric sample is being captured from a living subject present at the point of capture.
- President’s Council on Integrity and Efficiency : see document
- President’s Management Agenda : see document
- President’s National Security Telecommunications Advisory Committee : see document
- Presidential Directive : see document
- A form of an executive order issued by the President of the United States with the advice and consent of the National Security Council; also known as a Presidential Decision Directive (or PDD).
- Presidential Policy Directive : see document
- pre-training : see document
- In machine learning, a training step that trains a general-purpose model (sometimes called a foundation model) on publicly-available data. Pre-training is often followed by fine-tuning to equip the model with task-specific information.
- A component of the training stage in which a model learns general patterns, features, and relationships from vast amounts of unlabeled data, such as through self-supervised learning. Pre-training can equip models with knowledge of general features or patterns which may be useful in downstream tasks, and can be followed with additional training or fine-tuning that specializes the model for a specific downstream task.
- Pretty Good Privacy : see document
- PRF : see document
- A function that can be used to generate output from a random seed and a data variable such that the output is computationally indistinguishable from truly random output.
- A function that can be used to generate output from a secret random seed and a data variable, such that the output is computationally indistinguishable from truly random output. In this Recommendation, an approved message authentication code (MAC) is used as a pseudorandom function in the key expansion step, where a key derivation key is used as the secret random seed.
- Primary facility : see document
- An FCKMS facility that houses a primary system.
- Primary Mission Essential Functions : see document
- primary services node (PRSN) : see document
- A Key Management Infrastructure (KMI) core node that provides the users’ central point of access to KMI products, services, and information.
- Primary system : see document
- An FCKMS module that is currently active. Contrast with Backup (system).
- Prime number : see document
- An integer greater than 1 that has no positive integer factors other than 1 and itself.
- An integer that is greater than 1 and divisible only by 1 and itself.
- Prime number generation seed : see document
- A string of random bits that is used to begin a search for a prime number with the required characteristics.
- Primitive : see document
- A low-level cryptographic algorithm that is used as a basic building block for higher-level cryptographic operations or schemes.
- See cryptographic primitive.
- A low-level cryptographic algorithm used as a basic building block for higher-level cryptographic operations or schemes.
- Primitive algorithm : see document
- A low-level cryptographic algorithm (e.g., an RSA encryption operation) used as a basic building block for higher-level cryptographic algorithms or schemes (e.g., RSA key transport).
- principal accrediting authority (PAA) : see document
- Senior official with authority and responsibility for all intelligence systems within an agency.
- principal authorizing official (PAO) : see document
- A senior (federal) official or executive with the authority to oversee and establish guidance for the strategic implementation of cybersecurity and risk management within their mission areas (i.e., the warfighting mission area (WMA), business mission area (BMA), enterprise information environment mission area (EIEMA), and DoD portion of the intelligence mission area (DIMA) as defined in DoDI 8115.02).
- Printed Circuit Board : see document
- Printed Wiring Assembly : see document
- Prior Year : see document
- PRISMA : see document
- privacy architect : see document
- Individual, group, or organization responsible for ensuring that the system privacy requirements necessary to protect individuals’ privacy are adequately addressed in all aspects of enterprise architecture including reference models, segment and solution architectures, and information systems processing PII.
- privacy architecture : see document
- An embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise’s privacy protection processes, technical measures, personnel and organizational sub-units, showing their alignment with the enterprise’s mission and strategic plans.
- Privacy Breach : see document
- The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses data or (2) an authorized user accesses data for an other than authorized purpose.
- privacy budget : see document
- An upper bound on allowable cumulative privacy loss across all analyses that process a single dataset.
- Privacy Capability : see document
- A combination of mutually-reinforcing privacy controls (i.e., safeguards and countermeasures) implemented by technical means (i.e., functionality in hardware, software, and firmware), physical means (i.e., physical devices and protective measures), and procedural means (i.e., procedures performed by individuals).
- privacy compromise : see document
- In the AML context, the unauthorized access of restricted or proprietary information that is part of an AI system, including information about a model’s training data, weights or architecture; or sensitive information that the model accesses such as the knowledge base of a GenAI retrieval-augmented generation (RAG) application.
- Privacy Continuous Monitoring : see document
- privacy control : see document
- The administrative, technical, and physical safeguards employed within an agency to ensure compliance with applicable privacy requirements and manage privacy risks.
Note: Controls can be selected to achieve multiple objectives; those controls that are selected to achieve both security and privacy objectives require a degree of collaboration between the organization’s information security program and privacy program.
- The administrative, technical, and physical safeguards employed within an organization to satisfy privacy requirements.
- privacy control assessment : see document
- See Security Control Assessment.
- See Security Control Assessment or Privacy Control Assessment.
- See security control assessment or risk assessment.
- The testing or evaluation of privacy controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the privacy requirements for an information system or organization.
- The assessment of privacy controls to determine whether the controls are implemented correctly, operating as intended, and sufficient to ensure compliance with applicable privacy requirements and manage privacy risks. A privacy control assessment is both an assessment and a formal document detailing the process and the outcome of the assessment.
- Privacy Control Assessor : see document
- The individual, group, or organization responsible for conducting a security or privacy control assessment.
- See Security Control Assessor.
- See Security Control Assessor or Privacy Control Assessor.
- The individual, group, or organization responsible for conducting a privacy control assessment.
- The individual responsible for conducting assessment activities under the guidance and direction of a Designated Authorizing Official. The Assessor is a 3rd party.
- See security control assessor or risk assessor.
- privacy control baseline : see document
- A collection of controls specifically assembled or brought together by a group, organization, or community of interest to address the privacy protection needs of individuals.
- The set of privacy controls selected based on the privacy selection criteria that provide a starting point for the tailoring process.
- privacy domain : see document
- A domain that implements a privacy policy.
- Privacy engineering : see document
- A specialty discipline of systems engineering focused on achieving freedom from conditions that can create problems for individuals with unacceptable consequences that arise from the system as it processes PII.
- Privacy Engineering Program : see document
- Privacy Enhanced Mail : see document
- Privacy Event : see document
- The occurrence or potential occurrence of problematic data actions.
- privacy impact assessment (PIA) : see document
- A method of analyzing how personal information is collected, used, shared, and maintained. PIAs are used to identify and mitigate privacy risks throughout the development life cycle of a program or system. They also help ensure that handling information conforms to legal, regulatory, and policy requirements regarding privacy.
- A process for examining the risks and ramifications of collecting, maintaining, and disseminating information in identifiable form in an electronic information system, and for identifying and evaluating protections and alternative processes to mitigate the impact to privacy of collecting information in identifiable form. Consistent with September 26, 2003, OMB guidance (M-03-22) implementing the privacy provisions of the e-Government Act, agencies must conduct privacy impact assessments for all new or significantly altered IT investments administering information in identifiable form collected from or about members of the public. Agencies may choose whether to conduct privacy impact assessments for IT investments administering information in identifiable form collected from or about agency employees.
- An analysis of how information is handled to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; to determine the risks and effects of creating, collecting, using, processing, storing, maintaining, disseminating, disclosing, and disposing of information in identifiable form in an electronic information system; and to examine and evaluate protections and alternate processes for handling information to mitigate potential privacy concerns. A privacy impact assessment is both an analysis and a formal document detailing the process and the outcome of the analysis.
- “An analysis of how information is handled that ensures handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; determines the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system; and examines and evaluates protections and alternative processes for handling information to mitigate potential privacy risks.”
- An analysis of how information is handled 1) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; 2) to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system; and 3) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.
- An analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; (ii) to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system; and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.
- privacy information : see document
- Information that describes the privacy posture of an information system or organization.
- privacy loss : see document
- A measure of the extent to which a data release may reveal information that is specific to an individual.
- A quantitative upper bound on the statistical distance between analysis outcomes on neighboring datasets.
- privacy loss budget : see document
- An upper bound on the cumulative total privacy loss for individuals.
- Privacy Management Reference Model and Methodology : see document
- privacy parameter : see document
- A parameter of a differential privacy definition that partly or wholly determines privacy loss.
- privacy plan : see document
- Formal document that provides an overview of the privacy requirements for an information system or program and describes the privacy controls in place or planned for meeting those requirements. The privacy plan may be integrated into the organizational security plan or developed as a separate plan.
- A formal document that details the privacy controls selected for an information system or environment of operation that are in place or planned for meeting applicable privacy requirements and managing privacy risks, details how the controls have been implemented, and describes the methodologies and metrics that will be used to assess the controls.
- privacy posture : see document
- The privacy posture represents the status of the information systems and information resources (e.g., personnel, equipment, funds, and information technology) within an organization based on information assurance resources (e.g., people, hardware, software, policies, procedures) and the capabilities in place to comply with applicable privacy requirements and manage privacy risks and to react as the situation changes.
- privacy preserving data mining : see document
- an [extension] of traditional data mining techniques to work with … data modified to mask sensitive information
- privacy preserving data publishing : see document
- methods and tools for publishing data in a more hostile environment, so that the published data remains practically useful while individual privacy is preserved
- privacy program plan : see document
- A formal document that provides an overview of an agency’s privacy program, including a description of the structure of the privacy program, the resources dedicated to the privacy program, the role of the Senior Agency Official for Privacy and other privacy officials and staff, the strategic goals and objectives of the privacy program, and the program management controls and common controls in place or planned for meeting applicable privacy requirements and managing privacy risks.
- privacy requirement : see document
- A requirement that applies to an information system or an organization that is derived from applicable laws, executive orders, directives, policies, standards, regulations, procedures, and/or mission/business needs with respect to privacy. Note: The term privacy requirement can be used in a variety of contexts from high-level policy activities to low-level implementation activities in system development and engineering disciplines.
- A specification for system/product/service functionality to meet stakeholders’ desired privacy outcomes.
- Privacy Requirements : see document
- Requirements of an organization, information program, or system that are derived from applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, procedures, or organizational mission and business case needs with respect to privacy.
- Requirements levied on an organization, information program, or information system that are derived from applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, procedures, or organizational mission/business case needs to ensure that privacy protections are implemented in the collection, use, sharing, storage, transmittal, and disposal of information.
- Privacy Risk Assessment : see document
- A privacy risk management sub-process for identifying and evaluating specific privacy risks.
- Privacy Risk Assessment Methodology (PRAM) : see document
- The PRAM is a tool that applies the risk model from NISTIR 8062 and helps organizations analyze, assess, and prioritize privacy risks to determine how to respond and select appropriate solutions. The PRAM can help drive collaboration and communication between various components of an organization, including privacy, cybersecurity, business, and IT personnel.
- Privacy Risk Management : see document
- A cross-organizational set of processes for identifying, assessing, and responding to privacy risks.
- Privacy Workforce Public Working Group : see document
- privacy-enhancing cryptography : see document
- privacy-enhancing technology : see document
- privacy-utility tradeoff : see document
- The fundamental tension between privacy and accuracy. Adding more noise increases privacy but reduces accuracy, and vice-versa.
- Private Branch Exchange : see document
- Private cloud : see document
- The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
- private key : see document
- The secret part of an asymmetric key pair that is typically used to digitally sign or decrypt data.
- A cryptographic key that is used with an asymmetric (public key) cryptographic algorithm. The private key is uniquely associated with the owner and is not made public. The private key is used to compute a digital signature that may be verified using the corresponding public key.
- A cryptographic key that is used with an asymmetric (public-key) cryptographic algorithm. The private key is uniquely associated with the owner and is not made public. The private key is used to compute a digital signature that may be verified using the corresponding public key.
- A cryptographic key used with a public-key cryptographic algorithm that is uniquely associated with an entity and is not made public. In an asymmetric-key (public-key) cryptosystem, the private key has a corresponding public key. Depending on the algorithm, the private key may be used to:
1. Compute the corresponding public key,
2. Compute a digital signature that may be verified by the corresponding public key,
3. Decrypt keys that were encrypted by the corresponding public key, or
4. Compute a shared secret during a key-agreement transaction.
- A mathematical key (kept secret by the holder) used to create digital signatures and, depending upon the algorithm, to decrypt messages or files encrypted (for confidentiality) with the corresponding public key.
- A cryptographic key, used with a public key cryptographic algorithm, that is uniquely associated with an entity and is not made public.
- A cryptographic key used with an asymmetric-key (public-key) cryptographic algorithm that is not made public and is uniquely associated with an entity that is authorized to use it. In an asymmetric-key cryptosystem, the private key is associated with a public key. Depending on the algorithm that employs the private key, it may be used to:
1. Compute the corresponding public key,
2. Compute a digital signature that may be verified using the corresponding public key,
3. Decrypt data that was encrypted using the corresponding public key, or
4. Compute a key derivation key, which may then be used as an input to a key derivation process.
- A cryptographic key used by a public-key (asymmetric) cryptographic algorithm that is uniquely associated with an entity and is not made public.
- (1) The key of a signature key pair used to create a digital signature. (2) The key of an encryption key pair that is used to decrypt confidential information. In both cases, this key must be kept secret.
- A cryptographic key that is kept secret and is used with a public-key cryptographic algorithm. A private key is associated with a public key.
- The secret part of an asymmetric key pair that is used to digitally sign or decrypt data.
- A cryptographic key used with an asymmetric-key (public-key) cryptographic algorithm that is not made public and is uniquely associated with an entity that is authorized to use it. In an asymmetric-key cryptosystem, the private key is associated with a public key. Depending on the algorithm that employs the private key, it may be used to: 1. Compute the corresponding public key, 2. Compute a digital signature that may be verified using the corresponding public key, 3. Decrypt data that was encrypted using the corresponding public key, or 4. Compute a key derivation key, which may then be used as an input to a key derivation process.
- The secret part of an asymmetric key pair that is typically used to digitally sign or decrypt data.
- A cryptographic key that is used with an asymmetric (public key) cryptographic algorithm. For digital signatures, the private key is uniquely associated with the owner and is not made public. The private key is used to compute a digital signature that may be verified by the corresponding public key.
- A cryptographic key used with a public-key cryptographic algorithm that is uniquely associated with an entity and is not made public. The private key has a corresponding public key. Depending on the algorithm, the private key may be used to: 1. Compute the corresponding public key, 2. Compute a digital signature that may be verified by the corresponding public key, 3. Decrypt keys that were encrypted by the corresponding public key, or 4. Compute a shared secret during a key agreement transaction.
- A cryptographic key, used with a public key cryptographic algorithm that is uniquely associated with an entity and is not made public. In an asymmetric (public) cryptosystem, the private key is associated with a public key. The private key is known only by the owner of the key pair and is used to:
1. Compute the corresponding public key,
2. Compute a digital signature that may be verified by the corresponding public key,
3. Decrypt data that was encrypted by the corresponding public key, or
4. Compute a piece of common shared data, together with other information.
- A cryptographic key, used with a public-key cryptographic algorithm that is uniquely associated with an entity and is not made public. In an asymmetric (public) cryptosystem, the private key has a corresponding public key. Depending on the algorithm, the private key may be used, for example, to:
1. Compute the corresponding public key,
2. Compute a digital signature that may be verified by the corresponding public key,
3. Decrypt keys that were encrypted by the corresponding public key, or
4. Compute a shared secret during a key-agreement transaction.
- A cryptographic key used with a public key cryptographic algorithm that is uniquely associated with an entity and is not made public. In an asymmetric (public) key cryptosystem, the private key is associated with a public key. Depending on the algorithm, the private key may be used to: 1. Compute the corresponding public key, 2. Compute a digital signature that may be verified by the corresponding public key, 3. Decrypt data that was encrypted by the corresponding public key, or 4. Compute a shared secret during a key-agreement process.
- A cryptographic key used with a public-key cryptographic algorithm that is uniquely associated with an entity and is not made public. In an asymmetric-key (public-key) cryptosystem, the private key has a corresponding public key. Depending on the algorithm, the private key may be used, for example, to: 1. Compute the corresponding public key, 2. Compute a digital signature that may be verified by the corresponding public key, 3. Decrypt keys that were encrypted by the corresponding public key, or 4. Compute a shared secret during a key-agreement transaction.
- A cryptographic key used with an asymmetric-key (public-key) cryptographic algorithm that is not made public and is uniquely associated with an entity that is authorized to use it. In an asymmetric-key cryptosystem, the private key is associated with a public key. Depending on the algorithm that employs the private key, it may be used to:
1. Compute the corresponding public key;
2. Compute a digital signature that may be verified using the corresponding public key;
3. Decrypt data that was encrypted using the corresponding public key; or
4. Compute a key-derivation key, which may then be used as an input to a key-derivation process.
- A cryptographic key, used with a public-key cryptographic algorithm, which is uniquely associated with an entity and is not made public. In an asymmetric (public) cryptosystem, the private key is associated with a public key. Depending on the algorithm, the private key may be used, for example, to: 1. Compute the corresponding public key, 2. Compute a digital signature that may be verified by the corresponding public key, 3. Decrypt keys that were encrypted by the corresponding public key, or 4. Compute a shared secret during a key-agreement transaction.
- Private Key Infrastructure : see document
- Private key/private signature key : see document
- A cryptographic key that is used with an asymmetric (public key) cryptographic algorithm and is associated with a public key. The private key is uniquely associated with the owner and is not made public. This key is used to compute a digital signature that may be verified using the corresponding public key.
- privilege : see document
- The authorized behavior of a subject.
- A right granted to an individual, a program, or a process.
- A special authorization that is granted to particular users to perform security relevant operations.
- Privilege Attribute Certificate : see document
- privilege certificate manager (PCM) : see document
- The key management entity (KME) authorized to create the privilege certificate for another KME.
- privileged access account holder : see document
- A user who is authorized (and therefore trusted) to perform security-relevant functions that ordinary users are not authorized to perform (e.g., special access to software applications or web publishing), requires additional training, and must sign an acceptable use policy. A user with a privileged access account.
- Privileged Access Management : see document
- Privileged Access Never : see document
- privileged account : see document
- An information system account with approved authorizations of a privileged user.
- A system account with authorizations of a privileged user.
- An information system account with authorizations of a privileged user.
- A system account with the authorizations of a privileged user.
- privileged command : see document
- A human-initiated command executed on an information system involving the control, monitoring, or administration of the system including security functions and associated security-relevant information.
- A human-initiated command executed on a system that involves the control, monitoring, or administration of the system, including security functions and associated security-relevant information.
- Privileged Execute Never : see document
- privileged network account : see document
- A network account with elevated privileges that is typically allocated to system administrators, network administrators, DBAs, and others who are responsible for system/application control, monitoring, or administration functions.
- privileged process : see document
- A computer process that is authorized (and, therefore, trusted) to perform security-relevant functions that ordinary processes are not authorized to perform.
- privileged user : see document
- A user who is authorized (and, therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.
- A user who is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.
- A user that is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.
- A user that is authorized (and, therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.
- A user that is authorized (and, therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.
- PRM : see document
- PRNG : see document
- A deterministic computational process that has one or more inputs called "seeds", and it outputs a sequence of values that appears to be random according to specified statistical tests. A cryptographic PRNG has the additional property that the output is unpredictable, given that the seed is not known.
- See Deterministic Random Bit Generator.
- proactive cyber defense : see document
- A continuous process to manage and harden devices and networks according to known best practices.
- Probabilistic Signature Scheme : see document
- Probability Density Function (PDF) : see document
- A function that provides the "local" probability distribution of a test statistic. From a finite sample size n, a probability density function will be approximated by a histogram.
- Probability Distribution : see document
- The assignment of a probability to the possible outcomes (realizations) of a random variable.
- A function that assigns a probability to each measurable subset of the possible outcomes of a random variable.
- probability of occurrence : see document
- A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities.
- See likelihood of occurrence.
- Probable Maximum Loss : see document
- Probable prime : see document
- An integer that is believed to be prime based on a probabilistic primality test. There should be no more than a negligible probability that the so-called probable prime is actually composite.
- Probative Data : see document
- Information that reveals the truth of an allegation.
- probe : see document
- A technique that attempts to access a system to learn something about the system.
- problem : see document
- Difficulty, uncertainty, or otherwise realized and undesirable event, set of events, condition, or situation that requires investigation and corrective action.
- Problematic Data Action : see document
- A data action that could cause an adverse effect for individuals.
- A data action that causes an adverse effect, or problem, for individuals.
- A system operation that processes PII through the information lifecycle and as a side effect causes individuals to experience some type of problem(s).
- A data action that could cause an adverse effect for individuals
- process : see document
- Set of interrelated or interacting activities that use inputs to deliver an intended result.
- set of interrelated or interacting activities which transforms inputs into outputs
- Set of interrelated or interacting activities which transforms inputs into outputs.
A program in execution.
- Set of interrelated or interacting activities which transforms inputs into outputs.
A program in execution.
- Process Access Control : see document
- process assistant : see document
- An individual who provides support for the proofing process but does not support decision-making or risk-based evaluation (e.g., translation, transcription, or accessibility support).
- Process Control System : see document
- Process Hazard Analysis : see document
- process hijacking : see document
- A process checkpoint and migration technique that uses dynamic program re-writing techniques to add a checkpointing capability to a running program. Process hijacking makes it possible to checkpoint and migrate proprietary applications that cannot be re-linked with a checkpoint library allowing dynamic hand off of an ordinary running process to a distributed resource management system (e.g., the ability to trick or bypass the firewall allowing the server component to take over processes and gain rights for accessing the internet).
- Process ID : see document
- Process Information : see document
- Process Manager 2 : see document
- process outcome : see document
- Observable result of the successful achievement of the process purpose.
- process purpose : see document
- High-level objective of performing the process and the likely outcomes of effective implementation of the process.
- Process Safety Shutdown : see document
- process step : see document
- A reference to one of the 6 steps in the ISCM process defined in NIST SP 800-137.
- A reference to one of the 6 steps in the ISCM process defined in SP 800-137.
- processing : see document
- An operation or set of operations performed on personal information that can include, but is not limited to, the collection, retention, logging, generation, transformation, use, disclosure, transfer, or disposal of personal information.
- Operation or set of operations performed upon PII that can include, but is not limited to, the collection, retention, logging, generation, transformation, use, disclosure, transfer, and disposal of PII.
- Per NISTIR 8062: Operation or set of operations performed upon PII that can include, but is not limited to, the collection, retention, logging, generation, transformation, use, disclosure, transfer, and disposal of PII.
- Operation or set of operations performed upon PII that can include but is not limited to the collection, retention, logging, generation, transformation, use, disclosure, transfer, and disposal of PII.
- Processor Element : see document
- Processor Resource/System Manager : see document
- product : see document
- Part of the equipment (hardware, software and materials) for which usability is to be specified or evaluated.
- A complete set of computer programs, procedures and associated documentation and data designed for delivery to a software consumer.
- A software application that has one or more capabilities.
- Result of a process.
Note: A system as a “product” is what is delivered by systems engineering.
- Product Category : see document
- The main product category of the IT product (e.g., firewall, IDS, operating system, web server).
- product compliant list (PCL) : see document
- The list of information assurance (IA) and IA-enabled products evaluated and validated pursuant to the NIAP program.
- Product Component Host : see document
- The organization, individual, and/or system that hosts the product component. Product component hosts may provide support for or supersede the need to test criteria since they are expected to implement, control, and verify the criteria.
- product cybersecurity capability : see document
- Cybersecurity features or functions that computing devices provide through their own technical means (i.e., device hardware and software).
- Product Output : see document
- Information produced by a product. This includes the product user interface, human-readable reports, and machine-readable reports. Unless otherwise indicated by a specific requirement, there are no constraints on the format. When this output is evaluated in a test procedure, either all or specific forms of output will be sampled as indicated by the test procedure.
- product owner : see document
- Person or organization responsible for the development, modification, operation, and/or final disposition of software or hardware used in an information system.
- Product Security Incident Response Team : see document
- product source node (PSN) : see document
- The Key Management Infrastructure core node that provides central generation of cryptographic key material.
- Profile augmentations : see document
- The properties or characteristics that are recommended, but not required, by this Profile for FCKMSs.
- Profile features : see document
- The properties or characteristics that could be used by FCKMSs, but are not required or recommended by this Profile.
- Profile requirements : see document
- The properties or characteristics that shall be exhibited in FCKMSs in order to conform to, or comply with, this Profile.
- profiling : see document
- Measuring the characteristics of expected activity so that changes to it can be more easily identified.
- Prognostics and Health Management for Reliable Operations in Smart Manufacturing : see document
- Program Management : see document
- Program Management Office : see document
- program manager : see document
- Person or organization having responsibility for the development, procurement, integration, modification, operation and maintenance, and/or final disposition of an information system.
- program metrics : see document
- Tools designed to facilitate decision-making and improve performance and accountability through the collection, analysis, and reporting of relevant performance-related data.
- Program Organizational Unit : see document
- Program Review for Information Security Management Assistance : see document
- Programmable Read-Only Memory : see document
- project : see document
- Endeavor with defined start and finish criteria undertaken to create a product or service in accordance with specified resources and requirements.
- Project 25 : see document
- Project Committee : see document
- Project Management : see document
- PROM : see document
- prompt extraction : see document
- An attack that tries to divulge the system prompt or other information in the context of a large language model that would normally be hidden from a user.
- prompt injection : see document
- An attack which exploits the concatenation of untrusted input with a prompt constructed by a higher-trust party such as the application designer.
- Proof Key for Code Exchange : see document
- Proof of Elapsed Time : see document
- Proof of possession (POP) : see document
- A verification process whereby assurance is obtained that the owner of a key pair actually has the private key associated with the public key.
- Proof of Stake : see document
- Proof of stake consensus model : see document
- A consensus model where the blockchain network is secured by users locking an amount of cryptocurrency into the blockchain network, a process called staking. Participants with more stake in the system are more likely to want it to succeed and to not be subverted, which gives them more weight during consensus.
- Proof of Work : see document
- Proof of work consensus model : see document
- A consensus model where a publishing node wins the right to publish the next block by expending time, energy, and computational cycles to solve a hard-to-solve, but easy-to-verify problem (e.g., finding the nonce which, when combined with the data to be added to the block, will result in a specific output pattern).
- proofing agent : see document
- An agent of the CSP who is trained to attend identity proofing sessions and can make limited risk-based decisions, such as physically inspecting identity evidence and comparing the applicant to the identity evidence.
- proper working state : see document
- A condition in which the device or system contains no compromised internal components or data fields (e.g., data stored to memory) and from which the device or system can recognize and process valid input signals and output valid PNT solutions. An initial pre-deployment configuration is a basic example. The accuracy of the immediate PNT solution is not specified in this definition, as it will depend on the specifics of the device or system’s performance and the degradation allowed by different resilience levels.
- property inference : see document
- A data privacy attack that infers a global property about the training data of a machine learning model.
- Property List : see document
- Property Management System : see document
- PROPIN : see document
- Proportional Integral Derivative : see document
- Proprietary Identifier Extension : see document
- proprietary information (PROPIN) : see document
- Material and information relating to or associated with a company's products, business, or activities, including but not limited to financial information; data or statements; trade secrets; product research and development; existing and future product designs and performance specifications; marketing plans or techniques; schematics; client lists; computer programs; processes; and know-how that has been clearly identified and properly marked by the company as proprietary information, trade secrets, or company confidential information. The information must have been developed by the company and not be available to the Government or to the public without restriction from another source.
- proscribed information : see document
- <FOCI> Top Secret (TS) information, COMSEC information excluding controlled cryptographic items when unkeyed and utilized with unclassified keys, restricted data (RD), special access program (SAP) information, or sensitive compartmented information (SCI).
- ProSe : see document
- Prose Checklist : see document
- A checklist that provides narrative descriptions of how a person can manually alter a product’s configuration.
- PRoT : see document
- Protect : see document
- protect (CSF function) : see document
- Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Protect, Access Control : see document
- Protect, Awareness and Training : see document
- Protect, Data Security : see document
- Protect, Protective Technology : see document
- Protected Access Credential : see document
- protected distribution system (PDS) : see document
- Wire line or fiber optic system that includes adequate safeguards and/or countermeasures (e.g., acoustic, electric, electromagnetic, and physical) to permit its use for the transmission of unencrypted information through an area of lesser classification or control.
- Protected EAP : see document
- Protected Execution Facility : see document
- Protected Extensible Authentication Protocol : see document
- Protected Management Frame(s) : see document
- Protected Mode : see document
- An operational mode found in x86-compatible processors with hardware support for memory protection, virtual memory, and multitasking.
- Protected Storage : see document
- protection : see document
- In the context of systems security engineering, a control objective that applies across all types of asset types and the corresponding consequences of loss. A system protection capability is a system control objective and a system design problem. The solution to the problem is optimized through a balanced proactive strategy and a reactive strategy that is not limited to prevention. The strategy also encompasses avoiding asset loss and consequences; detecting asset loss and consequences; minimizing (i.e., limiting, containing, restricting) asset loss and consequences; responding to asset loss and consequences; recovering from asset loss and consequences; and forecasting or predicting asset loss and consequences.
- Protection Bits : see document
- A mechanism commonly included in UNIX and UNIX-like systems that controls access based on bits specifying read, write, or execute permissions for a file’s (or directory’s) owner, group, or other (world).
- Protection in Transit : see document
- protection needs : see document
- Informal statement or expression of the stakeholder security requirements focused on protecting information, systems, and services associated with mission and business functions throughout the system life cycle.
- Informal statement or expression of the stakeholder security requirements focused on protecting information, systems, and services associated with mission/business functions throughout the system life cycle.
Note: Requirements elicitation and security analyses transform the protection needs into a formalized statement of stakeholder security requirements that are managed as part of the validated stakeholder requirements baseline.
- protection philosophy : see document
- Informal description of the overall design of an information system delineating each of the protection mechanisms employed. Combination of formal and informal techniques, appropriate to the evaluation class, used to show the mechanisms are adequate to enforce the security policy.
- protection profile : see document
- A minimal, baseline set of requirements targeted at mitigating well-defined and described threats. The term Protection Profile refers to NSA/NIAP requirements for a technology and does not imply or require the use of Common Criteria as the process for evaluating a product. Protection Profiles may be created by Technical Communities and will include:
- a set of technology-specific threats derived from operational knowledge and technical expertise;
- a set of core functional requirements necessary to mitigate those threats and establish a basic level of security for a particular technology; and,
- a collection of assurance activities tailored to the technology and functional requirements that are transparent, and produce achievable, repeatable, and testable results scoped such that they can be completed within a reasonable timeframe.
- Protective Distribution System : see document
- Wire line or fiber optic system that includes adequate safeguards and/or countermeasures (e.g., acoustic, electric, electromagnetic, and physical) to permit its use for the transmission of unencrypted information.
- protective packaging : see document
- Packaging techniques for COMSEC material that discourage penetration, reveal a penetration has occurred or was attempted, or inhibit viewing or copying of keying material prior to the time it is exposed for use.
- protective technologies : see document
- Special tamper-evident features and materials employed for the purpose of detecting tampering and deterring attempts to compromise, modify, penetrate, extract, or substitute information processing equipment and keying material.
- Protect-P (Function) : see document
- Develop and implement appropriate data processing safeguards.
- Protocol and Parameters Selection : see document
- Provable prime : see document
- An integer that is either constructed to be prime or is demonstrated to be prime using a primality-proving algorithm.
- Provider : see document
- The entity (person or organization) that provides an appropriate agent, referred to as the “provider agent” to implement a particular Web service. It will use the provider agent to exchange messages with the requester’s requester agent. “Provider” is also used as a shorthand to refer to the provider agent acting on the provider’s behalf.
- A party that provides (1) a public key (e.g., in a certificate); (2) assurance, such as an assurance of the validity of a candidate public key or assurance of possession of the private key associated with a public key; or (3) key confirmation. Contrast with recipient.
- provisioning API : see document
- A protected API that allows an RP to access identity attributes for multiple subscribers for the purposes of provisioning and managing RP subscriber accounts.
- Proximity Services : see document
- proxy : see document
- An application that “breaks” the connection between client and server. The proxy accepts certain types of traffic entering or leaving a network and processes it and forwards it.
Note: This effectively closes the straight path between the internal and external networks, making it more difficult for an attacker to obtain internal addresses and other details of the organization’s internal network. Proxy servers are available for common Internet services; for example, a Hypertext Transfer Protocol (HTTP) proxy used for Web access, and a Simple Mail Transfer Protocol (SMTP) proxy used for e-mail.
- An agent that acts on behalf of a requester to relay a message between a requester agent and a provider agent. The proxy appears to the provider agent Web service to be the requester.
- An intermediary device or program that provides communication and other services between a client and server.
- A proxy is an application that “breaks” the connection between client and server. The proxy accepts certain types of traffic entering or leaving a network, processes it, and forwards it. This effectively closes the straight path between the internal and external networks, making it more difficult for an attacker to obtain internal addresses and other details of the organization’s internal network. Proxy servers are available for common Internet services; for example, a Hypertext Transfer Protocol (HTTP) proxy used for Web access and a Simple Mail Transfer Protocol (SMTP) proxy used for e-mail.
- Software that receives a request from a client, then sends a request on the client’s behalf to the desired destination.
- proxy agent : see document
- A software application running on a firewall or on a dedicated proxy server that is capable of filtering a protocol and routing it between the interfaces of the device.
- Proxy Auto Config : see document
- proxy server : see document
- A server that services the requests of its clients by forwarding those requests to other servers.
- Proxy-WASM : see document
- PRP : see document
- PRSN : see document
- PS : see document
- The discipline of assessing the conduct, integrity, judgment, loyalty, reliability, and stability of individuals for duties and responsibilities requiring trustworthiness.
- The discipline of assessing the conduct, integrity, judgment, loyalty, reliability, and stability of individuals for duties and responsibilities that require trustworthiness.
- PSA : see document
- PSAC : see document
- PSAP : see document
- PSC : see document
- PSCCC : see document
- PSCP : see document
- PSCR : see document
- Pseudorandom : see document
- A process or data produced by a process is said to be pseudorandom when the outcome is deterministic yet also effectively random as long as the internal action of the process is hidden from observation. For cryptographic purposes, “effectively random” means “computationally indistinguishable from random within the limits of the intended security strength.”
- A process (or data produced by a process) is said to be pseudorandom when the outcome is deterministic yet also appears random as long as the internal action of the process is hidden from observation. For cryptographic purposes, “effectively random” means “computationally indistinguishable from random within the limits of the intended security strength.”
- A process (or data produced by a process) is said to be pseudorandom when the outcome is deterministic, yet also effectively random, as long as the internal action of the process is hidden from observation. For cryptographic purposes, “effectively” means “within the limits of the intended cryptographic strength.”
- A deterministic process (or data produced by such a process) whose output values are effectively indistinguishable from those of a random process as long as the internal states and internal actions of the process are unknown. For cryptographic purposes, “effectively indistinguishable” means “not within the computational limits established by the intended security strength.”
- Pseudorandom function (PRF) : see document
- An indexed family of (efficiently computable) functions, each defined for the same input and output spaces. (For the purposes of this Recommendation, one may assume that both the index set and the output space are finite.) If a function from the family is selected by choosing an index value uniformly at random, and one’s knowledge of the selected function is limited to the output values corresponding to a feasible number of (adaptively) chosen input values, then the selected function is computationally indistinguishable from a function whose outputs were fixed uniformly at random.
- A function that can be used to generate output from a random seed and a data variable such that the output is computationally indistinguishable from truly random output.
- A function that can be used to generate output from a random seed and a data variable, such that the output is computationally indistinguishable from truly random output.
- A function that can be used to generate output from a random seed such that the output is computationally indistinguishable from truly random output.
- A function that can be used to generate output from a secret random seed and a data variable, such that the output is computationally indistinguishable from truly random output. In this Recommendation, an approved message authentication code (MAC) is used as a pseudorandom function in the key expansion step, where a key derivation key is used as the secret random seed.
- Pseudorandom function family : see document
- An indexed family of (efficiently computable) functions, each defined for the same particular pair of input and output spaces. (For the purposes of this Recommendation, one may assume that both the index set and the output space are finite.) The indexed functions are pseudorandom in the following sense: If a function from the family is selected by choosing an index value uniformly at random, and one’s knowledge of the selected function is limited to the output values corresponding to a feasible number of (adaptively) chosen input values, then the selected function is computationally indistinguishable from a function whose outputs were fixed uniformly at random.
- Pseudorandom key : see document
- As used in this Recommendation, a binary string that is taken from the output of a PRF.
- pseudorandom number generator : see document
- An RBG that includes a DRBG mechanism and (at least initially) has access to a randomness source. The DRBG produces a sequence of bits from a secret initial value called a seed, along with other possible inputs. A DRBG is often called a Pseudorandom Number (or Bit) Generator. Contrast with NRBG.
- An RBG that includes a DRBG mechanism and (at least initially) has access to a source of entropy input. The DRBG produces a sequence of bits from a secret initial value called a seed, along with other possible inputs. A DRBG is often called a Pseudorandom Number (or Bit) Generator.
- A deterministic computational process that has one or more inputs called "seeds", and it outputs a sequence of values that appears to be random according to specified statistical tests. A cryptographic PRNG has the additional property that the output is unpredictable, given that the seed is not known.
- A deterministic algorithm which, given a truly random binary sequence of length k, outputs a binary sequence of length l >> k which appears to be random. The input to the generator is called the seed, while the output is called a pseudorandom bit sequence.
- See Deterministic random bit generator (DRBG).
- See Deterministic Random Bit Generator.
- A random bit generator that includes a DRBG algorithm and (at least initially) has access to a source of randomness. The DRBG produces a sequence of bits from a secret initial value called a seed, along with other possible inputs. A cryptographic DRBG has the additional property that the output is unpredictable, given that the seed is not known. A DRBG is sometimes also called a Pseudo-random Number Generator (PRNG) or a deterministic random number generator.
- A random bit generator that includes a DRBG algorithm and (at least initially) has access to a source of randomness. The DRBG produces a sequence of bits from a secret initial value called a seed. A cryptographic DRBG has the additional property that the output is unpredictable given that the seed is not known. A DRBG is sometimes also called a pseudo-random number generator (PRNG) or a deterministic random number generator.
- An algorithm that produces a sequence of bits that are uniquely determined from an initial value called a seed. The output of the DRBG “appears” to be random, i.e., the output is statistically indistinguishable from random values. A cryptographic DRBG has the additional property that the output is unpredictable, given that the seed is not known. A DRBG is sometimes also called a Pseudo Random Number Generator (PRNG) or a deterministic random number generator.
- Pseudo-Random Permutation : see document
- PSFR : see document
- PSIRT : see document
- PSK : see document
- A single secret key used by IPsec endpoints to authenticate endpoints to each other.
- Single key used by IPsec endpoints to authenticate endpoints to each other.
- PSN : see document
- PSO : see document
- PSS : see document
- PSTN : see document
- PSX : see document
- pt : see document
- PTK : see document
- PTP : see document
- PTT : see document
- PUB : see document
- public : see document
- Any entity or person who might be impacted by or need to take action for a specific vulnerability; intended to be loosely interpreted.
- Public and Private Key : see document
- Public and private keys are two very large numbers that (through advanced mathematics) have a unique relationship, whereby information encrypted with one number (key) can only be decrypted with the other number (key) and vice versa. In order to leverage this characteristic for security operations, once two numbers are mathematically selected (generated), one is kept secret (private key) and the other is shared (public key). The holder of the private key can then authenticate themselves to another party who has the public key.
Alternatively, a public key may be used by one party to send a confidential message to the holder of the corresponding private key. With SSH, the identity key is a private key and authorized keys are public keys.
- Public CA : see document
- A trusted third party that issues certificates as defined in IETF RFC 5280. A CA is considered public if its root certificate is included in browsers and other applications by the developers of those browsers and applications. The CA/Browser Forum defines the requirements public CAs must follow in their operations.
- public channel : see document
- A communication channel between two parties. Such a channel can be observed and possibly also corrupted by third parties.
- Public cloud : see document
- The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
- public domain software : see document
- Software not protected by copyright laws of any nation that may be freely used without permission of or payment to the creator, and that carries no warranties from or liabilities to the creator.
- Public Information : see document
- The term 'public information' means any information, regardless of form or format, that an agency discloses, disseminates, or makes available to the public.
- Any information, regardless of form or format that an agency discloses, disseminates, or makes available to the public.
- Public Internet Registry : see document
- public key : see document
- A cryptographic key that is used with an asymmetric (public key) cryptographic algorithm and is associated with a private key. The public key is associated with an owner and may be made public. In the case of digital signatures, the public key is used to verify a digital signature that was generated using the corresponding private key.
- A cryptographic key that is used with an asymmetric (public-key) cryptographic algorithm and is associated with a private key. The public key is associated with an owner and may be made public. In the case of digital signatures, the public key is used to verify a digital signature that was generated using the corresponding private key.
- A cryptographic key used with a public-key cryptographic algorithm that is uniquely associated with an entity and that may be made public. In an asymmetric-key (public-key) cryptosystem, the public key has a corresponding private key. The public key may be known by anyone and, depending on the algorithm, may be used to:
1. Verify a digital signature that was generated using the corresponding private key,
2. Encrypt keys that can be decrypted using the corresponding private key, or
3. Compute a shared secret during a key-agreement transaction.
- A mathematical key that has public availability and that applications use to verify signatures created with its corresponding private key. Depending on the algorithm, public keys can encrypt messages or files that the corresponding private key can decrypt.
- A cryptographic key used with a public key cryptographic algorithm that is uniquely associated with an entity and that may be made public.
- The public part of an asymmetric key pair that is typically used to verify signatures or encrypt data.
- A cryptographic key used with an asymmetric-key (public-key) cryptographic algorithm that may be made public and is associated with a private key and an entity that is authorized to use that private key. Depending on the algorithm that employs the public key, it may be used to:
1. Verify a digital signature that is signed by the corresponding private key,
2. Encrypt data that can be decrypted by the corresponding private key, or
3. Compute a piece of shared data (i.e., data that is known only by two or more specific entities).
- A cryptographic key used by a public-key (asymmetric) cryptographic algorithm that may be made public.
- (1) The key of a signature key pair used to validate a digital signature. (2) The key of an encryption key pair that is used to encrypt confidential information. In both cases, this key is made publicly available, normally in the form of a digital certificate.
- A cryptographic key that may be made public and is used with a public-key cryptographic algorithm. A public key is associated with a private key.
- The public part of an asymmetric key pair that is used to verify signatures or encrypt data.
- A cryptographic key that is used with an asymmetric (public key) cryptographic algorithm and is associated with a private key. The public key is associated with an owner and may be made public. In the case of digital signatures, the public key is used to verify a digital signature that was signed by the corresponding private key.
- A cryptographic key used with an asymmetric-key (public-key) cryptographic algorithm that may be made public and is associated with a private key and an entity that is authorized to use that private key. Depending on the algorithm that employs the public key, it may be used to:
1. Verify a digital signature that is signed by the corresponding private key,
2. Encrypt data that can be decrypted by the corresponding private key, or
3. Compute a piece of shared data (i.e., data that is known only by two or more specific entities).
- A cryptographic key used with a public key cryptographic algorithm that is uniquely associated with an entity and that may be made public. In an asymmetric (public) cryptosystem, the public key is associated with a private key. The public key may be known by anyone and is used to:
1. Verify a digital signature that is signed by the corresponding private key,
2. Encrypt data that can be decrypted by the corresponding private key, or
3. Compute a piece of shared data.
- A cryptographic key used with a public-key cryptographic algorithm that is uniquely associated with an entity and that may be made public. The public key has a corresponding private key. The public key may be known by anyone and, depending on the algorithm, may be used:
1. To verify a digital signature that is signed by the corresponding private key,
2. To encrypt keys that can be decrypted using the corresponding private key, or
3. As one of the input values to compute a shared secret during a key-agreement transaction.
- A cryptographic key, used with a public-key cryptographic algorithm, that is uniquely associated with an entity and that may be made public. In an asymmetric (public) cryptosystem, the public key has a corresponding private key. The public key may be known by anyone and, depending on the algorithm, may be used, for example, to:
1. Verify a digital signature that is signed by the corresponding private key,
2. Encrypt keys that can be decrypted using the corresponding private key, or
3. Compute a shared secret during a key-agreement transaction.
- A cryptographic key used with a public-key (asymmetric-key) algorithm that is uniquely associated with an entity and that may be made public. In an asymmetric (public) key cryptosystem, the public key is associated with a private key. The public key may be known by anyone and, depending on the algorithm, may be used to:
1. Verify a digital signature that is signed by the corresponding private key,
2. Encrypt data that can be decrypted by the corresponding private key, or
3. Compute a shared secret during a key-agreement process.
- A cryptographic key used with a public-key cryptographic algorithm that is uniquely associated with an entity and that may be made public. In an asymmetric-key (public-key) cryptosystem, the public key has a corresponding private key. The public key may be known by anyone and, depending on the algorithm, may be used, for example, to:
1. Verify a digital signature that was generated using the corresponding private key,
2. Encrypt keys that can be decrypted using the corresponding private key, or
3. Compute a shared secret during a key-agreement transaction.
- A cryptographic key used with an asymmetric-key (public-key) cryptographic algorithm that may be made public and is associated with a private key and an entity that is authorized to use that private key. Depending on the algorithm that employs the public key, it may be used to:
1. Verify a digital signature that is signed by the corresponding private key;
2. Encrypt data that can be decrypted by the corresponding private key; or
3. Compute a piece of shared data (i.e., data that is known only by two or more specific entities).
- A cryptographic key, used with a public-key cryptographic algorithm, that is uniquely associated with an entity and that may be made public. In an asymmetric (public) cryptosystem, the public key is associated with a private key. The public key may be known by anyone and, depending on the algorithm, may be used, for example, to:
1. Verify a digital signature that is signed by the corresponding private key,
2. Encrypt keys that can be decrypted using the corresponding private key, or
3. Compute a shared secret during a key-agreement transaction.
- public key certificate : see document
- A digital document issued and digitally signed by the private key of a certification authority that binds an identifier to a cardholder through a public key. The certificate indicates that the cardholder identified in the certificate has sole control and access to the private key.
- A set of data that uniquely identifies a public key (which has a corresponding private key) and an owner that is authorized to use the key pair. The certificate contains the owner’s public key and possibly other information and is digitally signed by a Certification Authority (i.e., a trusted party), thereby binding the public key to the owner.
- A set of data that uniquely identifies a public key that has a corresponding private key and an owner that is authorized to use the key pair. The certificate contains the owner’s public key and possibly other information and is digitally signed by a certification authority (i.e., a trusted party), thereby binding the public key to the owner.
- A digital document issued and digitally signed by the <em>private key</em> of a certificate authority that binds an <i>identifier</i> to a subscriber’s <i>public key</i>. The certificate indicates that the <i>subscriber</i> identified in the certificate has sole control of and access to the <i>private key</i>. See also [RFC5280].
- A digital representation of information which at least (1) identifies the certification authority issuing it, (2) names or identifies its subscriber, (3) contains the subscriber's public key, (4) identifies its operational period, and (5) is digitally signed by the certification authority issuing it. [ABADSG]. As used in this CP, the term “Certificate” refers to certificates that expressly reference the OID of this CP in the “Certificate Policies” field of an X.509 v.3 certificate.
- A digital representation of information which at least (1) identifies the certification authority issuing it, (2) names or identifies its Subscriber, (3) contains the Subscriber’s public key, (4) identifies its operational period, and (5) is digitally signed by the certification authority issuing it.
- A digital representation of information which at least (1) identifies the certification authority (CA) issuing it, (2) names or identifies its subscriber, (3) contains the subscriber’s public key, (4) identifies its operational period, and (5) is digitally signed by the certification authority issuing it.
- A data structure that contains an entity’s identifier(s), the entity's public key (including an indication of the associated set of domain parameters) and possibly other information, along with a signature on that data set that is generated by a trusted party, i.e. a certificate authority, thereby binding the public key to the included identifier(s).
- A set of data that uniquely identifies an entity, contains the entity's public key and possibly other information, and is digitally signed by a trusted party, thereby binding the public key to the entity. Additional information in the certificate could specify how the key is used and its cryptoperiod.
- A set of data that uniquely identifies a key pair owner that is authorized to use the key pair, contains the owner’s public key and possibly other information, and is digitally signed by a Certification Authority (i.e., a trusted party), thereby binding the public key to the owner.
- See public-key certificate.
- See public key certificate.
- A set of data that uniquely identifies an entity, contains the entity's public key and possibly other information, and is digitally signed by a trusted party, thereby binding the public key to the entity (e.g., using an X.509 certificate). Additional information in the certificate could specify how the key is used and its validity period.
- A data structure that contains an entity’s identifier(s), the entity's public key (including an indication of the associated set of domain parameters) and possibly other information, along with a signature on that data set that is generated by a trusted party, i.e., a certificate authority, thereby binding the public key to the included identifier(s).
- A set of data that uniquely identifies an entity, contains the entity's public key and possibly other information, and is digitally signed by a trusted party, thereby binding the public key to the entity. Additional information in the certificate could specify how the key is used and its validity period.
- A digital document issued and digitally signed by the private key of a certificate authority that binds an identifier of a subscriber to a public key. The certificate indicates that the subscriber identified in the certificate has sole control of and access to the private key. See also Request for Comment 5280.
- A digital document issued and digitally signed by the private key of a certificate authority that binds an identifier of a subscriber to a public key. The certificate indicates that the subscriber identified in the certificate has sole control of and access to the private key. See also RFC 5280.
- A set of data that uniquely identifies an entity, contains the entity’s public key and possibly other information, and is digitally signed by a trusted party, thereby binding the public key to the entity. Additional information in the certificate could specify how the key is used and its validity period.
- A set of data that uniquely identifies an entity, contains the entity's public key and possibly other information, and is digitally signed by a trusted party, thereby binding the public key to the entity. Additional information in the certificate could specify how the key is used and its validity period. (Certificates in this practice guide are based on IETF RFC 5280).
- A set of data that uniquely identifies an entity, contains the entity's public key and possibly other information, and is digitally signed by a trusted party, thereby binding the public key to the entity. Additional information in the certificate could specify how the key is used and its validity period. (Certificates in this practice guide are based on IETF RFC 5280.)
- Also known as a digital certificate. A digital representation of information which at least
1. identifies the certification authority issuing it,
2. names or identifies its subscriber,
3. contains the subscriber's public key,
4. identifies its operational period, and
5. is digitally signed by the certification authority issuing it.
- A data structure that contains an entity’s identifier(s), the entity's public key and possibly other information, along with a signature on that data set that is generated by a trusted party, i.e. a certificate authority, thereby binding the public key to the included identifier(s).
- A digital document issued and digitally signed by the private key of a Certificate authority that binds the name of a Subscriber to a public key. The certificate indicates that the Subscriber identified in the certificate has sole control and access to the private key. See also [RFC 5280].
- Public Key Certificate Standard : see document
- public key cryptography (PKC) : see document
- Cryptography that uses two separate keys to exchange data — one to encrypt or digitally sign the data and one to decrypt the data or verify the digital signature. Also known as public-key cryptography.
- Encryption system that uses a public-private key pair for encryption and/or digital signature.
- See public key cryptography (PKC).
- Cryptography that uses separate keys for encryption and decryption; also known as asymmetric cryptography.
- A form of cryptography that uses two related keys, a public key and a private key; the two keys have the property that, given the public key, it is computationally infeasible to derive the private key. For key establishment, public-key cryptography allows different parties to communicate securely without having prior access to a secret key that is shared, by using one or more pairs (public key and private key) of cryptographic keys.
- A cryptographic system where users have a private key that is kept secret and used to generate a public key (which is freely provided to others). Users can digitally sign data with their private key, and the resulting signature can be verified by anyone using the corresponding public key. Also known as public-key cryptography.
- See Asymmetric-key cryptography.
- A form of cryptography that uses two related keys, a public key and a private key; the two keys have the property that, given the public key, it is computationally infeasible to derive the private key. For key establishment, public-key cryptography allows different parties to communicate securely without having prior access to a secret key that is shared, by using one or more pairs (public key and private key) of cryptographic keys.
- Public Key Cryptography Standard : see document
- Public Key Cryptography Standard 1 : see document
- public key enabling (PKE) : see document
- The incorporation of the use of certificates for security services such as authentication, confidentiality, data integrity, and non-repudiation.
- public key infrastructure (PKI) : see document
- A support service to the PIV system that provides the cryptographic keys needed to perform digital signature-based identity verification and to protect communications and the storage of sensitive verification system data within identity cards and the verification system.
- A framework that is established to issue, maintain, and revoke public key certificates.
- A set of policies, processes, server platforms, software, and workstations used to administer certificates and public-private key pairs, including the ability to issue, maintain, and revoke public-key certificates.
- The architecture, organization, techniques, practices, and procedures that collectively support the implementation and operation of a certificate-based public key cryptographic system. Framework established to issue, maintain, and revoke public key certificates.
- The framework and services that provide for the generation, production, distribution, control, accounting, and destruction of public key certificates. Components include the personnel, policies, processes, server platforms, software, and workstations used for the purpose of administering certificates and public-private key pairs, including the ability to issue, maintain, recover, and revoke public key certificates.
- A framework that is established to issue, maintain, and revoke public key certificates.
- A set of policies, processes, server platforms, software and workstations used for the purpose of administering certificates and public-private key pairs, including the ability to issue, maintain, and revoke public key certificates. The PKI includes the hierarchy of certificate authorities that allow for the deployment of digital certificates that support encryption, digital signature and authentication to meet business and security requirements.
- A set of policies, processes, server platforms, software and workstations used for the purpose of administering certificates and public-private key pairs, including the ability to issue, maintain, and revoke public key certificates.
- A framework that is established to issue, maintain and revoke public key certificates.
- A framework that is established to issue, maintain and revoke public-key certificates.
- A set of policies, processes, server platforms, software, and workstations used for the purpose of administering certificates and public-private key pairs, including the ability to issue, maintain, and revoke public key certificates.
- A support service to the PIV system that provides the cryptographic keys needed to perform digital signature-based identity verification and to protect communications and storage of enterprise data.
- A framework that is established to issue, maintain, and revoke public-key certificates.
- A support service to the PIV system that provides the cryptographic keys needed to perform digital signature-based identity verification and to protect communications and storage of sensitive verification system data within identity cards and the verification system.
- Public Key Infrastructure X.509—Certificate Management Protocol : see document
- Public key/public signature verification key : see document
- A cryptographic key that is used with an asymmetric (public key) cryptographic algorithm and is associated with a private key. The public key is associated with an owner and may be made public. In the case of digital signatures, the public key is used to verify a digital signature that was signed using the corresponding private key.
- Public Law : see document
- Public Reviewer : see document
- A member of the general public who reviews a candidate checklist and sends comments to NIST.
- Member of the general public who reviews a candidate checklist and sends comments to NIST.
- Public Safety Access Point : see document
- Public Safety Advisory Committee : see document
- Public Safety and First Responder : see document
- Public Safety Communications Research : see document
- Public Safety Communications Research Division : see document
- Public Safety Experience : see document
- Public Safety Organization : see document
- public seed : see document
- A starting value for a pseudorandom number generator. The value produced by the random number generator may be made public. The public seed is often called a “salt”.
- Public Use File : see document
- Publication : see document
- Public-Key Encryption : see document
- public-key encryption scheme : see document
- A set of three cryptographic algorithms (KeyGen, Encrypt, and Decrypt) that can be used by two parties to send secret data over a public channel. Also known as an asymmetric encryption scheme.
- Public-key validation : see document
- The procedure whereby the recipient of a public key checks that the key conforms to the arithmetic requirements for such a key in order to thwart certain types of attacks.
- Published Internet Protocol : see document
- Publishing node : see document
- A node that, in addition to all responsibilities required of a full node, is tasked with extending the blockchain by creating and publishing new blocks. Also known as mining node, committing node, minting node.
- a full node that also publishes new blocks
- PUF : see document
- PUK : see document
- pulse per second : see document
- Pulverization : see document
- A physically destructive method of sanitizing media; the act of grinding to a powder or dust.
- PUMP : see document
- Purdue Enterprise Reference Architecture : see document
- purge : see document
- A method of sanitization that applies physical or logical techniques that render Target Data recovery infeasible using state of the art laboratory techniques.
- Rendering sanitized data unrecoverable by laboratory attack methods.
- A method of Sanitization by applying physical or logical techniques that renders Target Data recovery infeasible using state of the art laboratory techniques.
- Purposeful Interference Response Team : see document
- Push-To-Talk (PTT) : see document
- A method of communicating on half-duplex communication lines, including two-way radio, using a “walkie-talkie” button to switch from voice reception to transmit mode.
- putative re-identifications : see document
- Apparent re-identifications that may or may not be correct.
- PuTTY Secure Copy Protocol : see document
- P-value : see document
- The probability (under the null hypothesis of randomness) that the chosen test statistic will assume values that are equal to or worse than the observed test statistic value when considering the null hypothesis. The P-value is frequently called the “tail probability.”
- The probability that the chosen test statistic will assume values that are equal to or more extreme than the observed test statistic value, assuming that the null hypothesis is true.
- PWA : see document
- PWWG : see document
- PWWN : see document
- PXE : see document
- PXN : see document
- PY : see document
- QA : see document
- QA/QC : see document
- QAT : see document
- QCCF : see document
- QC-MDPC : see document
- QCSD : see document
- QEMU (Quick Emulator) : see document
- A software module that is a component of the hypervisor platform that supports full virtualization by providing emulation of various hardware devices.
- QMS : see document
- QoD : see document
- QoP : see document
- QoS : see document
- QR : see document
- QR Code : see document
- QROM : see document
- quadrant : see document
- Short name referring to technology that provides tamper-resistant protection to cryptographic equipment.
- quadratic twist : see document
- Certain elliptic curve related to a specified elliptic curve.
- qualification : see document
- Process of demonstrating whether an entity is capable of fulfilling specified requirements.
- Qualified Products List : see document
- a list of products that have met the qualification requirements stated in the applicable specification, including appropriate product identification and test or qualification reference number, with the name and plant address of the manufacturer and distributor, as applicable.
- Qualitative Assessment : see document
- The use of a set of methods, principles, or rules for assessing risk based on nonnumerical categories or levels.
- Use of a set of methods, principles, or rules for assessing risk based on nonnumerical categories or levels.
- Qualitative Risk Analysis : see document
- A method for risk analysis that is based on the assignment of a descriptor such as low, medium, or high.
- quality assurance : see document
- Part of quality management focused on providing confidence that quality requirements will be fulfilled.
- Quality Assurance/Quality Control : see document
- quality characteristic : see document
- Inherent characteristic of a product, process, or system related to a requirement.
- quality management : see document
- Coordinated activities to direct and control an organization with regard to quality.
- Quality Management Systems : see document
- Quality of Protection : see document
- quality property : see document
- An emergent property of a system that includes, for example: safety, security, maintainability, resilience, reliability, availability, agility, and survivability. This property is also referred to as a systemic property across many engineering domains.
- Quantitative Assessment : see document
- The use of a set of methods, principles, or rules for assessing risk based on numbers where the meanings and proportionality of values are maintained inside and outside of the context of the assessment.
- Use of a set of methods, principles, or rules for assessing risks based on the use of numbers where the meanings and proportionality of values are maintained inside and outside the context of the assessment.
- Quantitative Risk Analysis : see document
- A method for risk analysis where numerical values are assigned to both impact and likelihood based on statistical probabilities and monetarized valuation of loss or gain.
- Quantum random oracle model : see document
- Quantum-accessible Random Oracle Model : see document
- Quarantining : see document
- Storing files containing malware in isolation for future disinfection or examination.
- Quasi : see document
- A bit string representation of the octet length of P.
- Quasi-cyclic Codeword Finding : see document
- Quasi-Cyclic Moderate Density Parity Check : see document
- quasi-cyclic syndrome decoding : see document
- quasi-identifier : see document
- A variable that can be used to identify an individual through association with another variable.
- query access : see document
- A capability with which an attacker can issue queries to a trained machine learning model and obtain predictions or generations.
- query of death : see document
- question : see document
- The text of a question to pose, optionally accompanied by instructions to help guide a person to a response.
- questionnaire : see document
- A sequence of questions to be used in determining a state or condition.
- QUIC : see document
- Quick Response : see document
- Quick Response Code : see document
- Quick UDP Internet Connection : see document
- QuickAssist Technology : see document
- Quote : see document
- To precede printable non-alphanumeric characters (e.g., *, $, ?) with the backslash ( \) escape character in a value string. When a non-alphanumeric character is quoted in a WFN, it SHALL be processed as string data. When a non-alphanumeric character is unquoted in a WFN, it may be interpreted as a special character by CPE 2.3 specifications, including this one.
- R&D : see document
- R/W : see document
- RA : see document
- The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
- The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Part of risk management, synonymous with risk analysis, and incorporates threat and vulnerability analyses.
- The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of a system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
- The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
- The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
- The process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and additional safeguards that would mitigate this impact. Part of Risk Management and synonymous with Risk Analysis.
- The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, and other organizations, resulting from the operation of a system. It is part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
- The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls or privacy controls planned or in place. Synonymous with risk analysis.
- The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Part of risk management, synonymous with risk analysis. Incorporates threat and vulnerability analyses.
- An entity authorized by the certification authority system (CAS) to collect, verify, and submit information provided by potential subscribers, which is to be entered into public key certificates. The term RA refers to hardware, software, and individuals that collectively perform this function.
- The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system.
- An organization approved by ISO/IEC for performing registration.
- The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Part of risk management, synonymous with risk analysis. Incorporates threat and vulnerability analyses.
- The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
- A value that defines an analyzer's estimated level of security risk for using an app. Risk assessments are typically based on the likelihood that a detected vulnerability will be exploited and the impact that the detected vulnerability may have on the app or its related device or network. Risk assessments are typically represented as categories (e.g., low-, moderate-, and high-risk).
- RACE Integrity Primitives Evaluation Message Digest : see document
- RAdAC : see document
- Radial Basis Function : see document
- Radio Access Network : see document
- Radio Resource Control : see document
- Radio Technical Commission for Aeronautics : see document
- Radio-Frequency Identification : see document
- Radiology Information System : see document
- Radionuclide Transportation Agency : see document
- RAE : see document
- RAG : see document
- A type of GenAI system in which a model is paired with a separate information retrieval system (or “knowledge base”). Based on a user query, the RAG system identifies relevant information within the knowledge base and provides it to the GenAI model in context for the model to use in formulating its response. RAG systems allow the internal knowledge of a GenAI model to be modified without the need for retraining.
- RAID : see document
- RAIM : see document
- RAM : see document
- RAMPS : see document
- RAN : see document
- RAND : see document
- For the purposes of this Recommendation, a value in a set that has an equal probability of being selected from the total population of possibilities and, hence, is unpredictable. A random number is an instance of an unbiased random variable, that is, the output produced by a uniformly distributed random process.
- Random Access Machine : see document
- Random Access Memory : see document
- Random Binary Sequence : see document
- A sequence of bits for which the probability of each bit being a “0” or “1” is ½. The value of each bit is independent of any other bit in the sequence, i.e., each bit is unpredictable.
- Random bit : see document
- A bit for which an attacker has exactly a 50% probability of success of guessing the value of the bit as either zero or one.
- A bit for which an attacker has exactly a 50% probability of success of guessing the value of the bit as either a zero or one. It is also called an unbiased bit.
- Random Bit Generator (RBG) : see document
- A device or algorithm that can produce a sequence of bits that appear to be both statistically independent and unbiased.
- A device or algorithm that outputs bits that are computationally indistinguishable from bits that are independent and unbiased.
- A device or algorithm that outputs a sequence of bits that appears to be statistically independent and unbiased. Also, see Random number generator.
- A device or algorithm that outputs a sequence of binary bits that appears to be statistically independent and unbiased. An RBG is either a DRBG or an NRBG.
- A device or algorithm that outputs a random sequence that is effectively indistinguishable from statistically independent and unbiased bits. An RBG is classified as either a DRBG or an NRBG.
- A device or algorithm that outputs a sequence of bits that appears to be statistically independent and unbiased.
- A device or algorithm that outputs a sequence of bits that appears to be statistically independent and unbiased. Also see Random number generator.
- A device or algorithm that outputs a sequence of bits that appear to be statistically independent and unbiased. Also, see Random number generator.
- Random Excursion Test : see document
- The purpose of this test is to determine if the number of visits to a state within a random walk exceeds what one would expect for a random sequence.
- Random Excursion Variant Test : see document
- The purpose of this test is to detect deviations from the distribution of the number of visits of a random walk to a certain state.
- Random Field : see document
- In the RBG-based construction of IVs, either a direct random string or one of its successors.
- random forest classification : see document
- Random Forests : see document
- Random nonce : see document
- A nonce containing a random-value component that is generated anew for each nonce.
- Random Number : see document
- A value in a set of numbers that has an equal probability of being selected from the total population of possibilities and, in that sense, is unpredictable. A random number is an instance of an unbiased random variable, that is, the output produced by a uniformly distributed random process. Random numbers may, e.g., be obtained by converting suitable strings of random bits (see [NIST SP 800-90A], Appendix B.5 for details).
- For the purposes of this Recommendation, a value in a set that has an equal probability of being selected from the total population of possibilities and, hence, is unpredictable. A random number is an instance of an unbiased random variable, that is, the output produced by a uniformly distributed random process.
- random number generation : see document
- random number generator (RNG) : see document
- A process that is invoked to generate a random sequence of values (usually a sequence of bits) or an individual random value.
- A mechanism that purports to generate truly random data.
- A process used to generate an unpredictable series of numbers. Also called a Random bit generator (RBG).
- Produces a sequence of zero and one bits that is random in the sense that there is no way to describe its output that is more efficient than simply listing the entire string of output. There are two basic classes: deterministic and non-deterministic. A deterministic RNG (also known as a pseudorandom number generator) consists of an algorithm that produces a sequence of bits from an initial value called a seed. A non-deterministic RNG produces output that is dependent on some unpredictable physical source that is outside human control, such as thermal noise or radioactive decay.
- A process used to generate an unpredictable series of numbers. Also referred to as a Random bit generator (RBG).
- random oracle model : see document
- Random Parameter : see document
- Random value : see document
- A sufficient entropy bit string.
- Random Variable : see document
- Random variables differ from the usual deterministic variables (of science and engineering) in that random variables allow the systematic distributional assignment of probability values to each possible outcome.
- Randomized hashing : see document
- A technique for randomizing the input to a cryptographic hash function.
- A process by which the input to a hash function is randomized before being processed by the hash function.
- Randomized message : see document
- A message that has been modified using a random value.
- randomizer : see document
- Analog or digital source of unpredictable, unbiased, and usually independent bits. Randomizers can be used for several different functions, including key generation or to provide a starting state for a key generator.
- Randomness extraction : see document
- The first step in the two-step key-derivation procedure specified in this Recommendation; during this step, a key-derivation key is produced from a shared secret.
- The first step in the key derivation procedure specified in this Recommendation, which produces a key derivation key from a shared secret.
- The first step in the two-step key-derivation procedure during which a key-derivation key is produced. The second step in the procedure is key expansion.
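The two steps named above (randomness extraction producing a key-derivation key, then key expansion producing the working keys), shown as an added example; this is not code from the glossary or from any NIST specification. It uses HMAC for the extraction step and an SP 800-108 counter-mode construction for the expansion step; the choice of SHA-256, the 32-bit counter and length fields, the all-zero salt and the label/context strings are this example's own assumptions.

```python
# Added example (not from the glossary or a NIST specification): two-step key
# derivation in the style of SP 800-56C. Step 1 extracts a key-derivation key
# K_DK from a shared secret Z; step 2 expands K_DK into the keys actually used.
# SHA-256, 32-bit counter/length fields and the sample labels are assumptions.
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes


def randomness_extraction(salt: bytes, shared_secret: bytes) -> bytes:
    """Step 1: K_DK = HMAC-hash(salt, Z).

    The salt is the HMAC key and the shared secret is the message. The salt
    may be public and fixed (an all-zero string is permitted); it is the
    shared secret that supplies the entropy being concentrated.
    """
    return hmac.new(salt, shared_secret, HASH).digest()


def key_expansion(kdk: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """Step 2: SP 800-108 counter-mode expansion of K_DK.

    K(i) = HMAC(K_DK, [i]_32 || Label || 0x00 || Context || [L]_32), where L is
    the requested output length in bits. The output is K(1) || K(2) || ...
    truncated to `length` bytes. Label and context bind the derived key to its
    purpose and to the parties, so two purposes never share a key.
    """
    if length <= 0:
        raise ValueError("length must be positive")
    n_blocks = -(-length // HASH_LEN)  # ceiling division
    if n_blocks > 0xFFFFFFFF:
        raise ValueError("requested length too large for a 32-bit counter")
    l_bits = (length * 8).to_bytes(4, "big")
    out = b""
    for i in range(1, n_blocks + 1):
        fixed_input = i.to_bytes(4, "big") + label + b"\x00" + context + l_bits
        out += hmac.new(kdk, fixed_input, HASH).digest()
    return out[:length]


def two_step_kdf(shared_secret: bytes, salt: bytes, label: bytes,
                 context: bytes, length: int) -> bytes:
    """Extraction followed by expansion, returning `length` bytes of keying material."""
    kdk = randomness_extraction(salt, shared_secret)
    return key_expansion(kdk, label, context, length)


if __name__ == "__main__":
    # Constructed stand-in for the shared secret output by an (EC)DH exchange.
    z = bytes.fromhex("0b" * 32)
    salt = b"\x00" * HASH_LEN
    ctx = b"client-id" + b"\x00" + b"server-id"
    k_enc = two_step_kdf(z, salt, b"encryption", ctx, 16)
    k_mac = two_step_kdf(z, salt, b"mac", ctx, 32)
    print("K_enc:", k_enc.hex())
    print("K_mac:", k_mac.hex())
```

The point a practitioner should take from the split is that the key-derivation key never leaves the KDF: only the expanded, purpose-labelled outputs are handed to the cipher and MAC, and changing either the label or the context changes every derived byte.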
- Randomness Source : see document
- A component of a DRBG (which consists of a DRBG mechanism and a randomness source) that outputs bitstrings that are used as entropy input by the DRBG mechanism. The randomness source can be an entropy source or an RBG.
- Range : see document
- The maximum possible distance for communicating with a wireless network infrastructure or wireless client.
- Rank (of a matrix) : see document
- Refers to the rank of a matrix in linear algebra over GF(2). Having reduced a matrix into row-echelon form via elementary row operations, the number of nonzero rows, if any, is counted in order to determine the number of linearly independent rows or columns in the matrix.
- rank syndrome decoding : see document
- Rank Test : see document
- The purpose of this test is to check for linear dependence among fixed length substrings of the original sequence.
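Both entries above (the rank of a matrix over GF(2) and the Rank Test that uses it) as one added example; this is not code from the glossary or from NIST SP 800-22. The row-reduction routine is the general GF(2) rank computation, and the test routine applies it to 32×32 matrices with the reference probabilities that SP 800-22 tabulates for that size (rank 32: 0.2888, rank 31: 0.5776, rank ≤ 30: 0.1336); the input bit sequences are constructed here, one from a seeded PRNG and one deliberately degenerate.

```python
# Added example (not from the glossary or SP 800-22): rank over GF(2) by row
# reduction, and the Binary Matrix Rank Test built on it. The 32x32 matrix
# size and the three reference probabilities are the SP 800-22 values for that
# size; the sample bit sequences below are constructed for illustration.
import math
import random

M = Q = 32                                   # rows and columns per matrix
P_FULL, P_FULL_MINUS_1, P_REST = 0.2888, 0.5776, 0.1336
MIN_MATRICES = 38                            # SP 800-22 minimum for this test


def gf2_rank(rows, width):
    """Rank of a binary matrix over GF(2).

    Each row is an int whose low `width` bits are the entries. Elimination
    walks the columns from the most significant bit down: pick a pivot row with
    that bit set, XOR it into every other row with the bit set (XOR is addition
    mod 2), and count pivots. Rows reduced to zero were linear combinations of
    the pivots and do not contribute.
    """
    rows = list(rows)
    rank = 0
    for col in reversed(range(width)):
        mask = 1 << col
        pivot = next((i for i in range(rank, len(rows)) if rows[i] & mask), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and rows[i] & mask:
                rows[i] ^= rows[rank]
        rank += 1
    return rank


def binary_matrix_rank_test(bits):
    """Return (p_value, (n_full, n_full_minus_1, n_rest)).

    Consecutive M*Q bits form one matrix, filled row by row; leftover bits are
    discarded. Linear dependence among the fixed-length substrings shows up as
    too many matrices of low rank, which the chi-square statistic penalises.
    """
    n_mat = len(bits) // (M * Q)
    if n_mat < MIN_MATRICES:
        raise ValueError(f"need at least {MIN_MATRICES * M * Q} bits")
    n_full = n_full_minus_1 = 0
    for k in range(n_mat):
        block = bits[k * M * Q:(k + 1) * M * Q]
        rows = []
        for r in range(M):
            value = 0
            for b in block[r * Q:(r + 1) * Q]:
                value = (value << 1) | b
            rows.append(value)
        rk = gf2_rank(rows, Q)
        if rk == M:
            n_full += 1
        elif rk == M - 1:
            n_full_minus_1 += 1
    n_rest = n_mat - n_full - n_full_minus_1
    chi2 = ((n_full - P_FULL * n_mat) ** 2 / (P_FULL * n_mat)
            + (n_full_minus_1 - P_FULL_MINUS_1 * n_mat) ** 2 / (P_FULL_MINUS_1 * n_mat)
            + (n_rest - P_REST * n_mat) ** 2 / (P_REST * n_mat))
    p_value = math.exp(-chi2 / 2)  # chi-square with 2 degrees of freedom
    return p_value, (n_full, n_full_minus_1, n_rest)


def prng_bits(n, seed=12345):
    """Constructed input: bits from a seeded PRNG (not an entropy source)."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n)]


def degenerate_bits(n):
    """Constructed input: the period-2 pattern 0101..., so every row is identical."""
    return [i & 1 for i in range(n)]


if __name__ == "__main__":
    n = MIN_MATRICES * M * Q
    for name, seq in (("prng", prng_bits(n)), ("degenerate", degenerate_bits(n))):
        p, counts = binary_matrix_rank_test(seq)
        print(f"{name:10s} ranks(32,31,<=30)={counts} p={p:.4g} "
              f"{'PASS' if p >= 0.01 else 'FAIL'}")
```

The degenerate sequence produces 38 matrices of rank 1, so all of them land in the "≤ 30" bucket and the p-value collapses to effectively zero; a source whose output has hidden linear structure fails the same way even when its bit frequencies look balanced.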
- RAP : see document
- RAPI : see document
- Rapid elasticity : see document
- Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
- RAR : see document
- The report which contains the results of performing a risk assessment or the formal output from the process of assessing risk.
- RARP : see document
- RAS : see document
- Rate : see document
- In the sponge construction, the number of input bits processed per invocation of the underlying function.
- Rationale : see document
- The explanation for why a Reference Document Element and a Focal Document Element are related within a set theory relationship mapping. This will be one of the following: syntactic, semantic, or functional.
- The explanation for why a Reference Document element and a Focal Document element are related. This will be one of the following: Syntactic, Semantic, or Functional.
- RBAC : see document
- Access control based on user roles (i.e., a collection of access authorizations a user receives based on an explicit or implicit assumption of a given role). Role permissions may be inherited through a role hierarchy and typically reflect the permissions needed to perform defined functions within an organization. A given role may apply to a single individual or to several individuals.
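The role-hierarchy inheritance described in this entry, as an added example rather than code from the glossary: permissions attach to roles, a senior role inherits everything its junior roles hold, and a user's effective permissions are the union over every role reachable from the roles assigned to them. The role names, permission names and users are illustrative assumptions.

```python
# Added example (not from the glossary): a minimal RBAC model with a role
# hierarchy. A senior role inherits the permissions of its junior roles
# transitively; every authorization decision goes through check(). Role,
# permission and user names are illustrative.
from collections import defaultdict


class RBAC:
    def __init__(self):
        self.role_perms = defaultdict(set)   # role -> permissions granted directly
        self.juniors = defaultdict(set)      # senior role -> roles it inherits from
        self.user_roles = defaultdict(set)   # user -> assigned roles

    def _reaches(self, start, target):
        """True if `target` is reachable from `start` by following junior links."""
        seen, stack = set(), [start]
        while stack:
            r = stack.pop()
            if r == target:
                return True
            if r in seen:
                continue
            seen.add(r)
            stack.extend(self.juniors.get(r, ()))
        return False

    def add_role(self, role, permissions=(), inherits=()):
        # Refuse an inheritance edge that would close a cycle: a cycle would
        # make every role in it equivalent and silently flatten the hierarchy.
        for junior in inherits:
            if junior == role or self._reaches(junior, role):
                raise ValueError(f"{role} inheriting from {junior} would create a cycle")
        self.role_perms[role].update(permissions)
        self.juniors[role].update(inherits)

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles[user].add(role)

    def effective_permissions(self, role):
        """Direct permissions of `role` plus those of all roles below it."""
        perms, seen, stack = set(), set(), [role]
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            perms |= self.role_perms.get(r, set())
            stack.extend(self.juniors.get(r, ()))
        return perms

    def user_permissions(self, user):
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.effective_permissions(role)
        return perms

    def check(self, user, permission):
        """The single decision point: unknown users and roles are denied."""
        return permission in self.user_permissions(user)


def build_example_policy():
    """Constructed policy: admin > editor > viewer, two users."""
    p = RBAC()
    p.add_role("viewer", permissions={"read"})
    p.add_role("editor", permissions={"write"}, inherits=["viewer"])
    p.add_role("admin", permissions={"delete", "manage_users"}, inherits=["editor"])
    p.assign("alice", "editor")
    p.assign("bob", "admin")
    return p


if __name__ == "__main__":
    policy = build_example_policy()
    for user, perm in [("alice", "read"), ("alice", "delete"), ("bob", "read")]:
        print(f"{user:6s} {perm:13s} -> {'allow' if policy.check(user, perm) else 'deny'}")
```

Because inherited permissions are computed at decision time, revoking a permission from "viewer" immediately removes it from "editor" and "admin" as well; that is the behaviour to verify when a hierarchy is used to express least privilege.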
- RBF : see document
- RBG : see document
- RBG seed : see document
- The input to a pseudorandom number generator. Different seeds generate different pseudorandom sequences.
- A string of bits that is used to initialize a DRBG. Also just called a Seed.
- A secret value that is used to initialize a process (e.g., a DRBG). Also see RBG seed.
- Noun : A string of bits that is used as input to a DRBG mechanism. The seed will determine a portion of the internal state of the DRBG, and its entropy must be sufficient to support the security strength of the DRBG. Verb : To acquire bits with sufficient entropy for the desired security strength. These bits will be used as input to a DRBG mechanism to determine a portion of the initial internal state. Also see reseed.
- A string of bits that is used to initialize a DRBG. Also called a Seed.
- A secret value that is used to initialize a process (e.g., a deterministic random bit generator). Also see RNG seed.
- RC : see document
- Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
- RC.CO : see document
- RC4 : see document
- RCFL : see document
- RCP : see document
- RCS : see document
- RD : see document
- All data concerning (i) design, manufacture, or utilization of atomic weapons; (ii) the production of special nuclear material; or (iii) the use of special nuclear material in the production of energy, but shall not include data declassified or removed from the Restricted Data category pursuant to Section 142 [of the Atomic Energy Act of 1954].
- RDBMS : see document
- RDMA : see document
- RDP : see document
- RDR : see document
- RDS : see document
- RE : see document
- RE(f) : see document
- Read : see document
- Fundamental process in an information system that results only in the flow of information from storage media to a requester.
- Read/Write : see document
- Read/Write/Execute : see document
- Reader : see document
- A device that can wirelessly communicate with tags. Readers can detect the presence of tags as well as send and receive data and commands from the tags.
- Reader Spoofing : see document
- The act of impersonating a legitimate reader of an RFID system to read tags.
- Reader Talks First : see document
- An RF transaction in which the reader transmits a signal that is received by tags in its vicinity. The tags may be commanded to respond to the reader and continue with further transactions.
- Read-Only Memory : see document
- ROM is a pre-recorded storage medium that can only be read from and not written to.
- Real Mode : see document
- A legacy high-privilege operating mode in x86-compatible processors.
- Real Time Clock : see document
- real time reaction : see document
- Immediate response to a penetration attempt that is detected and diagnosed in time to prevent access.
- Really Simple Syndication : see document
- Realm Management Extension : see document
- Real-Time Locating Systems : see document
- Real-Time Location System : see document
- Real-Time Operating System : see document
- reauthentication : see document
- The process of confirming the subscriber’s continued presence and intent to be authenticated during an extended usage session.
- Received Signal Strength Indication : see document
- Receiver : see document
- The party that receives secret keying material via a key-transport transaction. Contrast with sender.
- Receiver Address : see document
- receiver autonomous integrity monitoring : see document
- receiver operating characteristic : see document
- A curve that plots the true positive rate versus the false positive rate for a classifier.
- Recipient-usage period : see document
- The period of time during which the protected information is processed (e.g., decrypted).
- The period of time during which the protected information may be processed (e.g., decrypted).
- The period of time during the cryptoperiod of a symmetric key during which the protected information is processed.
- Reciprocal Agreement : see document
- An agreement that allows two organizations to back up each other.
- reciprocity : see document
- The mutual agreement among participating organizations to accept each other’s security assessments in order to reuse information-system resources and/or to accept each other’s assessed security posture in order to share information.
- Mutual agreement among participating organizations to accept each other’s security assessments in order to reuse information system resources and/or to accept each other’s assessed security posture in order to share information.
- Mutual agreement among participating enterprises to accept each other’s security assessments in order to reuse information system resources and/or to accept each other’s assessed security posture in order to share information.
- Agreement among participating organizations to accept each other’s security assessments to reuse system resources and/or to accept each other’s assessed security posture to share information.
- Recommendation : see document
- A special publication of the ITL that stipulates specific characteristics of the technology to use or the procedures to follow to achieve a common level of quality or level of interoperability.
- A term used to refer to this specific document (i.e., SP 800-133): the “R” is always capitalized.
- A special publication of the ITL stipulating specific characteristics of technology to use or procedures to follow to achieve a common level of quality or level of interoperability.
- reconstruction attack : see document
- A privacy attack that uses published statistics to reconstruct individual data points from the original private dataset.
- Record : see document
- To write data on a medium, such as a magnetic tape, magnetic disk, or optical disk.
- record-matching probability : see document
- records : see document
- The recordings (automated and/or manual) of evidence of activities performed or results achieved (e.g., forms, reports, test results) that serve as a basis for verifying that the organization and the system are performing as intended. Also used to refer to units of related data fields (i.e., groups of data fields that can be accessed by a program and that contain a complete set of information on particular items).
- All books, papers, maps, photographs, machine-readable materials, or other documentary materials, regardless of physical form or characteristics, made or received by an agency of the United States Government under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations or other activities of the Government or because of the informational value of the data in them.
- The recordings (automated and/or manual) of evidence of activities performed or results achieved (e.g., forms, reports, test results), which serve as a basis for verifying that the organization and the information system are performing as intended. Also used to refer to units of related data fields (i.e., groups of data fields that can be accessed by a program and that contain the complete set of information on particular items).
- The recordings of evidence of activities performed or results achieved (e.g., forms, reports, test results), which serve as a basis for verifying that the organization and the information system are performing as intended. Also used to refer to units of related data fields (i.e., groups of data fields that can be accessed by a program and that contain the complete set of information on particular items).
- All recorded information, regardless of form or characteristics, made or received by a Federal agency under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations, or other activities of the United States Government or because of the informational value of data in them.
- The recordings (automated and/or manual) of evidence of activities performed or results achieved (e.g., forms, reports, test results), which serve as a basis for verifying that the organization and the system are performing as intended. Also used to refer to units of related data fields (i.e., groups of data fields that can be accessed by a program and that contain the complete set of information on particular items).
- The recordings (automated and manual) of evidence of activities performed or results achieved (e.g., forms, reports, test results), which serve as a basis for verifying that the organization and the system are performing as intended. Also used to refer to units of related data fields (i.e., groups of data fields that can be accessed by a program and that contain the complete set of information on particular items).
- records management : see document
- The process for tagging information for records keeping requirements as mandated in the Federal Records Act and the National Archival and Records Requirements.
- Recover : see document
- recover (CSF function) : see document
- Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
- Recover, Communications : see document
- Recovery Point Objective : see document
- The point in time to which data must be recovered after an outage.
- recovery procedures : see document
- Actions necessary to restore data files of an information system and computational capability after a system failure.
- Recovery Time Objective : see document
- The overall length of time an information system’s components can be in the recovery phase before negatively impacting the organization’s mission or mission/business processes.
- RED : see document
- Information or messages that contain sensitive or classified information that is not encrypted. See also BLACK.
- RED data : see document
- Data that is not protected by encryption. Also known as unencrypted data.
- RED equipment : see document
- A term applied to equipment that processes unencrypted national security information that requires protection during electrical/electronic processing.
- Red Hat Enterprise Linux : see document
- Red Hat Package Manager : see document
- RED key : see document
- Key that has not been encrypted in a system approved by NSA for key encryption or encrypted key in the presence of its associated key encryption key (KEK) or transfer key encryption key (TrKEK). Encrypted key in the same fill device as its associated KEK or TrKEK is considered unencrypted. (RED key is also known as unencrypted key). Such key is classified at the level of the data it is designed to protect. See BLACK data and encrypted key.
- RED line : see document
- An optical fiber or a metallic wire that carries a RED signal or that originates/terminates in a RED equipment or system.
- RED optical fiber line : see document
- An optical fiber that carries RED signal or that originates/terminates in RED equipment or system.
- RED signal : see document
- Any electronic emission (e.g., plain text, key, key stream, subkey stream, initial fill, or control signal) that would divulge national security information if recovered.
- Red Team : see document
- A group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. The Red Team’s objective is to improve enterprise cybersecurity by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders (i.e., the Blue Team) in an operational environment. Also known as Cyber Red Team.
- red team exercise : see document
- An exercise, reflecting real-world conditions, that is conducted as a simulated adversarial attempt to compromise organizational missions and/or business processes to provide a comprehensive assessment of the security capability of the information system and organization.
- An exercise, reflecting real-world conditions that is conducted as a simulated adversarial attempt to compromise organizational missions or business processes and to provide a comprehensive assessment of the security capabilities of an organization and its systems.
- Red Team/Blue Team Approach : see document
- A group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. The Red Team’s objective is to improve enterprise Information Assurance by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders (i.e., the Blue Team) in an operational environment.
1. The group responsible for defending an enterprise’s use of information systems by maintaining its security posture against a group of mock attackers (i.e., the Red Team). Typically, the Blue Team and its supporters must defend against real or simulated attacks 1) over a significant period of time, 2) in a representative operational context (e.g., as part of an operational exercise), and 3) according to rules established and monitored with the help of a neutral group refereeing the simulation or exercise (i.e., the White Team).
2. The term Blue Team is also used for defining a group of individuals that conduct operational network vulnerability evaluations and provide mitigation techniques to customers who have a need for an independent technical review of their network security posture. The Blue Team identifies security threats and risks in the operating environment, and in cooperation with the customer, analyzes the network environment and its current state of security readiness. Based on the Blue Team findings and expertise, they provide recommendations that integrate into an overall community security solution to increase the customer's cyber security readiness posture. Often a Blue Team is employed by itself or prior to a Red Team employment to ensure that the customer's networks are as secure as possible before having the Red Team test the systems.
- A group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. The Red Team’s objective is to improve enterprise Information Assurance by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders (i.e., the Blue Team) in an operational environment.
1. The group responsible for defending an enterprise’s use of information systems by maintaining its security posture against a group of mock attackers (i.e., the Red Team). Typically the Blue Team and its supporters must defend against real or simulated attacks 1) over a significant period of time, 2) in a representative operational context (e.g., as part of an operational exercise), and 3) according to rules established and monitored with the help of a neutral group refereeing the simulation or exercise (i.e., the White Team).
2. The term Blue Team is also used for defining a group of individuals that conduct operational network vulnerability evaluations and provide mitigation techniques to customers who have a need for an independent technical review of their network security posture. The Blue Team identifies security threats and risks in the operating environment, and in cooperation with the customer, analyzes the network environment and its current state of security readiness. Based on the Blue Team findings and expertise, they provide recommendations that integrate into an overall community security solution to increase the customer's cyber security readiness posture. Often a Blue Team is employed by itself or prior to a Red Team employment to ensure that the customer's networks are as secure as possible before having the Red Team test the systems.
- red teaming : see document
- In the AI context, a structured testing effort, often adopting adversarial methods, to find flaws and vulnerabilities in an AI system, including unforeseen or undesirable system behaviors or potential risks associated with the misuse of the system.
- RED wireline : see document
- A metallic wire that carries a RED signal or that originates/terminates in a RED equipment or system.
- RED/BLACK concept : see document
- Separation of electrical and electronic circuits, components, equipment, and systems that handle national security information (RED), in electrical form, from those that handle non-national security information (BLACK) in the same form.
- redaction : see document
- The removal of information from a document or dataset for legal or security purposes.
- Reduced Instruction Set Computer : see document
- Reduced Instruction Set Computing : see document
- Redundant Array of Independent Disks : see document
- REE : see document
- Reed-Muller Reed-Solomon : see document
- Reference : see document
- Relationships between elements of two documents that are recorded in a NIST IR 8278A-compliant format and shared by the OLIR Catalog. There are three types of OLIRs: concept crosswalk, set theory relationship mapping, and supportive relationship mapping.
- See Informative Reference.
- Reference Architecture : see document
- reference data : see document
- Cryptographic material used in the performance of a cryptographic protocol, such as an authentication or a signing protocol. The reference data length is the maximum length of a password or PIN. For algorithms, the reference data length is the length of a key.
- Reference Data Set : see document
- Reference Document : see document
- A document being compared to a Focal Document, such as traditional documents, products, services, education materials, and training.
- A cybersecurity document that is related to the Framework.
- A document being compared to a Focal Document. Examples include traditional documents, products, services, education materials, and training.
- A source document being compared to a Focal Document. Examples include traditional documents, products, services, education materials, and training.
- Reference Document Element : see document
- A discrete section, sentence, phrase, or other identifiable piece of content from a Reference Document.
- A discrete section, sentence, phrase, or other identifiable piece of content of a Reference Document.
- Reference Integrity Manifest : see document
- reference monitor : see document
- The security engineering term for IT functionality that (1) controls all access, (2) cannot be by-passed, (3) is tamper-resistant, and (4) provides confidence that the other three items are true.
- A set of design requirements on a reference validation mechanism which, as a key component of an operating system, enforces an access control policy over all subjects and objects. A reference validation mechanism must be: (i) always invoked (i.e., complete mediation); (ii) tamperproof; and (iii) small enough to be subject to analysis and tests, the completeness of which can be assured (i.e., verifiable).
- A set of design requirements on a reference validation mechanism that, as a key component of an operating system, enforces an access control policy over all subjects and objects. A reference validation mechanism is always invoked (i.e., complete mediation), tamperproof, and small enough to be subject to analysis and tests, the completeness of which can be assured (i.e., verifiable).
- reference monitor concept : see document
- An abstract model of the necessary and sufficient properties that must be achieved by any mechanism that performs an access mediation control function.
- reference validation mechanism : see document
- An implementation of the reference monitor concept that validates each access to resources against a list of authorized accesses allowed.
- Reference Version : see document
- The version of the Informative Reference.
- regenerative cyber defense : see document
- The process for restoring capabilities after a successful, large scale cyberspace attack, ideally in a way that prevents future attacks of the same nature.
- Regional Alliances and Multistakeholder Partnerships to Stimulate : see document
- Regional Computer Forensics Laboratory : see document
- Regional Internet Registry : see document
- register : see document
- A set of records (paper, electronic, or a combination) maintained by a Registration Authority containing assigned names and the associated information.
- register-transfer level : see document
- Registrar : see document
- Also known as a Registration Agent, a person who performs the enrollment process.
- registration : see document
- The process of making a person’s identity known to the PIV system, associating a unique identifier with that identity, and collecting and recording the person’s relevant attributes into the system. In some other NIST documents, such as [NIST SP 800-63A], identity registration is referred to as enrollment.
- The process through which a CSP/IdP provides a successfully identity-proofed applicant with a subscriber account and binds authenticators to grant persistent access.
- The process through which a party applies to become a subscriber of a credentials service provider (CSP) and a registration authority validates the identity of that party on behalf of the CSP.
- The process through which an applicant applies to become a subscriber of a CSP and the CSP validates the applicant’s identity.
- Making a person’s identity known to the enrollment/Identity Management System information system by associating a unique identifier with that identity, and collecting and recording the person’s relevant attributes into the information system. Registration is necessary in order to initiate other processes, such as adjudication, card/token personalization and issuance, and maintenance, that are necessary to issue, re-issue, or maintain a PIV Card or a Derived PIV Credential token.
- The process that a CA uses to create a certificate for a web server or email user. (In the context of this practice guide, enrollment applies to the process of a certificate requester requesting a certificate, the CA issuing the certificate, and the requester retrieving the issued certificate.)
- The process that a CA uses to create a certificate for a web server or email user. (In the context of this practice guide, enrollment applies to the process of a certificate requester requesting a certificate, the CA issuing the certificate, and the requester retrieving the issued certificate).
- The assignment of a name to an object.
- The process through which an applicant applies to become a subscriber of a CSP and an RA validates the identity of the applicant on behalf of the CSP. (NIST SP 800-63-3)
- The process that a Certificate Authority (CA) uses to create a certificate for a web server or email user.
- The process of making a person’s identity known to the PIV system, associating a unique identifier with that identity, and collecting and recording the person’s relevant attributes into the system.
- See “Identity Registration”.
- The process through which an Applicant applies to become a Subscriber of a CSP and an RA validates the identity of the Applicant on behalf of the CSP.
- Registration agent : see document
- An FCKMS role that is responsible for registering new entities and perhaps other selected information.
- Registration authority (RA) : see document
- A trusted entity that establishes and vouches for the identity and authorization of a certificate applicant on behalf of some authority (e.g., a CA).
- registration authority (RA) : see document
- 1. An entity authorized by the certification authority system (CAS) to collect, verify, and submit information provided by potential Subscribers which is to be entered into public key certificates. The term RA refers to hardware, software, and individuals that collectively perform this function.
- 2. The key management entity (KME) within each Service or Agency responsible for registering KMEs and assigning electronic key management system (EKMS) IDs to them.
- An entity that is responsible for identification and authentication of certificate subjects, but that does not sign or issue certificates (i.e., a Registration Authority is delegated certain tasks on behalf of an authorized CA).
- A trusted entity that establishes and vouches for the identity of a user.
- An entity that is responsible for the identification and authentication of certificate subjects on behalf of an authority, but that does not sign or issue certificates (e.g., an RA is delegated certain tasks on behalf of a CA).
- An entity authorized by the certification authority system (CAS) to collect, verify, and submit information provided by potential subscribers, which is to be entered into public key certificates. The term RA refers to hardware, software, and individuals that collectively perform this function.
- An organization approved by ISO/IEC for performing registration.
- A trusted entity that establishes and vouches for the identity or attributes of a subscriber to a CSP. The RA may be an integral part of a CSP, or it may be independent of a CSP, but it has a relationship to the CSP(s).
- Registry : see document
- A service that allows developers to easily store images as they are created, tag and catalog images for identification and version control to aid in discovery and reuse, and find and download images that others have created.
- An authoritative, centrally-controlled store of information. Web services use registries to advertise their existence and to describe their interfaces and other attributes. Prospective clients query registries to locate required services and to discover their attributes.
- regrader : see document
- A trusted process explicitly authorized to re-classify and re-label data in accordance with a defined policy exception. Untrusted or unauthorized processes are prevented from taking such actions by the security policy.
- regression : see document
- A statistical technique used to predict the value of a variable based on the relationship between explanatory variables.
- A type of supervised machine learning model that is trained on data, including numerical labels (i.e., response variables). Types of regression algorithms include linear regression, polynomial regression, and various non-linear regression methods.
- Regular Expression : see document
- A sequence of characters (or words) that forms a search pattern, mainly for use in pattern matching with strings, or string matching.
- re-identification precision : see document
- The ratio of correct re-identifications to the sum of correct and incorrect apparent re-identifications.
- re-identification probability : see document
- The probability that an individual’s identity will be correctly inferred by an outside party using information contained in a de-identified dataset.
- re-identification rate : see document
- The percentage of records in a dataset that can be re-identified.
- re-identification risk : see document
- The likelihood that a third party can re-identify data subjects in a de-identified dataset.
- The risk that de-identified records can be re-identified. Re-identification risk is typically reported as the percentage of records in a dataset that can be re-identified.
- reinforcement learning : see document
- A type of machine learning in which a model learns to optimize its behavior according to a reward function by interacting with and receiving feedback from an environment.
- Rekey : see document
- A procedure in which a new cryptographic key is generated in a manner that is independent of the (old) cryptographic key that it will replace. Contrast with Key update.
- A procedure in which a new cryptographic key is generated in a manner that is independent of the (old) cryptographic key that it will replace.
- To change the value of a cryptographic key that is being used in a cryptographic system application; this normally entails issuing a new certificate on the new public key. NIST SP 800-32 under Re-key (a certificate)
- re-key (a certificate) : see document
- The process of creating a new certificate with a new validity period, serial number, and public key while retaining all other Subscriber information in the original certificate.
- To change the value of a cryptographic key that is being used in a cryptographic system application; this normally entails issuing a new certificate on the new public key.
- To change the value of a cryptographic key that is being used in a cryptographic system application; this normally entails issuing a new certificate on the new public key. NIST SP 800-32 under Re-key (a certificate)
- Relational DataBase Management System : see document
- Relationship : see document
- The type of logical comparison that the Reference Document Developer asserts compared to the Focal Document within a set theory relationship mapping. This will be one of the following: subset of, intersects with, equal to, superset of, or not related to.
- The type of logical comparison that the Reference Document Developer asserts compared to the Focal Document. This will be one of the following: subset of, intersects with, equal to, superset of, or not related to.
- Relationship Explanation : see document
- A text description of the nature of the relationship between a Reference Document Element and a Focal Document Element within a supportive relationship mapping.
- Relationship Identifier : see document
- Identifying information where the value is a relationship to another asset.
- Relationship Property : see document
- Indicates whether the supporting concept is necessary for achieving the supported concept within a supportive relationship mapping.
- relationship style : see document
- An explicitly defined convention for characterizing relationships for a use case.
- Relationship Type : see document
- The type of supportive relationship being specified between a Reference Document Element and a Focal Document Element within a supportive relationship mapping. This will be one of the following: supports, is supported by, identical, equivalent, contrary, or no relationship.
- relative error : see document
- The absolute error divided by the unaltered query output.
- Relatively prime : see document
- Two positive integers are relatively prime if their greatest common divisor is 1.
- Relay Node : see document
- Release : see document
- A collection of new and/or changed configuration items which are tested and introduced into a production environment together.
- release of unverified plaintext : see document
- release prefix : see document
- Prefix appended to the short title of U.S.-produced keying material to indicate its foreign releasability. "A" designates material that is releasable to specific allied nations and "U.S." designates material intended exclusively for U.S. use.
- Releasing Unverified Plaintext : see document
- relevant event : see document
- An occurrence (e.g., an auditable event or flag) considered to have potential security implications to the system or its environment that may require further action (noting, investigating, or reacting).
- reliability : see document
- The probability of performing a specified function without failure under given conditions for a specified period of time.
- The ability of a system or component to function under stated conditions for a specified period of time.
- Reliability, Maintainability, Availability : see document
- Reliable Datagram Sockets : see document
- relying party : see document
- An entity that relies upon the subscriber’s credentials, typically to process a transaction or grant access to information or a system.
- An entity that relies on a verifier’s assertion of a subscriber’s identity, typically to process a transaction or grant access to information or a system.
- An entity that relies on the validity of the binding of the Subscriber’s name to a public key to verify or establish the identity and status of an individual, role, or system or device; the integrity of a digitally signed message; the identity of the creator of a message; or confidential communications with the Subscriber.
- An entity that relies upon the subscriber’s authenticator(s) and credentials or a verifier’s assertion of a claimant’s identity, typically to process a transaction or grant access to information or a system.
- A party that depends on the validity of the digital signature process.
- In this Recommendation, a party that relies on the security and authenticity of a key or key pair for applying cryptographic protection and removing or verifying the protection that has been applied. This includes parties relying on the public key in a public key certificate and parties that share a symmetric key.
- A person or Agency who has received information that includes a certificate and a digital signature verifiable with reference to a public key listed in the certificate, and is in a position to rely on them.
- An entity that relies on received information for authentication purposes.
- An entity that relies on the certificate and the CA that issued the certificate to verify the identity of the certificate's subject and/or owner; the validity of the public key, associated algorithms and any relevant parameters; and the subject’s possession of the corresponding private key.
- An entity that relies on the certificate and the CA that issued the certificate to verify the identity of the certificate owner and the validity of the public key, associated algorithms, and any relevant parameters in the certificate, as well as the owner’s possession of the corresponding private key.
- A party that relies on the security and authenticity of a key or key pair for applying cryptographic protection and/or removing or verifying the protection that has been applied. This includes parties relying on the public key in a public key certificate and parties that share a symmetric key.
- An entity that relies upon the Subscriber's token and credentials or a Verifier's assertion of a Claimant’s identity, typically to process a transaction or grant access to information or a system.
- remanence : see document
- Residual information remaining on storage media after clearing. See magnetic remanence and clearing.
- Residual information remaining on storage media.
- remediation : see document
- The neutralization or elimination of a vulnerability or the likelihood of its exploitation.
- The act of mitigating a vulnerability or a threat.
- Remote Access Server : see document
- Devices, such as virtual private network gateways and modem servers, that facilitate connections between networks.
- Remote Application Programming Interface : see document
- Remote Copy Protocol : see document
- Remote Desktop Protocol : see document
- remote diagnostics/maintenance : see document
- Maintenance activities conducted by authorized individuals communicating through an external network (e.g., the Internet).
- Remote Direct Memory Access : see document
- Remote Method Invocation : see document
- Remote Monitoring : see document
- Remote Patient Monitoring : see document
- Remote Procedure Call : see document
- remote rekeying : see document
- Procedure by which a distant crypto-equipment is rekeyed electrically. See automatic remote rekeying and manual remote rekeying.
- Remote Shell : see document
- Remote Switched Port Analyzer : see document
- Remote Synchronization : see document
- Remotely Triggered Black-Holing : see document
- removable media : see document
- Portable data storage medium that can be added to or removed from a computing device or network. Note: Examples include, but are not limited to: optical discs (CD, DVD, Blu-ray); external / removable hard drives; external / removable Solid State Disk (SSD) drives; magnetic / optical tapes; flash memory devices (USB, eSATA, Flash Drive, Thumb Drive); flash memory cards (Secure Digital, CompactFlash, Memory Stick, MMC, xD); and other external / removable disks (floppy, Zip, Jaz, Bernoulli, UMD). See also portable storage device.
- removable media device : see document
- A system component that can be inserted into and removed from a system and that is used to store information or data (e.g., text, video, audio, and/or image data). Such components are typically implemented on magnetic, optical, or solid-state devices (e.g., compact/digital video disks, flash/thumb drives, external solid-state drives, external hard disk drives, flash memory cards/drives that contain nonvolatile memory).
- Portable device that can be connected to an information system (IS), computer, or network to provide data storage. These devices interface with the IS through processing chips and may load driver software, presenting a greater security risk to the IS than non-device media, such as optical discs or flash memory cards. Note: Examples include, but are not limited to: USB flash drives, external hard drives, and external solid state disk (SSD) drives. Portable Storage Devices also include memory cards that have additional functions aside from standard data storage and encrypted data storage, such as built-in Wi-Fi connectivity and global positioning system (GPS) reception. See also removable media.
- See portable storage device.
- A system component that can be inserted into and removed from a system, and that is used to store data or information (e.g., text, video, audio, and/or image data). Such components are typically implemented on magnetic, optical, or solid-state devices (e.g., floppy disks, compact/digital video disks, flash/thumb drives, external hard disk drives, and flash memory cards/drives that contain nonvolatile memory).
- A system component that can communicate with and be added to or removed from a system or network and that is limited to data storage—including text, video, audio or image data—as its primary function (e.g., optical discs, external or removable hard drives, external or removable solid-state disk drives, magnetic or optical tapes, flash memory devices, flash memory cards, and other external or removable disks).
- A system component that can be inserted into and removed from a system, and that is used to store data or information (e.g., text, video, audio, and/or image data). Such components are typically implemented on magnetic, optical, or solid state devices (e.g., floppy disks, compact/digital video disks, flash/thumb drives, external hard disk drives, and flash memory cards/drives that contain nonvolatile memory).
- Removable User Identity Module (R-UIM) : see document
- A card developed for cdmaOne/CDMA2000 handsets that extends the GSM SIM card to CDMA phones and networks.
- Repeatability : see document
- The ability to repeat an assessment in the future, in a manner that is consistent with, and hence comparable to, prior assessments.
- Replace : see document
- The process of installing a new certificate and removing an existing one so that the new certificate is used in place of the existing certificate on all systems where the existing certificate is being used.
- replay attack : see document
- An attack in which the attacker is able to replay previously captured messages between a legitimate claimant and a verifier to masquerade as that claimant to the verifier or vice versa.
- An attack that involves the capture of transmitted authentication or access control information and its subsequent retransmission with the intent of producing an unauthorized effect or gaining unauthorized access.
- An attack in which the Attacker is able to replay previously captured messages (between a legitimate Claimant and a Verifier) to masquerade as that Claimant to the Verifier or vice versa.
- replay resistance : see document
- The property of an authentication process to resist replay attacks, typically by the use of an authenticator output that is only valid for a specific authentication.
- Protection against the capture of transmitted authentication or access control information and its subsequent retransmission with the intent of producing an unauthorized effect or gaining unauthorized access.
- The property of an authentication process to resist replay attacks, typically by use of an authenticator output that is valid only for a specific authentication.
- reporter : see document
- Any entity that reports a vulnerability to the Government and that may be an entity outside of the Government, within the Government, or within the specific system that has the vulnerability.
- Reporting : see document
- The final phase of the computer and network forensic process, which involves reporting the results of the analysis; this may include describing the actions used, explaining how tools and procedures were selected, determining what other actions need to be performed (e.g., forensic examination of additional data sources, securing identified vulnerabilities, improving existing security controls), and providing recommendations for improvement to policies, guidelines, procedures, tools, and other aspects of the forensic process. The formality of the reporting step varies greatly depending on the situation.
- Representational State Transfer (REST) : see document
- A software architectural style that defines a common method for defining APIs for Web services.
- Representative (of a key owner) : see document
- Reproducibility : see document
- The ability of different experts to produce the same results from the same data.
- Request for Comments : see document
- A Request For Comments is a formal standards-track document developed in working groups within the Internet Engineering Task Force (IETF).
- Request for Comments (IETF standards document) : see document
- Request for Information : see document
- Request for Proposal : see document
- Requester : see document
- The entity requesting to perform an operation upon the object.
- A person, organization, device, hardware, network, software, or service. In these guidelines, a subject is a natural person.
- The entity (person or organization) that wishes to make use of a provider’s Web service. It will use a requester agent to exchange messages with the provider’s provider agent. “Requester” is also used as a shorthand to refer to the requester agent acting on the requester’s behalf.
- An active entity, generally in the form of a person, process, or device, that causes information to flow among objects or changes the system state.
- Generally an individual, process, or device causing information to flow among objects or change to the system state. See object.
- An individual, process, or device that causes information to flow among objects or change to the system state. Also see object.
- requirements engineering : see document
- An interdisciplinary function that mediates between the domains of the acquirer and supplier to establish and maintain the requirements to be met by the system, software, or service of interest.
- A series of successive decomposition and derivation actions beginning with stakeholder requirements and moving through high-level design requirements to low-level design requirements to the implementation of the design. During requirements engineering, several requirements baselines are defined. These baselines include: a functional baseline that provides the basis for contracting and controlling the system design; an allocated baseline that provides performance requirements for each configuration item of the system; and a product baseline that provides a detailed design specification for system elements.
- Requirements Verification Traceability Matrix : see document
- RES : see document
- Research and Development : see document
- Réseaux IP Européens : see document
- Réseaux IP Européens Network Coordination Centre : see document
- Regional Internet Registry for Europe, the Middle East, and parts of Central Asia that allocates and registers blocks of Internet number resources to Internet service providers (ISPs) and other organizations.
- reserve keying material : see document
- Key held to satisfy unplanned needs. See contingency key.
- Reserved for Future Use : see document
- resident alien : see document
- A citizen of a foreign nation, legally residing in the United States on a permanent basis, who is not yet a naturalized citizen of the United States.
- residual information protection : see document
- Ensur(ing) that any data contained in a resource is not available when the resource is de-allocated from one object and reallocated to a different object.
- residual risk : see document
- Portion of risk remaining after controls/countermeasures have been applied.
- Portion of risk remaining after security measures have been applied.
- The potential for the occurrence of an adverse event after adjusting for the impact of all in-place safeguards. (See Total Risk, Acceptable Risk, and Minimum Level of Protection.)
- The remaining, potential risk after all IT security measures are applied. There is a residual risk associated with each threat.
- Risk that remains after risk responses have been documented and performed.
- Risk remaining after risk treatment.
- residue : see document
- Data left in storage after information processing operations are complete, but before degaussing or overwriting has taken place.
- Resilience Management Model : see document
- Resilience Requirements : see document
- The business-driven availability and reliability characteristics for the manufacturing system that specify recovery tolerances from disruptions and major incidents.
- Resilient Interdomain Traffic Exchange : see document
- resilient otherwise : see document
- Security considerations applied to enable system operation despite disruption while not maintaining a secure mode, state, or transition; or only being able to provide for partial security within a given system mode, state, or transition.
- Resilient Systems Working Group : see document
- resolution : see document
- The process of collecting information about an applicant to uniquely distinguish an individual within the context of the population that the CSP serves.
- Resolvable Private Address : see document
- Resolver : see document
- Software that retrieves data associated with some identifier.
- resource : see document
- An entity to be protected from unauthorized use.
- Asset used or consumed during the execution of a process.
- A passive entity that contains or receives information. Note that access to an object potentially implies access to the information it contains.
- Passive information system-related entity (e.g., devices, files, records, tables, processes, programs, domains) containing or receiving information. Access to an object (by a subject) implies access to the information it contains. See subject.
- Passive system-related entity, including devices, files, records, tables, processes, programs, and domains that contain or receive information. Access to an object (by a subject) implies access to the information it contains. See subject.
- An operating system abstraction that is visible at the application program interface, has a unique name, and is capable of being shared. In this document, the following are resources: files, programs, directories, databases, mini-disks, and special files. In this document, the following are not resources: records, blocks, pages, segments, bits, bytes, words, fields, and processors.
- Resource Access Point : see document
- Resource allocation : see document
- A mechanism for limiting how much of a host’s resources a given container can consume.
- resource consumer : see document
- resource control : see document
- A capability in which an attacker controls one or more external resources consumed by a machine learning model at inference time, particularly for GenAI systems such as retrieval-augmented generation applications.
- resource manager : see document
- Resource pooling : see document
- The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.
- resource provider : see document
- Resource Public Key Infrastructure : see document
- The Resource Public Key Infrastructure is a framework aimed at securing the Internet’s routing infrastructure, in particular routing information such as the IP address prefix and Originator mapping embedded in the BGP protocol. It provides certificates that are used to verify whether the originating AS is permitted to publish the embedded IP address prefix(es).
- Resource Record : see document
- Resource Record Signature : see document
- Resource Server : see document
- Resource-Oriented Lightweight Information Exchange : see document
- Respond : see document
- respond (CSF function) : see document
- Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Respond, Communications : see document
- Response : see document
- Response Message Authentication Code : see document
- Response Rate Limiting : see document
- responsibility to provide : see document
- An information distribution approach whereby relevant essential information is made readily available and discoverable to the broadest possible pool of potential users.
- Responsible Person : see document
- REST : see document
- A software architectural style that defines a common method for defining APIs for Web services.
- restoration : see document
- The process of changing the status of a suspended (i.e., temporarily invalid) certificate to valid.
- restricted authenticator : see document
- An authenticator type, class, or instantiation that has additional risk of false acceptance associated with its use and is therefore subject to additional requirements.
- restricted data : see document
- All data concerning (i) design, manufacture, or utilization of atomic weapons; (ii) the production of special nuclear material; or (iii) the use of special nuclear material in the production of energy, but shall not include data declassified or removed from the Restricted Data category pursuant to Section 142 [of the Atomic Energy Act of 1954].
- Restricted Syndrome Decoding Problem : see document
- Restricted Syndrome Decoding Problem with subgroup G : see document
- Result content : see document
- Part or all of one or more SCAP result data streams.
- results : see document
- All data acquired from using a questionnaire, such as the answers to individual questions and the final result for the entire questionnaire.
- Retention period : see document
- The minimum amount of time that a key or other cryptographically related information should be retained in an archive.
- The minimum amount of time that a key or other cryptographically related information should be retained.
- The minimum amount of time that a key or other cryptographically related information should be retained in the archive.
- retirement : see document
- Withdrawal of active support by the operation and maintenance organization, partial or total replacement by a new system, or installation of an upgraded system.
- retrieval-augmented generation : see document
- A type of GenAI system in which a model is paired with a separate information retrieval system (or “knowledge base”). Based on a user query, the RAG system identifies relevant information within the knowledge base and provides it to the GenAI model in context for the model to use in formulating its response. RAG systems allow the internal knowledge of a GenAI model to be modified without the need for retraining.
- Return on Investment : see document
- Return Oriented Programming : see document
- Reverse Address Resolution Protocol : see document
- Reverse Channel : see document
- Reverse SOAP : see document
- Review Status : see document
- The status of the checklist within the internal NCP review process. Possible status options are: Candidate, Final, Archived, or Under Review. A status of "Final" signifies that NCP has reviewed the checklist and has accepted it for publication within the program.
- The status of the checklist within the internal NCP review process; a status of "Final" signifies that NCP has reviewed the checklist and has accepted it for publication within the program. Possible status options are: Candidate, Final, Archived, or Under Review.
- Review Techniques : see document
- Passive information security testing techniques, generally conducted manually, that are used to evaluate systems, applications, networks, policies, and procedures to discover vulnerabilities. They include documentation, log, ruleset, and system configuration review; network sniffing; and file integrity checking.
- revocation : see document
- The process of permanently ending the binding between a certificate and the identity asserted in the certificate from a specified time forward.
- A process whereby a notice is made available to affected entities that keys should be removed from operational use prior to the end of the established cryptoperiod of those keys.
- Revoked Key Notification : see document
- Revoked key notification (RKN) : see document
- A report (e.g., a list) of one or more keys that have been revoked and the date(s) of revocation, possibly along with the reason for their revocation. Certificate Revocation Lists (CRLs) and Compromised Key Lists (CKLs) are examples of RKNs, along with Online Certificate Status Protocol (OCSP) responses (see RFC 6960).
- Reward system : see document
- A means of providing blockchain network users an award for activities within the blockchain network (typically used as a system to reward successful publishing of blocks). Also known as incentive systems.
- RF : see document
- RF Subsystem : see document
- The portion of the RFID system that uses radio frequencies to perform identification and related transactions. The RF subsystem consists of two components: a reader and a tag.
- RFC : see document
- A Request For Comments is a formal standards-track document developed in working groups within the Internet Engineering Task Force (IETF).
- RFD : see document
- RFI : see document
- RFID : see document
- RFP : see document
- RFU : see document
- RHEL : see document
- RIB : see document
- Ribonucleic Acid : see document
- Rich Communication Services : see document
- Rich Execution Environment : see document
- Rich Site Summary or Really Simple Syndication : see document
- RID : see document
- RIDR : see document
- Rijndael : see document
- The block cipher that NIST selected as the winner of the AES competition.
- RIM : see document
- Ring Learning With Rounding : see document
- RIP : see document
- RIPE : see document
- RIPE NCC : see document
- Regional Internet Registry for Europe, the Middle East, and parts of Central Asia that allocates and registers blocks of Internet number resources to Internet service providers (ISPs) and other organizations.
- RIPEMD : see document
- Ripple : see document
- RIR : see document
- RIS : see document
- RISC : see document
- Risk Adaptive (Adaptable) Access Control : see document
- In RAdAC, access privileges are granted based on a combination of a user’s identity, mission need, and the level of security risk that exists between the system being accessed and a user. RAdAC will use security metrics, such as the strength of the authentication method, the level of assurance of the session connection between the system and a user, and the physical location of a user, to make its risk determination.
- A form of access control that uses an authorization policy that takes into account operational need, risk, and heuristics.
- Access privileges are granted based on a combination of a user’s identity, mission need, and the level of security risk that exists between the system being accessed and a user. RAdAC will use security metrics, such as the strength of the authentication method, the level of assurance of the session connection between the system and a user, and the physical location of a user, to make its risk determination.
- risk aggregation : see document
- The combination of several risks into one risk to develop a more complete understanding of the overall risk.
- risk analysis : see document
- The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. A part of risk management incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.
- The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
- The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Part of risk management, synonymous with risk analysis. Incorporates threat and vulnerability analyses.
- The process of identifying risks to organizational operations (including mission, functions, images, and reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.
- The process of identifying, estimating, and prioritizing risks to organizational operations (i.e., mission, functions, image, reputation), organizational assets, individuals, and other organizations that result from the operation of a system. A risk assessment is part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls that are planned or in place. It is synonymous with “risk analysis.”
- Process to comprehend the nature of risk and to determine the level of risk.
- Overall process of risk identification, risk analysis, and risk evaluation.
- The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of a system.
- The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
- The process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Part of risk management and synonymous with risk assessment.
- The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.
- Risk management includes threat and vulnerability analyses as well as analyses of adverse effects on individuals arising from information processing and considers mitigations provided by security and privacy controls planned or in place. Synonymous with risk analysis.
- The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of a system. Part of risk management, incorporates threat and vulnerability analyses and analyses of privacy problems arising from information processing and considers mitigations provided by security and privacy controls planned or in place. Synonymous with risk analysis.
- The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.
- The process of identifying security risks, determining their magnitude, and identifying areas needing safeguards. Risk analysis is part of risk management.
- The process of identifying the risks to system security and determining the likelihood of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Part of risk management and synonymous with risk assessment.
- Risk Assessment Methodology : see document
- A risk assessment process, together with a risk model, assessment approach, and analysis approach.
- risk assessment report (RAR) : see document
- The report which contains the results of performing a risk assessment or the formal output from the process of assessing risk.
- risk assessor : see document
- The individual, group, or organization responsible for conducting a security or privacy control assessment.
- The individual, group, or organization responsible for conducting a risk assessment.
- See Security Control Assessor.
- See Security Control Assessor or Privacy Control Assessor.
- The individual responsible for conducting assessment activities under the guidance and direction of a Designated Authorizing Official. The Assessor is a 3rd party.
- The individual, group, or organization responsible for conducting a security or privacy assessment.
- See security control assessor or risk assessor.
- The individual, group, or organization responsible for conducting a security or privacy control assessment.
- risk criteria : see document
- Terms of reference against which the significance of a risk is evaluated, such as organizational objectives, internal/external context, and mandatory requirements (e.g., standards, laws, policies).
- Terms of reference against which the significance of a risk is evaluated.
- Risk Detail Record : see document
- Risk Detail Report : see document
- A report listing detailed risk scenario information supporting the contents of a risk register entry including, but not limited to, risk history information, risk analysis data, and information about individual and organizational accountability.
- risk elevation : see document
- The process of transferring the decisions on risk response to a more senior stakeholder when the factors involved (e.g., a regulatory compliance risk) are particularly sensitive or critical. For example, enterprise risk strategy might direct that any risk with more than $1 million exposure or risks related to a particularly important business application must be managed at a more senior level.
- risk escalation : see document
- Occurs when a particular threshold is reached, either based on a time frame or some other risk condition, thus requiring a higher level of attention. For example, a risk that has remained through more than two fiscal periods without adequate treatment might be flagged for additional scrutiny. Another condition for escalation might occur if, during risk monitoring, conditions indicate that the risk exposure rating will significantly exceed the initial estimates.
- risk evaluation : see document
- Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is/are acceptable or tolerable.
- Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable.
- risk executive (function) : see document
- An individual or group within an organization that helps to ensure that: (i) security risk-related considerations for individual information systems, to include the authorization decisions for those systems, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its missions and business functions; and (ii) managing risk from individual information systems is consistent across the organization, reflects organizational risk tolerance, and is considered along with other organizational risks affecting mission/business success.
- An individual or group within an organization that helps to ensure that: (i) security risk-related considerations for individual information systems, to include the authorization decisions, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its missions and business functions; and (ii) managing information system-related security risks is consistent across the organization, reflects organizational risk tolerance, and is considered along with organizational risks affecting mission/business success.
- An individual or group within an organization, led by the senior accountable official for risk management, that helps to ensure that security risk considerations for individual systems, to include the authorization decisions for those systems, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its missions and business functions; and managing risk from individual systems is consistent across the organization, reflects organizational risk tolerance, and is considered along with other organizational risks affecting mission/business success.
- An individual or group within an organization that helps to ensure that (i) security risk-related considerations for individual information systems, to include the authorization decisions for those systems, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its missions and business functions; and (ii) managing risk from individual information systems is consistent across the organization, reflects organizational risk tolerance, and is considered along with other organizational risks affecting mission/business success.
- An individual or group within an organization that helps to ensure that: (i) security risk-related considerations for individual information systems, to include the authorization decisions, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its missions and business functions; and (ii) managing information system-related security risks is consistent across the organization, reflects organizational risk tolerance, and is considered along with other organizational risks affecting mission/business success.
- An individual or group within an organization that helps to ensure that: (i) security and privacy risk-related considerations for individual information systems, to include the authorization decisions, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its missions and business functions; and (ii) managing information system-related security and privacy risks is consistent across the organization, reflects organizational risk tolerance, and is considered along with other organizational risks affecting mission/business success.
- An individual or group within an organization that helps to ensure that: (i) security risk-related considerations for individual information systems, including the authorization decisions for those systems, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its missions and business functions; and (ii) managing risk from individual information systems is consistent across the organization, reflects organizational risk tolerance, and is considered along with other organizational risks affecting mission/business success.
- An individual or group within an organization that helps to ensure that security risk-related considerations for individual systems, to include the authorization decisions for those systems, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its mission and business functions; and managing risk from individual systems is consistent across the organization, reflects organizational risk tolerance, and is considered along with other organizational risks affecting mission or business success.
- An individual or group within an organization that provides a comprehensive, organization-wide approach to risk management. The risk executive (function) serves as the common risk management resource for senior leaders, executives, and managers, mission/business owners, chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, common control providers, enterprise architects, security architects, systems security or privacy engineers, system security or privacy officers, and any other stakeholders having a vested interest in the mission/business success of organizations. The risk executive (function) is an inherent U.S. Government function and is assigned to government personnel only. (SP800-37 Revision 2)
- Risk Executive Function : see document
- risk factor : see document
- A characteristic used in a risk model as an input for determining the level of risk in a risk assessment.
- A characteristic used in a risk model as an input to determining the level of risk in a risk assessment.
- risk framing : see document
- Risk framing is the set of assumptions, constraints, risk tolerances, and priorities/trade-offs that shape an organization’s approach for managing risk.
- The set of assumptions, constraints, risk tolerances, and priorities/trade-offs that shape an organization’s approach for managing risk.
- risk governance : see document
- The process by which risk management evaluation, decisions, and actions are connected to enterprise strategy and objectives. Risk governance provides the transparency, responsibility, and accountability that enables managers to acceptably manage risk.
- risk identification : see document
- Process of finding, recognizing, and describing risks.
- Risk Management Council or Committee : see document
- risk management framework (RMF) : see document
- A disciplined and structured process that integrates information security and risk management activities into the system development life cycle.
- A structured approach used to oversee and manage risk for an enterprise.
- The Risk Management Framework (RMF), presented in NIST SP 800-37, provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle.
- The Risk Management Framework (RMF) provides a structured, yet flexible approach for managing the portion of risk resulting from the incorporation of systems into the mission and business processes of the organization.
- Risk Management Framework (RMF) step : see document
- A reference to one of the 6 steps in the Risk Management Framework process defined in SP 800-37.
- risk management level : see document
- One of three organizational levels defined in NIST SP 800-39: Level 1 (organizational level), Level 2 (mission/business process level), or Level 3 (system level).
- Risk Management Process : see document
- risk management strategy : see document
- Strategy that addresses how organizations intend to assess risk, respond to risk, and monitor risk—making explicit and transparent the risk perceptions that organizations routinely use in making both investment and operational decisions.
- risk mitigation : see document
- Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.
- Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process. A subset of Risk Response.
- risk model : see document
- A key component of a risk assessment methodology (in addition to assessment approach and analysis approach) that defines key terms and assessable risk factors.
- risk optimization : see document
- A risk-related process to minimize negative and maximize positive consequences and their respective probabilities; risk optimization depends on risk criteria, including costs and legal requirements.
- Risk Profile : see document
- A prioritized inventory of the most significant risks identified and assessed through the risk assessment process versus a complete inventory of risks.
- Risk Reserve : see document
- A type of management reserve where funding or labor hours are set aside and employed if a risk is triggered to ensure that the opportunity is realized or the threat is avoided.
- risk response : see document
- Intentional and informed decision and actions to accept, avoid, mitigate, share, or transfer an identified risk.
- Accepting, avoiding, mitigating, sharing, or transferring risk to organizational operations (mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
- Accepting, avoiding, mitigating, sharing, or transferring risk to organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation. See Course of Action.
- Accepting, avoiding, mitigating, sharing, or transferring risk to organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation.
- Accepting, avoiding, mitigating, sharing, or transferring risk to agency operations, agency assets, individuals, other organizations, or the Nation.
- A way to keep risk within tolerable levels. Negative risks can be accepted, transferred, mitigated, or avoided. Positive risks can be realized, shared, enhanced, or accepted.
- Risk Response Measure : see document
- A specific action taken to respond to an identified risk.
- risk response plan : see document
- A summary of potential consequence(s) of the successful exploitation of a specific vulnerability or vulnerabilities by a threat agent, as well as mitigating strategies and C-SCRM controls.
- risk treatment : see document
- RITE : see document
- Rivest Cipher 4 : see document
- Rivest-Shamir-Adleman : see document
- For the purposes of this specification, RSA is a public-key signature algorithm specified by PKCS #1. As a reversible public-key algorithm, it may also be used for encryption.
- Rivest, Shamir, Adleman; an algorithm approved in [FIPS 186] for digital signatures and in [SP 800-56B] for key establishment.
- Algorithm developed by Rivest, Shamir and Adleman (allowed in FIPS 186-3 and specified in ANS X9.31 and PKCS #1).
- A public-key algorithm that is used for key establishment and the generation and verification of digital signatures.
- An algorithm approved in FIPS 186 for digital signatures and in SP 800-56B for key establishment.
- RK : see document
- RKN : see document
- RLP : see document
- RLS : see document
- RLWR : see document
- RM : see document
- RMA : see document
- R-MAC : see document
- RMC : see document
- RME : see document
- RMF : see document
- A disciplined and structured process that integrates information security and risk management activities into the system development life cycle.
- The Risk Management Framework (RMF), presented in NIST SP 800-37, provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle.
- The Risk Management Framework (RMF) provides a structured, yet flexible approach for managing the portion of risk resulting from the incorporation of systems into the mission and business processes of the organization.
- RMI : see document
- RMM : see document
- RMON : see document
- RMP : see document
- RMRS : see document
- RN : see document
- RNA : see document
- RNG : see document
- RNG seed : see document
- A seed that is used to initialize a deterministic random bit generator. Also called an RBG seed.
- ROA : see document
- A Route Origin Attestation is a cryptographically verifiable attestation that a given Internet prefix can be announced by an AS listed within the attestation.
- Robot Operating System : see document
- robust authenticated encryption : see document
- Robust Inter-Domain Routing : see document
- Robust Security Network Information Element : see document
- robustness : see document
- The ability of an information assurance (IA) entity to operate correctly and reliably across a wide range of operational conditions, and to fail gracefully outside of that operational range.
- When applied to ISCM, a property that an ISCM capability is sufficiently accurate, complete, timely, and reliable for providing security status information to organization decision-makers to enable them to make risk-based decisions. The ability of an information assurance (IA) entity to operate correctly and reliably across a wide range of operational conditions and to fail gracefully outside of that operational range.
- ROC : see document
- A curve that plots the true positive rate versus the false positive rate for a classifier.
- ROE : see document
- Rogue Device : see document
- An unauthorized node on a network.
- ROI : see document
- role : see document
- A job function or employment position to which people or other system entities may be assigned in a system.
- The set of named duties or job functions within an organization.
- A collection of permissions in role-based access control, usually associated with a role or position within an organization.
- role-based access control (RBAC) : see document
- Access control based on user roles (i.e., a collection of access authorizations a user receives based on an explicit or implicit assumption of a given role). Role permissions may be inherited through a role hierarchy and typically reflect the permissions needed to perform defined functions within an organization. A given role may apply to a single individual or to several individuals.
- A model for controlling access to resources where permitted actions on resources are identified with roles rather than with individual subject identities.
- Mapped to job function; assumes that a person will take on different roles, over time, within an organization and different responsibilities in relation to IT systems.
- Access control based on user roles (i.e., a collection of access authorizations that a user receives based on an explicit or implicit assumption of a given role). Role permissions may be inherited through a role hierarchy and typically reflect the permissions needed to perform defined functions within an organization. A given role may apply to a single individual or to several individuals.
- Role-based authentication : see document
- A process that provides assurance of an entity’s role by means of an authentication mechanism that verifies the role of the entity. Contrast with identity-based authentication.
- ROLIE : see document
- Rollup : see document
- A scheme that enables the off-chain processing of transactions by one or more operators with on-chain state update commitments that contain “compressed” per-transaction data.
- ROM : see document
- ROM is a pre-recorded storage medium that can only be read from and not written to.
- Root Cause Analysis : see document
- A principle-based, systems approach for the identification of underlying causes associated with a particular set of risks.
- Root Certificate : see document
- A self-signed certificate, as defined by IETF RFC 5280, issued by a root CA. A root certificate is typically securely installed on systems so they can verify end-entity certificates they receive.
- Root Certificate Authority (CA) : see document
- In a hierarchical public key infrastructure (PKI), the certification authority (CA) whose public key serves as the most trusted datum (i.e., the beginning of trust paths) for a security domain.
- In a hierarchical public key infrastructure (PKI), the CA whose public key serves as the most trusted datum (i.e., the beginning of trust paths) for a security domain.
- Root Key : see document
- Root of Trust for Measurement : see document
- Root of Trust for Reporting : see document
- Root of Trust for Storage : see document
- Root of Trust for Update : see document
- Root of Trust for Update verification component : see document
- root user : see document
- A user who is authorized (and, therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.
- A user who is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.
- A user that is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.
- A user that is authorized (and, therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.
- rootkit : see document
- A set of tools used by an attacker after gaining root-level access to a host to conceal the attacker’s activities on the host and permit the attacker to maintain root-level access to the host through covert means.
- A collection of files that is installed on a host to alter the standard functionality of the host in a malicious and stealthy way.
- roots of trust : see document
- A starting point that is implicitly trusted.
- Highly reliable hardware, firmware, and software components that perform specific, critical security functions. Because roots of trust are inherently trusted, they must be secure by design. Roots of trust provide a firm foundation from which to build security and trust.
- ROP : see document
- ROS : see document
- RoT : see document
- A starting point that is implicitly trusted.
- Rotate : see document
- The process of renewing a certificate in conjunction with a rekey, followed by the process of replacing the existing certificate with the new certificate.
- ROTs : see document
- Rough Order of Magnitude : see document
- Round : see document
- A sequence of transformations of the state that is iterated <i>Nr</i> times in the specifications of CIPHER(), INVCIPHER(), and EQINVCIPHER(). The sequence consists of four transformations, except for one iteration, in which one of the transformations is omitted.
- Round key : see document
- One of the <i>Nr</i> + 1 arrays of four words that are derived from the block cipher key using the key expansion routine; each round key is an input to an instance of ADDROUNDKEY() in the AES block cipher.
- Round robin consensus model : see document
- A consensus model for permissioned blockchain networks where nodes are pseudo-randomly selected to create blocks, but a node must wait several block-creation cycles before being chosen again to add another new block. This model ensures that no one participant creates the majority of the blocks, and it benefits from a straightforward approach, lacking cryptographic puzzles, and having low power requirements.
- Route Flap Damping : see document
- Route Leak Protection : see document
- Route Origin Attestation : see document
- A Route Origin Attestation is a cryptographically verifiable attestation that a given Internet prefix can be announced by an AS listed within the attestation.
- Route Origin Authorization : see document
- Route Origin Validation : see document
- Router Under Test : see document
- Routing Information Base : see document
- Routing Information Protocol : see document
- ROV : see document
- Row Level Security : see document
- rowhammer attack : see document
- A software-based fault-injection attack that exploits dynamic random-access memory disturbance errors via user-space applications and allows the attacker to infer information about certain victim secrets stored in memory cells. Mounting this attack requires the attacker to control a user-space unprivileged process that runs on the same machine as the victim’s machine learning model.
- RP : see document
- An entity that relies upon the subscriber’s authenticator(s) and credentials or a verifier’s assertion of a claimant’s identity, typically to process a transaction or grant access to information or a system.
- A person or Agency who has received information that includes a certificate and a digital signature verifiable with reference to a public key listed in the certificate, and is in a position to rely on them.
- An entity that relies upon the subscriber’s credentials, typically to process a transaction or grant access to information or a system.
- RP subscriber account : see document
- An account established and managed by the RP in a federated system based on the RP’s view of the subscriber account from the IdP. An RP subscriber account is associated with one or more federated identifiers and allows the subscriber to access the account through a federation transaction with the IdP.
- RPC : see document
- RPKI : see document
- The Resource Public Key Infrastructure is a framework aimed to secure the Internet’s routing infrastructure, in particular the routing information such as the IP address prefix and Originator mapping embedded in the BGP protocol. It provides certificates that are used to verify if the originating AS is permitted to publish the embedded IP address prefix(es).
- RPKI cache to router protocol : see document
- RPKI Repository Delta Protocol : see document
- RPKI Validation Cache : see document
- RPKI Validation Cache provides Validated ROA Payload (VRP) and public router keys.
- RPKI-to-router protocol : see document
- RPM : see document
- RPO : see document
- The point in time to which data must be recovered after an outage.
- RR : see document
- RRC : see document
- RRDP : see document
- RRL : see document
- RRSIG : see document
- RS : see document
- Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- RS.CO : see document
- RS2 : see document
- RS2 Technologies : see document
- RSA : see document
- For the purposes of this specification, RSA is a public-key signature algorithm specified by PKCS #1. As a reversible public-key algorithm, it may also be used for encryption.
- Rivest, Shamir, Adleman; an algorithm approved in [FIPS 186] for digital signatures and in [SP 800-56B] for key establishment.
- Algorithm developed by Rivest, Shamir and Adleman (allowed in FIPS 186-3 and specified in ANS X9.31 and PKCS #1).
- A public-key algorithm that is used for key establishment and the generation and verification of digital signatures.
- An algorithm approved in FIPS 186 for digital signatures and in SP 800-56B for key establishment.
- RSA Secret Value Encapsulation : see document
- RSA Signature Scheme with Appendix - Probabilistic Signature Scheme : see document
- RSA with Optimal Asymmetric Encryption Padding : see document
- RSA-OAEP : see document
- RSASVE : see document
- RSD : see document
- R-SDP : see document
- R-SDP(G) : see document
- RSH : see document
- RSN : see document
- RSNA : see document
- RSNIE : see document
- RSPAN : see document
- RSS : see document
- RSSI : see document
- RSWG : see document
- rsync : see document
- RT : see document
- RTA : see document
- RTBH : see document
- RTC : see document
- RTCA : see document
- RTF : see document
- An RF transaction in which the reader transmits a signal that is received by tags in its vicinity. The tags may be commanded to respond to the reader and continue with further transactions.
- RTL : see document
- RTLS : see document
- RTM : see document
- RTO : see document
- The overall length of time an information system’s components can be in the recovery phase before negatively impacting the organization’s mission or mission/business processes.
- RTOS : see document
- RTR : see document
- A computer that is a gateway between two networks at OSI layer 3 and that relays and directs data packets through that inter-network. The most common form of router operates on IP packets.
- On a network, a device that determines the best path for forwarding a data packet toward its destination. The router is connected to at least two networks, and is located at the gateway where one network meets another.
- A computer that is a gateway between two networks at open system interconnection layer 3 and that relays and directs data packets through that internetwork. The most common form of router operates on IP packets.
- A computer that is a gateway between two networks at open systems interconnection layer 3 and that relays and directs data packets through that internetwork. The most common form of router operates on IP packets.
- RTS : see document
- RTU : see document
- A computer with radio interfacing used in remote situations where communication via wire is unavailable. Usually used to communicate with remote field equipment. PLCs with radio communication capabilities are also used in place of RTUs.
- Special purpose data acquisition and control unit designed to support DCS and SCADA remote stations. RTUs are field devices often equipped with network capabilities, which can include wired and wireless radio interfaces to communicate to the supervisory controller. Sometimes PLCs are implemented as field devices to serve as RTUs; in this case, the PLC is often referred to as an RTU.
- RTU-V : see document
- Rule : see document
- An element that holds check references and may also hold remediation information.
- Rule-Based Event Correlation : see document
- Correlating events by matching multiple log entries from a single source or multiple sources based on logged values, such as timestamps, IP addresses, and event types.
- rule-based security policy : see document
- A security policy based on global rules imposed for all subjects. These rules usually rely on a comparison of the sensitivity of the objects being accessed and the possession of corresponding attributes by the subjects requesting access.
- A security policy based on global rules imposed for all subjects. These rules usually rely on a comparison of the sensitivity of the objects being accessed and the possession of corresponding attributes by the subjects requesting access.
Also known as discretionary access control (DAC).
- Rules of Engagement (ROE) : see document
- Detailed guidelines and constraints regarding the execution of information security testing. The ROE is established before the start of a security test, and gives the test team authority to conduct defined activities without the need for additional permissions.
- ruleset : see document
- A table of instructions used by a controlled interface to determine what data is allowable and how the data is handled between interconnected systems.
- A collection of rules or signatures that network traffic or system activity is compared against to determine an action to take—such as forwarding or rejecting a packet, creating an alert, or allowing a system event.
- A set of directives that govern the access control functionality of a firewall. The firewall uses these directives to determine how packets should be routed between its interfaces.
- Run : see document
- An uninterrupted sequence of like bits (i.e., either all zeroes or all ones).
- Runs Test : see document
- The purpose of the runs test is to determine whether the number of runs of ones and zeros of various lengths is as expected for a random sequence. In particular, this test determines whether the oscillation between such substrings is too fast or too slow.
- runtime : see document
- The period during which a computer program is executing.
- RUP : see document
- RUT : see document
- RVC : see document
- RPKI Validation Cache provides Validated ROA Payload (VRP) and public router keys.
- RVTM : see document
- RW : see document
- RWX : see document
- S&RM : see document
- S/MIME : see document
- S/MIME Certificate Association (Resource Record) : see document
- S/RTBH : see document
- S4 : see document
- SA : see document
- Individual responsible for the installation and maintenance of an information system, providing effective information system utilization, adequate security parameters, and sound implementation of established Information Assurance policy and procedures.
- A person who manages a computer system, including its operating system and applications. A system administrator’s responsibilities are similar to that of a network administrator.
- A person who manages a computer system, including its operating system and applications. Responsibilities are similar to that of a network administrator.
- Set of values that define the features and protections applied to a connection.
- Individual or group responsible for overseeing the day-to-day operability of a computer system or network. This position normally carries special privileges including access to the protection state and software of a system.
- SA&A : see document
- SaaS : see document
- SABI : see document
- SAC : see document
- SACM : see document
- SAD : see document
- SAE : see document
- SAE International : see document
- SAFECode : see document
- safeguards : see document
- Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system.
- Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices.
- Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. Synonymous with security controls and safeguards.
- Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. Synonymous with security controls and countermeasures.
- Protective measures prescribed to meet the security objectives (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management controls, personnel security, and security of physical structures, areas, and devices. Synonymous with security controls and countermeasures.
- The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
- A safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements.
- The protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. Synonymous with security controls and countermeasures.
- The safeguards or countermeasures prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information.
- An approved security measure taken to protect computational resources by eliminating or reducing the risk to a system, which may include hardware and software mechanisms, policies, procedures, and physical controls.
- Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of a system. Synonymous with security controls and safeguards.
- Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for a system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. Synonymous with security controls and countermeasures.
- SAFER : see document
- safety : see document
- Expectation that a system does not, under defined conditions, lead to a state in which human life, health, property, or the environment is endangered.
- Freedom from conditions that can cause death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment.
- Safety Instrumented Function : see document
- Safety Requirements : see document
- AC properties, business requirements, specifications of expected/unexpected system security features, or direct translation of policy values. Safety requirements can also include privilege inheritance.
- Safety, Controls, Alarms, and Interlocks : see document
- SAISO : see document
- Official responsible for carrying out the Chief Information Officer responsibilities under FISMA and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners, and information system security officers.
- Official responsible for carrying out the Chief Information Officer responsibilities under the Federal Information Security Management Act (FISMA) and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners, and information systems security officers.
[Note 1: With respect to SecCM, a Senior Agency Information Security Officer is an individual that provides organization-wide procedures and/or templates for SecCM, manages or participates in the Configuration Control Board, and/or provides technical staff for security impact analyses.
Note 2: Organizations subordinate to federal agencies may use the term Senior Information Security Officer or Chief Information Security Officer to denote individuals filling positions with similar responsibilities to Senior Agency Information Security Officers.]
- Official responsible for carrying out the Chief Information Officer responsibilities under FISMA and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners, and information system security officers.
[Note: Organizations subordinate to federal agencies may use the term Senior Information Security Officer or Chief Information Security Officer to denote individuals filling positions with similar responsibilities to Senior Agency Information Security Officers.]
- Official responsible for carrying out the Chief Information Officer responsibilities under FISMA and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners, and information system security officers.
Note: Organizations subordinate to federal agencies may use the term Senior Information Security Officer or Chief Information Security Officer to denote individuals filling positions with similar responsibilities to Senior Agency Information Security Officers.
- Official responsible for carrying out the Chief Information Officer responsibilities under the Federal Information Security Modernization Act (FISMA) and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners, and information system security officers.
Note 1: With respect to SecCM, a Senior Agency Information Security Officer is an individual that provides organization-wide procedures and/or templates for SecCM, manages or participates in the Configuration Control Board, and/or provides technical staff for security impact analyses.
Note 2: Organizations subordinate to federal agencies may use the term Senior Agency Information Security Officer or Chief Information Security Officer to denote individuals filling positions with similar responsibilities to Senior Agency Information Security Officers.
- SAKA : see document
- salt : see document
- As used in this Recommendation, a byte string (which may be secret or non-secret) that is used as a MAC key by either: 1) a MAC-based auxiliary function H employed in one-step key derivation or 2) a MAC employed in the randomness-extraction step during two-step key derivation.
- A non-secret value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.
- A bit string generated during digital signature generation using the RSA Signature Scheme with Appendix - Probabilistic Signature Scheme (RSASSA-PSS).
- A byte string that is used as an input in the randomness extraction step specified in Section 5.
- A non-secret value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.
- A non-secret value that is used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.
- As used in this Recommendation, a byte string (which may be secret or non-secret) that is used as a MAC key.
- SAM : see document
- SAMATE : see document
- SAML : see document
- SAML SSO : see document
- SAMM : see document
- sampling : see document
- The process of taking samples of something for the purpose of analysis.
- SAN : see document
- A field in an X.509 certificate that identifies one or more fully qualified domain names, IP addresses, email addresses, URIs, or UPNs to be associated with the public key contained in a certificate.
- Sandbox : see document
- A system that allows an untrusted application to run in a highly controlled environment where the application’s permissions are restricted to an essential set of computer permissions. In particular, an application in a sandbox is usually restricted from accessing the file system or the network. A widely used example of applications running inside a sandbox is a Java applet.
- A restricted, controlled execution environment that prevents potentially malicious software, such as mobile code, from accessing any system resources except those for which the software is authorized.
- Isolating each guest OS from the others and restricting what resources they can access and what privileges they have.
- A restricted, controlled execution environment that prevents potentially malicious software, such as mobile code, from accessing any system resources except those for which the software is authorized (Under Sandboxing).
- sanitization : see document
- Actions taken to render data written on media unrecoverable by ordinary and — for some forms of sanitization — extraordinary means.
- A process to remove information from media such that data recovery is not possible, including the removal of all classified labels, markings, and activity logs.
- Process to remove information from media such that information recovery is not possible. It includes removing all labels, markings, and activity logs.
- 1. A process to render access to target data on the media infeasible for a given level of effort. Clear, purge, damage, and destruct are actions that can be taken to sanitize media. See media sanitization.
- 2. The removal of extraneous or potentially harmful data (e.g., malware) within a file or other information container (e.g., network protocol packet).
- Actions taken to render data written on media unrecoverable by both ordinary and, for some forms of sanitization, extraordinary means.
- A process to render access to Target Data on the media infeasible for a given level of effort. Clear, Purge, and Destroy are actions that can be taken to sanitize media.
- Process to remove information from media such that data recovery is not possible. It includes removing all classified labels, markings, and activity logs.
- Actions taken to render data written on media unrecoverable by both ordinary and, for some forms of sanitization, extraordinary means.
Process to remove information from media such that data recovery is not possible. It includes removing all classified labels, markings, and activity logs.
- Process to remove information from media such that data recovery is not possible.
- sanitize : see document
- Actions taken to render data written on media unrecoverable by ordinary and — for some forms of sanitization — extraordinary means.
- A process to remove information from media such that data recovery is not possible, including the removal of all classified labels, markings, and activity logs.
- 1. A process to render access to target data on the media infeasible for a given level of effort. Clear, purge, damage, and destruct are actions that can be taken to sanitize media. See media sanitization.
- 2. The removal of extraneous or potentially harmful data (e.g., malware) within a file or other information container (e.g., network protocol packet).
- Actions taken to render data written on media unrecoverable by both ordinary and, for some forms of sanitization, extraordinary means.
- A process to render access to Target Data on the media infeasible for a given level of effort. Clear, Purge, and Destroy are actions that can be taken to sanitize media.
- Process to remove information from media such that data recovery is not possible. It includes removing all classified labels, markings, and activity logs.
- Process to remove information from media such that data recovery is not possible.
- SANITIZE Command : see document
- A command in the ATA and SCSI standards that leverages a firmware-based process to perform a Sanitization action. If a device supports the sanitize command, the device must support at least one of three options: overwrite, block erase (usually for flash memory-based media), or crypto scramble (Cryptographic Erase). These commands typically execute substantially faster than attempting to rewrite through the native read and write interface. The ATA standard clearly identifies that the Sanitization operations must address user data areas, user data areas not currently allocated (including “previously allocated areas and physical sectors that have become inaccessible”), and user data caches. The resulting media contents vary based on the command used. The overwrite command allows the user to specify the data pattern applied to the media, so that pattern (or the inverse of that pattern, if chosen) will be written to the media (although the actual contents of the media may vary due to encoding). The result of the block erase command is vendor unique, but will likely be 0s or 1s. The result of the crypto scramble command is vendor unique, but will likely be cryptographically scrambled data (except for areas that were not encrypted, which are set to the value the vendor defines).
- SANS : see document
- SAO : see document
- Senior Authorizing Official: a senior organization official that has budgetary control, provides oversight, develops policy, and has authority over all functions and services provided by the issuer.
- SAOP : see document
- The senior official designated by the head of each agency who has agency-wide responsibility for privacy, including implementing privacy protections; ensuring compliance with federal laws, regulations, and policies related to privacy; managing privacy risks at the agency; and filling a central policy-making role in the agency’s development and evaluation of legislative, regulatory, and other policy proposals.
- Person responsible for ensuring that an agency complies with privacy requirements, manages privacy risks, and considers the privacy impacts of all agency actions and policies that involve personal information.
- The senior organizational official with overall organization-wide responsibility for information privacy issues.
- The senior official, designated by the head of each agency, who has agency-wide responsibility for privacy, including implementation of privacy protections; compliance with Federal laws, regulations, and policies relating to privacy; management of privacy risks at the agency; and a central policy-making role in the agency’s development and evaluation of legislative, regulatory, and other policy proposals.
- SAORM : see document
- SAP : see document
- A program established for a specific class of classified information that imposes safeguarding and access requirements that exceed those normally required for information at the same classification level.
- SAPF : see document
- SAR : see document
- Sarbanes-Oxley Act : see document
- SARD : see document
- SAS : see document
- SASE : see document
- SAST : see document
- SATA : see document
- SATE : see document
- satellite : see document
- Bus and payload combined into one operational asset.
- Satisfaction : see document
- Freedom from discomfort, and positive attitudes towards the use of the product.
- SAV : see document
- SB : see document
- SBA : see document
- SBH : see document
- SBIR : see document
- SBOM : see document
- A formal record containing the details and supply chain relationships of various components used in building software. Software developers and vendors often create products by assembling existing open source and commercial software components. The SBOM enumerates these components in a product.
- S-box : see document
- A non-linear substitution table used in SUBBYTES() and KEYEXPANSION() to perform a one-to-one substitution of a byte value.
- SBU : see document
- SC : see document
- The process of determining the security category for information or an information system. Security categorization methodologies are described in CNSS Instruction 1253 for national security systems and in FIPS 199 for other than national security systems.
- The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, or individuals.
- The process of determining the security category for information or an information system. Security categorization methodologies are described in CNSSI No.1253 for national security systems and in FIPS 199 for other than national security systems.
- The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, individuals, other organizations, and the Nation.
- The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, individuals, other organizations, or the Nation.
- The process of determining the security category for information or an information system. Security categorization methodologies are described in CNSS Instruction 1253 for national security systems and in FIPS Publication 199 for other than national security systems. See Security Category.
- The process of determining the security category for information or an information system. Security categorization methodologies are described in Committee on National Security Systems (CNSS) Instruction 1253 for national security systems and in FIPS 199 for other than national security systems.
- SC 37 : see document
- The Biometrics standardization subcommittee under ISO/IEC Joint Technical Committee
- SCA : see document
- The individual, group, or organization responsible for conducting a security control assessment.
- An attack enabled by leakage of information from a physical cryptosystem. Characteristics that could be exploited in a side-channel attack include timing, power consumption, and electromagnetic and acoustic emissions.
- Confidence that the supply chain will produce and deliver elements, processes, and information that function as expected.
- SCADA : see document
- A generic name for a computerized system that is capable of gathering and processing data and applying operational controls over long distances. Typical uses include power transmission and distribution and pipeline systems. SCADA was designed for the unique communication challenges (e.g., delays, data integrity) posed by the various media that must be used, such as phone lines, microwave, and satellite. Usually shared rather than dedicated.
- SCADA Security Scientific Symposium : see document
- SCADS : see document
- A generic name for a computerized system that is capable of gathering and processing data and applying operational controls over long distances. Typical uses include power transmission and distribution and pipeline systems. SCADA was designed for the unique communication challenges (e.g., delays, data integrity) posed by the various media that must be used, such as phone lines, microwave, and satellite. Usually shared rather than dedicated.
- SCAI : see document
- Scalability : see document
- The ability to support more users, concurrent sessions, and throughput than a single SSL VPN device can typically handle.
- Scalability testing : see document
- Testing the ability of a system to handle an increasing amount of work correctly.
- scanning : see document
- Sending packets or requests to another system to gain information to be used in a subsequent attack.
- SCAP : see document
- SCAP Capability : see document
- A specific function or functions of a product as defined below:
Authenticated Configuration Scanner: the capability to audit and assess a target system to determine its compliance with a defined set of configuration requirements using target system logon privileges.
Common Vulnerabilities and Exposures (CVE) Option: the capability to process and present CVEs correctly and completely.
Open Checklist Interactive Language (OCIL) Option: the capability to process and present OCIL correctly and completely.
- SCAP component : see document
- A logical unit of data expressed using one or more of the SCAP component specifications.
- One of the eleven specifications that comprise SCAP: Asset Identification, ARF, CCE, CCSS, CPE, CVE, CVSS, OCIL, OVAL, TMSAD, and XCCDF.
- SCAP conformant : see document
- A product or SCAP data stream that meets the requirements of this specification.
- SCAP content : see document
- Part or all of one or more SCAP data streams.
- SCAP Content Checklist : see document
- An automated checklist that adheres to the SCAP specification in NIST SP 800-126 for documenting security settings in machine-readable standardized SCAP formats.
- SCAP Content Validation Tool : see document
- SCAP data stream : see document
- A specific instantiation of SCAP content.
- SCAP data stream collection : see document
- A container for SCAP data streams and components.
- SCAP result data stream : see document
- An SCAP data stream that holds output (result) content.
- A bundle of SCAP components, along with the mappings of references between SCAP components, that holds output (result) content.
- SCAP Revision : see document
- A version of the SCAP specification designated by a revision number in the format nn.nn.nn, where the first nn is the major revision number, the second nn number is the minor revision number, and the final nn number is the refinement number. A specific SCAP revision will populate all three fields, even if that means using zeros to show no minor revision or refinement number has been used to date. A leading zero will be used to pad single-digit revision or refinement numbers.
- SCAP source data stream : see document
- An SCAP data stream that holds input (source) content.
- A bundle of SCAP components, along with the mappings of references between SCAP components, that holds input (source) content.
- SCAP source data stream collection : see document
- A container for SCAP data streams and components.
- SCAP use case : see document
- A pre-defined way in which a product can use SCAP. See Section 5 for the definitions of the SCAP use cases.
- SCAPVal : see document
- SCARL : see document
- SCAS : see document
- Scatternet : see document
- A chain of piconets created by allowing one or more Bluetooth devices to each be a slave in one piconet and act as the master for another piconet simultaneously. A scatternet allows several devices to be networked over an extended distance.
- scavenging : see document
- Searching through object residue to acquire data.
- SCBA : see document
- SCC : see document
- SCCM : see document
- Scenario : see document
- A sequential, narrative account of a hypothetical incident that provides the catalyst for the exercise and is intended to introduce situations that will inspire responses and thus allow demonstration of the exercise objectives.
- Scenario Test : see document
- Scenario testing is intended to mimic an operational application and simultaneously institute controls on the procedures. Scenario testing requires members of a human test population to transact with biometric sensors. Scenario tests are appropriate for capturing and assessing the effects of interactions human users have with biometric sensors and interfaces.
- SCEP : see document
- A protocol defined in an IETF internet draft specification that is used by numerous manufacturers of network equipment and software who are developing simplified means of handling certificates for large-scale implementation to everyday users, as well as referenced in other industry standards.
- SCEPACS : see document
- scheduled data transfer : see document
- A connection used to transfer data on a regular, recurring basis.
- Scheme : see document
- Set of rules and procedures that describes the objects of conformity assessment, identifies the specified requirements and provides the methodology for performing conformity assessment.
- A (cryptographic) scheme consists of a set of unambiguously specified transformations that are capable of providing a (cryptographic) service when properly implemented and maintained. A scheme is a higher-level construct than a primitive and a lower-level construct than a protocol.
- A set of unambiguously specified transformations that provide a (cryptographic) service when properly implemented and maintained. A scheme is a higher-level construct than a primitive and a lower-level construct than a protocol.
- A set of unambiguously specified transformations that provide a (cryptographic) service (e.g., key establishment) when properly implemented and maintained. A scheme is a higher-level construct than a primitive and a lower-level construct than a protocol.
- A (cryptographic) scheme consists of a set of unambiguously specified transformations that are capable of providing a (cryptographic) service when properly implemented and maintained. A scheme is a higher-level construct than a primitive, and a lower-level construct than a protocol.
- Scheme Owner : see document
- Person or organization responsible for the development and maintenance of a conformity assessment system or conformity assessment scheme.
- The entity that manages the labeling scheme and determines its structure and management and performs oversight to ensure that the scheme is functioning consistently with overall objectives.
- Schweitzer Engineering Laboratories : see document
- SCI : see document
- Classified information concerning or derived from intelligence sources, methods, or analytical processes, which is required to be handled within formal access control systems established by the Director of National Intelligence.
- Science, Technology, Engineering, and Math : see document
- SCIF : see document
- SCIM : see document
- SCIP : see document
- SCM : see document
- SCMS : see document
- scoping considerations : see document
- A part of tailoring guidance providing organizations with specific considerations on the applicability and implementation of security controls in the security control baseline. Areas of consideration include policy/regulatory, technology, physical infrastructure, system component allocation, operational/environmental, public access, scalability, common control, and security objective.
- A part of tailoring guidance providing organizations with specific considerations on the applicability and implementation of controls in the control baselines. Considerations include policy/regulatory, technology, physical infrastructure, system element allocation, operational/environmental, public access, scalability, common control, and security objective.
- A part of tailoring guidance that provides organizations with specific considerations on the applicability and implementation of security and privacy controls in the control baselines. Considerations include policy or regulatory, technology, physical infrastructure, system component allocation, public access, scalability, common control, operational or environmental, and security objective.
- A part of tailoring guidance providing organizations with specific considerations on the applicability and implementation of security and privacy controls in the control baselines. Considerations include policy or regulatory, technology, physical infrastructure, system component allocation, public access, scalability, common control, operational or environmental, and security objective.
- Scoping Guidance : see document
- Provides organizations with specific technology-related, infrastructure-related, public access-related, scalability-related, common security control-related, and risk-related considerations on the applicability and implementation of individual security controls in the control baseline.
- SCOR : see document
- SCORE : see document
- SCP : see document
- Script : see document
- A sequence of instructions, ranging from a simple list of operating system commands to full-blown programming language statements, which can be executed automatically by an interpreter.
- Scripting Language : see document
- A definition of the syntax and semantics for writing and interpreting scripts.
- SCRM : see document
- The implementation of processes, tools, or techniques to minimize the adverse impact of attacks that allow the adversary to utilize implants or other vulnerabilities inserted prior to installation in order to infiltrate data, or manipulate information technology hardware, software, operating systems, peripherals (information technology products), or services at any point during the life cycle.
- SCRTM : see document
- SCSI : see document
- A magnetic media interface specification. Small Computer System Interface.
- SCTP : see document
- SCV : see document
- SCW : see document
- SD : see document
- SDA : see document
- SDC : see document
- SDDC : see document
- SDEI : see document
- SDK : see document
- SDL : see document
- The set of methods to reduce the risk of disclosing information on individuals, businesses or other organizations. Such methods are only related to the dissemination step and are usually based on restricting the amount of or modifying the data released.
- SDLC : see document
- A formal or informal methodology for designing, creating, and maintaining software (including code built into hardware).
- The scope of activities associated with a system, encompassing the system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal that instigates another system initiation.
- SDMI : see document
- SDN : see document
- SDO : see document
- Any organization that develops and approves standards using various methods to establish consensus among its participants. Such organizations may be: accredited, such as ANSI-accredited IEEE; international treaty based, such as the ITU-T; private sector based, such as ISO/IEC; an international consortium, such as OASIS or IETF; or a government agency.
- SDoC : see document
- Declaration where the conformity assessment activity is performed by the person or organization that provides the ‘object’ (such as product, process, management system, person or body) and the supplier provides written confidence of conformity.
- SDP : see document
- SDR : see document
- SDS : see document
- SDWAN : see document
- SD-WAN : see document
- SE : see document
- seal of approval : see document
- A single label indicating a product has met a baseline standard.
- Search Module Lattice Isomorphism Problem : see document
- SEBoK : see document
- SECAM : see document
- SecCM : see document
- seccomp : see document
- SecDOP : see document
- Second byte of a two-byte status word : see document
- Second byte of a two-byte status word
- Second preimage : see document
- A message Ms′ that is different from a given message Ms, such that its message digest is the same as the known message digest of Ms.
- A message X′ that is different from a given message X, such that its message digest is the same as the known message digest of X.
- Second preimage resistance : see document
- An expected property of a cryptographic hash function whereby it is computationally infeasible to find a second preimage of a known message digest. See “Second preimage”.
- An expected property of a hash function whereby it is computationally infeasible to find a second preimage of a known message digest. See “Second preimage”.
- Secondary market : see document
- An unofficial, unauthorized, or unintended distribution channel.
- Secret and Below Interoperability : see document
- secret key : see document
- A single cryptographic key that is used with a symmetric-key algorithm; also called a secret key. A symmetric-key algorithm is a cryptographic algorithm that uses the same secret key for an operation and its complement (e.g., encryption and decryption).
- A cryptographic key that is used with a (symmetric) cryptographic algorithm that is uniquely associated with one or more entities and is not made public. The use of the term “secret” in this context does not imply a classification level, but rather implies the need to protect the key from disclosure.
- A cryptographic key, used with a secret key cryptographic algorithm, that is uniquely associated with one or more entities and should not be made public.
- A cryptographic key used by one or more (authorized) entities in a symmetric-key cryptographic algorithm; the key is not made public.
- A cryptographic key used by a secret-key (symmetric) cryptographic algorithm and that is not made public.
- A single cryptographic key that is used with a secret (symmetric) key algorithm.
- A cryptographic key that is used with a secret-key (symmetric) cryptographic algorithm that is uniquely associated with one or more entities and is not made public. The use of the term “secret” in this context does not imply a classification level, but rather implies the need to protect the key from disclosure.
- A cryptographic key that is used with a secret key (also known as a symmetric key) cryptographic algorithm that is uniquely associated with one or more entities and shall not be made public. The use of the term “secret” in this context does not imply a classification level, but rather implies the need to protect the key from disclosure.
- A single cryptographic key that is shared by both originator and recipient (see symmetric key algorithm).
- A cryptographic key that is shared between two or more entities and used with a cryptographic application to process information.
- A single cryptographic key that is used by one or more entities with a symmetric key algorithm.
- A single cryptographic key that is used with a symmetric (secret key) cryptographic algorithm and is not made public (i.e., the key is kept secret). A secret key is also called a symmetric key.
- The use of the term “secret” in this context does not imply a classification level, but rather implies the need to protect the key from disclosure.
- Compare with a private key, which is used with a public-key (asymmetric-key) algorithm.
- A single cryptographic key that is used with a symmetric (secret key) algorithm, is uniquely associated with one or more entities, and is not made public (i.e., the key is kept secret); a symmetric key is often called a secret key.
- A single cryptographic key that is used with a symmetric-key cryptographic algorithm, is uniquely associated with one or more entities and is not made public (i.e., the key is kept secret). A secret key is also called a Symmetric key. The use of the term “secret” in this context does not imply a classification level but rather implies the need to protect the key from disclosure.
- A single cryptographic key that is used with a symmetric-key cryptographic algorithm, is uniquely associated with one or more entities, and is not made public (i.e., the key is kept secret). A symmetric key is often called a secret key. See Secret key.
- A cryptographic key that must be protected from unauthorized disclosure to protect data encrypted with the key. The use of the term “secret” in this context does not imply a classification level; rather, the term implies the need to protect the key from disclosure or substitution.
- secret key (symmetric) cryptographic algorithm : see document
- A cryptographic algorithm that uses a single key (i.e., a secret key) for both encryption and decryption.
- See symmetric (secret key) algorithm.
- A cryptographic algorithm that uses the same secret key for an operation and its complement (e.g., encryption and decryption). The key is kept secret and is called either a secret key or symmetric key.
- See Symmetric-key algorithm.
- Secret key information : see document
- The key information that needs to be kept secret (i.e., symmetric keys, private keys, key shares and secret metadata).
- Secret keying material : see document
- The binary data that is used to form secret keys, such as AES encryption or HMAC keys.
- The binary data that is used to form secret keys, such as AES encryption keys or HMAC keys.
- As used in this Recommendation, the secret keying material that is either (1) derived by applying the key-derivation method to the shared secret and other shared information during a key-agreement transaction, or (2) is transported during a key-transport transaction.
- secret seed : see document
- A secret value used to initialize a pseudorandom number generator.
- Sector : see document
- The smallest unit that can be accessed on media.
- Sector-Specific Agency : see document
- secure access service edge : see document
- Secure And Fast Encryption Routine : see document
- Secure channel : see document
- A path for transferring data between two entities or components that ensures confidentiality, integrity and replay protection, as well as mutual authentication between the entities or components. The secure channel may be provided using cryptographic, physical or procedural methods, or a combination thereof.
- A path for transferring data between two entities or components that ensures confidentiality, integrity and replay protection, as well as mutual authentication between the entities or components. The secure channel may be provided using approved cryptographic, physical or procedural methods, or a combination thereof. Sometimes called a trusted channel.
- A path for transferring data between two entities or components that ensures confidentiality, integrity, and replay protection as well as mutual authentication between the entities or components. The secure channel may be provided using cryptographic, physical, or procedural methods or a combination thereof.
- secure communication protocol : see document
- A communication protocol that provides the appropriate confidentiality, authentication, and content-integrity protection.
- A communication protocol that provides the appropriate confidentiality, source authentication, and data integrity protection.
- A communication protocol that provides the appropriate confidentiality, source authentication, and integrity protection.
- A communication protocol that provides the appropriate confidentiality, authentication and content-integrity protection.
- secure communications : see document
- Telecommunications deriving security through use of National Security Agency (NSA)-approved products and/or protected distribution systems (PDSs).
- Secure Communications Interoperability Protocol : see document
- secure communications interoperability protocol (SCIP) product : see document
- National Security Agency (NSA) certified secure voice and data encryption devices that provide interoperability with both national and foreign wired and wireless products.
- Secure Computing : see document
- Secure Copy Protocol : see document
- Secure Device Authentication : see document
- Secure Digital : see document
- Secure Digital eXtended Capacity (SDXC) : see document
- Supports cards up to 2 TB, compared to a limit of 32 GB for SDHC cards in the SD 2.0 specification.
- Secure Digital Music Initiative : see document
- Secure DTD2000 System : see document
- Secure Element : see document
- Secure Entry Point : see document
- Secure Erase Command : see document
- An overwrite command in the ATA standard (as ‘Security Erase Unit’) that leverages a firmware-based process to overwrite the media. This command typically executes substantially faster than attempting to rewrite through the native read and write interface. There are up to two options, ‘normal erase’ and ‘enhanced erase’. The normal erase, as defined in the standard, is only required to address data in the contents of LBA 0 through the greater of READ NATIVE MAX or READ NATIVE MAX EXT, and replaces the contents with 0s or 1s. The enhanced erase command specifies that, “…all previously written user data shall be overwritten, including sectors that are no longer in use due to reallocation” and the contents of the media following Sanitization are vendor unique. The actual action performed by an enhanced erase varies by vendor and model, and could include a variety of actions that have varying levels of effectiveness. The secure erase command is not defined in the SCSI standard, so it does not apply to media with a SCSI interface.
- Secure Exception Level : see document
- secure federated data-sharing system : see document
- Secure File Transfer Protocol : see document
- Secure FTP : see document
- Secure Hash Algorithm : see document
- A hash algorithm with the property that it is computationally infeasible 1) to find a message that corresponds to a given message digest, or 2) to find two different messages that produce the same message digest.
- The Secure Hash Algorithm defined in Federal Information Processing Standard 180-1.
- A hash function specified in FIPS 180-2, the Secure Hash Standard.
- The SHA-1 hash for the resource.
- Secure Hash Algorithm 256 : see document
- A hash algorithm that can be used to generate digests of messages. The digests are used to detect whether messages have been changed since the digests were generated.
- The SHA-256 hash for the resource.
- Secure Hash Algorithm 3 : see document
- Secure Hash Algorithm Keccak : see document
- secure hash standard : see document
- The standard specifying hash algorithms that can be used to generate digests of messages. The digests are used to detect whether messages have been changed since the digests were generated.
- Secure Initialization Authenticated Code Module : see document
- Secure Inter-Domain Routing : see document
- Secure Inter-Domain Routing Working Group : see document
- Secure Kernel : see document
- Secure LDAP : see document
- Secure Memory Encryption : see document
- Secure Messaging : see document
- Secure Messaging Key Authentication (SM-AUTH) : see document
- An authentication mechanism where the secure messaging key and associated certificate are used for authentication.
- Secure Monitor Call : see document
- Secure Multi-Party Computation : see document
- Secure Multipurpose Internet Mail Extensions (S/MIME) : see document
- A set of specifications for securing electronic mail. S/MIME is based upon the widely used MIME standard and describes a protocol for adding cryptographic security services through MIME encapsulation of digitally signed and encrypted objects. The basic security services offered by S/MIME are authentication, non-repudiation of origin, message integrity, and message privacy. Optional security services include signed receipts, security labels, secure mailing lists, and an extended method of identifying the signer’s certificate(s).
- A protocol defined in IETF RFCs 3850 through 3852 and 2634 for encrypting messages and creating certificates using public key cryptography. S/MIME is supported by default installations of many popular mail clients. S/MIME uses a classic, hierarchical design based on certificate authorities for its key management, making it suitable for medium to large implementations.
- Secure Partition : see document
- Secure Partition Manager : see document
- Secure Production Identity Framework for Everyone : see document
- Secure SCADA Communications Protocol : see document
- Secure Service Container : see document
- Secure Shell : see document
- Secure Shell (network protocol) : see document
- Secure Simple Pairing : see document
- Secure Socket Tunneling Protocol : see document
- Secure Sockets Layer (SSL) : see document
- An authentication and security protocol that is widely implemented in browsers and web servers. TLS provides confidentiality, certificate-based authentication of the receiving (server) endpoint, and certificate-based authentication of the originating (client) endpoint. TLS is specified in [RFC8446] and [SP800-52].
- Provides privacy and data integrity between two communicating applications. It is designed to encapsulate other protocols, such as HTTP. TLS v1.0 was released in 1999, providing slight modifications to SSL 3.0.
- A security protocol providing privacy and data integrity between two communicating applications. The protocol is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol.
- Provides privacy and reliability between two communicating applications. It is designed to encapsulate other protocols, such as HTTP. SSL v3.0 was released in 1996. It has been succeeded by IETF's TLS.
- A protocol used for protecting private information during transmission via the Internet.
Note: SSL works by using the service public key to encrypt a secret key that is used to encrypt the data that is transferred over the SSL session. Most web browsers support SSL and many web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with “https:” instead of “http:”. The default port for SSL is 443.
- See Transport Layer Security (TLS).
- An authentication and security protocol widely implemented in browsers and web servers. TLS is defined by RFC 5246. TLS is similar to the older SSL protocol, and TLS 1.0 is effectively SSL version 3.1. NIST SP 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations, specifies how TLS is to be used in government applications.
- An authentication and security protocol widely implemented in browsers and web servers. TLS is defined by RFC 5246. TLS is similar to the older SSL protocol, and TLS 1.0 is effectively SSL version 3.1. NIST SP 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations [NIST SP 800-52], specifies how TLS is to be used in government applications.
- An authentication and security protocol widely implemented in browsers and web servers. TLS is defined by RFC 5246 and RFC 8446.
- An authentication and security protocol widely implemented in browsers and web servers. SSL has been superseded by the newer Transport Layer Security (TLS) protocol; TLS 1.0 is effectively SSL version 3.1.
- An authentication and security protocol widely implemented in browsers and web servers. TLS is defined by [RFC 2246], [RFC 3546], and [RFC 5246]. TLS is similar to the older Secure Sockets Layer (SSL) protocol, and TLS 1.0 is effectively SSL version 3.1. NIST SP 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations specifies how TLS is to be used in government applications.
- Secure Sockets Layer/Transport Layer Security : see document
- Secure Software Development Framework : see document
- secure state : see document
- Condition in which no subject can access any object in an unauthorized manner.
- Secure Telephone Unit : see document
- Secure Terminal Equipment : see document
- Secure Transport : see document
- Transfer of information using a transport layer protocol that provides security between applications communicating over an IP network.
- Secure Virtual Machine : see document
- secure web gateway : see document
- Secure World : see document
- Secure/Multipurpose Internet Mail Exchange (network protocol) : see document
- Secured Component Verification : see document
- Secured Encrypted Virtualization : see document
- Secured Encrypted Virtualization with Encrypted State : see document
- Secured Encrypted Virtualization with Secured Nested Paging : see document
- securely resilient : see document
- The ability of a system to preserve a secure state despite disruption, to include the system transitions between normal and degraded modes. Securely resilient is a primary objective of systems security engineering.
- security : see document
- A condition that results from the establishment and maintenance of protective measures that enable an organization to perform its mission or critical functions despite risks posed by threats to its use of systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the organization’s risk management approach.
- A condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the enterprise’s risk management approach.
- Protection against intentional subversion or forced failure. A composite of four attributes – confidentiality, integrity, availability, and accountability – plus aspects of a fifth, usability, all of which have the related issue of their assurance.
- Freedom from those conditions that can cause loss of assets with unacceptable consequences.
- Security is a system property. Security is much more than a set of functions and mechanisms. Information technology security is a system characteristic as well as a set of mechanisms which span the system both logically and physically.
- Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—
(A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity;
(B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
(C) availability, which means ensuring timely and reliable access to and use of information.
- A condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the enterprise’s risk management approach. Note: See also information security and cybersecurity.
- The combination of confidentiality, integrity and availability.
- The preservation of confidentiality, integrity and availability of information. NOTE: In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be relevant.
A. Integrity, property of protecting the accuracy and completeness of assets;
B. Confidentiality, property that information is not made available or disclosed to unauthorized individuals, entities, or processes;
C. Availability, property of being accessible and usable upon demand by an authorized entity.
- The state in which the integrity, confidentiality, and accessibility of information, service or network entity is assured.
- Refers to information security. Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:
A. Integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
B. Confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
C. Availability, which means ensuring timely and reliable access to and use of information.
- A condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the enterprise’s risk management approach.
- Security is a system property. Security is much more than a set of functions and mechanisms. IT security is a system characteristic as well as a set of mechanisms that span the system both logically and physically.
- Security and Privacy Profile : see document
- Security and Risk Management : see document
- security architect : see document
- Individual, group, or organization responsible for ensuring that the information security requirements necessary to protect the organization’s core missions and business processes are adequately addressed in all aspects of enterprise architecture including reference models, segment and solution architectures, and the resulting information systems supporting those missions and business processes.
- security architecture : see document
- Fundamental concepts or properties related to a system in its environment embodied in its elements, relationships, and in the principles of its design and evolution.
- A set of physical and logical security-relevant representations (i.e., views) of system architecture that conveys information about how the system is partitioned into security domains and makes use of security-relevant elements to enforce security policies within and between security domains based on how data and information must be protected.
- A set of physical and logical security-relevant representations (i.e., views) of system architecture that conveys information about how the system is partitioned into security domains and makes use of security-relevant elements to enforce security policies within and between security domains based on how data and information must be protected. Note: The security architecture reflects security domains, the placement of security-relevant elements within the security domains, the interconnections and trust relationships between the security-relevant elements, and the behavior and interaction between the security-relevant elements. The security architecture, similar to the system architecture, may be expressed at different levels of abstraction and with different scopes.
- An embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise’s security processes, information security systems, personnel and organizational sub-units, showing their alignment with the enterprise’s mission and strategic plans. See information security architecture.
- Complying with the principles that drive the system design; i.e., guidelines on the placement and implementation of specific security services within various distributed computing environments.
- A set of related physical and logical representations (i.e., views) of a system or a solution. The architecture conveys information about system/solution elements, interconnections, relationships, and behavior at different levels of abstractions and with different scopes.
Refer to security architecture.
- A set of physical and logical security-relevant representations (i.e., views) of system architecture that conveys information about how the system is partitioned into security domains and makes use of security-relevant elements to enforce security policies within and between security domains based on how data and information must be protected.
Note: The security architecture reflects security domains, the placement of security-relevant elements within the security domains, the interconnections and trust relationships between the security-relevant elements, and the behavior and interactions between the security-relevant elements. The security architecture, similar to the system architecture, may be expressed at different levels of abstraction and with different scopes.
- security assertion markup language (SAML) : see document
- A protocol consisting of XML-based request and response message formats for exchanging security information, expressed in the form of assertions about subjects, between on-line business partners.
- A framework for exchanging authentication and authorization information. Security typically involves checking the credentials presented by a party for authentication and authorization. SAML standardizes the representation of these credentials in an XML format called assertions, enhancing the interoperability between disparate applications.
- An XML-based security specification developed by the Organization for the Advancement of Structured Information Standards (OASIS) for exchanging authentication (and authorization) information between trusted entities over the Internet. See [SAML].
- Security Assertion Markup Language Single Sign-On : see document
- security assessment : see document
- The testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
- The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization.
- The testing and/or evaluation of the management, operational, and technical security controls in a system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
- See Security Control Assessment.
- An evaluation of the security provided by a system, device or process.
- The testing and/or evaluation of the management, operational, and technical security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization.
- The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for a system or organization.
- Security Assessment and Authorization : see document
- security assessment report (SAR) : see document
- Provides a disciplined and structured approach for documenting the findings of the assessor and the recommendations for correcting any identified vulnerabilities in the security controls.
- Security Association (SA) : see document
- A relationship established between two or more entities to enable them to protect data they exchange.
- The logical set of security parameters containing elements required for authentication, key establishment, and data encryption.
- Set of values that define the features and protections applied to a connection.
- A set of values that define the features and protections applied to a connection.
- Security Association Database (SAD) : see document
- A list or table of all IPsec SAs, including those that are still being negotiated.
- Security Assurance Methodology : see document
- Security Assurance Specifications : see document
- security attribute : see document
- An abstraction representing the basic properties or characteristics of an entity with respect to safeguarding information; typically associated with internal data structures (e.g., records, buffers, files) within the information system which are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.
- An abstraction representing the basic properties or characteristics of an entity with respect to safeguarding information; typically associated with internal data structures (e.g., records, buffers, files) within the information system and used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy.
- An abstraction that represents the basic properties or characteristics of an entity with respect to safeguarding information. Typically associated with internal data structures—including records, buffers, and files within the system—and used to enable the implementation of access control and flow control policies; reflect special dissemination, handling or distribution instructions; or support other aspects of the information security policy.
- Security Audit Trail : see document
- A set of records that collectively provide documentary evidence of processing used to aid in tracing from original transactions forward to related records and reports, and/or backwards from records and reports to their component source transactions.
- Data collected and potentially used to facilitate a security audit.
- security auditor : see document
- A trusted role that is responsible for auditing the security of certification authority systems (CASs) and registration authorities (RAs), including reviewing, maintaining, and archiving audit logs and performing or overseeing internal audits of CASs and RAs.
- Security Authorization : see document
- The official management decision of the Designated Authorizing Official to permit operation of an issuer after determining that the issuer’s reliability has satisfactorily been established through appropriate assessment processes.
- The right or a permission that is granted to a system entity to access a system resource.
- The official management decision given by a senior official to authorize operation of a system or the common controls inherited by designated organizational systems and to explicitly accept the risk to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security and privacy controls. Also known as authorization to operate.
- The process that takes place after authentication is complete to determine which resources/services are available to a WiMAX device.
- The process of verifying that a requested action or service is approved for a specific entity.
- Access privileges that are granted to an entity; conveying an “official” sanction to perform a security function or activity.
- Access privileges granted to an entity; conveys an “official” sanction to perform a security function or activity.
- Access privileges granted to an entity; conveys an “official” sanction to perform a cryptographic function or other sensitive activity.
- Access privileges that are granted to an entity that convey an “official” sanction to perform a security function or activity.
- The granting or denying of access rights to a user, program, or process.
- The process of initially establishing access privileges of an individual and subsequently verifying the acceptability of a request for access.
- Security Authorization & Accreditation : see document
- security authorization (to operate) : see document
- The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.
- See authorization to operate (ATO).
- See Authorization (to operate).
- Official management decision given by a senior Federal official or officials to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security and privacy controls. Authorization also applies to common controls inherited by agency information systems.
- The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls and privacy controls.
- Security Authorization Boundary : see document
- All components of an information system to be authorized for operation by an authorizing official; excludes separately authorized systems to which the information system is connected.
- See Authorization Boundary.
- security authorization package : see document
- Documents the results of the security control assessment and provides the authorizing official with essential information needed to make a risk-based decision on whether to authorize operation of an information system or a designated set of common controls.
Contains: (i) the security plan; (ii) the security assessment report (SAR); and (iii) the plan of action and milestones (POA&M).
Note: Many departments and agencies may choose to include the risk assessment report (RAR) as part of the security authorization package. Also, many organizations use system security plan in place of the security plan.
- See security authorization package
- The essential information that an authorizing official uses to determine whether to authorize the operation of an information system or the provision of a designated set of common controls. At a minimum, the authorization package includes an executive summary, system security plan, privacy plan, security control assessment, privacy control assessment, and any relevant plans of action and milestones.
- Security Automation and Continuous Monitoring : see document
- Security Automation Domain : see document
- An information security area that includes a grouping of tools, technologies, and data.
- security banner : see document
- See security banner (also known as notice and consent banners).
- 1. A persistent visible window on a computer monitor that displays the highest level of data accessible during the current session.
- 2. The opening screen that informs users of the implications of accessing a computer resource (e.g. consent to monitor).
- Security Capability : see document
- A combination of mutually-reinforcing security controls (i.e., safeguards and countermeasures) implemented by technical means (i.e., functionality in hardware, software, and firmware), physical means (i.e., physical devices and protective measures), and procedural means (i.e., procedures performed by individuals).
- See Capability, Security.
- A set of mutually reinforcing security controls implemented by technical, physical, and procedural means. Such controls are typically selected to achieve a common information security-related purpose.
- security categorization : see document
- The process of determining the security category for information or an information system. Security categorization methodologies are described in CNSS Instruction 1253 for national security systems and in FIPS Publication 199 for other than national security systems.
- The process of determining the security category for information or an information system. Security categorization methodologies are described in CNSS Instruction 1253 for national security systems and in FIPS 199 for other than national security systems.
- The process of determining the security category for information or an information system. Security categorization methodologies are described in CNSS Instruction 1253 for national security systems and in FIPS PUB 199 for other than national security systems. See security category.
- The process of determining the security category for information or an information system. Security categorization methodologies are described in CNSSI No.1253 for national security systems and in FIPS 199 for other than national security systems.
- See security categorization.
- The process of determining the security category for information or a system. Security categorization methodologies are described in CNSS Instruction 1253 for national security systems and in FIPS Publication 199 for other than national security systems. See security category.
- The process of determining the security category for information or an information system. Security categorization methodologies are described in CNSS Instruction 1253 for national security systems and in FIPS Publication 199 for other than national security systems. See Security Category.
- The process of determining the security category for information or an information system. Security categorization methodologies are described in Committee on National Security Systems (CNSS) Instruction 1253 for national security systems and in FIPS 199 for other than national security systems.
- security category : see document
- A number associated with the security strength of a post-quantum cryptographic algorithm, as specified by NIST.
- The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, or individuals.
- The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, individuals, other organizations, and the Nation.
- The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, individuals, other organizations, or the Nation.
- The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on agency operations, agency assets, individuals, other organizations, and the Nation.
- security concept of operations (Security CONOP) : see document
- Verbal and graphic statement, in broad outline, of an organization’s assumptions or intent in regard to an operation or series of operations of new, modified, or existing organizational systems.
- See security concept of operations.
- A security-focused description of an information system, its operational policies, classes of users, interactions between the system and its users, and the system’s contribution to the operational mission.
- A security-focused description of a system, its operational policies, classes of users, interactions between the system and its users, and the system’s contribution to the operational mission.
Note 1: The security concept of operations may address security for other life cycle concepts associated with the deployed system. These include, for example, concepts for sustainment, logistics, maintenance, and training.
Note 2: Security concept of operations is not the same as concept for secure function. Concept for secure function addresses the design philosophy for the system and is intended to achieve a system that is able to be used in a trustworthy secure manner. The security concept of operations must be consistent with the concept for secure function.
- security configuration management (SecCM) : see document
- The management and control of configurations for an information system to enable security and facilitate the management of risk.
- Security Configuration Management (SecCM) : see document
- The management and control of configurations for an information system to enable security and facilitate the management of risk.
- Security Configuration Wizard : see document
- Security Content Automation Program : see document
- security content automation protocol (SCAP) : see document
- A suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans.
Note: There are six individual specifications incorporated into SCAP: CVE (common vulnerabilities and exposures); CCE (common configuration enumeration); CPE (common platform enumeration); CVSS (common vulnerability scoring system); OVAL (open vulnerability assessment language); and XCCDF (eXtensible configuration checklist description format).
- A protocol currently consisting of a suite of seven specifications that standardize the format and nomenclature by which security software communicates information about software flaws and security configurations.
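The two SCAP identifier formats named in the note above, CPE (platform names) and CVE (flaw identifiers), are what let a scanner match an advisory against an inventory by machine. The following is an added example, not code from any of the source documents: a parser for CPE 2.3 formatted strings (with backslash escapes), a CVE ID check, and a simplified CPE name-matching routine (wildcard ANY only, no NVD-style version ranges). The advisory and inventory records are constructed, and the CVE ID is a placeholder, not a real vulnerability.

```python
"""Added example: parse and match SCAP identifiers (CPE 2.3 strings, CVE IDs).
Not code from any NIST source document; all data below is constructed."""
import re

# A CPE 2.3 formatted-string binding is 'cpe:2.3:' followed by 11 attributes.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def split_cpe(s: str) -> list[str]:
    """Split on ':' while keeping backslash-escaped characters inside a field."""
    fields, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):      # escaped char stays with its field
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    fields.append("".join(cur))
    return fields


def parse_cpe(s: str) -> dict[str, str]:
    """Return the 11 attributes of a CPE 2.3 formatted string, or raise ValueError."""
    parts = split_cpe(s)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {s!r}")
    attrs = dict(zip(CPE_FIELDS, parts[2:]))
    if attrs["part"] not in ("a", "o", "h", "*", "-"):   # application, OS, hardware
        raise ValueError(f"bad part attribute: {attrs['part']!r}")
    return attrs


def is_valid_cpe(s: str) -> bool:
    try:
        parse_cpe(s)
        return True
    except ValueError:
        return False


def parse_cve(s: str) -> tuple[int, int]:
    """Return (year, sequence number) for a well-formed CVE ID, or raise ValueError."""
    m = CVE_RE.match(s)
    if not m:
        raise ValueError(f"not a CVE ID: {s!r}")
    return int(m.group(1)), int(m.group(2))


def cpe_matches(affected: dict[str, str], candidate: dict[str, str]) -> bool:
    """Simplified CPE name matching: '*' in `affected` means ANY, '-' (NA) must
    match '-', everything else is an exact case-insensitive comparison.
    Version ranges, as used by NVD configurations, are out of scope here."""
    for f in CPE_FIELDS:
        a, c = affected[f].lower(), candidate[f].lower()
        if a == "*":
            continue
        if c == "*" or a != c:      # unspecified on our side: cannot confirm a match
            return False
    return True


def find_affected(affected_cpes: list[str], inventory: list[str]) -> list[str]:
    """Inventory entries that match at least one affected CPE from an advisory."""
    affected = [parse_cpe(a) for a in affected_cpes]
    return [item for item in inventory
            if any(cpe_matches(a, parse_cpe(item)) for a in affected)]


# Constructed advisory and inventory (placeholder CVE ID and fictional vendor).
ADVISORY = {
    "id": "CVE-2099-0001",
    "affected": ["cpe:2.3:a:acme:widget:2.4.1:*:*:*:*:*:*:*"],
}
INVENTORY = [
    "cpe:2.3:a:acme:widget:2.4.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:acme:widget:2.5.0:*:*:*:*:*:*:*",
    "cpe:2.3:o:acme:widget_os:6.1:*:*:*:*:*:*:*",
]

if __name__ == "__main__":
    year, seq = parse_cve(ADVISORY["id"])
    print(f"{ADVISORY['id']} (year {year}, seq {seq}) affects:")
    for hit in find_affected(ADVISORY["affected"], INVENTORY):
        print("  ", parse_cpe(hit))
```

Escapes matter in practice: a vendor or product name containing a colon is written as `\:` in the formatted string, and a naive `str.split(":")` would shift every later attribute by one. The matcher treats an unspecified attribute on the inventory side as "cannot confirm" rather than as a match; a scanner that wants to be conservative the other way (flag unknowns) would flip that single branch.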
- Security Content Automation Protocol Validation Tool : see document
- security control : see document
- A safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements.
- The safeguards or countermeasures prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information.
- A mechanism designed to address needs as specified by a set of security requirements.
- A protective measure against threats.
- A protection measure for a system.
- A safeguard or countermeasure prescribed for an information system or an organization, which is designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements.
- The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for a system to protect the confidentiality, integrity, and availability of the system, its components, processes, and data.
- Safeguards or countermeasures prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information.
- A safeguard or countermeasure prescribed for a system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements.
- security control and privacy control : see document
- The means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of an administrative, technical, management, or legal nature.
- Purposeful action on or within a process to meet specified objectives.
- The mechanism that achieves the action.
- Measure that is modifying risk.
- See security control and privacy control.
- The means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of an administrative, technical, management, or legal nature. An attribute assigned to an asset that reflects its relative importance or necessity in achieving or contributing to the achievement of stated goals.
- See security control or privacy control.
- Measure that is modifying risk. (Note: controls include any process, policy, device, practice, or other actions which modify risk.)
- security control assessment : see document
- An evidence-based evaluation and judgement on the nature, characteristics, quality, effectiveness, intent, impact, or capabilities of an item, organization, group, policy, activity, or person.
- The action of evaluating, estimating, or judging against defined criteria. Different types of assessment (i.e., qualitative, quantitative, and semi-quantitative) are used to assess risk. Some types of assessment yield results.
- The testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
- The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization.
- The testing and/or evaluation of the management, operational, and technical security controls in a system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
- See Security Control Assessment.
- See Security Control Assessment or Privacy Control Assessment.
- See control assessment or risk assessment.
- See security control assessment or risk assessment.
- The testing and/or evaluation of the management, operational, and technical security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization.
- A completed or planned action of evaluation of an organization, a mission or business process, or one or more systems and their environments; or
- The vehicle or template or worksheet that is used for each evaluation.
- The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for a system or organization.
- security control assessor (SCA) : see document
- The individual, group, or organization responsible for conducting a security or privacy control assessment.
- The individual, group, or organization responsible for conducting a security control assessment.
- See Security Control Assessor.
- See Security Control Assessor or Privacy Control Assessor.
- The individual responsible for conducting assessment activities under the guidance and direction of a Designated Authorizing Official. The Assessor is a third party.
- The individual, group, or organization responsible for conducting a security or privacy assessment.
- See security control assessor or risk assessor.
- security control baseline : see document
- The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.
- A set of information security controls that has been established through information security strategic planning activities to address one or more specified security categorizations; this set of security controls is intended to be the initial security control set selected for a specific system once that system’s security categorization is determined.
- One of the sets of minimum security controls defined for federal information systems in NIST Special Publication 800-53 and CNSS Instruction 1253.
- The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system that provides a starting point for the tailoring process.
- The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system. See also control baseline.
- Security Control Effectiveness : see document
- The measure of correctness of implementation (i.e., how consistently the control implementation complies with the security plan) and how well the security plan meets organizational needs in accordance with current risk tolerance.
- security control enhancements : see document
- Statement of security capability to: (i) build in additional, but related, functionality to a basic security control; and/or (ii) increase the strength of a basic control.
- Statements of security capability to 1) build in additional, but related, functionality to a basic control; and/or 2) increase the strength of a basic control.
- Statements of security capability to: (i) build in additional, but related, functionality to a basic control; and/or (ii) increase the strength of a basic control.
- Augmentation of a security control to: (i) build in additional, but related, functionality to the control; (ii) increase the strength of the control; or (iii) add assurance to the control.
- security control inheritance : see document
- A situation in which an information system or application receives protection from security controls (or portions of security controls) that are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the system or application; entities either internal or external to the organization where the system or application resides. See Common Control.
- A situation in which an information system or application receives protection from security controls (or portions of security controls) that are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the system or application; entities either internal or external to the organization where the system or application resides. See common control.
- See security control inheritance.
- Security Control Item : see document
- See Security Control Item.
- All or part of a SP 800-53 security control requirement, expressed as a statement for implementation and assessment. Both controls and control enhancements are treated as control items. Controls and control enhancements are further subdivided if multiple security requirements within the control or control enhancement in SP 800-53 are in listed format: a, b, c, etc.
- Security Control Overlay Repository : see document
- security control provider : see document
- An organizational official responsible for the development, implementation, assessment, and monitoring of common controls (i.e., security controls inherited by information systems).
See common control provider.
- Security Credential Management System : see document
- security criteria : see document
- Criteria related to a supplier’s ability to conform to security-relevant laws, directives, regulations, policies, or business processes; a supplier’s ability to deliver the requested product or service in satisfaction of the stated security requirements and in conformance with secure business practices; the ability of a mechanism, system element, or system to meet its security requirements; whether movement from one life cycle stage or process to another (e.g., to accept a baseline into configuration management, to accept delivery of a product or service) is acceptable in terms of security policy; how a delivered product or service is handled, distributed, and accepted; how to perform security verification and validation; or how to store system elements securely in disposal.
- security design order of precedence : see document
- A design approach for minimizing the design basis for loss potential and using architectural features to provide structure for implementing engineered security features and devices.
- Security Development Lifecycle : see document
- security domain : see document
- A set of elements, data, resources, and functions that share a commonality in combinations of (1) roles supported, (2) rules governing their use, and (3) protection needs.
- Set of assets and resources subject to a common security policy.
- A set of systems under common administrative and access control.
- A domain that implements a security policy and is administered by a single authority.
- An environment or context that includes a set of system resources and a set of system entities that have the right to access the resources as defined by a common security policy, security model, or security architecture. See Security Domain.
- A set of subjects, their information objects, and a common security policy.
- A system or subsystem that is under the authority of a single trusted authority. Security domains may be organized (e.g., hierarchically) to form larger domains.
- An environment or context that includes a set of system resources and a set of system entities that have the right to access the resources as defined by a common security policy, security model, or security architecture.
- A domain within which behaviors, interactions, and outcomes occur and that is defined by a governing security policy.
Note: A security domain is defined by rules for users, processes, systems, and services that apply to activity within the domain and activity with similar entities in other domains.
- security engineering : see document
- An interdisciplinary approach and means to enable the realization of secure systems. It focuses on defining customer needs, security protection requirements, and required functionality early in the systems development lifecycle, documenting requirements, and then proceeding with design, synthesis, and system validation while considering the complete problem.
- An interdisciplinary approach and means to enable the realization of secure systems. It focuses on defining customer needs, security protection requirements, and required functionality early in the systems development life cycle, documenting requirements, and then proceeding with design, synthesis, and system validation while considering the complete problem.
- Security Event Management : see document
- Security Event Management Software : see document
- Software that imports security event information from multiple data sources, normalizes the data, and correlates events among the data sources.
- Security Executive Agent : see document
- Individual responsible for the development, implementation, and oversight of effective, efficient, and uniform policies and procedures that govern the conduct of investigations and adjudications for eligibility to access classified information and eligibility to hold a sensitive position in the Federal Government. In accordance with Executive Order 13467 (as amended), this individual is the Director of National Intelligence (DNI).
- Security Experts Group : see document
- security fault analysis (SFA) : see document
- An assessment, usually performed on information system hardware, to determine the security properties of a device when a hardware fault is encountered.
- Security Fault Injection Test : see document
- Involves data perturbation (i.e., alteration of the type of data the execution environment components pass to the application, or that the application’s components pass to one another). Fault injection can reveal the effects of security defects on the behavior of the components themselves and on the application as a whole.
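The perturbation the definition describes is applied between components: the harness alters the type and boundary values of the data one component hands to another and watches how the receiver behaves. As an added example, not from any source document, the block below injects such faults into a constructed record-handling component. A deliberately trusting handler (it uses a peer-supplied length field without checking it) is run beside a hardened one; the harness reports crashes and broken invariants, and the same perturbation set that exposes the first produces no findings for the second. The record format, field names and perturbation values are assumptions for the demonstration.

```python
"""Added example of a security fault-injection (data perturbation) harness.
Not code from any NIST source document; the component and records are constructed."""

MAX_LEN = 65535  # assumed protocol limit for a single record payload

# Record one component hands to the next: a declared length plus the payload.
BASE_RECORD = {"len": 16, "payload": "0123456789abcdef"}

# Perturbations per field: type changes and boundary values.
PERTURBATIONS = {
    "len": [-1, 0, 2**31, "16", None, 3.5],
    "payload": [None, 42, "", "x" * 10_000, ["a"]],
}


def naive_handler(record: dict) -> dict:
    """Trusts the peer-supplied length field (a defect kept on purpose)."""
    n = record["len"]
    data = record["payload"][:n]
    return {"accepted": True, "bytes": len(data), "declared": n}


def hardened_handler(record: dict) -> dict:
    """Validates type and bounds of every field before using it."""
    if not isinstance(record, dict):
        raise ValueError("record must be a mapping")
    n, payload = record.get("len"), record.get("payload")
    if type(n) is not int or n < 0 or n > MAX_LEN:        # rejects bool, float, str, None
        raise ValueError(f"bad length field: {n!r}")
    if not isinstance(payload, str) or len(payload) != n:
        raise ValueError("payload length does not match declared length")
    return {"accepted": True, "bytes": n, "declared": n}


def inject(handler, base: dict = BASE_RECORD) -> list[tuple[str, str, str]]:
    """Perturb one field at a time and record (field, value, problem) findings.
    A ValueError is the expected rejection; anything else that escapes, or a
    result whose byte count disagrees with the declared or actual length, is a finding."""
    findings = []
    for field, values in PERTURBATIONS.items():
        for value in values:
            record = dict(base)
            record[field] = value
            try:
                out = handler(record)
            except ValueError:
                continue                       # clean rejection: desired behaviour
            except Exception as exc:           # uncontrolled failure in the receiver
                findings.append((field, repr(value), f"crash: {type(exc).__name__}"))
                continue
            payload = record["payload"]
            actual = len(payload) if hasattr(payload, "__len__") else None
            if out["bytes"] != out["declared"] or out["bytes"] != actual:
                findings.append((field, repr(value), "invariant broken: bytes != declared/actual"))
    return findings


if __name__ == "__main__":
    for name, handler in (("naive", naive_handler), ("hardened", hardened_handler)):
        results = inject(handler)
        print(f"{name}: {len(results)} finding(s)")
        for field, value, problem in results:
            print(f"  {field}={value}: {problem}")
```

The harness does not need to know the internals of the receiver: it only needs the contract (declared length equals delivered length equals actual length) and a list of ways a peer might break the input. The crashes on `len="16"` and `payload=None` are the unhandled-exception class of defect; the silent acceptance of `len=0` or an oversized payload is the quieter class that only an explicit invariant check reveals.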
- Security Features Users Guide : see document
- Guide or manual explaining how the security mechanisms in a specific system work.
- security filter : see document
- A secure subsystem of an information system that enforces security policy on the data passing through it.
- security function : see document
- The capability provided by the system or a system element. The capability may be expressed generally as a concept or specified precisely in requirements.
- Cryptographic algorithms, together with modes of operation (if appropriate); for example, block cipher algorithms, digital signature algorithms, asymmetric key-establishment algorithms, message authentication codes, hash functions, or random bit generators. See FIPS 140.
- Cryptographic algorithms, together with modes of operation (if appropriate); for example, block ciphers, digital signature algorithms, asymmetric key-establishment algorithms, message authentication codes, hash functions, or random bit generators. See FIPS 140.
- Cryptographic algorithms, together with modes of operation (if appropriate); for example, block ciphers, digital signature algorithms, asymmetric key-establishment algorithms, message authentication codes, hash functions, or random bit generators; see FIPS 140.
- security functionality : see document
- The security-related features, functions, mechanisms, services, procedures, and architectures implemented within organizational information systems or the environments in which those systems operate.
- The security-related features, functions, mechanisms, services, procedures, and architectures implemented within organizational systems or the environments in which those systems operate.
- security functions : see document
- The hardware, software, or firmware of the system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based.
- The hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based.
- Security Gateway : see document
- Security Group Tag : see document
- security impact analysis : see document
- The analysis conducted by an organizational official to determine the extent to which changes to the information system have affected the security state of the system.
- The analysis conducted by an organizational official to determine the extent to which a change to the information system has affected the security state of the system.
- The analysis conducted by an organizational official to determine the extent to which a change to the information system has or may have affected the security posture of the system.
- The analysis conducted by an agency official, often during the continuous monitoring phase of the security certification and accreditation process, to determine the extent to which changes to the information system have affected the security posture of the system.
- The analysis conducted by qualified staff within an organization to determine the extent to which changes to the system affect the security posture of the system.
- security incident : see document
- An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
- An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
- An occurrence that results in actual or potential jeopardy to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. See cyber incident. See also event, security-relevant, and intrusion.
- A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.
- An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.
- An occurrence that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
- An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of a system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
- Anomalous or unexpected event, set of events, condition, or situation at any time during the life cycle of a project, product, service, or system.
- Security Incident and Event Management : see document
- Security Incident Event Monitoring : see document
- Security Industry Association : see document
- security information : see document
- Information within the system that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data.
- Security Information and Event Management : see document
- A program that provides centralized logging capabilities for a variety of log types.
- Security Information and Event Management (SIEM) Tool : see document
- Application that provides the ability to gather security data from information system components and present that data as actionable information via a single interface.
- Security Information Management : see document
- security inspection : see document
- Examination of an information system to determine compliance with security policy, procedures, and practices.
- security kernel : see document
- Hardware, firmware, and software elements of a trusted computing base implementing the reference monitor concept. Security kernel must mediate all accesses, be protected from modification, and be verifiable as correct.
- security label : see document
- The means used to associate a set of security attributes with a specific information object as part of the data structure for that object.
- Explicit or implicit marking of a data structure or output media associated with an information system representing the FIPS 199 security category, or distribution limitations or handling caveats of the information contained therein.
- Information that either identifies an associated parameter or provides information regarding the parameter’s proper protection and use.
- Security life of data : see document
- The time period during which the security of the data needs to be protected (e.g., its confidentiality, integrity or availability).
- Security Management Dashboard : see document
- A tool that consolidates and communicates information relevant to the organizational security posture in near real-time to security management stakeholders.
- security marking : see document
- The means used to associate a set of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies.
- The means used to associate a set of security attributes with objects in a human-readable form in order to enable organizational, process-based enforcement of information security policies.
- Security Measure : see document
- security mechanism : see document
- A process or system that is used to produce a particular result.
- The fundamental processes involved in or responsible for an action, reaction, or other natural phenomenon.
- A natural or established process by which something takes place or is brought about.
- A device or method for achieving a security-relevant purpose.
- A device or function designed to provide one or more security services usually rated in terms of strength of service and assurance of the design.
- A process or system that is used to produce a particular result.
The fundamental processes involved in or responsible for an action, reaction, or other natural phenomenon.
A natural or established process by which something takes place or is brought about.
Refer to security mechanism.
Note: A mechanism can be technology- or nontechnology-based (e.g., apparatus, device, instrument, procedure, process, system, operation, method, technique, means, or medium).
- A method, tool, or procedure that is the realization of security requirements.
Note 1: A security mechanism exists in machine, technology, human, and physical forms.
Note 2: A security mechanism reflects security and trust principles.
Note 3: A security mechanism may enforce security policy and therefore must have capabilities consistent with the intent of the security policy.
- A process or system that is used to produce a particular result.
The fundamental processes involved in or responsible for an action, reaction, or other natural phenomenon.
A natural or established process by which something takes place or is brought about.
Refer to security mechanism.
Note: A mechanism can be technology- or nontechnology-based (e.g., apparatus, device, instrument, procedure, process, system, operation, method, technique, means, or medium).
- Security Mode Command : see document
- Security Object : see document
- security objective : see document
- Confidentiality, integrity, or availability.
- Security Operations Center : see document
- Security Orchestration Automated Response : see document
- security orchestration, automation, and response : see document
- Security Parameters Index (SPI) : see document
- Arbitrarily chosen value that acts as a unique identifier for an IPsec connection.
- An arbitrarily chosen value that acts as a unique identifier for an IPsec connection.
- security perimeter : see document
- Identifies the information resources covered by an accreditation decision, as distinguished from separately accredited information resources that are interconnected or with which information is exchanged via messaging.
- For the purposes of identifying the Protection Level for confidentiality of a system to be accredited, the system has a conceptual boundary that extends to all intended users of the system, both directly and indirectly connected, who receive output from the system.
- All components of an information system to be accredited by an authorizing official and excludes separately accredited systems, to which the information system is connected. Synonymous with the term security perimeter defined in CNSS Instruction 4009 and DCID 6/3.
- All components of an information system to be accredited by an authorizing official and excludes separately accredited systems to which the information system is connected. Synonymous with the term security perimeter defined in CNSS Instruction 4009 and DCID 6/3.
- A physical or logical boundary that is defined for a system, domain, or enclave; within which a particular security policy or security architecture is applied.
- See Accreditation Boundary.
- Security Policy Database (SPD) : see document
- A prioritized list of all IPsec policies.
- security policy filter : see document
- A hardware and/or software component that performs one or more of the following functions: (i) content verification to ensure the data type of the submitted content; (ii) content inspection, analyzing the submitted content to verify it complies with a defined policy (e.g., allowed vs. disallowed file constructs and content portions); (iii) malicious content checker that evaluates the content for malicious code; (iv) suspicious activity checker that evaluates or executes the content in a safe manner, such as in a sandbox/detonation chamber and monitors for suspicious activity; or (v) content sanitization, cleansing, and transformation, which modifies the submitted content to comply with a defined policy.
- A hardware and/or software component that performs one or more of the following functions: content verification to ensure the data type of the submitted content; content inspection to analyze the submitted content and verify that it complies with a defined policy; malicious content checker that evaluates the content for malicious code; suspicious activity checker that evaluates or executes the content in a safe manner, such as in a sandbox or detonation chamber, and monitors for suspicious activity; or content sanitization, cleansing, and transformation, which modifies the submitted content to comply with a defined policy.
- Security Policy Templates : see document
- security posture : see document
- The security status of an enterprise’s networks, information, and systems based on information security resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes.
- The security status of an organization’s networks, information, and systems based on IA resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the organization and to react as the situation changes.
- The security status of an enterprise’s networks, information, and systems based on information security resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes. Synonymous with security status.
- The security status of an enterprise’s networks, information, and systems based on information assurance (IA) resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes.
- The security status of an enterprise’s networks, information, and systems based on information assurance resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes. Synonymous with security status.
- The security status of an enterprise’s networks, information, and systems based on information assurance resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes.
- security program plan : see document
- Formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management security controls and common security controls in place or planned for meeting those requirements.
- Security properties : see document
- The security features (e.g., replay protection, or key confirmation) that a cryptographic scheme may, or may not, provide.
- The security features (e.g., entity authentication, replay protection, or key confirmation) that a cryptographic scheme may, or may not, provide.
- security protocol : see document
- An abstract or concrete protocol that performs security-related functions.
- Security Protocol and Data Model : see document
- security range : see document
- Highest and lowest security levels that are permitted in or on an information system, system component, subsystem, or network.
See system high and system low.
- Security Reference Architecture : see document
- security relevance : see document
- The functions or constraints that are relied upon to directly or indirectly meet protection needs.
- The term used to describe those functions or mechanisms that are relied upon, directly or indirectly, to enforce a security policy that governs confidentiality, integrity, and availability protections.
- Functions or mechanisms that are relied upon, directly or indirectly, to enforce a security policy that governs confidentiality, integrity, and availability protections.
- security requirement : see document
- A requirement levied on an information system or an organization that is derived from applicable laws, executive orders, directives, regulations, policies, standards, procedures, or mission/business needs to ensure the confidentiality, integrity, and availability of information that is being processed, stored, or transmitted.
- A requirement that has security relevance.
- A requirement levied on a system or an organization that is derived from applicable laws, Executive Orders, directives, regulations, policies, standards, procedures, or mission/business needs to ensure the confidentiality, integrity, and availability of information that is being processed, stored, or transmitted.
- Requirements levied on an information system that are derived from applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures, or organizational mission/business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.
- Requirements levied on an information system that are derived from applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, procedures, or organizational mission/business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.
- A requirement levied on an information system or an organization that is derived from applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, procedures, and/or mission/business needs to ensure the confidentiality, integrity, and availability of information that is being processed, stored, or transmitted.
Note: Security requirements can be used in a variety of contexts from high-level policy-related activities to low-level implementation-related activities in system development and engineering disciplines.
- A requirement that specifies the functional, assurance, and strength characteristics for a mechanism, system, or system element.
- A requirement levied on an information system or an organization that is derived from applicable laws, executive orders, directives, policies, standards, instructions, regulations, procedures, and/or mission/business needs to ensure the confidentiality, integrity, and availability of information that is being processed, stored, or transmitted. Note: Security requirements can be used in a variety of contexts from high-level policy activities to low-level implementation activities in system development and engineering disciplines.
- A requirement levied on an information system or an organization that is derived from applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, procedures, and/or mission/business needs to ensure the confidentiality, integrity, and availability of information that is being processed, stored, or transmitted.
Note: Security requirements can be used in a variety of contexts from high-level policy-related activities to low-level implementation-related activities in system development and engineering disciplines.
- Requirements levied on an information system that are derived from laws, executive orders, directives, policies, instructions, regulations, or organizational (mission) needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.
- security requirements baseline : see document
- Description of the minimum requirements necessary for an information system to maintain an acceptable level of risk.
- security requirements guide (SRG) : see document
- Compilation of control correlation identifiers (CCIs) grouped in more applicable, specific technology areas at various levels of technology and product specificity. Contains all requirements that have been flagged as applicable from the parent level, regardless of whether they are selected on a Department of Defense (DoD) baseline.
- security requirements traceability matrix (SRTM) : see document
- Matrix documenting the system’s agreed upon security requirements derived from all sources, the security features’ implementation details and schedule, and the resources required for assessment.
- security risk : see document
- The effect of uncertainty on objectives pertaining to asset loss and the associated consequences.
- The level of impact on agency operations (including mission functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
- Security Risk Assessment : see document
- security safeguards : see document
- Protective measures and controls prescribed to meet the security requirements specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices.
- security service : see document
- A security capability or function provided by an entity.
- A capability that supports one, or more, of the security requirements (Confidentiality, Integrity, Availability). Examples of security services are key management, access control, and authentication.
- A capability that supports one, or many, of the security goals. Examples of security services are key management, access control, and authentication.
- A processing or communication service that is provided by a system to give a specific kind of protection to resources, where said resources may reside with said system or reside with other systems, for example, an authentication service or a PKI-based document attribution and authentication service. A security service is a superset of AAA services. Security services typically implement portions of security policies and are implemented via security mechanisms.
- Mechanisms used to provide confidentiality, data integrity, authentication or non-repudiation of information.
- Mechanisms used to provide confidentiality, integrity authentication, source authentication and/or support non-repudiation of information.
- Mechanisms used to provide confidentiality, identity authentication, integrity authentication, source authentication, and/or support the non-repudiation of information.
- A security capability or function provided by an entity that supports one or more security objectives.
- A security capability or function provided by an entity.
- security solution : see document
- The key design, architectural, and implementation choices made by organizations to satisfy specified security requirements for systems or system components.
- The key design, architectural, and implementation choices made by organizations in satisfying specified security requirements for systems or system components.
- security specification : see document
- An assessment object that includes document-based artifacts (e.g., policies, procedures, plans, system security requirements, functional specifications, architectural designs) associated with a system.
- The requirements for the security-relevant portion of the system.
- An information item that identifies, in a complete, precise, verifiable manner, the requirements, design, behavior, or other expected characteristics of a system, service, or process.
- A document that specifies, in a complete, precise, verifiable manner, the requirements, design, behavior, or other characteristics of a system or component and often the procedures for determining whether these provisions have been satisfied. See specification requirement.
- A document that specifies, in a complete, precise, verifiable manner, the requirements, design, behavior, or other characteristics of a system or component and often the procedures for determining whether these provisions have been satisfied.
Refer to security specification.
- The requirements for the security-relevant portion of the system.
Note: The security specification may be provided as a separate document or may be captured with a broader specification.
- The requirements for the security-relevant portion of the system.
Note: The security specification may be provided as a separate document or may be captured with a broader specification.
- A document that specifies, in a complete, precise, verifiable manner, the requirements, design, behavior, or other characteristics of a system or component and often the procedures for determining whether these provisions have been satisfied.
Refer to security specification.
- Security Status : see document
- The security status of an enterprise’s networks, information, and systems based on information security resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes.
- The security status of an organization’s networks, information, and systems based on IA resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the organization and to react as the situation changes.
- The security status of an enterprise’s networks, information, and systems based on information assurance resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes.
- security strength : see document
- A number associated with the amount of work (i.e., the number of operations) that is required to break a cryptographic algorithm or system. In this Recommendation, the security strength is specified in bits and is a specific value from the set {80, 112, 128, 192, 256}. Note that a security strength of 80 bits is no longer considered sufficiently secure.
- A number associated with the amount of work (that is, the number of operations) that is required to break a cryptographic algorithm or system. In this Recommendation, the security strength is specified in bits and is a specific value from the set {80, 112, 128, 192, 256}. Note that a security strength of 80 bits is no longer considered sufficiently secure.
- A number associated with the amount of work (that is, the number of operations) that is required to break a cryptographic algorithm or system. If 2<sup>N</sup> execution operations of the algorithm (or system) are required to break the cryptographic algorithm, then the security strength is N bits.
- A number associated with the amount of work (that is, the number of operations) that is required to break a cryptographic algorithm or system. In this Recommendation, the security strength is specified in bits and is a specific value from the set {80, 112, 128, 192, 256}.
- A number associated with the amount of work (e.g., the number of operations) that is required to break a cryptographic algorithm or system.
- A measure of the computational complexity associated with recovering certain secret and/or security-critical information concerning a given cryptographic algorithm from known data (e.g. plaintext/ciphertext pairs for a given encryption algorithm). In this Recommendation, the security strength of a key derivation function is measured by the work required to distinguish the output of the KDF from a bit string selected uniformly at random from the set of all bit strings with the same length as the output of the KDF, under the assumption that the key derivation key is the only unknown input to the KDF.
- A number associated with the amount of work (that is, the number of basic operations of some sort) required to break a cryptographic algorithm or system. Security strength is often expressed in bits. If the security strength is <i>S</i> bits, then it is expected that (roughly) 2<i><sup>S</sup></i> basic operations are required to break the algorithm or system.
- A number associated with the expected amount of work (that is, the base 2 logarithm of the number of operations) to cryptanalyze a cryptographic algorithm or system.
- A number associated with the amount of work (i.e., the number of operations) that is required to break a cryptographic algorithm or system.
- A number associated with the amount of work (that is, the number of operations of some sort) that is required to break a cryptographic algorithm or system in some way. In this Recommendation, the security strength is specified in bits and is a specific value from the set {112, 128, 192, 256}. If the security strength associated with an algorithm or system is <i>S</i> bits, then it is expected that (roughly) 2<i><sup>S</sup></i> basic operations are required to break it.
- A number associated with the amount of work (that is, the number of operations) that is required to break a cryptographic algorithm or system.
- A number characterizing the amount of work that is expected to suffice to "break" the security definition of a given cryptographic algorithm.
- A number characterizing the amount of work that is expected to suffice to “defeat” an implemented cryptographic mechanism (e.g., by compromising its functionality and/or circumventing the protection that its use was intended to facilitate). In this Recommendation, security strength is measured in bits. If the security strength of a particular implementation of a cryptographic mechanism is <i>s</i> bits, it is expected that the equivalent of (roughly) 2<i><sup>s</sup></i> basic operations of some sort will be sufficient to defeat it in some way.
- A number associated with the amount of work (that is, the number of operations) that is required to break a cryptographic algorithm or system. In this policy, security strength is specified in bits and is a specific value from the set {80, 112, 128, 192, 256}.
- security target : see document
- An implementation-dependent statement of security needs for a specific identified target of evaluation (TOE).
- security technical implementation guide (STIG) : see document
- Based on Department of Defense (DoD) policy and security controls. Implementation guide geared to a specific product and version. Contains all requirements that have been flagged as applicable for the product which have been selected on a DoD baseline.
- Security Technical Implementation Guideline : see document
- security test and evaluation (ST&E) : see document
- Examination and analysis of the safeguards required to protect an information system, as they have been applied in an operational environment, to determine the security posture of that system.
- Security testing : see document
- Testing that attempts to verify that an implementation protects data and maintains functionality as intended.
- Security Testing, Validation, and Measurement Group : see document
- Security Token Service : see document
- Security Tool Distribution : see document
- Security/System Requirements Review : see document
- Security-focused Configuration Management : see document
- Security-Oriented Code Review : see document
- A code review, or audit, investigates the coding practices used in the application. The main objective of such reviews is to discover security defects and potentially identify solutions.
- security-relevant change : see document
- Any change to a system’s configuration, environment, information content, functionality, or users which has the potential to change the risk imposed upon its continued operations.
- security-relevant information : see document
- Information within the system that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data.
- Any information within the information system that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data.
- SED : see document
- Seed : see document
- A bit string used as input to a pseudorandom process.
- The input to a pseudorandom number generator. Different seeds generate different pseudorandom sequences.
- A string of bits that is used to initialize a DRBG. Also just called a Seed.
- A secret value that is used to initialize a process (e.g., a DRBG). Also see RBG seed.
- Noun : A string of bits that is used as input to a DRBG mechanism. The seed will determine a portion of the internal state of the DRBG, and its entropy must be sufficient to support the security strength of the DRBG. Verb : To acquire bits with sufficient entropy for the desired security strength. These bits will be used as input to a DRBG mechanism to determine a portion of the initial internal state. Also see reseed.
- A string of bits that is used to initialize a DRBG. Also called a Seed.
- A secret value that is used to initialize a process (e.g., a deterministic random bit generator). Also see RNG seed.
- seed key : see document
- Initial key used to start an updating or key generation process.
- Seed Period : see document
- The period of time between instantiating or reseeding a DRBG with one seed and reseeding that DRBG with another seed.
- Seedlife : see document
- The length of the seed period.
- SEG : see document
- segment : see document
- In the CFB mode, a sequence of bits whose length is a parameter that does not exceed the block size.
- Segregated Witness : see document
- SegWit : see document
- SEHOP : see document
- SEI : see document
- SEL : see document
- selection operation : see document
- See assignment operation and organization-defined parameter.
- A control parameter that allows an organization to select a value from a list of predefined values provided as part of the control or control enhancement (e.g., selecting to either restrict an action or prohibit an action).
- See assignment operation and organization-defined control parameter.
- selection statement : see document
- A control parameter that allows an organization to select a value from a list of pre-defined values provided as part of the control or control enhancement (e.g., selecting to either restrict an action or prohibit an action). See assignment and organization-defined control parameter.
- Self testing : see document
- Testing within a system, device or process during normal operation to detect misbehavior.
- Self-Contained Breathing Apparatus : see document
- Self-dual Key : see document
- A key with the property that when you encrypt twice with this key, the result is the initial input.
- self-encrypting devices / self-encrypting drives (SED) : see document
- Data storage device with built-in cryptographic processing that may be utilized to encrypt and decrypt the stored data, occurring within the device and without dependence on a connected information system.
- self-protection : see document
- The protection provided by an entity to ensure its own correct behavior and function despite adversity.
- Self-Service Module : see document
- Self-signed certificate : see document
- A public-key certificate whose digital signature may be verified by the public key contained within the certificate. The signature on a self-signed certificate protects the integrity of the data, but does not guarantee the authenticity of the information. The trust of self-signed certificates is based on the secure procedures used to distribute them.
- A public-key certificate whose digital signature may be verified by the public key contained within the certificate. The signature on a self-signed certificate protects the integrity of the information within the certificate but does not guarantee the authenticity of that information. The trust of self-signed certificates is based on the secure procedures used to distribute them.
- A public-key certificate whose digital signature may be verified by the public key contained within the certificate. The signature on a self-signed certificate protects the integrity of the data, but does not guarantee the authenticity of the information. The trust of self-signed certificates is based on the secure procedures used to distribute them.
- self-supervised learning : see document
- A type of machine learning that relies on generating implicit labels from unstructured data rather than relying on explicit, human-created labels. Self-supervised learning tasks are constructed to allow the true labels to be automatically inferred from the training data (enabling the use of large-scale training data) and to require models to capture essential features or relationships within the data to solve them. For example, a common self-supervised learning task is providing a model with partial data with the task to accurately generate the remainder.
- SEM : see document
- Semantic matching : see document
- Uses contextual attributes of the digital object to interpret the artifact in a manner that more closely corresponds with human perceptual categories. For example, perceptual hashes allow the matching of visually similar images and are unconcerned with the low-level details of how the images are persistently stored. Semantic methods tend to provide the most specific results but also tend to be the most computationally expensive ones.
- Semantic Web Services Architecture : see document
- Semantics : see document
- The intended meaning of acceptable sentences of a language.
- Semantics of a language : see document
- The meanings of all the language's acceptable sentences.
- Semi-Active Tag : see document
- A tag that uses a battery to communicate but remains dormant until a reader sends an energizing signal. Semi-active tags have a longer range than passive tags and a longer battery life than active tags.
- semiblock : see document
- Given a block cipher, a bit string whose length is half of the block size.
- semiblock string : see document
- For a given block size, a string that can be represented as the concatenation of semiblocks.
- Semiconductor Manufacturing Cybersecurity Consortium : see document
- Semi-Free-Start : see document
- Semi-Passive Tag : see document
- A passive tag that uses a battery to power on-board circuitry or sensors but not to produce back channel signals.
- Semi-Qualitative Risk Analysis : see document
- A method for risk analysis with qualitative categories assigned numeric values to allow for the calculation of numeric results.
- Semi-Quantitative Assessment : see document
- The use of a set of methods, principles, or rules for assessing risk based on bins, scales, or representative numbers whose values and meanings are not maintained in other contexts.
- Use of a set of methods, principles, or rules for assessing risk based on bins, scales, or representative numbers whose values and meanings are not maintained in other contexts.
- semi-supervised learning : see document
- A type of machine learning in which a small number of training samples are labeled, while the majority are unlabeled.
- Sender : see document
- The party that sends secret keying material to the receiver in a key-transport transaction. Contrast with receiver.
- The party that sends secret keying material to the receiver using a key-transport transaction. Contrast with receiver.
- Sender Policy Framework : see document
- senior accountable official for risk management : see document
- The senior official, designated by the head of each agency, who has vision into all areas of the organization and is responsible for alignment of information security management processes with strategic, operational, and budgetary planning processes.
- senior agency information security officer (SAISO) : see document
- Official responsible for carrying out the Chief Information Officer responsibilities under FISMA and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners, and information system security officers.
- See Senior Agency Information Security Officer.
- Official responsible for carrying out the Chief Information Officer responsibilities under the Federal Information Security Management Act (FISMA) and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners, and information systems security officers.
[Note 1: With respect to SecCM, a Senior Agency Information Security Officer is an individual that provides organization-wide procedures and/or templates for SecCM, manages or participates in the Configuration Control Board, and/or provides technical staff for security impact analyses.
Note 2: Organizations subordinate to federal agencies may use the term Senior Information Security Officer or Chief Information Security Officer to denote individuals filling positions with similar responsibilities to Senior Agency Information Security Officers.]
- See senior agency information security officer (SAISO).
- Official responsible for carrying out the Chief Information Officer responsibilities under FISMA and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners, and information system security officers.
[Note: Organizations subordinate to federal agencies may use the term Senior Information Security Officer or Chief Information Security Officer to denote individuals filling positions with similar responsibilities to Senior Agency Information Security Officers.]
- Official responsible for carrying out the Chief Information Officer responsibilities under FISMA and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners, and information system security officers.
Note: Organizations subordinate to federal agencies may use the term Senior Information Security Officer or Chief Information Security Officer to denote individuals filling positions with similar responsibilities to Senior Agency Information Security Officers.
- Official responsible for carrying out the chief information officer (CIO) responsibilities under the Federal Information Security Management Act (FISMA) and serving as the CIO’s primary liaison to the agency’s authorizing officials, information system owners, and information systems security officers.
Note: Also known as senior information security officer (SISO) or chief information security officer (CISO).
- Official responsible for carrying out the Chief Information Officer responsibilities under the Federal Information Security Modernization Act (FISMA) and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners, and information system security officers.
Note 1: With respect to SecCM, a Senior Agency Information Security Officer is an individual that provides organization-wide procedures and/or templates for SecCM, manages or participates in the Configuration Control Board, and/or provides technical staff for security impact analyses.
Note 2: Organizations subordinate to federal agencies may use the term Senior Agency Information Security Officer or Chief Information Security Officer to denote individuals filling positions with similar responsibilities to Senior Agency Information Security Officers.
- Official responsible for carrying out the chief information officer (CIO) responsibilities under the Federal Information Security Management Act (FISMA) and who serves as the CIO’s primary liaison to the agency’s authorizing officials, information system owners, and information systems security officers. Note: Also known as senior information security officer (SISO) or chief information security officer (CISO).
- Official responsible for carrying out the Chief Information Officer responsibilities under FISMA and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners, and information system security officers. Note: Organizations subordinate to federal agencies may use the term senior information security officer or chief information security officer to denote individuals who fill positions with similar responsibilities to senior agency information security officers.
- See Senior Agency Information Security Officer
- senior agency official for privacy : see document
- A senior official designated by the head of each agency to have agency-wide responsibilities for privacy, including the implementation of privacy protections; compliance with federal laws, regulations, and policies related to privacy; the management of privacy risks at the agency; and a central policy-making role in the agency’s development and evaluation of legislative, regulatory, and other policy proposals.
- The senior official designated by the head of each agency who has agency-wide responsibility for privacy, including implementing privacy protections; ensuring compliance with federal laws, regulations, and policies related to privacy; managing privacy risks at the agency; and filling a central policy-making role in the agency’s development and evaluation of legislative, regulatory, and other policy proposals.
- Person responsible for ensuring that an agency complies with privacy requirements, manages privacy risks, and considers the privacy impacts of all agency actions and policies that involve personal information.
- See Senior Agency Official for Privacy.
- The senior organizational official with overall organization-wide responsibility for information privacy issues.
- The senior official, designated by the head of each agency, who has agency-wide responsibility for privacy, including implementation of privacy protections; compliance with Federal laws, regulations, and policies relating to privacy; management of privacy risks at the agency; and a central policy-making role in the agency’s development and evaluation of legislative, regulatory, and other policy proposals.
- Senior official, designated by the head of each agency, who has agency-wide responsibility for privacy, including implementation of privacy protections; compliance with Federal laws, regulations, and policies relating to privacy; management of privacy risks at the agency; and a central policy-making role in the agency’s development and evaluation of legislative, regulatory, and other policy proposals.
- The senior official, designated by the head of each agency, who has agency-wide responsibility for privacy, including implementation of privacy protections; compliance with Federal laws, regulations, and policies relating to privacy; management of privacy risks at the agency; and a central policy-making role in the agency’s development and evaluation of legislative, regulatory, and other policy proposals.
- Senior Information Assurance Officer : see document
- senior information security officer (SISO) : see document
- Official responsible for carrying out the Chief Information Officer responsibilities under FISMA and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners, and information system security officers.
- Official responsible for carrying out the Chief Information Officer responsibilities under the Federal Information Security Management Act (FISMA) and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners, and information systems security officers.
[Note 1: With respect to SecCM, a Senior Agency Information Security Officer is an individual that provides organization-wide procedures and/or templates for SecCM, manages or participates in the Configuration Control Board, and/or provides technical staff for security impact analyses.
Note 2: Organizations subordinate to federal agencies may use the term Senior Information Security Officer or Chief Information Security Officer to denote individuals filling positions with similar responsibilities to Senior Agency Information Security Officers.]
- Official responsible for carrying out the Chief Information Officer responsibilities under the Federal Information Security Management Act (FISMA) and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners, and information system security officers.
[Note: Organizations subordinate to federal agencies may use the term Senior Information Security Officer or Chief Information Security Officer to denote individuals filling positions with similar responsibilities to Senior Agency Information Security Officers.]
- See senior agency information security officer (SAISO).
- See Senior Agency Information Security Officer.
- Official responsible for carrying out the Chief Information Officer responsibilities under FISMA and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners, and information system security officers.
[Note: Organizations subordinate to federal agencies may use the term Senior Information Security Officer or Chief Information Security Officer to denote individuals filling positions with similar responsibilities to Senior Agency Information Security Officers.]
- Official responsible for carrying out the Chief Information Officer responsibilities under FISMA and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners, and information system security officers.
Note: Organizations subordinate to federal agencies may use the term Senior Information Security Officer or Chief Information Security Officer to denote individuals filling positions with similar responsibilities to Senior Agency Information Security Officers.
- Official responsible for carrying out the chief information officer (CIO) responsibilities under the Federal Information Security Management Act (FISMA) and serving as the CIO’s primary liaison to the agency’s authorizing officials, information system owners, and information systems security officers.
Note: Also known as senior information security officer (SISO) or chief information security officer (CISO).
- Official responsible for carrying out the Chief Information Officer responsibilities under the Federal Information Security Modernization Act (FISMA) and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners, and information system security officers.
Note 1: With respect to SecCM, a Senior Agency Information Security Officer is an individual that provides organization-wide procedures and/or templates for SecCM, manages or participates in the Configuration Control Board, and/or provides technical staff for security impact analyses.
Note 2: Organizations subordinate to federal agencies may use the term Senior Agency Information Security Officer or Chief Information Security Officer to denote individuals filling positions with similar responsibilities to Senior Agency Information Security Officers.
- See Senior Agency Information Security Officer (SAISO)
- Sensing Capability : see document
- The ability to provide an observation of an aspect of the physical world in the form of measurement data.
- Sensitive : see document
- A descriptor of information whose loss, misuse, or unauthorized access or modification could adversely affect security.
- Sensitive But Unclassified : see document
- sensitive compartmented information (SCI) : see document
- Classified information concerning or derived from intelligence sources, methods, or analytical processes, which is required to be handled within formal access control systems established by the Director of National Intelligence.
- 1. A subset of Classified National Intelligence concerning or derived from intelligence sources, methods, or analytical processes, that is required to be protected within formal access control systems established by the Director of National Intelligence.
- 2. Classified information concerning or derived from intelligence sources, methods, or analytical processes, which is required to be handled within formal access control systems established by the Director of National Intelligence.
- Sensitive Compartmented Information Facility (SCIF) : see document
- An area, room, group of rooms, buildings, or installation certified and accredited as meeting Director of National Intelligence security standards for the processing, storage, and/or discussion of sensitive compartmented information (SCI).
- sensitive information : see document
- Information where the loss, misuse, or unauthorized access or modification could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act); that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
- Information, the loss, misuse, or unauthorized access to or modification of, that could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act), but that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
- See controlled unclassified information (CUI).
Note: The term sensitive information as well as others such as For Official Use Only (FOUO) and Sensitive But Unclassified (SBU) will no longer be used upon implementation of 32 CFR 2002.
- Sensitive but unclassified information.
- Sensitive Security Parameter : see document
- sensitivity : see document
- A form of bias that results from failures in the heuristics humans use to make decisions.
- A measure of the importance assigned to information by its owner, for the purpose of denoting its need for protection.
- The degree to which an IT system or application requires protection (to ensure confidentiality, integrity, and availability), which is determined by an evaluation of the nature and criticality of the data processed, the relation of the system to the organization's missions, and the economic value of the system components.
- Used in this guideline to mean a measure of the importance assigned to information by its owner, for the purpose of denoting its need for protection.
- Sentences, formal : see document
- The entire set of sentences that can be created or recognized as being valid using the formal syntax specifications of a formal language.
- SEP : see document
- SEPA : see document
- Separation of Concerns : see document
- A design principle for breaking down an application into modules, layers, and encapsulations, the roles of which are independent of one another.
- Separation of Duty (SOD) : see document
- Refers to the principle that no user should be given enough privileges to misuse the system on their own. For example, the person authorizing a paycheck should not also be the one who can prepare them. Separation of duties can be enforced either statically (by defining conflicting roles, i.e., roles that cannot be executed by the same user) or dynamically (by enforcing the control at access time). An example of dynamic separation of duty is the two-person rule: the first user to execute a two-person operation can be any authorized user, whereas the second user can be any authorized user different from the first [R. S. Sandhu and P. Samarati, “Access Control: Principles and Practice,” IEEE Communications Magazine 32(9), September 1994, pp. 40-48]. There are various types of SOD; an important one is history-based SOD, which regulates, for example, that the same subject (role) cannot access the same object more than a variable number of times.
- A security principle that divides critical functions among different staff members in an attempt to ensure that no one individual has enough information or access privilege to perpetrate damaging fraud.
- SEPM : see document
- Sequence : see document
- An ordered set of quantities.
- An ordered list of quantities.
- Sequence Number : see document
- Sequence Read Archive : see document
- SERI : see document
- Serial Advanced Technology Attachment : see document
- Serial Attached SCSI : see document
- Serial Peripheral Interface : see document
- Serial Test : see document
- The purpose of this test is to determine whether the number of occurrences of m-bit overlapping patterns is approximately the same as would be expected for a random sequence.
- Server : see document
- A system entity that provides a service in response to requests from clients.
- A computer or device on a network that manages network resources. Examples include file servers (to store files), print servers (to manage one or more printers), network servers (to manage network traffic), and database servers (to process database queries).
- A computer or device on a network that manages network resources. Examples are file servers (to store files), print servers (to manage one or more printers), network servers (to manage network traffic), and database servers (to process database queries).
- Server Message Block : see document
- Server Name Indication : see document
- Server Platform Services Firmware : see document
- Server Routing Protocol : see document
- Server Side Includes : see document
- service : see document
- A software component participating in a service-oriented architecture that provides functionality or participates in realizing one or more capabilities.
- A set of related IT components provided in support of one or more business processes.
- Performance of activities, work, or duties.
- A capability or function provided by an entity.
- service authority : see document
- The COMSEC Service Authority is the Department/Agency (D/A) senior staff component/command level element that provides staff supervision and oversight of COMSEC operations, policies, procedures, accounting, resource management, material acquisition, and training throughout the D/A. The multitude of responsibilities inherent to the COMSEC Service Authority functions may be allocated to one or more senior staff elements, while specific oversight and execution of selected functional responsibilities may be delegated to subordinate field agencies and activities.
- Service Class Provider : see document
- Service Component Reference Model : see document
- Service Composition : see document
- Aggregation of multiple small services into larger services.
- Service Description : see document
- A set of documents that describe the interface to and semantics of a service.
- Service Discovery Protocol : see document
- Service Interface : see document
- The abstract boundary that a service exposes. It defines the types of messages and the message exchange patterns that are involved in interacting with the service, together with any conditions implied by those messages.
- service level agreement (SLA) : see document
- Defines the specific responsibilities of the service provider and sets the customer expectations.
- A service contract between an FCKMS service provider and an FCKMS service-using organization that defines the level of service to be provided, such as the time to recover from an operational failure or a system compromise.
- Represents a commitment between a service provider and one or more customers and addresses specific aspects of the service, such as responsibilities, details on the type of service, expected performance level (e.g., reliability, acceptable quality, and response times), and requirements for reporting, resolution, and termination.
- Service Mesh : see document
- Service Model Operating System : see document
- Service Organization Control : see document
- Service Principal Name : see document
- Service Processor : see document
- Service Provider : see document
- A provider of basic services or value-added services for operation of a network; generally refers to public carriers and other commercial enterprises.
- A provider of basic services or value-added services for operation of a network; generally refers to public carriers and other commercial enterprises.
- Service-Oriented Architecture (SOA) : see document
- A collection of services. These services communicate with each other. The communication can involve either simple data passing or it could involve two or more services coordinating some activity.
- A set of principles and methodologies for designing and developing software in the form of interoperable services. These services are well-defined business functions that are built as software components (i.e., discrete pieces of code and/or data structures) that can be reused for different purposes.
- Serving Gateway : see document
- Session : see document
- A persistent interaction between a subscriber and an endpoint, either an RP or a CSP. A session begins with an authentication event and ends with a session termination event. A session is bound by the use of a session secret that the subscriber’s software (e.g., browser, application, OS) can present to the RP to prove association of the session with the authentication event.
- A persistent interaction between a subscriber and an endpoint, either an RP or a CSP. A session begins with an authentication event and ends with a session termination event. A session is bound by use of a session secret that the subscriber’s software (a browser, application, or OS) can present to the RP or CSP in lieu of the subscriber’s authentication credentials.
- A persistent interaction between a subscriber and an end point, either a relying party or a Credential Service Provider. A session begins with an authentication event and ends with a session termination event. A session is bound by use of a session secret that the subscriber’s software (a browser, application, or operating system) can present to the relying party or the Credential Service Provider in lieu of the subscriber’s authentication credentials.
- Session Description Protocol : see document
- Session Initiation Protocol : see document
- set theory relationship mapping : see document
- A concept relationship style derived from the branch of mathematics known as set theory.
- An OLIR that characterizes each relationship between pairs of elements by qualifying the rationale for indicating the connection between the elements and classifying the relationship based on set theory principles.
- Setting the bar : see document
- Setting the bar means that a decision must be made as to the complexity of the material that will be developed; it applies to all three types of learning – awareness, training, and education.
- Set-User-ID : see document
- SEU : see document
- SEV : see document
- SEV-ES : see document
- SEV-SNP : see document
- SF : see document
- A characteristic of an authentication system or an authenticator that requires only one authentication factor (something you know, something you have, or something you are) for successful authentication.
- SFA : see document
- SFC : see document
- SFDS : see document
- SFP+ : see document
- SFS : see document
- SFTP : see document
- SFUG : see document
- SGCC : see document
- SGIP : see document
- SGT : see document
- S-GW : see document
- SGX : see document
- SHA : see document
- A hash algorithm with the property that it is computationally infeasible 1) to find a message that corresponds to a given message digest, or 2) to find two different messages that produce the same message digest.
- SHA-1 : see document
- A hash algorithm with the property that it is computationally infeasible 1) to find a message that corresponds to a given message digest, or 2) to find two different messages that produce the same message digest.
- The Secure Hash Algorithm defined in Federal Information Processing Standard 180-1.
- A hash function specified in FIPS 180-2, the Secure Hash Standard.
- The SHA-1 hash for the resource.
- SHA-2 : see document
- A hash algorithm with the property that it is computationally infeasible 1) to find a message that corresponds to a given message digest, or 2) to find two different messages that produce the same message digest.
- SHA-256 : see document
- A hash algorithm that can be used to generate digests of messages. The digests are used to detect whether messages have been changed since the digests were generated.
- The SHA-256 hash for the resource.
- SHA-256(M) : see document
- SHA-256 hash function as specified in [3].
- SHA-256/192(M) : see document
- T192(SHA-256(M)), the most significant (i.e., leftmost) 192 bits of the SHA-256 hash of M.
- SHA-3 : see document
- shadow model : see document
- A model that imitates the behavior of the target model. The training datasets and the truth about membership in these datasets are known for these models. Typically, the attack model is trained on the labeled inputs and outputs of the shadow model.
- Shadow Stack : see document
- A parallel hardware stack that applications can utilize to store a copy of return addresses that are checked against the normal program stack on return operations.
- SHAKE : see document
- SHAKE256/192(M) : see document
- SHAKE256(M, 192), where SHAKE256 is specified in Section 6.2 of [5]. The output length is 192 bits.
- SHAKE256/256(M) : see document
- SHAKE256(M, 256), where SHAKE256 is specified in Section 6.2 of [5]. The output length is 256 bits.
- SHAP : see document
- Shapley Additive exPlanations : see document
- Sharding : see document
- A blockchain configuration and architecture that enables the processing of transactions in parallel. The blockchain’s global state is split among multiple blockchain subnetworks coordinated by a separate hub blockchain.
- shared control : see document
- A security or privacy control that is implemented for an information system in part as a common control and in part as a system-specific control. See hybrid control.
- shared secret key : see document
- A shared secret that can be used directly as a cryptographic key in symmetric-key cryptography. It does not require additional key derivation. The shared secret key must be kept private and must be destroyed when no longer needed.
- Shared Service Provider : see document
- Shared Service Providers : see document
- Shared Situational Awareness : see document
- shielded enclosure : see document
- Room or container designed to attenuate electromagnetic radiation, acoustic signals, or emanations.
- Short Integer Solution : see document
- Short Message Service (SMS) : see document
- A cellular network facility that allows users to send and receive text messages of up to 160 alphanumeric characters on their handset.
- a mobile phone network facility that allows users to send and receive alphanumeric text messages of up to 160 characters on their cell phone or other handheld device
- Short Message Service Chat : see document
- a facility for exchanging messages between mobile phone users in real-time via SMS text messaging, which allows previous messages from the same conversation to be viewed.
- Short Term Key : see document
- short title : see document
- Identifying combination of letters and numbers assigned to certain COMSEC materials to facilitate handling, accounting, and controlling (e.g., KAM-211, KG-175). Each item of accountable COMSEC material is assigned a short title to facilitate handling, accounting and control.
- short title assignment requester (STAR) : see document
- The key management entity (KME) privileged to request assignment of a new short title and generation of key against that short title.
- Shortest Independent Vector Problem : see document
- Shortest Vector Problem : see document
- short-term stability : see document
- The stability of a time or frequency signal over a short measurement interval, usually an interval of 100 seconds or less in duration.
- Shred : see document
- A method of sanitizing media; the act of cutting or tearing into small particles.
- Shrinkage : see document
- Product loss or theft that results in declining revenue.
- SHS : see document
- SI : see document
- SIA : see document
- The analysis conducted by an organizational official to determine the extent to which changes to the information system have affected the security state of the system.
- The analysis conducted by an organizational official to determine the extent to which a change to the information system has or may have affected the security posture of the system.
- The analysis conducted by an agency official, often during the continuous monitoring phase of the security certification and accreditation process, to determine the extent to which changes to the information system have affected the security posture of the system.
- SIAO : see document
- SID : see document
- side channel : see document
- Allows an attacker to infer information about a secret by observing the nonfunctional characteristics of a program (e.g., execution time or memory) or measuring or exploiting the indirect coincidental effects of the system or its hardware (e.g., power consumption variation, electromagnetic emanations) while the program is executing. Most commonly, such attacks aim to exfiltrate sensitive information, including cryptographic keys.
- Side Channel Analysis with Reinforcement Learning : see document
- Sidechain : see document
- A blockchain with its own consensus mechanism and set of nodes that is connected to another blockchain through a two-way bridge.
- Side-Channel Attack : see document
- An attack enabled by the leakage of information from a physical cryptosystem. Characteristics that could be exploited in a side-channel attack include timing, power consumption, electromagnetic emissions, and acoustic emissions.
- An attack enabled by leakage of information from a physical cryptosystem. Characteristics that could be exploited in a side-channel attack include timing, power consumption, and electromagnetic and acoustic emissions.
- SIDH : see document
- SIDR : see document
- SIDR WG : see document
- SIEM : see document
- SIF : see document
- SIFA : see document
- SIG : see document
- SIGE(…) : see document
- A digital signature generated by the entity E using an approved hash function and an approved digital signature algorithm. The data that is signed is the information contained within the parentheses.
- Signal Processing for Space Communications Workshop : see document
- Signal Processing System : see document
- Signaling Radio Bearer : see document
- signaling rate : see document
- The signaling rate of a digital signal is defined as the reciprocal of the bit width (1/bit width). The signaling rate is used to determine the frequency range of electrical isolation.
- Signatory : see document
- The entity that generates a digital signature on data using a private key.
- The entity that generates a digital signature on data using a private key.
- signature : see document
- A recognizable, distinguishing pattern associated with an attack, such as a binary string in a virus or a particular set of keystrokes used to gain unauthorized access to a system.
- A recognizable, distinguishing pattern. See attack signature and digital signature.
- The ability to trace the origin of the data.
- A set of characteristics of known malware instances that can be used to identify known malware and some new variants of known malware.
- Signature and Verification Operations Parallelizing Manager : see document
- Signature Block Header : see document
- signature certificate : see document
- A public key certificate that contains a public key intended for verifying digital signatures rather than authenticating, encrypting data or performing any other cryptographic functions.
- A public key certificate that contains a public key intended for verifying digital signatures rather than encrypting data or performing any other cryptographic functions.
- Signature generation : see document
- The process of using a digital signature algorithm and a private key to generate a digital signature on data.
- The process of using a digital signature algorithm and a private key to generate a digital signature on data.
- The use of a digital signature algorithm and a private key to generate a digital signature on data.
- Signature ID : see document
- Signature validation : see document
- The (mathematical) verification of the digital signature and obtaining the appropriate assurances (e.g., public key validity, private key possession, etc.).
- The mathematical verification of the digital signature along with obtaining the appropriate assurances (e.g., public-key validity, private-key possession, etc.).
- The (mathematical) verification of the digital signature and obtaining the appropriate assurances (e.g., public-key validity, private-key possession, etc.).
- The (mathematical) verification of the digital signature plus obtaining the appropriate assurances (e.g., public key validity, private key possession, etc.).
- Signature verification : see document
- The process of using a digital signature algorithm and a public key to verify a digital signature on data.
- The process of using a digital signature algorithm and a public key to verify a digital signature on data.
- The use of a digital signature algorithm and a public key to verify a digital signature on data.
- The use of a digital signature and a public key to verify a digital signature on data.
- Signature-in-question : see document
- The digital signature to be verified and validated.
- Signed data : see document
- The data or message upon which a digital signature has been computed.
- The data or message upon which a digital signature has been computed. Also, see Message.
- Signed Response : see document
- Signed Zone : see document
- A zone whose RRsets are signed and which contains properly constructed DNSKEY, Resource Record Signature (RRSIG), Next Secure (NSEC), and (optionally) DS records.
- significant consequences : see document
- Loss of life, significant responsive actions against the United States, significant damage to property, serious adverse U.S. foreign policy consequences, or serious economic impact on the United States.
- significant cybersecurity or privacy responsibilities : see document
- The preferred terminology herein for identifying those whose roles in the organization necessitate ongoing role-based training. These individuals have work-related responsibilities beyond those of all users and will need to participate in both general and specialized learning program activities.
- signing key : see document
- The cryptographic key used to create a signature. In asymmetric cryptography, the signing key refers to the private key of the cryptographic key pair. In symmetric cryptography, the signing key is the symmetric key.
- SIKE : see document
- Silicon Provider : see document
- SIM : see document
- A smart card chip specialized for use in GSM equipment.
- SIMD : see document
- SIMID : see document
- Similarity : see document
- The similarity of two artifacts, as measured by a particular approximate matching algorithm, is defined as an increasing monotonic function of the number of matching features contained in their respective feature sets.
- Similarity digest : see document
- A similarity digest is a (compressed) representation of the original data object’s feature set that is suitable for comparison with other similarity digests created by the same algorithm. In most cases, the digest is much smaller than the original artifact and the original object is not recoverable from the digest.
- Similarity function : see document
- Compares two similarity digests and outputs a score. The recommended approach is to assign a score s in the 0 ≤ s ≤ 1 range, where 0 indicates no similarity and 1 indicates high similarity. This score represents a normalized estimate of the number of matching features in the feature sets corresponding to the artifacts from which the similarity digests were created.
- Simple Certificate Enrollment Protocol (SCEP) : see document
- A protocol defined in an IETF internet draft specification that is used by numerous manufacturers of network equipment and software who are developing simplified means of handling certificates for large-scale implementation to everyday users, as well as referenced in other industry standards.
- Simple Key Loader : see document
- Simple Mail Transfer Protocol (SMTP) : see document
- An MTA protocol defined by IETF RFC 2821. SMTP is the most commonly used MTA protocol.
- the primary protocol used to transfer electronic mail messages on the Internet.
- Simple Name Server : see document
- Simple Network Time Protocol : see document
- Simple Object Access Protocol : see document
- An XML-based protocol for exchanging structured information in a decentralized, distributed environment.
- Simple Power Analysis : see document
- Simple Public-Key GSS-API Mechanism : see document
- Simple Service Discovery Protocol : see document
- Simple Theorem Prover constraint solver : see document
- Simple t-way combination coverage : see document
- For a given test set for n variables, simple t-way combination coverage is the proportion of t-way combinations of n variables for which all variable-values configurations are fully covered.
- Simplified Local Internet Number Resource Management : see document
- Simulators : see document
- A functional exercise staff member who simulates or represents non-participating individuals or organizations whose input or participation is necessary to the flow of the exercise.
- Single Instruction, Multiple Data : see document
- Single Log-Out : see document
- single point keying (SPK) : see document
- Means of distributing key to multiple, local crypto equipment or devices from a single fill point.
- Single Sign-On : see document
- An authentication process by which one account and its authenticators are used to access multiple applications in a seamless manner, generally implemented with a federation protocol.
- Single-Event Upset : see document
- Singulation : see document
- A function performed by a reader to individually identify any tags in the reader’s operating range.
- SINIT ACM : see document
- SIP : see document
- SiPS : see document
- SIS : see document
- A system that is composed of sensors, logic solvers, and final control elements whose purpose is to take the process to a safe state when predetermined conditions are violated. Other terms commonly used include emergency shutdown system (ESS), safety shutdown system (SSD), and safety interlock system (SIS).
- SISO : see document
- See Senior Agency Information Security Officer.
- Site Recovery Manager : see document
- situational awareness : see document
- Perception of elements in the system and/or environment and a comprehension of their meaning, which could include a projection of the future status of perceived elements and the uncertainty associated with that status.
- Within a volume of time and space, the perception of an enterprise’s security posture and its threat environment; the comprehension/meaning of both taken together (risk); and the projection of their status into the near future.
- SIVP : see document
- Size, Weight, and Power : see document
- SK : see document
- SKCE : see document
- Skill : see document
- The capacity to perform an observable action.
- an observable competence to perform a learned psychomotor act. Skills in the psychomotor domain describe the ability to physically manipulate a tool or instrument like a hand or a hammer. Skills needed for cybersecurity rely less on physical manipulation of tools and instruments and more on applying tools, frameworks, processes, and controls that have an impact on the cybersecurity posture of an organization or individual.
- Skimming : see document
- The unauthorized use of a reader to read tags without the authorization or knowledge of tag’s owner or the individual in possession of the tag.
- SKL : see document
- SKU : see document
- SLA : see document
- Represents a commitment between a service provider and one or more customers and addresses specific aspects of the service, such as responsibilities, details on the type of service, expected performance level (e.g., reliability, acceptable quality, and response times), and requirements for reporting, resolution, and termination.
- Slack Space : see document
- The unused space in a file allocation block or memory page that may hold residual data.
- SLC : see document
- SLH-DSA : see document
- SLO : see document
- SLURM : see document
- SM : see document
- Small and Medium-size Business : see document
- Small business : see document
- Small businesses are defined differently depending on the industry sector. For this publication, the definition of a small business includes for-profit, non-profit, and similar organizations with up to 500 employees. Synonymous with “Small Enterprise or Small Organization”. See the SBA website www.sba.gov for more information.
- Small Business Administration : see document
- Small Business Innovation Research : see document
- Small Computer System Interface : see document
- A magnetic media interface specification. Small Computer System Interface.
- Small Office/Home Office : see document
- SMAP : see document
- smart card : see document
- A credit card-sized card with embedded integrated circuits that can store, process, and communicate information.
- A plastic card containing a computer chip that enables the holder to purchase goods and services, enter restricted areas, access medical, financial, or other records, or perform other operations requiring data stored on the chip.
- Smart Card Enabled Physical Access Control System : see document
- smart data : see document
- Association of authority, access requirements, retention provenance and any additional information with a data object; smart data includes data provenance and data tagging.
- Smart Electric Power Alliance : see document
- Smart Grid Cybersecurity Committee : see document
- Smart Grid Interoperability Panel : see document
- Smart Meter : see document
- A device that includes Metrology, Communications Module, and, optionally, HAN interface. These components are typically integrated into a single physical unit suitable for installation in a standard utility meter socket. Sub-components may or may not be integrated on the printed circuit boards contained within the Smart Meter.
- SMB : see document
- SMBIOS : see document
- SMBus : see document
- SMC : see document
- SME : see document
- SMEP : see document
- SMI : see document
- SMIMEA : see document
- SMI-S : see document
- SML : see document
- smLIP : see document
- SMM : see document
- SMOS : see document
- SMPC : see document
- SMS : see document
- a mobile phone network facility that allows users to send and receive alphanumeric text messages of up to 160 characters on their cell phone or other handheld device
- SMS Chat : see document
- A facility for exchanging messages in real-time using SMS text messaging that allows previously exchanged messages to be viewed.
- SMT : see document
- SMTP : see document
- the primary protocol used to transfer electronic mail messages on the Internet.
- Snapshot : see document
- A record of the state of a running image, generally captured as the differences between an image and the current state.
- SNI : see document
- sniffer : see document
- See packet sniffer and passive wiretapping.
- SNMP : see document
- SNonce : see document
- SNS : see document
- SNTP : see document
- SO : see document
- Person or organization having responsibility for the development, procurement, integration, modification, operation, and maintenance, and/or final disposition of an information system.
- Person or organization having responsibility for the development, procurement, integration, modification, operation and maintenance, and/or final disposition of an information system.
- SOA : see document
- A set of principles and methodologies for designing and developing software in the form of interoperable services. These services are well-defined business functions that are built as software components (i.e., discrete pieces of code and/or data structures) that can be reused for different purposes.
- SOAP : see document
- An XML-based protocol for exchanging structured information in a decentralized, distributed environment.
- SOAP Header : see document
- A collection of zero or more blocks of information prepended to a SOAP message, each of which might be targeted at any SOAP receiver within the message path.
- SOAP Message : see document
- The basic unit of communication between SOAP nodes.
- SOAR : see document
- SOC : see document
- SOCHE : see document
- Social Security Number : see document
- Society of Automotive Engineers : see document
- Society of Chemical Manufacturers and Affiliates : see document
- SOCKS Protocol : see document
- An Internet protocol to allow client applications to form a circuit-level gateway to a network firewall via a proxy service.
- SOCMA : see document
- SoD : see document
- Refers to the principle that no user should be given enough privileges to misuse the system on their own. For example, the person authorizing a paycheck should not also be the one who can prepare them. Separation of duties can be enforced either statically (by defining conflicting roles, i.e., roles which cannot be executed by the same user) or dynamically (by enforcing the control at access time). An example of dynamic separation of duty is the two-person rule. The first user to execute a two-person operation can be any authorized user, whereas the second user can be any authorized user different from the first [R. S. Sandhu and P. Samarati, “Access Control: Principles and Practice,” IEEE Communications Magazine 32(9), September 1994, pp. 40-48.]. There are various types of SOD; an important one is history-based SOD, which regulates, for example, that the same subject (role) cannot access the same object a variable number of times.
- SOFA-B : see document
- Soft fork : see document
- A change to a blockchain implementation that is backwards compatible. Non-updated nodes can continue to transact with updated nodes.
- software : see document
- See hardware and software.
- Computer programs and data stored in hardware – typically in read-only memory (ROM) or programmable read-only memory (PROM) – such that the programs and data cannot be dynamically written or modified during execution of the programs. See hardware and software.
- Computer programs and data stored in hardware - typically in read-only memory (ROM) or programmable read-only memory (PROM) - such that the programs and data cannot be dynamically written or modified during execution of the programs.
- Computer programs and associated data that may be dynamically written or modified during execution.
- The material physical components of a system. See software and firmware.
- The material physical components of an information system. See firmware and software.
- Computer programs (which are stored in and executed by computer hardware) and associated data (which also is stored in the hardware) that may be dynamically written or modified during execution.
- Computer programs and data stored in hardware - typically in read-only memory (ROM) or programmable read-only memory (PROM) - such that the programs and data cannot be dynamically written or modified during execution of the programs. See hardware and software.
- Computer programs and data stored in hardware—typically in read-only memory (ROM) or programmable read-only memory (PROM)—such that programs and data cannot be dynamically written or modified during execution of the programs. See hardware and software.
- All or part of the programs, procedures, rules, and associated documentation of an information processing system.
- “Computer programs and associated data that may be dynamically written or modified during the device’s execution”
- Computer programs and associated data that may be dynamically written or modified during the device’s execution (e.g., application code, libraries).
- The physical components of a system. See Software and Firmware.
- Software and Supply Chain Assurance : see document
- Software and Systems Division : see document
- Software as a Service (SaaS) : see document
- The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
- Software Asset Management : see document
- An ISCM capability that identifies unauthorized software on devices that is likely to be used by attackers as a platform from which to extend compromise of the network to be mitigated.
- See Capability, Software Asset Management.
- software assurance (SwA) : see document
- 1. The level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software throughout the lifecycle.
- 2. The planned and systematic set of activities that ensure that software life cycle processes and products conform to requirements, standards, and procedures.
- The level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions as intended by the purchaser or user.
- The level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle and that the software functions in the intended manner.
- Software Assurance Automation Protocol : see document
- Software Assurance Forum for Excellence in Code : see document
- Software Assurance Maturity Model : see document
- Software Assurance Reference Dataset : see document
- Software Bill of Materials : see document
- A formal record containing the details and supply chain relationships of various components used in building software. Software developers and vendors often create products by assembling existing open source and commercial software components. The SBOM enumerates these components in a product.
- software composition analysis : see document
- software configuration management : see document
- Software Defined Network : see document
- Software Defined Perimeter : see document
- Software Defined Wide Area Network : see document
- Software Delegated Exception Interface : see document
- Software Development Kit : see document
- Software Development Life Cycle : see document
- A formal or informal methodology for designing, creating, and maintaining software (including code built into hardware).
- Software Engineering Institute : see document
- Software Guard eXtensions : see document
- Software Identification : see document
- A SWID tag is an ISO 19770-2 compliant XML file describing a software product. It is typically digitally signed by the software manufacturer to verify its validity. Ideally, for purposes of software asset management, the SWID tag will contain the digests (digital fingerprints) of each software file installed or placed on the device with the product.
- software identification (SWID) tag : see document
- A set of structured data elements containing authoritative identification information about a software component.
- Software Inventory Message and Attributes : see document
- Software Lifecycle : see document
- Software Measures and Metrics to Reduce Security Vulnerabilities : see document
- software product and executable file version : see document
- A patch level versioning of the software product or digital fingerprint version of a software file.
- Software Restriction Policy : see document
- software supply chain : see document
- software system test and evaluation process : see document
- Process that plans, develops, and documents the qualitative/quantitative demonstration of the fulfillment of all baseline functional performance, operational, and interface requirements.
- Software-Defined Data Center : see document
- Software-Defined Networking : see document
- Software-Defined Storage : see document
- SOHO : see document
- Solid-State Drive : see document
- A Solid State Drive (SSD) is a storage device that uses solid state memory to store persistent data.
- Solution Architecture Process : see document
- Fulton Banks Solution Architecture Process is: TBD.
- SoM : see document
- SONET : see document
- SOP : see document
- SoR : see document
- A collection of records that contain information about individuals and are under the control of an agency. The records can be retrieved by the individual’s name, an identifying number, a symbol, or other identifier.
- A system of records is a group of records under the control of a Federal agency which contains a personal identifier (such as a name, date of birth, finger print, Social Security Number, and Employee Number) and one other item of personal data (such as home address, performance rating, and blood type) from which information is retrieved using a personal identifier.
- SORN : see document
- A notice that federal agencies publish in the Federal Register to describe their system of record.
- The Privacy Act requires each agency to publish a notice of its systems of records in the Federal Register. This is called a System of Record Notice (SORN).
- An official public notice of an organization’s system(s) of records, as required by the Privacy Act of 1974, that identifies: (i) the purpose for the system of records; (ii) the individuals covered by information in the system of records; (iii) the categories of records maintained about individuals; and (iv) the ways in which the information is shared.
- SoS : see document
- Source Address : see document
- Source Address Validation : see document
- Source authentication : see document
- A process that provides assurance of the source of information.
- The process of providing assurance about the source of information. Sometimes called identity authentication or origin authentication.
- The process of providing assurance about the source of information. Sometimes called origin authentication. Compare with Entity authentication.
- The process of providing assurance about the source of information; sometimes called data-origin authentication. Compare with Identity authentication.
- The process of providing assurance about the source of information. Sometimes called origin authentication. Compare with Identity authentication.
- source code control : see document
- A capability with which an attacker controls the source code of a machine learning algorithm.
- Source content : see document
- Part or all of SCAP source data streams.
- Source Name : see document
- A single WFN that a matching engine compares to a target WFN to determine whether or not there is a source-to-target match. (This is the X value in the CPE 2.2 matching algorithm.)
- Source of Randomness : see document
- A component of a DRBG (which consists of a DRBG mechanism and a randomness source) that outputs bitstrings that are used as entropy input by the DRBG mechanism. The randomness source can be an entropy source or an RBG.
- Source Restriction : see document
- A restriction configured for an authorized key that limits the IP addresses or host names from which login using the key may take place. In some SSH implementations, source restrictions can be configured by using a "from=" restriction in an authorized keys file.
- Source Value : see document
- A single value that a matching engine compares to a corresponding target value to determine whether or not there is a source-to-target match. Source values include A-V pairs or set relation values (e.g., superset or subset).
- Source-based Remotely Triggered Black-Holing : see document
- Sources Sought Notice : see document
- A synopsis posted by a government agency that states that it is seeking possible sources for a project. It is not a solicitation for work, nor is it a request for proposal.
- Southwestern Ohio Council for Higher Education : see document
- SOW : see document
- The SOW details what the developer must do in the performance of the contract. Documentation developed under the contract, for example, is specified in the SOW. Security assurance requirements, which detail many aspects of the processes the developer follows and what evidence must be provided to assure the organization that the processes have been conducted correctly and completely, may also be specified in the SOW.
- SOX : see document
- SP : see document
- Include proceedings of conferences sponsored by NIST, NIST annual reports, and other special publications appropriate to this grouping such as wall charts, pocket cards, and bibliographies.
- Microsoft’s term for a collection of patches integrated into a single large update.
- A provider of basic services or value-added services for operation of a network; generally refers to public carriers and other commercial enterprises.
- A type of publication issued by NIST. Specifically, the Special Publication 800-series reports on the Information Technology Laboratory's research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations. The 1800 series reports the results of NCCoE demonstration projects.
- A type of publication issued by NIST. Specifically, the Special Publication 800-series reports on the Information Technology Laboratory's research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations. The 1800 series reports the results of National Cybersecurity Center of Excellence demonstration projects.
- A provider of basic services or value-added services for operation of a network; generally refers to public carriers and other commercial enterprises.
- SPA : see document
- Space Policy Directive : see document
- space structures : see document
- Any human-made assets in space, including “space debris” or “space junk” that is no longer in use for any business or mission need.
- spam : see document
- Electronic junk mail or the abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages.
- Unsolicited bulk commercial email messages.
- The abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages.
- SPAN : see document
- SPARQL : see document
- SPARQL Protocol and RDF Query Language
- SPD : see document
- SPDM : see document
- spear phishing : see document
- A colloquial term that can be used to describe any highly targeted phishing attack.
- special access program : see document
- A program established for a specific class of classified information that imposes safeguarding and access requirements that exceed those normally required for information at the same classification level.
- special access program facility : see document
- A specific physical space that has been formally accredited in writing by the cognizant program security officer (PSO) that satisfies the criteria for generating, safeguarding, handling, discussing, and storing classified or unclassified program information, hardware, and materials.
- special category : see document
- Sensitive compartmented information (SCI), special access program (SAP) information, or other compartment information.
- special character : see document
- Any non-alphanumeric character that can be rendered on a standard, American-English keyboard. Use of a specific special character may be application dependent. The list of 7-bit ASCII special characters follows: ` ~ ! @ # $ % ^ & * ( ) _ + | } { " : ? > < [ ] \ ; ' , . / - =
- A non-alphanumeric character that may be defined by one or more CPE specifications to have a special meaning when it appears unquoted in a WFN. Special characters typically trigger a processor to perform a given function. The rules for escaping CPE special characters are defined in the CPE Naming specification [CPE23-N:5.3.2].
- Special Cyber Operations Research and Engineering : see document
- Special Interest Group : see document
- Specialized Security-Limited Functionality : see document
- Specialized Security-Limited Functionality (SSLF) Environment : see document
- A Custom environment that is highly restrictive and secure; it is usually reserved for systems that have the highest threats and associated impacts.
- Environment encompassing systems with specialized security requirements, in which higher security needs typically result in more limited functionality.
- Custom environment encompassing systems with specialized security requirements, in which higher security needs typically result in more limited functionality.
- Specific : see document
- The desired security strength for a digital signature.
- specification : see document
- An assessment object that includes document-based artifacts (e.g., policies, procedures, plans, system security requirements, functional specifications, architectural designs) associated with a system.
- The requirements for the security-relevant portion of the system.
- An information item that identifies, in a complete, precise, verifiable manner, the requirements, design, behavior, or other expected characteristics of a system, service, or process.
- An assessment object that includes document-based artifacts (e.g., policies, procedures, plans, system security requirements, functional specifications, and architectural designs) associated with an information system.
- An assessment object that includes document-based artifacts (e.g., policies, procedures, plans, system security requirements, functional specifications, architectural designs) associated with an information system.
- A document that specifies, in a complete, precise, verifiable manner, the requirements, design, behavior, or other characteristics of a system or component and often the procedures for determining whether these provisions have been satisfied. See specification requirement.
- A document that specifies, in a complete, precise, verifiable manner, the requirements, design, behavior, or other characteristics of a system or component and often the procedures for determining whether these provisions have been satisfied.
Refer to security specification.
- The requirements for the security-relevant portion of the system.
Note: The security specification may be provided as a separate document or may be captured with a broader specification.
- Specification Limit : see document
- A condition indicating that risk has exceeded acceptable levels and that immediate action is needed to reduce the risk, or the system/assessment object may need to be removed from production (lose authority to operate).
- See Limit, Specification.
- specification requirement : see document
- A type of requirement that provides a specification for a specific capability that implements all or part of a control and that may be assessed (i.e., as part of the verification, validation, testing, and evaluation processes).
- Specification versioning : see document
- The process of denoting a revision to a specification by changing its version number.
- SPF : see document
- SPI : see document
- Arbitrarily chosen value that acts as a unique identifier for an IPsec connection.
- SPIFFE : see document
- SPIFFE Runtime Environment : see document
- SPIFFE Verifiable Identity Document : see document
- spillage : see document
- Security incident that occurs whenever classified data is spilled either onto an unclassified information system or to an information system with a lower level of classification or different security category.
Rationale: Spillage encompasses this term.
- Security incident that results in the transfer of classified information onto an information system not authorized to store or process that information.
- SPIRE : see document
- SPK : see document
- SPKI : see document
- SPKM : see document
- SPL : see document
- split knowledge : see document
- 1. Separation of data or information into two or more parts, each part constantly kept under control of separate authorized individuals or teams so that no one individual or team will know the whole data.
- 2. A process by which a cryptographic key is split into multiple key components, individually sharing no knowledge of the original key, which can be subsequently input into, or output from, a cryptographic module by separate entities and combined to recreate the original cryptographic key.
- A process by which a cryptographic key is split into n key components, each of which provides no knowledge of the original key. The components can be subsequently combined to recreate the original cryptographic key. If knowledge of k (where k is less than or equal to n) components is required to construct the original key, then knowledge of any k – 1 key components provides no information about the original key other than, possibly, its length.
Note that in this Recommendation, split knowledge is not intended to cover key shares, such as those used in threshold or multi-party signatures.
- A process by which a cryptographic key is split into n key shares, each of which provides no knowledge of the key. The shares can be subsequently combined to create or recreate a cryptographic key or to perform independent cryptographic operations on the data to be protected using each key share. If knowledge of k (where k is less than or equal to n) shares is required to construct the key, then knowledge of any k – 1 key shares provides no information about the key other than, possibly, its length.
- A process by which a cryptographic key is split into n multiple key components, individually providing no knowledge of the original key, which can be subsequently combined to recreate the original cryptographic key. If knowledge of k (where k is less than or equal to n) components is required to construct the original key, then knowledge of any k-1 key components provides no information about the original key other than, possibly, its length. Note that in this document, split knowledge is not intended to cover key shares, such as those used in threshold or multi-party signatures.
- split tunneling : see document
- A method that routes organization-specific traffic through the SSL VPN tunnel, but routes other traffic through the remote user's default gateway.
- The process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network. This method of network access enables a user to access remote devices (e.g., a networked printer) at the same time as accessing uncontrolled networks.
- The process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network. This method of network access enables a user to access remote devices, and simultaneously, access uncontrolled networks.
- SPM : see document
- SPN : see document
- Sponge Construction : see document
- The method originally specified in [Cryptographic sponge functions, version 0.1] for defining a function from the following: 1) an underlying function on bit strings of a fixed length, 2) a padding rule, and 3) a rate. Both the input and the output of the resulting function are bit strings that can be arbitrarily long.
- Sponge Function : see document
- A function that is defined according to the sponge construction, possibly specialized to a fixed output length.
- sponsor : see document
- Submits a Derived PIV Credential request on behalf of the applicant.
- Sponsor (of a certificate) : see document
- A human entity that is responsible for managing a certificate for the non-human entity identified as the subject in the certificate (e.g., applying for the certificate; generating the key pair; replacing the certificate, when required; and revoking the certificate). Note that a certificate sponsor is also a sponsor of the public key in the certificate and the corresponding private key.
- A human entity that is responsible for managing a certificate for the non-human entity identified as the subject in the certificate (e.g., a device, application, or process). Certificate management includes applying for the certificate, generating the key pair, replacing the certificate when required, and revoking the certificate. Note that a certificate sponsor is also a sponsor of the public key in the certificate and the corresponding private key.
- Sponsor (of a key) : see document
- A human entity that is responsible for managing a key for the non-human entity (e.g., device, application or process) that is authorized to use the key.
- A human entity that is responsible for managing a key for the non-human entity (e.g., organization, device, application or process) that is authorized to use the key.
- spoofing : see document
- Two classes of spoofing include (1) <em>measurement spoofing</em>: introduces a signal or signal delay that causes the target receiver to produce incorrect measurements of time of arrival or frequency of arrival or their rates of change; and (2) <em>data spoofing</em>: introduces incorrect digital data to the target receiver for its use in the processing of signals and the calculation of PNT.
- Within the context of this document, spoofing includes manipulation of legitimate GNSS signals with intent to corrupt PNT data or signal measurement integrity. For example, it includes, but is not limited to: the transmission of delayed or false GNSS signals with intent to manipulate an asset’s computed position or time and frequency.
- Faking the sending address of a transmission to gain illegal entry into a secure system.
- The deliberate inducement of a user or resource to take incorrect action. Note: Impersonating, masquerading, piggybacking, and mimicking are forms of spoofing.
- SPP : see document
- Sprawl : see document
- The proliferation of images.
- spread spectrum : see document
- Telecommunications techniques in which a signal is transmitted in a bandwidth considerably greater than the frequency content of the original information. Frequency hopping, direct sequence spreading, time scrambling, and combinations of these techniques are forms of spread spectrum.
- SPS : see document
- SPS FW : see document
- SPSC : see document
- SPSD : see document
- SPT : see document
- spyware : see document
- Software that is secretly or surreptitiously installed into an information system to gather information on individuals or organizations without their knowledge; a type of malicious code.
- Software that is secretly or surreptitiously installed into a system to gather information on individuals or organizations without their knowledge; a type of malicious code.
- Software that is secretly or surreptitiously installed onto an information system to gather information on individuals or organizations without their knowledge; a type of malicious code.
- Software that is secretly or surreptitiously installed into an information system to gather information on individuals or organizations without their knowledge.
- A program embedded within an application that collects information and periodically communicates back to its home site, unbeknownst to the user.
- Malware intended to violate a user’s privacy.
- Malware specifically intended to violate a user’s privacy.
- SQL : see document
- SQL injection : see document
- Attacks that look for web sites that pass insufficiently processed user input to database back-ends.
- SQL Server Management Studio : see document
- SQLi : see document
- SQN : see document
- square : see document
- The property that some element <span class="math-tex">\(x\)</span> of a finite field <span class="math-tex">\(\mathbf{GF}(q)\)</span> can be written as <span class="math-tex">\(x=z^2\)</span> for some element <span class="math-tex">\(z\)</span> in the same field <span class="math-tex">\(\mathbf{GF}(q)\)</span>.
- SRA : see document
- SRAM : see document
- SRB : see document
- SRES : see document
- SRG : see document
- sRGB : see document
- SRK : see document
- SRM : see document
- SRP : see document
- SRR : see document
- SRTM : see document
- SRx update ID : see document
- SRxCryptoAPI : see document
- SSA : see document
- SSAA : see document
- SSC : see document
- SSCA : see document
- SSCP : see document
- SSD : see document
- A Solid State Drive (SSD) is a storage device that uses solid state memory to store persistent data.
- SSDF : see document
- SSDP : see document
- SSE : see document
- SSE-CMM : see document
- SSFA : see document
- SSH : see document
- SSH Client : see document
- The software implementation that enables a user or an automated process to remotely access an SSH server. An SSH client is responsible for reliably performing all of the operations necessary to ensure a secure connection, including generating identity keys, prompting users to verify host keys, authenticating and establishing encrypted connections with SSH servers, prompting users for credentials, performing public key authentication, etc.
- SSH Key : see document
- A term that is generally used to refer to an identity and authorized keys. The term may also be occasionally used to refer to host or server private keys.
- SSH Server : see document
- A software implementation that enables SSH access to a system from SSH clients. An SSH server may be included with an operating system or appliance or may be add-on software. An SSH server is typically a complex set of software modules responsible for a broad number of tasks, including enforcing configured SSH settings, authenticating users, limiting access to certain users and groups, ensuring secure connections, interfacing with other systems (e.g., PAM and Kerberos), performing file transfers, etc.
- SSI : see document
- SSID : see document
- A name assigned to a wireless access point that allows stations to distinguish one wireless access point from another.
- SSL : see document
- SSL Visibility : see document
- SSL/TLS : see document
- SSLF : see document
- SSLV : see document
- SSM : see document
- SSMS : see document
- SSN : see document
- SSO : see document
- An authentication process by which one account and its authenticators are used to access multiple applications in a seamless manner, generally implemented with a federation protocol.
- SSP : see document
- Formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.
- Formal document that provides an overview of the security requirements for the system and describes the security controls in place or planned for meeting those requirements.
- Formal document that provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements.
- Formal document that provides an overview of the security requirements for a system and describes the security controls in place or planned for meeting those requirements.
- SSPP : see document
- SSTP : see document
- SSVOPM : see document
- ST&E : see document
- STA : see document
- stability : see document
- An inherent characteristic of an oscillator that determines how well it can produce the same frequency over a given time interval. Stability does not indicate whether the frequency is right or wrong, but only whether it stays the same. The stability of an oscillator does not necessarily change when the frequency offset changes. An oscillator can be adjusted, and its frequency moved either further away from or closer to its nominal frequency without changing its stability at all.
The stability of an oscillator is usually specified by a statistic, such as the Allan deviation, that estimates the frequency fluctuations of the device over a given time interval. Some devices, such as an OCXO [Oven Controlled Crystal (Xtal) Oscillator] have good short-term stability and poor long-term stability. Other devices, such as a GPS disciplined oscillator (GPSDO), typically have poor short-term stability and good long-term stability.
- stablecoin : see document
- A cryptocurrency token that is a fungible unit of financial value pegged to a currency, some other asset, or index. It can be traded directly between parties and converted to other currencies or the pegged asset.
- stage : see document
- Period within the life cycle of an entity that relates to the state of its description or realization.
- stakeholder : see document
- Individual or organization having a right, share, claim, or interest in a system or in its possession of characteristics that meet their needs and expectations.
- Individual, team, organization, or classes thereof, having an interest in a system.
- Staking : see document
- Protocol-defined token collateralization earning yields and/or providing privileges, either at the base layer (in proof-of-stake consensus models) or at the smart contract layer.
- STAMP : see document
- Standalone Environment : see document
- Environment containing individually managed devices (e.g., desktops, laptops, smartphones, tablets).
- Small office/home office environment.
- Standard Normal Cumulative Distribution Function : see document
- See the definition in Section 5.5.3. This is the normal function for mean = 0 and variance = 1.
- Standard operating procedures : see document
- A set of instructions used to describe a process or procedure that performs an explicit operation or explicit reaction to a given event.
- Standard Positioning Service : see document
- Standard Red Green Blue : see document
- Standards Developing Organization : see document
- Any organization that develops and approves standards using various methods to establish consensus among its participants. Such organizations may be: accredited, such as the ANSI-accredited IEEE; international treaty based, such as the ITU-T; private sector based, such as ISO/IEC; an international consortium, such as OASIS or IETF; or a government agency.
- Standards Developing Organizations : see document
- Standards-Setting Organization : see document
- STAR : see document
- Start of Authority : see document
- State : see document
- Intermediate result of the AES block cipher that is represented as a two-dimensional array of bytes with four rows and <span class="math-tex">\(Nb\)</span> columns.
- State Channel : see document
- A scheme that enables the off-chain processing of transactions by a group of participants with instant second layer finality and deferred on-chain settlement via state updates.
- State Public Safety Department : see document
- State Update : see document
- An on-chain transaction used to anchor the current state of an external ledger onto the underlying blockchain.
- Stateful : see document
- Refers to a data representation or a process that is dependent on an external data store.
- Stateful Inspection : see document
- Packet filtering that also tracks the state of connections and blocks packets that deviate from the expected state.
- Stateful Protocol Analysis : see document
- A firewalling capability that improves upon standard stateful inspection by adding basic intrusion detection technology. This technology consists of an inspection engine that analyzes protocols at the application layer to compare vendor-developed profiles of benign protocol activity against observed events to identify deviations, allowing a firewall to allow or deny access based on how an application is running over a network.
- Stateless : see document
- Refers to a data representation or a process that is self-contained and does not depend on any external data store.
- Stateless Hash-Based Digital Signature Algorithm : see document
- Stateless Inspection : see document
- Stateless Transport Tunneling : see document
- Statement coverage : see document
- This is the simplest of coverage criteria – the percentage of statements exercised by the test set.
- Statement of Requirements : see document
- statement of work requirement : see document
- A type of requirement that represents an action that is performed operationally or during system development.
- State-of-the-Art Resources : see document
- Static Analysis Reference Dataset : see document
- Static Analysis Tool Exposition : see document
- static application security tool : see document
- static code analyzer : see document
- A tool that analyzes source code without executing the code. Static code analyzers are designed to review bodies of source code (at the programming language level) or compiled code (at the machine language level) to identify poor coding practices. Static code analyzers provide feedback to developers during the code development phase on security flaws that might be introduced into code.
- Static Core Root of Trust for Measurement : see document
- Static key : see document
- A key that is intended for use for a relatively long period of time and is typically intended for use in many instances of a cryptographic key-establishment scheme. Contrast with an Ephemeral key.
- A key that is intended for use for a relatively long period of time and is typically intended for use in many instances of a cryptographic key-establishment scheme. Contrast with an ephemeral key.
- Static key pair : see document
- A key pair, consisting of a private key (i.e., a static private key) and a public key (i.e., a static public key) that is intended for use for a relatively long period of time and is typically intended for use in multiple key establishment transactions. Contrast with an ephemeral key pair.
- A long-term key pair for which the public key is often provided in a public-key certificate.
- Static Random Access Memory : see document
- Station : see document
- A client device in a wireless network.
- Station Access Controller : see document
- statistical bias : see document
- A form of bias that occurs when the expected value of a released statistic does not match the true statistic.
- statistical disclosure control : see document
- The set of methods to reduce the risk of disclosing information on individuals, businesses or other organizations. Such methods are only related to the dissemination step and are usually based on restricting the amount of or modifying the data released.
- Statistical Ineffective Fault Attack : see document
- Statistical Test (of a Hypothesis) : see document
- A function of the data (binary stream) that is computed and used to decide whether or not to reject the null hypothesis. A systematic statistical rule whose purpose is to generate a conclusion regarding whether the experimenter should accept or reject the null hypothesis H<sub>0</sub>.
- Statistically Independent Events : see document
- Two events are independent if the occurrence of one event does not affect the chances of the occurrence of the other event. The mathematical formulation of the independence of events A and B is the probability of the occurrence of both A and B being equal to the product of the probabilities of A and B (i.e., P(A and B) = P(A)P(B)).
- status authority (CSA) : see document
- A trusted entity that provides on-line verification to a relying party of a subject certificate's trustworthiness, and may also provide additional attribute information for the subject certificate.
- STD : see document
- STE : see document
- Stealthwatch Flow Collector : see document
- Stealthwatch Management Center : see document
- Stealthwatch Management Console : see document
- steganography : see document
- The art, science, and practice of communicating in a way that hides the existence of the communication.
- The art and science of communicating in a way that hides the existence of the communication. For example, a child pornography image can be hidden inside another graphic image file, audio file, or other file format.
- Embedding data within other data to conceal it.
- STEM : see document
- STIG : see document
- STIX : see document
- STK : see document
- Stock Keeping Unit : see document
- Stockholm International Summit on Cyber Security in SCADA and ICS : see document
- Storage : see document
- Retrievable retention of data. Electronic, electrostatic, or electrical hardware or other elements (media) into which data may be entered, and from which data may be retrieved.
- Storage Area Network : see document
- Storage Management Initiative Specification : see document
- Storage Root Key : see document
- Store a key or metadata : see document
- Placing a key and/or metadata in storage outside of a cryptographic module without retaining the original copy in the cryptographic module.
- Stored Measurement Log : see document
- STP : see document
- STPA : see document
- Strategic and Emerging Research Initiatives : see document
- Stream component : see document
- A major element of a data stream, such as an XCCDF benchmark or a set of OVAL definitions.
- Stream Control Transmission Protocol : see document
- strength of function : see document
- Criterion expressing the minimum efforts assumed necessary to defeat the specified security behavior of an implemented security function by directly attacking its underlying security mechanisms.
- Criterion expressing the minimum efforts assumed necessary to defeat the specified security behavior of an implemented security function by directly attacking its underlying security mechanisms.
Note 1: Strength of function presupposes that the underlying security mechanisms are correctly implemented. The concept of strength of function may be equally applied to services or other capability-based abstractions provided by security mechanisms.
Note 2: The term robustness combines the concepts of assurance of correct implementation with strength of function to provide finer granularity in determining the trustworthiness of a system.
- Strength of Function for Authenticators – Biometrics : see document
- strength of mechanism (SoM) : see document
- A scale for measuring the relative strength of a security mechanism.
- Strength, Weakness, Opportunity, and Threat Analysis : see document
- Strengths, Weaknesses, Opportunities, Threats : see document
- String : see document
- An ordered sequence (string) of 0s and 1s. The leftmost bit is the most significant bit.
- A bitstring is an ordered sequence of 0’s and 1’s.
- An ordered sequence of 0’s and 1’s. The leftmost bit is the most significant bit.
- striped core : see document
- A network architecture in which user data traversing a core IP network is decrypted, filtered and re-encrypted one or more times.
Note: The decryption, filtering, and re-encryption are performed within a “Red gateway”; consequently, the core is “striped” because the data path is alternately Black, Red, and Black.
- strong authentication : see document
- A method used to secure computer systems and/or networks by verifying a user’s identity with two authentication factors drawn from the three categories (something you know, something you have, or something you are).
- Strong Existential Unforgeability under Chosen-Message Attack : see document
- StrongAuth KeyAppliance : see document
- StrongKey Crypto Engine : see document
- StrongKey CryptoEngine : see document
- Strongly existentially UnForgeable under Chosen Message Attack : see document
- structural relationship mapping : see document
- A concept relationship style that captures an inherent hierarchical structure of concepts, usually defined within a single concept source.
- Structured Exception Handler Overwrite Protection : see document
- Structured Product Labeling : see document
- Structured Query Language : see document
- Structured Query Language Injection : see document
- Structured Threat Information eXpression : see document
- STS : see document
- STT : see document
- STU : see document
- STVMG : see document
- SU : see document
- subaccount : see document
- A COMSEC account that only receives key from, and only reports to, its parent account, never a Central Office of Record.
- subassembly : see document
- Two or more parts that form a portion of an assembly or a unit replaceable as a whole, but having a part or parts that are individually replaceable.
- Sub-Capability : see document
- A capability that supports the achievement of a larger capability. In this NISTIR, each defined capability is decomposed into the set of sub-capabilities that are necessary and sufficient to support the purpose of the larger capability.
- Subcommittee : see document
- Subdirectory : see document
- A directory contained within another directory.
- Sub-functions : see document
- Sub-functions are the basic operations employed to provide the system services within each area of operations or line of business. The recommended information types provided in NIST SP 800-60 are established from the “business areas” and “lines of business” from OMB’s Business Reference Model (BRM) section of Federal Enterprise Architecture (FEA) Consolidated Reference Model Document Version 2.3.
- sub-hand receipt : see document
- The hand receipt of COMSEC material to authorized individuals by persons to whom the material has already been hand receipted.
- subject : see document
- The entity requesting to perform an operation upon the object.
- A person, organization, device, hardware, network, software, or service. In these guidelines, a subject is a natural person.
- An active entity, generally in the form of a person, process, or device, that causes information to flow among objects or changes the system state.
- A person, organization, device, hardware, network, software, or service.
- Generally an individual, process, or device causing information to flow among objects or change to the system state. See object.
- An individual, process, or device that causes information to flow among objects or change to the system state. Also see object.
- The set of active entities of the system, operating within roles on behalf of individual users.
- Subject (in a certificate) : see document
- The entity authorized to use the private key associated with the public key in the certificate.
- Subject Alternative Name : see document
- A field in an X.509 certificate that identifies one or more fully qualified domain names, IP addresses, email addresses, URIs, or UPNs to be associated with the public key contained in a certificate.
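As an added illustration of the definition above (example code written for this glossary entry, not taken from any NIST document), the Go program below builds a constructed self-signed certificate carrying DNS, wildcard DNS, IP and e-mail SAN entries, lists them, and then shows which candidate names the SAN extension actually covers. The hostnames under example.test, the IP address 10.0.0.5 and the function names are assumptions chosen for the example. The security-relevant point it demonstrates is that once a SAN extension is present, the Common Name in the Subject is not consulted at all: a name that appears only in the CN does not match.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// NewSANCert builds a constructed, self-signed test certificate (an
// illustrative fixture for this example, not a real deployment certificate).
// Its Common Name is deliberately absent from the SAN list so that the checks
// below show that name matching is driven by the SAN extension alone.
func NewSANCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: "legacy-cn.example.test"},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:       []string{"api.example.test", "*.svc.example.test"},
		IPAddresses:    []net.IP{net.ParseIP("10.0.0.5")},
		EmailAddresses: []string{"ops@example.test"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SANEntries lists every SAN value the parser extracted, tagged by type; this
// is what an operator inspects when a TLS handshake fails on a name mismatch.
func SANEntries(cert *x509.Certificate) []string {
	var out []string
	for _, d := range cert.DNSNames {
		out = append(out, "DNS:"+d)
	}
	for _, ip := range cert.IPAddresses {
		out = append(out, "IP:"+ip.String())
	}
	for _, e := range cert.EmailAddresses {
		out = append(out, "email:"+e)
	}
	for _, u := range cert.URIs {
		out = append(out, "URI:"+u.String())
	}
	return out
}

// HostMatches reports whether name (a DNS name or a textual IP address) is
// covered by the certificate's SAN entries, applying the rules the Go TLS
// stack uses: exact DNS match, single-label wildcard match, exact IP match,
// and no fallback to the Common Name.
func HostMatches(cert *x509.Certificate, name string) bool {
	return cert.VerifyHostname(name) == nil
}

func main() {
	cert, err := NewSANCert()
	if err != nil {
		panic(err)
	}
	fmt.Println("SAN entries:", SANEntries(cert))
	candidates := []string{
		"api.example.test", "db.svc.example.test", "x.db.svc.example.test",
		"10.0.0.5", "10.0.0.6", "legacy-cn.example.test",
	}
	for _, n := range candidates {
		fmt.Printf("%-24s matches=%v\n", n, HostMatches(cert, n))
	}
}
```

The wildcard entry matches exactly one label (db.svc.example.test but not x.db.svc.example.test), and the IP entry is compared as a parsed address rather than as a DNS string, which is why a certificate for an IP-addressed service needs an explicit IP SAN and not a DNS SAN spelling the dotted quad.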
- Subject Matter Expert : see document
- subjectAltName : see document
- SubjectPublicKeyInfo : see document
- Subkey : see document
- A secret string that is derived from the key.
- Subkey Generation : see document
- An algorithm that derives subkeys from a key.
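A concrete instance of the two entries above (Subkey and Subkey Generation) is the AES-CMAC construction of NIST SP 800-38B, where the subkeys K1 and K2 are derived from the key by encrypting the zero block and doubling it in GF(2^128). The Go program below is an added example written for this glossary, not code from any NIST document; it implements that derivation together with the MAC itself and a constant-time verifier, and its main function feeds it the published RFC 4493 / SP 800-38B test key so the derived subkeys can be compared against the standard's example values. Function names are the author's choice for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// rb is the constant R_128 from SP 800-38B: the reduction term folded in
// whenever a left shift of a 128-bit block carries a 1 bit out of the top.
const rb = 0x87

// dbl multiplies the block by x in GF(2^128): shift left by one bit and, if a
// 1 bit fell off the top, XOR rb into the low byte.
func dbl(in []byte) []byte {
	out := make([]byte, len(in))
	var carry byte
	for i := len(in) - 1; i >= 0; i-- {
		out[i] = in[i]<<1 | carry
		carry = in[i] >> 7
	}
	if carry == 1 {
		out[len(out)-1] ^= rb
	}
	return out
}

// Subkeys derives the CMAC subkeys from an AES key (SP 800-38B, Section 6.1):
// L = AES_K(0^128), K1 = dbl(L), K2 = dbl(K1).
func Subkeys(key []byte) (k1, k2 []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	l := make([]byte, block.BlockSize())
	block.Encrypt(l, l) // l is all zeros here, so this computes AES_K(0^128)
	k1 = dbl(l)
	k2 = dbl(k1)
	return k1, k2, nil
}

func xorInto(dst, src []byte) {
	for i := range dst {
		dst[i] ^= src[i]
	}
}

// CMAC computes AES-CMAC(key, msg). The subkey choice is what separates CMAC
// from plain CBC-MAC: K1 masks a final block that is already complete, K2
// masks a final block that had to be padded with 10...0.
func CMAC(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	k1, k2, _ := Subkeys(key)
	bs := block.BlockSize()
	n := (len(msg) + bs - 1) / bs
	if n == 0 {
		n = 1 // an empty message is treated as a single padded block
	}
	last := make([]byte, bs)
	copy(last, msg[(n-1)*bs:])
	if len(msg) > 0 && len(msg)%bs == 0 {
		xorInto(last, k1)
	} else {
		last[len(msg)-(n-1)*bs] = 0x80
		xorInto(last, k2)
	}
	x := make([]byte, bs) // CBC chaining value, starts at 0^128
	for i := 0; i < n-1; i++ {
		xorInto(x, msg[i*bs:(i+1)*bs])
		block.Encrypt(x, x)
	}
	xorInto(x, last)
	block.Encrypt(x, x)
	return x, nil
}

// Verify recomputes the tag and compares in constant time, so a forger cannot
// learn from timing how many leading tag bytes were correct.
func Verify(key, msg, tag []byte) bool {
	want, err := CMAC(key, msg)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(want, tag) == 1
}

func main() {
	// Key and message are the published AES-CMAC test vectors (RFC 4493 / SP 800-38B).
	key, _ := hex.DecodeString("2b7e151628aed2a6abf7158809cf4f3c")
	k1, k2, _ := Subkeys(key)
	fmt.Printf("K1 = %x\nK2 = %x\n", k1, k2)
	msg, _ := hex.DecodeString("6bc1bee22e409f96e93d7e117393172a")
	tag, _ := CMAC(key, msg)
	fmt.Printf("CMAC = %x  verify=%v\n", tag, Verify(key, msg, tag))
}
```

The subkeys exist precisely to close the length-extension weakness of raw CBC-MAC: because a complete final block and a padded final block are masked with different secret values, a tag over one message cannot be reused as a prefix computation for a longer one.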
- subordinate certificate authority : see document
- In a hierarchical public key infrastructure (PKI), a certificate authority (CA) whose certificate signing key is certified by another CA, and whose activities are constrained by that other CA. See superior certification authority.
- subsampling : see document
- An algorithmic strategy where the query output is computed using only a fraction of the original data, selected at random.
- subscriber : see document
- An entity that has applied for and received a certificate from a Certificate Authority.
- An individual enrolled in the CSP identity service.
- An entity that (1) is the subject named or identified in a certificate issued to such an entity, and (2) holds a private key that corresponds to a public key listed in that certificate.
- The individual who is the subject named or identified in a Derived PIV Authentication certificate and who holds the token that contains the private key that corresponds to the public key in the certificate.
- A Subscriber is an entity that (1) is the subject named or identified in a certificate issued to that entity, (2) holds a private key that corresponds to the public key listed in the certificate, and (3) does not itself issue certificates to another party. This includes, but is not limited to, an individual or network device.
- A party who has received a credential or authenticator from a CSP.
- An individual applying for a Derived PIV Credential.
- A party who has received a credential or authenticator from a Credential Service Provider.
- A party who has received a credential or token from a CSP.
- subscriber account : see document
- An account established by the CSP for each subscriber enrolled in its identity service that contains information about the subscriber and a record of any authenticators registered to the subscriber.
- Subscriber Identity Module (SIM) : see document
- A smart card chip specialized for use in GSM equipment.
- subscriber-controlled wallet : see document
- A type of IdP that is issued attribute bundles by the CSP. The subscriber-controlled wallet is either housed on a subscriber-controlled device (sometimes known as a digital wallet) or provided as a remote service (sometimes known as a cloud wallet).
- Subset Fault Analysis : see document
- Substation Serial Protection Protocol : see document
- Substitution–Permutation Network : see document
- subsystem : see document
- A major subdivision or component of an information system consisting of information, information technology, and personnel that performs one or more specific functions.
- A major subdivision of an information system consisting of information, information technology, and personnel that performs one or more specific functions.
- A major subdivision or component of an information system consisting of information, information technology, and personnel that perform one or more specific functions.
- A major subdivision or element of an information system consisting of information, information technology, and personnel that performs one or more specific functions.
- Successor : see document
- In the RBG-based construction of IVs, the result of one or more applications of the appropriate incrementing function to a direct random string.
- SUF-CMA : see document
- SUID : see document
- Suitability and Credentialing Executive Agent : see document
- Individual responsible for prescribing suitability standards and minimum standards of fitness for employment. With the issuance of Executive Order 13467, as amended, the Suitability and Credentialing Executive Agent is responsible for the development, implementation, and oversight of effective, efficient, and uniform policies and procedures governing the conduct of investigations and adjudications for Suitability, Fitness, and Credentialing determinations in the Federal Government. Pursuant to Sections 1103 and 1104 of Title 5, United States Code, and the Civil Service Rules, the director of the Office of Personnel Management (OPM) is the Suitability and Credentialing Executive Agent.
- Suite A : see document
- A specific set of classified cryptographic algorithms used for the protection of some categories of restricted mission critical information.
- Suite B : see document
- A specific set of cryptographic algorithms suitable for protecting both classified and unclassified national security systems, classified national security information, and sensitive information throughout the U.S. government and to support interoperability with allies and coalition partners.
- Suite B compatible : see document
- An information assurance (IA) or IA-enabled information technology (IT) product that:
a. Uses National Security Agency (NSA)-approved public standards-based security protocols. If none are available with the necessary functionality, then uses a NSA-approved security protocol;
b. Includes (as selectable capabilities) all of the Suite B cryptographic algorithms that are functionally supported by the NSA-approved security protocol(s); and
c. Has been evaluated or validated in accordance with NSTISSP 11.
- summation query : see document
- A query that sums a derived quantity from each row in a dataset with a particular property.
- Summer Undergraduate Research Fellowship : see document
- superencryption : see document
- 1. The encrypting of already encrypted information.
- 2. An encryption operation for which the plaintext input to be transformed is the ciphertext output of a previous encryption operation.
- superior certification authority : see document
- In a hierarchical public key infrastructure (PKI), a certification authority (CA) who has certified the certificate signature key of another CA, and who constrains the activities of that CA. See subordinate certification authority.
- supersession : see document
- The scheduled or unscheduled replacement of COMSEC material with a different edition.
- supersingular isogeny Diffie-Hellman : see document
- Supersingular Isogeny Key Encapsulation : see document
- superuser : see document
- A user who is authorized (and, therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.
- A user who is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.
- A user that is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.
- A user that is authorized (and, therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.
- supervised learning : see document
- A type of machine learning in which a model learns to predict explicit (often human-generated) labels or output values for data.
- Supervisor Mode Access Prevention : see document
- Supervisor Mode Execution Prevention : see document
- supplemental controls : see document
- Controls that may be added to address specific threats or attacks in addition to those controls specified in the assurance levels in these guidelines.
- Supplicant Number once : see document
- supplier : see document
- Organization or individual that enters into an agreement with the acquirer or integrator for the supply of a product or service. This includes all suppliers in the supply chain, developers or manufacturers of systems, system components, or system services; systems integrators; suppliers; product resellers; and third-party partners.
- Organization or individual that enters into an agreement with the acquirer or integrator for the supply of a product or service. This includes all suppliers in the supply chain.
Includes (i) developers or manufacturers of information systems, system components, or information system services; (ii) vendors; and (iii) product resellers.
- Organization or individual that enters into an agreement with the acquirer or integrator for the supply of a product or service. This includes all suppliers in the supply chain, developers or manufacturers of systems, system components, or system services; systems integrators; vendors; product resellers; and third party partners.
- Organization or individual that enters into an agreement with the acquirer or integrator for the supply of a product or service. This includes all suppliers in the supply chain.
- Product and service providers used for an organization’s internal purposes (e.g., IT infrastructure) or integrated into the products or services provided to that organization’s Buyers.
- Organization or an individual that enters into an agreement with the acquirer for the supply of a product or service.
- Supplier’s Declaration of Conformity : see document
- Declaration where the conformity assessment activity is performed by the person or organization that provides the ‘object’ (such as product, process, management system, person or body) and the supplier provides written confidence of conformity.
- supply chain : see document
- Linked set of resources and processes between and among multiple levels of organizations, each of which is an acquirer, that begins with the sourcing of products and services and extends through their life cycle.
- Linked set of resources and processes between multiple tiers of developers that begins with the sourcing of products and services and extends through the design, development, manufacturing, processing, handling, and delivery of products and services to the acquirer.
- A system of organizations, people, activities, information, and resources, possibly international in scope, that provides products or services to consumers.
- The network of retailers, distributors, transporters, storage facilities, and suppliers that participate in the sale, delivery, and production of a particular product.
- Linked set of resources and processes between and among multiple tiers of organizations, each of which is an acquirer, that begins with the sourcing of products and services and extends through their life cycle.
- supply chain assurance : see document
- Confidence that the supply chain will produce and deliver elements, processes, and information that function as expected.
- supply chain attack : see document
- Attacks that allow the adversary to utilize implants or other vulnerabilities inserted prior to installation in order to infiltrate data, or manipulate information technology hardware, software, operating systems, peripherals (information technology products) or services at any point during the life cycle.
- supply chain element : see document
- Organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and/or disposal of systems and system components.
- An information technology product or product component that contains programmable logic and that is critically important to the functioning of an information system.
- A statement about an ISCM concept that is true for a well-implemented ISCM program.
- Organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components.
- Organizations, departments, facilities, or personnel responsible for a particular systems security engineering activity conducted within an engineering process (e.g., operations elements, logistics elements, maintenance elements, and training elements).
- supply chain risk : see document
- The risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of an item of supply or a system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of a system (Ref: The Ike Skelton National Defense Authorization Act for Fiscal Year 2011).
- Risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
- The potential for harm or compromise that arises as a result of security risks from suppliers, their supply chains, and their products or services. Supply chain risks include exposures, threats, and vulnerabilities associated with the products and services traversing the supply chain as well as the exposures, threats, and vulnerabilities to the supply chain.
- supply chain risk assessment : see document
- A systematic examination of supply chain risks, likelihoods of their occurrence, and potential impacts.
- supply chain risk information : see document
- Includes, but is not limited to, information that describes or identifies: (1) Functionality of covered articles, including access to data and information system privileges; (2) Information on the user environment where a covered article is used or installed; (3) The ability of the source to produce and deliver covered articles as expected (i.e., supply chain assurance); (4) Foreign control of, or influence over, the source (e.g., foreign ownership, personal and professional ties between the source and any foreign entity, legal regime of any foreign country in which the source is headquartered or conducts operations); (5) Implications to national security, homeland security, and/or national critical functions associated with use of the covered source; (6) Vulnerability of federal systems, programs, or facilities; (7) Market alternatives to the covered source; (8) Potential impact or harm caused by the possible loss, damage, or compromise of a product, material, or service to an organization’s operations or mission; (9) Likelihood of a potential impact or harm, or the exploitability of a system; (10) Security, authenticity, and integrity of covered articles and their supply and compilation chain; (11) Capacity to mitigate risks identified; (12) Credibility of and confidence in other supply chain risk information; (13) Any other information that would factor into an analysis of the security, integrity, resilience, quality, trustworthiness, or authenticity of covered articles or sources; (14) A summary of the above information and, any other information determined to be relevant to the determination of supply chain risk.
- supply chain risk management (SCRM) : see document
- A systematic process for managing supply chain risk by identifying susceptibilities, vulnerabilities, and threats throughout the supply chain and developing mitigation strategies to combat those threats whether presented by the supplier, the supplied product and its subcomponents, or the supply chain (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal).
- The process of identifying, assessing, and mitigating the risks associated with the global and distributed nature of information and communications technology product and service supply chains.
- A systematic process for managing cyber supply chain risk exposures, threats, and vulnerabilities throughout the supply chain and developing risk response strategies to the risks presented by the supplier, the supplied products and services, or the supply chain.
- The implementation of processes, tools, or techniques to minimize the adverse impact of attacks that allow the adversary to utilize implants or other vulnerabilities inserted prior to installation in order to infiltrate data, or manipulate information technology hardware, software, operating systems, peripherals (information technology products) or services at any point during the life cycle.
- Support : see document
- To be capable of providing a service or perform a function that is required or desired; to agree with a policy or position; to fulfill requirements.
- Support a security strength : see document
- A security strength of s bits is said to be supported by a particular choice of algorithm, primitive, auxiliary function, or parameters for use in the implementation of a cryptographic mechanism if that choice will not prevent the resulting implementation from attaining a security strength of at least s bits.
In this Recommendation, it is assumed that implementation choices are intended to support a security strength of 112 bits or more (see [SP 800-57] and [SP 800-131A]).
- A term applied to a method (e.g., an RBG, or a key with its associated cryptographic algorithm) that is capable of providing (at a minimum) the security strength required or desired for protecting data.
- A security strength of s bits is said to be supported by a particular choice of algorithm, primitive, auxiliary function, parameters (etc.) for use in the implementation of a cryptographic mechanism if that choice will not prevent the resulting implementation from attaining a security strength of at least s bits. In this Recommendation, it is assumed that implementation choices are intended to support a security strength of 112 bits or more (see [NIST SP 800-57] and [NIST SP 800-131A]).
- A term applied to a method (e.g., an RBG or a key with its associated cryptographic algorithm) that is capable of providing (at a minimum) the security strength required or desired for protecting data.
A security strength of s bits is said to be supported by a particular choice of keying material, algorithm, primitive, auxiliary function, parameters (etc.) for use in the implementation of a cryptographic mechanism if that choice will not prevent the resulting implementation from attaining a security strength of at least s bits.
- Support Vector Machines : see document
- Models that implement a decision function in the form of a hyperplane that serves to separate (i.e., classify) observations that belong to one class from another based on patterns of information about those observations (i.e., features).
- Supporting Capabilities : see document
- Capabilities that provide functionality that supports the other IoT capabilities. Examples of supporting capabilities are device management, cybersecurity, and privacy capabilities.
- Supporting Parties : see document
- Providers of external system services to the manufacturer through a variety of consumer-producer relationships including but not limited to: joint ventures; business partnerships; outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements); licensing agreements; and/or supply chain exchanges. Supporting services include, for example, Telecommunications, engineering services, power, water, software, tech support, and security.
- Supporting Services : see document
- Providers of external system services to the manufacturer through a variety of consumer-producer relationships including but not limited to: joint ventures; business partnerships; outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements); licensing agreements; and/or supply chain exchanges. Supporting services include, for example, Telecommunications, engineering services, power, water, software, tech support, and security.
- supportive relationship mapping : see document
- A concept relationship style that identifies how one concept can or does help achieve another concept.
- An OLIR that indicates how a supporting concept can or does help achieve a supported concept, with one of the concepts being a Focal Document Element and the other a Reference Document Element.
- suppression measure : see document
- Action, procedure, modification, or device that reduces the level of, or inhibits the generation of, compromising emanations in an information system.
- SURF : see document
- Surge Protector : see document
- A device designed to protect electrical devices from voltage spikes or dips.
- survivability : see document
- The ability of a system to minimize the impact of a finite-duration disturbance on value delivery (i.e., stakeholder benefit at cost), achieved through the reduction of the likelihood or magnitude of a disturbance; the satisfaction of a minimally acceptable level of value delivery during and after a disturbance; and/or a timely recovery.
- susceptibility : see document
- The inability to avoid adversity.
- Suspended state : see document
- A lifecycle state of a key whereby the use of the key for applying cryptographic protection has been temporarily suspended.
- A key state in which the use of a key or key pair may be suspended for a period of time.
- suspension : see document
- The process of changing the status of a valid certificate to suspended (i.e., temporarily invalid).
- The process of temporarily changing the status of a key or certificate to invalid (e.g., in order to determine if it has been compromised). The certificate may subsequently be revoked or reactivated.
- SVID : see document
- SVM : see document
- SVP : see document
- SW : see document
- SwA : see document
- The level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions as intended by the purchaser or user.
- The level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle and that the software functions in the intended manner.
- SwAAP : see document
- SWAM : see document
- See Capability, Software Asset Management.
- SWaP : see document
- SWG : see document
- SWID : see document
- SWID Tag : see document
- A SWID tag is an ISO 19770-2 compliant XML file describing a software product. It is typically digitally signed by the software manufacturer to verify its validity. Ideally, for purposes of software asset management, the SWID tag will contain the digests (digital fingerprints) of each software file installed or placed on the device with the product.
- SWIMA : see document
- Switch : see document
- A network device that filters and forwards packets between LAN segments.
- A device that channels incoming data from any of multiple input ports to the specific output port that will take the data toward its intended destination.
- Switched Port Analyzer : see document
- SwMM-RSV : see document
- SWOT : see document
- SWSA : see document
- Sybil Attack : see document
- A cybersecurity attack wherein an attacker creates multiple accounts and pretends to be many persons at once.
- syllabary : see document
- List of individual letters, combination of letters, or syllables, with their equivalent code groups, used for spelling out words or proper names not present in the vocabulary of a code. A syllabary may also be a spelling table.
- Symantec Endpoint Protection : see document
- Symantec Endpoint Protection Manager : see document
- Symmetric Card Authentication Key Authentication (SYM-CAK) : see document
- An authentication mechanism where the PIV Card is identified using the CHUID or another data element, and then the card responds to a challenge by signing the challenge value with the symmetric card authentication key. This mechanism is deprecated.
- Symmetric Cryptography : see document
- Cryptography that uses the same key for both encryption and decryption.
- A cryptographic algorithm that uses the same secret key for its operation and, if applicable, for reversing the effects of the operation (e.g., an AES key for encryption and decryption).
- Symmetric Encryption : see document
- symmetric encryption algorithm : see document
- Encryption algorithms using the same secret key for encryption and decryption.
- symmetric key : see document
- A cryptographic key that is used to perform both the cryptographic operation and its inverse (e.g., to encrypt, decrypt, create a message authentication code, or verify a message authentication code).
- A single cryptographic key that is used with a symmetric-key algorithm; also called a secret key. A symmetric-key algorithm is a cryptographic algorithm that uses the same secret key for an operation and its complement (e.g., encryption and decryption).
- A cryptographic key used to perform both the cryptographic operation and its inverse (e.g., to encrypt and decrypt or to create a message authentication code and verify the code).
- A cryptographic key that is used to perform both the cryptographic operation and its inverse, for example to encrypt and decrypt, or create a message authentication code and to verify the code.
- A cryptographic key used by one or more (authorized) entities in a symmetric-key cryptographic algorithm; the key is not made public.
- A cryptographic key used by a secret-key (symmetric) cryptographic algorithm and that is not made public.
- A single cryptographic key that is used with a secret (symmetric) key algorithm.
- A cryptographic key that is used with a secret-key (symmetric) cryptographic algorithm that is uniquely associated with one or more entities and is not made public. The use of the term “secret” in this context does not imply a classification level, but rather implies the need to protect the key from disclosure.
- A cryptographic key that is used with a secret key (also known as a symmetric key) cryptographic algorithm that is uniquely associated with one or more entities and shall not be made public. The use of the term “secret” in this context does not imply a classification level, but rather implies the need to protect the key from disclosure.
- A single cryptographic key that is shared by both originator and recipient (see symmetric key algorithm).
- A cryptographic key used to perform both the cryptographic operation and its inverse. For example, to encrypt and decrypt or create a message authentication code and to verify the code.
- A cryptographic key that is shared between two or more entities and used with a cryptographic application to process information.
- A single cryptographic key that is used by one or more entities with a symmetric key algorithm.
- A single cryptographic key that is used with a symmetric (secret key) cryptographic algorithm and is not made public (i.e., the key is kept secret). A secret key is also called a symmetric key.
- The use of the term “secret” in this context does not imply a classification level, but rather implies the need to protect the key from disclosure.
- Compare with a private key, which is used with a public-key (asymmetric-key) algorithm.
- A single cryptographic key that is used with a symmetric (secret key) algorithm, is uniquely associated with one or more entities, and is not made public (i.e., the key is kept secret); a symmetric key is often called a secret key.
- A single cryptographic key that is used with a symmetric-key cryptographic algorithm, is uniquely associated with one or more entities and is not made public (i.e., the key is kept secret). A secret key is also called a Symmetric key. The use of the term “secret” in this context does not imply a classification level but rather implies the need to protect the key from disclosure.
- A single cryptographic key that is used with a symmetric-key cryptographic algorithm, is uniquely associated with one or more entities, and is not made public (i.e., the key is kept secret). A symmetric key is often called a secret key. See Secret key.
- sync fabric : see document
- Any on-premises, cloud-based, or hybrid service used to store, transmit, or manage authentication keys generated by syncable authenticators that are not local to the user’s device.
- syncable authenticators : see document
- Software or hardware cryptographic authenticators that allow authentication keys to be cloned and exported to other storage in order to sync those keys to other authenticators (i.e., devices).
- Software or hardware cryptographic authenticators that allow authentication keys to be cloned and exported to other storage to sync those keys to other authenticators (i.e., devices).
- synchronization : see document
- The process of setting two or more clocks to the same time.
- Synchronization Protocols : see document
- Protocols that allow users to view, modify, and transfer/update data between a cell phone and personal computer.
- Protocols that allow users to view, modify, and transfer/update PDA data from the PC or vice-versa. The two most common synchronization protocols are: Microsoft’s ActiveSync and Palm’s HotSync.
- synchronous crypto-operation : see document
- Method of on-line cryptographic operation in which cryptographic equipment and associated terminals have timing systems to keep them in step.
- Synchronous Optical Network : see document
- synchronous training : see document
- Training in which instructors and learners are scheduled to participate together in a virtual or physical classroom-based learning environment.
- Syndrome Decoding Problem : see document
- Syntactic matching : see document
- Uses internal structures present in digital objects. For example, the structure of a TCP network packet is defined by an international standard, and matching tools can make use of this structure during network packet analysis to match the source, destination, or content of the packet. Syntax-sensitive similarity measurements are specific to a particular class of objects that share an encoding but require no interpretation of the content to produce meaningful results.
- Syntax : see document
- The rules for constructing or recognizing the acceptable sentences of a language.
- synthetic data generation : see document
- A process in which seed data are used to create artificial data that have some of the statistical characteristics of the seed data.
- A process in which seed data is used to create artificial data that has some of the statistical characteristics of the seed data.
- synthetic dataset : see document
- The absolute error divided by the unaltered query output.
- Synthetic Identifier : see document
- An identifier that is assigned to an asset in the context of some management domain.
- synthetic identity fraud : see document
- The use of a combination of personal information to fabricate a person or entity to commit a dishonest act for personal or financial gain.
- syntonization : see document
- The process of setting two or more oscillators to the same frequency.
- SysAdmin, Audit, Network, Security : see document
- Syslog : see document
- A protocol that specifies a general log entry format and a log entry transport mechanism.
- system administrator (SA) : see document
- Individual responsible for the installation and maintenance of an information system, providing effective information system utilization, adequate security parameters, and sound implementation of established Information Assurance policy and procedures.
- An FCKMS role that is responsible for the personnel, daily operation, training, maintenance, and related management of an FCKMS other than its keys. The system administrator is responsible for initially verifying individual identities, and then establishing appropriate identifiers for all personnel involved in the operation and use of the FCKMS.
- A person who manages a computer system, including its operating system and applications. A system administrator’s responsibilities are similar to that of a network administrator.
- A person who manages a computer system, including its operating system and applications. Responsibilities are similar to that of a network administrator.
- An individual, group, or organization that is responsible for setting up and maintaining a system or specific system elements, implements approved secure baseline configurations, incorporates secure configuration settings for IT products, and conducts/assists with configuration monitoring activities as needed.
- Individual or group responsible for overseeing the day-to-day operability of a computer system or network. This position normally carries special privileges including access to the protection state and software of a system.
- System and Communications Protection : see document
- System and Information Protection : see document
- System Assurance : see document
- The justified confidence that the system functions as intended and is free of exploitable vulnerabilities, either intentionally or unintentionally designed or inserted as part of the system at any time during the life cycle.
- System authority : see document
- An FCKMS role that is responsible to executive-level management (e.g., the Chief Information Officer) for the overall operation and security of an FCKMS. A system authority manages all operational FCKMS roles.
- system boundary : see document
- All components of an information system to be authorized for operation by an authorizing official and excludes separately authorized systems, to which the information system is connected.
- All components of an information system to be authorized for operation by an authorizing official. This excludes separately authorized systems to which the information system is connected.
- See Authorization Boundary.
- System Categorization : see document
- The characterization of a manufacturing system, its components, and operations, based on an assessment of the potential impact that a loss of availability, integrity, or confidentiality would have on organizational operations, organizational assets, or individuals.
- System Center Configuration Manager : see document
- system component : see document
- A discrete identifiable information or operational technology asset that represents a building block of a system and may include hardware, software, and firmware.
- A hardware, software, or firmware part or element of a larger system with well-defined inputs and outputs and a specific function.
- A hardware, software, firmware part or element of a larger PNT system with well-defined inputs and outputs and a specific function.
- Smallest selectable set of elements on which requirements may be based.
- A discrete identifiable information technology asset that represents a building block of a system and may include hardware, software, and firmware.
- See information system component.
- Discrete identifiable information technology assets that represent a building block of a system and include hardware, software, firmware, and virtual machines.
- A discrete, identifiable information technology asset (hardware, software, firmware) that represents a building block of a system. System components include commercial information technology products.
- system context : see document
- The specific system elements, boundaries, interconnections, interactions, and operational environment that define a system.
- The specific system elements, boundaries, interconnections, interactions, and environment of operation that define a system.
- System Contingency Plan : see document
- System Design Review : see document
- System Developer : see document
- An individual, group, or organization that develops hardware/software for distribution or sale.
- System Development Life Cycle (SDLC) : see document
- The scope of activities associated with a system, encompassing the system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal.
- The scope of activities associated with a system, encompassing the system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal, which instigates another system initiation.
- System Development Lifecycle : see document
- System Development Platform : see document
- system element : see document
- A hardware, software, or firmware part or element of a larger system with well-defined inputs and outputs and a specific function.
- A hardware, software, firmware part or element of a larger PNT system with well-defined inputs and outputs and a specific function.
- Smallest selectable set of elements on which requirements may be based.
- Member of a set of elements that constitute a system.
- Member of a set of elements that constitute a system.
Note 1: A system element can be a discrete component, product, service, subsystem, system, infrastructure, or enterprise.
Note 2: Each element of the system is implemented to fulfill specified requirements.
Note 3: The recursive nature of the term allows the term system to apply equally when referring to a discrete component or to a large, complex, geographically distributed system-of-systems.
Note 4: System elements are implemented by: hardware, software, and firmware that perform operations on data/information; physical structures, devices, and components in the environment of operation; and the people, processes, and procedures for operating, sustaining, and supporting the system elements.
- System Flash Memory : see document
- The non-volatile storage location of system BIOS, typically in electronically erasable programmable read-only memory (EEPROM) flash memory on the motherboard. While system flash memory is a technology-specific term, guidelines in this document referring to the system flash memory are intended to apply to any non-volatile storage medium containing the system BIOS.
- System for Cross-Domain Identity Management : see document
- system high : see document
- Highest security level supported by an information system.
- system high mode : see document
- Information systems security mode of operation wherein each user, with direct or indirect access to the information system, its peripherals, remote terminals, or remote hosts, has all of the following: 1) valid security clearance for all information within an information system; 2) formal access approval and signed nondisclosure agreements for all the information stored and/or processed (including all compartments, sub-compartments, and/or special access programs); and 3) valid need-to-know for some of the information contained within the information system.
Rationale: system high, along with other related terms, has been listed for deletion.
- System Identifier : see document
- system indicator : see document
- Symbol or group of symbols in an off-line encrypted message identifying the specific cryptosystem or key used in the encryption.
- System initialization : see document
- A function in the lifecycle of keying material; setting up and configuring a system for secure operation.
- A function in the lifecycle of a cryptographic key; setting up and configuring a system for secure operation.
- System Integrator : see document
- Those organizations that provide customized services to the acquirer, including, for example, custom development, test, operations, and maintenance.
- An organization that customizes (e.g., combines, adds, optimizes) components, systems, and corresponding processes. The integrator function can also be performed by the acquirer.
- Those organizations that provide customized services to the acquirer including custom development, test, operations, and maintenance.
- system integrity : see document
- The quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental.
- system interconnection : see document
- The direct connection of two or more information systems for the purpose of sharing data and other information resources.
- The requirements for communication or interconnection by an IT system with one or more other IT systems or networks, to share processing capability or pass data and information in support of multi-organizational or public programs.
- The direct connection of two or more IT systems for the purpose of sharing data and other information resources.
- A direct connection between two or more systems in different authorization boundaries for the purpose of exchanging information and/or allowing access to information, information services, and resources.
- system life cycle : see document
- Period that begins when a system is conceived and ends when the system is no longer available for use.
- The period of time that begins when a system is conceived and ends when the system is no longer available for use.
Refer to life cycle stages.
- system low : see document
- Lowest security level supported by an information system.
- System Management BIOS : see document
- System Management Bus : see document
- System Management Interrupt : see document
- System Management Mode (SMM) : see document
- A high-privilege operating mode found in x86-compatible processors used for low-level system management functions. System Management Mode is only entered after the system generates a System Management Interrupt and only executes code from a segregated block of memory.
- System Management Tools : see document
- system of record : see document
- A collection of records that contain information about individuals and are under the control of an agency. The records can be retrieved by the individual’s name, an identifying number, a symbol, or other identifier.
- A system of records is a group of records under the control of a Federal agency which contains a personal identifier (such as a name, date of birth, fingerprint, Social Security Number, and Employee Number) and one other item of personal data (such as home address, performance rating, and blood type) from which information is retrieved using a personal identifier.
- system of records : see document
- “A group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.”
- A group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.
- system of records notice : see document
- A notice that federal agencies publish in the Federal Register to describe their systems of records.
- The Privacy Act requires each agency to publish a notice of its systems of records in the Federal Register. This is called a System of Records Notice (SORN).
- An official public notice of an organization’s system(s) of records, as required by the Privacy Act of 1974, that identifies: (i) the purpose for the system of records; (ii) the individuals covered by information in the system of records; (iii) the categories of records maintained about individuals; and (iv) the ways in which the information is shared.
- The notice(s) published by an agency in the Federal Register upon the establishment and/or modification of a system of records describing the existence and character of the system.
- system of systems : see document
- System of interest whose system elements are themselves systems; typically, these entail large-scale interdisciplinary problems with multiple heterogeneous distributed systems.
- System of interest whose system elements are themselves systems; typically, these entail large-scale interdisciplinary problems with multiple, heterogeneous, distributed systems.
- Set of systems or system elements that interact to provide a unique capability that none of the constituent systems can accomplish on its own.
- System-of-interest whose system elements are themselves systems; typically, these entail large-scale interdisciplinary problems with multiple heterogeneous distributed systems. Note: In the system-of-systems environment, constituent systems may not have a single owner, may not be under a single authority, or may not operate within a single set of priorities.
- System-of-interest whose system elements are themselves systems; typically, these entail large-scale interdisciplinary problems with multiple, heterogeneous, distributed systems.
- System on Chip : see document
- system or device certificate : see document
- The system or device whose name appears as the subject in a certificate.
- system owner : see document
- Person or organization having responsibility for the development, procurement, integration, modification, operation, and maintenance, and/or final disposition of an information system.
- Person or organization having responsibility for the development, procurement, integration, modification, operation and maintenance, and/or final disposition of an information system.
- system owner (or program manager) : see document
- Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of a system.
- An organizational official responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of a system.
- Official responsible for the overall procurement, development, integration, modification, operation, and maintenance of a system.
- Official responsible for the procurement, development, integration, modification, operation, and maintenance of a system.
- system privacy officer : see document
- Individual with assigned responsibility for maintaining the appropriate operational privacy posture for a system or program.
- System privacy requirement : see document
- System requirements that have privacy relevance. System privacy requirements define the protection capabilities provided by the system, the performance and behavioral characteristics exhibited by the system, and the evidence used to determine that the system privacy requirements have been satisfied. Note: Each system privacy requirement is expressed in a manner that makes verification possible via analysis, observation, test, inspection, measurement, or other defined and achievable means.
- System requirements that have privacy relevance. System privacy requirements define the protection capabilities provided by the system, the performance and behavioral characteristics exhibited by the system, and the evidence used to determine that the system privacy requirements have been satisfied.
Note: Each system privacy requirement is expressed in a manner that makes verification possible via analysis, observation, test, inspection, measurement, or other defined and achievable means.
- system prompt : see document
- Application-specific instructions provided in-context to a GenAI system by the model developer or application designer. System prompts are typically prepended to other input, and may be higher-trust than other forms of input.
- System Security Authorization Agreement : see document
- System Security Engineer : see document
- system security officer : see document
- Individual with assigned responsibility for maintaining the appropriate operational security posture for an information system or program.
- Person responsible to the designated approving authority for ensuring the security of an information system throughout its lifecycle, from design through disposal.
- See system security officer (SSO).
- Individual assigned responsibility by the senior agency information security officer, authorizing official, management official, or information system owner for maintaining the appropriate operational security posture for an information system or program.
- Individual with assigned responsibility for maintaining the appropriate operational security posture for a system or program.
- system security plan : see document
- A document that describes how an organization meets or plans to meet the security requirements for a system. In particular, the system security plan describes the system boundary, the environment in which the system operates, how security requirements are implemented, and the relationships with or connections to other systems.
- A document that describes how an organization meets or plans to meet the security requirements for a system. In particular, the system security plan describes the system boundary, the environment in which the system operates, how the security requirements are satisfied, and the relationships with or connections to other systems.
- Formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.
- See System Security Plan.
- Formal document that provides an overview of the security requirements for the system and describes the security controls in place or planned for meeting those requirements.
- Formal document that provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements.
- Formal document that provides an overview of the security requirements for a system and describes the security controls in place or planned for meeting those requirements.
- A formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.
- A system document that provides an overview of the security requirements of a system and describes the controls in place to meet those requirements.
- See information system security plan.
- Formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements.
See System Security Plan or Information Security Program Plan.
- A document that describes how an organization meets the security requirements for a system or how an organization plans to meet the requirements. In particular, the system security plan describes the system boundary; the environment in which the system operates; how the security requirements are implemented; and the relationships with or connections to other systems.
- A document that describes how an organization meets the security requirements for a system or how an organization plans to meet the requirements. In particular, the system security plan describes the system boundary, the environment in which the system operates, how security requirements are implemented, and the relationships with or connections to other systems.
- Formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements.
See System Security Plan.
- system security requirement : see document
- System requirement that has security relevance. System security requirements define the protection capabilities provided by the system, the performance and behavioral characteristics exhibited by the system, and the evidence used to determine that the system security requirements have been satisfied.
- System requirements that have security relevance. System security requirements define the protection capabilities provided by the system, the performance and behavioral characteristics exhibited by the system, and the evidence used to determine that the system security requirements have been satisfied.
Note: Each system security requirement is expressed in a manner that makes verification possible via analysis, observation, test, inspection, measurement, or other defined and achievable means.
- System requirements that have security relevance. System security requirements define the protection capabilities provided by the system, the performance and behavioral characteristics exhibited by the system, and the evidence used to determine that the system security requirements have been satisfied.
Note: Each system security requirement is expressed in a manner that makes verification possible via analysis, observation, test, inspection, measurement, or other defined and achievable means.
- system service : see document
- A capability provided by a system that facilitates information processing, storage, or transmission.
- System Test : see document
- A test performed on a complete system to evaluate its compliance with specified requirements.
- system user : see document
- An individual or (system) process acting on behalf of an individual that is authorized to access a system.
- Individual, or (system) process acting on behalf of an individual, authorized to access a system.
- An individual or (system) process acting on behalf of an individual that is authorized to access information and information systems to perform assigned duties.
Note: With respect to SecCM, an information system user is an individual who uses the information system functions, initiates change requests, and assists with functional testing.
- systemic bias : see document
- A form of bias that results from rules, processes, or norms that advantage certain social groups and disadvantage others.
- system-related privacy risk : see document
- Those risks that arise from the likelihood that a given operation the system is taking when processing PII could create an adverse effect on individuals—and the potential impact on individuals.
- Risk to an individual or individuals associated with the agency’s creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of their PII. See risk.
- system-related security risk : see document
- Risk that arises through the loss of confidentiality, integrity, or availability of information or systems and that considers impacts to the organization (including assets, mission, functions, image, or reputation), individuals, other organizations, and the Nation. See risk.
- Systems and Services Acquisition : see document
- systems engineering : see document
- A transdisciplinary and integrative approach to enable the successful realization, use, and retirement of engineered systems, using systems principles and concepts, and scientific, technological, and management methods.
- An engineering discipline whose responsibility is creating and executing an interdisciplinary process to ensure that the customer and all other stakeholder needs are satisfied in a high-quality, trustworthy, cost-efficient, and schedule-compliant manner throughout a system’s entire life cycle.
- Interdisciplinary approach governing the total technical and managerial effort required to transform a set of stakeholder needs, expectations, and constraints into a solution and to support that solution throughout its life.
- Systems Engineering Body of Knowledge : see document
- Systems Management Server : see document
- systems privacy engineer : see document
- Individual assigned responsibility for conducting systems privacy engineering activities.
- systems privacy engineering : see document
- Process that captures and refines privacy requirements and ensures their integration into information technology component products and information systems through purposeful privacy design or configuration.
- systems security engineer : see document
- Individual who practices the discipline of systems security engineering, regardless of their formal title. Additionally, the term <i>systems security engineer</i> refers to multiple individuals who operate on the same team or cooperating teams.
- Individual assigned responsibility for conducting systems security engineering activities.
- Individual that performs any or all of the activities defined by the systems security engineering process, regardless of their formal title. Additionally, the term systems security engineer refers to multiple individuals operating on the same team or cooperating teams.
- systems security engineering : see document
- A transdisciplinary and integrative approach to enable the successful secure realization, use, and retirement of engineered systems using systems, security, and other principles and concepts, as well as scientific, technological, and management methods. Systems security engineering is a subdiscipline of systems engineering.
- Systems security engineering is a specialty engineering field strongly related to systems engineering. It applies scientific, engineering, and information assurance principles to deliver trustworthy systems that satisfy stakeholder requirements within their established risk tolerance.
See also information systems security engineering (ISSE).
- Process that captures and refines security requirements and ensures their integration into information technology component products and information systems through purposeful security design or configuration.
- A specialty engineering field strongly related to systems engineering. It applies scientific, engineering, and information assurance principles to deliver trustworthy systems that satisfy stakeholder requirements within their established risk tolerance.
- Systems security engineering is a specialty engineering discipline of systems engineering that applies scientific, mathematical, engineering, and measurement principles, concepts, and methods to coordinate, orchestrate, and direct the activities of various security engineering specialties and other contributing engineering specialties to provide a fully integrated, system-level perspective of system security.
- Systems Security Engineering - Capability Maturity Model : see document
- systems security officer (SSO) : see document
- See information systems security officer (ISSO).
- system-specific control : see document
- A security or privacy control for an information system that is implemented at the system level and is not inherited by any other information system.
- system-specific security control : see document
- A security control for an information system that has not been designated as a common security control or the portion of a hybrid control that is to be implemented within an information system.
- A security control for an information system that has not been designated as a common security control.
- A security control for an information system that has not been designated as a common control or the portion of a hybrid control that is to be implemented within an information system.
- A security control or privacy control for an information system that has not been designated as a common control or the portion of a hybrid control that is to be implemented within an information system.
- Systems-Theoretic Accident Model and Processes : see document
- System-Theoretic Process Analysis : see document
- T(x, l) : see document
- Truncation of the bit string x to the leftmost l bits of x, where l ≤ the length of x in bits.
- TA : see document
- Entity authorized to act as a representative of an Agency in confirming Subscriber identification during the registration process. Trusted Agents do not have automated interfaces with Certification Authorities.
- A public or symmetric key that is trusted because it is directly built into hardware or software, or securely provisioned via out-of-band means, rather than because it is vouched for by another trusted entity (e.g. in a public key certificate). A trust anchor may have name or policy constraints limiting its scope.
- A configured DNSKEY RR or DS RR hash of a DNSKEY RR. A validating DNSSEC-aware resolver uses this public key or hash as a starting point for building the authentication chain to a signed DNS response. In general, a validating resolver will need to obtain the initial values of its trust anchors via some secure or trusted means outside the DNS protocol. The presence of a trust anchor also implies that the resolver should expect the zone to which the trust anchor points to be signed. This is sometimes referred to as a “secure entry point.”
- The analysis of patterns in communications for the purpose of gaining intelligence about a system or its users. Traffic analysis does not require examination of the content of the communications, which may or may not be decipherable. For example, an adversary may be able to detect a signal from a reader that could enable it to infer that a particular activity is occurring (e.g., a shipment has arrived, someone is entering a facility) without necessarily learning an identifier or associated data.
- A public or symmetric key that is trusted because it is directly built into hardware or software, or securely provisioned via out-of-band means, rather than because it is vouched for by another trusted entity (e.g. in a public key certificate).
- Tabletop Exercise : see document
- A discussion-based exercise where personnel with roles and responsibilities in a particular IT plan meet in a classroom setting or in breakout groups to validate the content of the plan by discussing their roles during an emergency and their responses to a particular emergency situation. A facilitator initiates the discussion by presenting a scenario and asking questions based on the scenario.
- tabletop materials : see document
- Materials designed for a discussion-based exercise in which personnel with roles and responsibilities in a particular IT plan meet in a classroom setting or in breakout groups to discuss their roles during an emergency and their responses to a particular emergency situation. A facilitator initiates the discussion by presenting a scenario and asking questions based on that scenario.
- TACACS : see document
- Tactic Technique Procedure : see document
- tactical data : see document
- Information that requires protection from disclosure and modification for a limited duration as determined by the originator or information owner.
- tactical edge : see document
- The platforms, sites, and personnel (U.S. military, allied, coalition partners, first responders) operating at lethal risk in a battle space or crisis environment characterized by 1) a dependence on information systems and connectivity for survival and mission success, 2) high threats to the operational readiness of both information systems and connectivity, and 3) users who are fully engaged, highly stressed, and dependent on the availability, integrity, and transparency of their information systems.
- tactics, techniques, and procedures (TTP) : see document
- The behavior of an actor. A tactic is the highest-level description of the behavior; techniques provide a more detailed description of the behavior in the context of a tactic; and procedures provide a lower-level, highly detailed description of the behavior in the context of a technique.
- The behavior of an actor. A tactic is the highest-level description of this behavior, while techniques give a more detailed description of behavior in the context of a tactic, and procedures an even lower-level, highly detailed description in the context of a technique.
- Tag : see document
- A cryptographic checksum on data that is designed to reveal both accidental errors and the intentional modification of the data.
- An electronic device that communicates with RFID readers. A tag can function as a beacon or it can be used to convey information such as an identifier.
- Tag Identifier : see document
- Tag Talks First : see document
- An RF transaction in which the tag communicates its presence to a reader. The reader may then send commands to the tag.
- Tag-Length-Value : see document
- TAI : see document
- tailored control baseline : see document
- A set of controls resulting from the application of tailoring guidance to a control baseline. See tailoring.
- A set of controls that result from the application of tailoring guidance to a control baseline. See tailoring.
- Tailored Security Control Baseline : see document
- A set of security controls resulting from the application of tailoring guidance to the security control baseline. See Tailoring.
- A set of security controls resulting from the application of tailoring guidance to a security control baseline. See Tailoring.
- tailoring : see document
- The process by which xALs and specified controls are modified by considering impacts on privacy, usability, and customer experience of the user population; considering specific threats to the organization; identifying and designating common controls; scoping considerations on the applicability and implementation of specified controls; selecting any compensating controls; assigning specific values to organization-defined security control parameters; supplementing xAL controls with additional controls or control enhancements; and specifying additional information for control implementation.
- The process by which a security control baseline is modified based on: (i) the application of scoping guidance; (ii) the specification of compensating security controls, if needed; and (iii) the specification of organization-defined parameters in the security controls via explicit assignment and selection statements.
- The process by which security control baselines are modified by: (i) identifying and designating common controls; (ii) applying scoping considerations on the applicability and implementation of baseline controls; (iii) selecting compensating security controls; (iv) assigning specific values to organization-defined security control parameters; (v) supplementing baselines with additional security controls or control enhancements; and (vi) providing additional specification information for control implementation.
- The process by which security control baselines are modified by identifying and designating common controls; applying scoping considerations; selecting compensating controls; assigning specific values to agency-defined control parameters; supplementing baselines with additional controls or control enhancements; and providing additional specification information for control implementation. The tailoring process may also be applied to privacy controls.
- The process by which security control baselines are modified by: (i) identifying and designating common controls; (ii) applying scoping considerations on the applicability and implementation of baseline controls; (iii) selecting compensating security controls; (iv) assigning specific values to organization-defined security control parameters; (v) supplementing baselines with additional security controls or control enhancements; and (vi) providing additional specification information for control implementation.
[Note: Certain tailoring activities can also be applied to privacy controls.]
- The process by which a security control baseline is modified based on (i) the application of scoping guidance, (ii) the specification of compensating security controls, if needed, and (iii) the specification of organization-defined parameters in the security controls via explicit assignment and selection statements.
- The process by which assessment procedures defined in Special Publication 800-53A are adjusted, or scoped, to match the characteristics of the information system under assessment, providing organizations with the flexibility needed to meet specific organizational requirements and to avoid overly-constrained assessment approaches.
- Similar in concept to tailoring baselines as described in SP 800-53, a cooperative process that modifies part of a set of assessment elements by: (i) changing the scope of the assessment or risk management level, (ii) adding or eliminating assessment elements, or (iii) modifying the attributes of an assessment element.
- The process by which security control baselines are modified by: identifying and designating common controls, applying scoping considerations on the applicability and implementation of baseline controls, selecting compensating security controls, assigning specific values to organization-defined security control parameters, supplementing baselines with additional security controls or control enhancements, and providing additional specification information for control implementation.
- The process by which security and privacy control baselines are modified by identifying and designating common controls, applying scoping considerations on the applicability and implementation of baseline controls, selecting compensating controls, assigning specific values to organization-defined control parameters, supplementing baselines with additional controls or control enhancements, and providing additional specification information for control implementation.
- An element that specifies profiles to modify the behavior of a benchmark; the top-level element of a tailoring document.
- The process by which a security control baseline is modified based on:
(i) the application of scoping guidance;
(ii) the specification of compensating security controls, if needed; and
(iii) the specification of organization-defined parameters in the security controls via explicit assignment and selection statements.
- tailoring assessment procedures : see document
- The process by which assessment procedures defined in SP 800-53A are adjusted or scoped to match the characteristics of a system under assessment, providing organizations with the flexibility needed to meet specific organizational requirements and avoid overly constrained assessment approaches.
- tainting : see document
- The process of embedding covert capabilities in information, systems, or system components to allow organizations to be alerted to the exfiltration of information.
- TAL : see document
- Tamper evident : see document
- A process which makes alterations to the data easily detectable.
- Tamper resistant : see document
- A process which makes alterations to the data difficult (hard to perform), costly (expensive to perform), or both.
- tampering : see document
- An intentional but unauthorized act resulting in the modification of a system, components of systems, its intended behavior, or data.
- TAP : see document
- TAPS : see document
- Target : see document
- The set of specific IT systems or applications for which a checklist has been created.
- Target Data : see document
- The data that is ultimately to be protected (e.g., a key or other sensitive data).
- The information subject to a given process, typically including most or all information on a piece of storage media.
- The data that is to be protected (e.g., a key or other sensitive data).
- Target Identification and Analysis Techniques : see document
- Information security testing techniques, mostly active and generally conducted using automated tools, that are used to identify systems, ports, services, and potential vulnerabilities. Target identification and analysis techniques include network discovery, network port and service identification, vulnerability scanning, wireless scanning, and application security testing.
- Target Name : see document
- A single WFN that is the target of a matching process. A matching engine compares a source WFN to a target WFN to determine whether or not there is a source-to-target match. In CPE 2.2 terms, a target name is a single item in the list of known values (each N of K) and is equivalent to the N value in the CPE 2.2 Matching algorithm.
- target of evaluation (TOE) : see document
- In accordance with Common Criteria, an information system, part of a system or product, and all associated documentation, that is the subject of a security evaluation.
- Target Operational Environment : see document
- The IT product’s operational environment, such as Standalone, Managed, or Custom (with description, such as Specialized Security-Limited Functionality, Legacy, or United States Government). Generally only applicable for security compliance/vulnerability checklists.
- Target Platform : see document
- The target operating system or application on which a vendor product will be evaluated using a platform-specific validation lab test suite. These platform-specific test suites consist of specialized SCAP content used to perform the test procedures defined in this document.
- Target Profile : see document
- The desired outcome or ‘to be’ state of cybersecurity implementation.
- Target Residual Risk : see document
- The amount of risk that an entity prefers to assume in the pursuit of its strategy and business objectives, knowing that management will implement, or has implemented, direct or focused actions to alter the severity of the risk.
- Target Value : see document
- A single value that is the target of a matching process. A matching engine compares a source value to a target value to determine whether or not there is a source-to-target match. Source values include AV pairs or set relation values (e.g., superset or subset).
- Target Vulnerability Validation Techniques : see document
- Active information security testing techniques that corroborate the existence of vulnerabilities. They include password cracking, remote access testing, penetration testing, social engineering, and physical security testing.
- targeted poisoning attack : see document
- A poisoning attack that changes the prediction on a small number of targeted samples.
- Targeted security strength : see document
- The security strength that is intended to be supported by one or more implementation-related choices (such as algorithms, primitives, auxiliary functions, parameter sizes, and/or actual parameters) for the purpose of implementing a cryptographic mechanism.
- The security strength that is intended to be supported by one or more implementation-related choices (such as algorithms, primitives, auxiliary functions, parameter sizes and/or actual parameters) for the purpose of instantiating a cryptographic mechanism.
- The desired security strength for a cryptographic application. The target security strength is selected based upon the amount of security desired for the information protected by the keying material established using this Recommendation.
- task : see document
- An activity that is directed toward the achievement of organizational objectives.
- Required, recommended, or permissible action intended to contribute to the achievement of one or more outcomes of a process.
- A Task is a specific defined piece of work that, combined with other identified Tasks, composes the work in a specific specialty area or work role.
- Activities required to achieve a goal. Note that activities can be physical or cognitive.
- Required, recommended, or permissible action, intended to contribute to the achievement of one or more outcomes of a process.
- Task, Knowledge, and Skill statements : see document
- TAXII : see document
- Taxonomy : see document
- A scheme of classification.
- TB : see document
- TBC : see document
- TBS : see document
- TC : see document
- TCB : see document
- Totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination responsible for enforcing a security policy.
- TCBC : see document
- TDEA Cipher Block Chaining Mode of Operation
- TCBC-I : see document
- TDEA Cipher Block Chaining Mode of Operation - Interleaved
- TCFB : see document
- TDEA Cipher Feedback Mode of Operation
- TCFB-P : see document
- TDEA Cipher Feedback Mode of Operation - Pipelined
- TCG : see document
- TCI : see document
- TCO : see document
- TCP : see document
- TCP is one of the main protocols in TCP/IP networks. Whereas the IP protocol deals only with packets, TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees the delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.
- TCP is one of the main protocols in TCP/IP networks. Whereas the IP protocol deals only with packets, TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.
- TCP Segmentation Offload : see document
- TCP/IP : see document
- TCP/UDP : see document
- TCP-TLS : see document
- TCSEC : see document
- TD : see document
- TDEA : see document
- An approved cryptographic algorithm that specifies both the DEA cryptographic engine employed by TDEA and the TDEA algorithm itself.
- The algorithm specified in FIPS PUB 46-3 (1999), Data Encryption Algorithm.
- Triple Data Encryption Algorithm specified in FIPS 46-3
- Triple Data Encryption Algorithm; Triple DEA specified in [NIST SP 800-67].
- TDEA Key Wrap : see document
- TDES : see document
- Triple Data Encryption Standard specified in FIPS 46-3
- TDM : see document
- TDMA : see document
- TE : see document
- An event or situation that has the potential for causing undesirable consequences or impact.
- Team : see document
- A number of persons associated together in work or activity. As used in this publication, a team is a group of individuals that has been assigned by an organization’s management the responsibility and capability to carry out a defined function or set of defined functions. Designations for teams as used in this publication are simply descriptive. Different organizations may have different designations for teams that carry out the functions described herein.
- TECB : see document
- TDEA Electronic Codebook Mode of Operation
- technical community (TC) : see document
- Government/Industry/Academia partnerships formed around major technology areas to act like a standards body for the purpose of creating and maintaining Protection Profiles.
- Technical Guidelines Development Committee : see document
- Technical Implementation Guidance : see document
- Technical Information Paper : see document
- Technical Information Report : see document
- technical profile : see document
- A fully conformant subset of functionality of a protocol or standard. Technical profiles are used to enhance interoperability.
- technical reference model (TRM) : see document
- A component-driven, technical framework that categorizes the standards and technologies to support and enable the delivery of service components and capabilities.
- Technical Report : see document
- Technical Review Board : see document
- technical risk : see document
- The risk associated with the evolution of the design and the production of the system of interest affecting the level of performance necessary to meet the stakeholder expectations and technical requirements.
- technical security controls : see document
- Security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.
- technical security material : see document
- Equipment, components, devices, and associated documentation or other media which pertain to cryptography, or to the security of telecommunications and information systems.
- Technical Specification : see document
- technical surveillance countermeasures (TSCM) : see document
- Techniques to detect, neutralize, and exploit technical surveillance technologies and hazards that permit the unauthorized access to or removal of information.
- technical vulnerability information : see document
- Detailed description of a weakness to include the implementable steps (such as code) necessary to exploit that weakness.
- technique : see document
- A set or class of technologies and processes intended to achieve one or more objectives by providing capabilities to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that include cyber resources. The definition or statement of a technique describes the capabilities it provides and/or the intended consequences of using the technologies or processes it includes.
- See cyber resiliency technique.
- Technology Development : see document
- Technology Infrastructure Subcommittee : see document
- Technology Partnerships Office : see document
- Technology-Based Input Product : see document
- Manufactured components used in the organization's manufacturing process that incorporate information technology and are provided by third parties (e.g., PLCs, sensors, data collection systems, workstations, servers, etc.).
- TEE : see document
- An area or enclave protected by a system processor.
- TEI : see document
- TEK : see document
- telecommunications : see document
- The term 'telecommunications' means the transmission, between or among points specified by the user, of information of the user's choosing, without change in the form or content of the information as sent and received.
- The preparation, transmission, communication, or related processing of information (writing, images, sounds, or other data) by electrical, electromagnetic, electromechanical, electro-optical, or electronic means.
- The transmission, between or among points specified by the user, of information of the user's choosing, without change in the form or content of the information as sent and received.
- Telecommunications Industry Association. Electronic Industries Alliance : see document
- Telecommunications Security : see document
- telecommunications security (TSEC) nomenclature : see document
- The National Security Agency (NSA) system for identifying the type and purpose of certain items of COMSEC material.
- Telecommunications Service Priority : see document
- telemetry : see document
- The science of measuring a quantity or quantities, transmitting the results to a distant station, and interpreting, indicating, and/or recording the quantities measured.
- Telemetry, Tracking, and Command : see document
- Temperature Transmitter : see document
- TEMPEST : see document
- A name referring to the investigation, study, and control of unintentional compromising emanations from telecommunications and automated information systems equipment.
- TEMPEST Advisory Group : see document
- TEMPEST certified equipment or system : see document
- Equipment or systems that have been certified to meet the applicable level of NSTISSAM TEMPEST/1-92 or previous editions. Typically categorized as Level I for the highest containment of classified signals; Level II for the moderate containment of classified signals; and Level III for the least containment of classified signals.
- TEMPEST zone : see document
- Designated area within a facility where equipment with appropriate TEMPEST characteristics (TEMPEST zone assignment) may be operated.
- Template Attack : see document
- Template Generator : see document
- In the PIV context, a template generator is a software library providing facilities for the conversion of images conformant to FINGSTD to templates conformant to MINUSTD for storage on the PIV card.
- Template Matcher : see document
- In the PIV context, a matcher is a software library providing for the comparison of images conformant to FINGSTD and templates conformant to MINUSTD. The output of the matcher, a similarity score, will be the basis of an accept or reject decision.
- Temporal Key : see document
- Temporal Key Integrity Protocol : see document
- Temporal metrics : see document
- Describe the characteristics of misuse vulnerabilities that can change over time but remain constant across user environments.
- Temporal Pairwise Key : see document
- Temporary Key : see document
- Temporary Mobile Subscriber Identity : see document
- Tennessee Eastman : see document
- Terabytes : see document
- Term of Support : see document
- The length of time for which the device will be supported by the manufacturer or supporting parties for such actions and materials as part replacements, software updates, vulnerability notices, technical support questions, etc.
- Terminal Access Controller Access Control System : see document
- Terrestrial Beacon System : see document
- TESLA : see document
- Test : see document
- A type of assessment method that is characterized by the process of exercising one or more assessment objects under specified conditions to compare actual with expected behavior, the results of which are used to support the determination of security control effectiveness over time.
- An evaluation tool that uses quantifiable metrics to validate the operability of a system or system component in an operational environment specified in an IT plan.
- A type of assessment method that is characterized by the process of exercising one or more assessment objects under specified conditions to compare actual with expected behavior, the results of which are used to support the determination of security control or privacy control effectiveness over time.
- Test Access Points : see document
- Test Access Port : see document
- test action : see document
- The action to be performed based on the response to a particular question. Examples of test actions are asking another question or calculating a result.
- Test Director : see document
- A person responsible for all aspects of a test, including staffing, development, conduct, and logistics.
- Test Evidence : see document
- Test Guide : see document
- A document that outlines the basic steps involved in conducting a test and includes a list of the participants, a list of individuals and groups who might be affected by the test, and procedures for early termination of the test.
- test key : see document
- Key intended for testing of COMSEC equipment or systems. If intended for off-the-air, in-shop use, such key is called maintenance key.
- Test Plan : see document
- A document that outlines the specific steps that will be performed for a particular test, including the required logistical items and expected outcome or response for each step.
- Test Tools : see document
- A means of testing to confirm that an IT product, process, or service conforms to the requirements of a standard or standards. Examples of test tools are executable test code or reference data.
- Test, Training, and Exercise : see document
- Test, Training, and Exercise (TT&E) Event : see document
- An event used to support the maintenance of an IT plan by allowing organizations to identify problems related to an IT plan and implement solutions before an adverse situation occurs.
- Test, Training, and Exercise (TT&E) Plan : see document
- A plan that outlines the steps to be taken to ensure that personnel are trained in their IT plan roles and responsibilities, IT plans are exercised to validate their viability, and IT components or systems are tested to validate their operability in the context of an IT plan.
- Test, Training, and Exercise (TT&E) Policy : see document
- A policy that outlines an organization’s internal and external requirements associated with training personnel, exercising IT plans, and testing IT components and systems.
- Test, Training, and Exercise (TT&E) Program : see document
- A means for ensuring that personnel are trained in their IT plan roles and responsibilities; IT plans are exercised to validate their viability; and IT components or systems are tested to validate their operability.
- Test, Training, and Exercise (TT&E) Program Coordinator : see document
- A person who is responsible for developing a TT&E plan and coordinating TT&E events.
- Tested Operational Environment’s Physical Perimeter : see document
- Testing : see document
- Determination of one or more characteristics of an object of conformity assessment, according to a procedure.
- testing data control : see document
- A capability with which an attacker controls the testing data input to the machine learning model.
- TestResult : see document
- The container for XCCDF results. May be the root node of an XCCDF results document.
- Text : see document
- TF-A : see document
- TFC : see document
- TFS : see document
- TFT : see document
- TFTP : see document
- TGDC : see document
- Thales TCT : see document
- Thales Trusted Cyber Technologies : see document
- THC : see document
- The Common Rule : see document
- The Hacker’s Choice : see document
- The Ultimate Collection of Forensic Software : see document
- Thin Film Transistor : see document
- Third Extended Filesystem : see document
- Third-party Providers : see document
- Service providers, integrators, vendors, telecommunications, and infrastructure support that are external to the organization that operates the manufacturing system.
- Third-Party Relationships : see document
- Relationships with external entities. External entities may include, for example, service providers, vendors, supply-side partners, demand-side partners, alliances, consortiums, and investors, and may include both contractual and non-contractual parties.
- Third-party testing : see document
- Independent testing by an organization that was not involved in the design and implementation of the object being tested (e.g., a system or device) and is not intended as the eventual user of that object.
- Thousandth of an inch : see document
- Thread : see document
- A defined group of instructions executing apart from other similarly defined groups, but sharing memory and resources of the process to which they belong.
- Threat Agent/Source : see document
- The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability.
- The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability. Synonymous with Threat Agent.
- Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service.
- Either: (i) intent and method targeted at the intentional exploitation of a vulnerability; or (ii) a situation and method that may accidentally trigger a vulnerability.
- Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) the situation and method that may accidentally trigger a vulnerability.
- The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability. See threat agent.
- threat analysis : see document
- Formal description and evaluation of threat to a system or organization.
- Process of formally evaluating the degree of threat to an information system or enterprise and describing the nature of the threat.
- Formal description and evaluation of threat to an information system.
- The examination of threat sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment.
- Assessment to evaluate the actual or potential effect of a threat to a system.
Note: The threat assessment may include identifying and describing the nature of the threat.
- Threat Assessment/Analysis : see document
- Formal description and evaluation of threat to a system or organization.
- Process of formally evaluating the degree of threat to an information system or enterprise and describing the nature of the threat.
- Formal description and evaluation of threat to an information system.
- The examination of threat sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment.
- Assessment to evaluate the actual or potential effect of a threat to a system.
Note: The threat assessment may include identifying and describing the nature of the threat.
- threat event outcome : see document
- The effect a threat acting upon a vulnerability has on the confidentiality, integrity, and/or availability of the organization’s operations, assets, or individuals.
- threat information : see document
- Analytical insights into trends, technologies, or tactics of an adversarial nature affecting information systems security.
- Any information related to a threat that might help an organization protect itself against a threat or detect the activities of an actor. Major types of threat information include indicators, TTPs, security alerts, threat intelligence reports, and tool configurations.
- Any information related to a threat that might help an organization protect itself against the threat or detect the activities of an actor. Major types of threat information include indicators, TTPs, security alerts, threat intelligence reports, and tool configurations.
- threat intelligence : see document
- Threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes.
- Threat Intelligence Report : see document
- A prose document that describes TTPs, actors, types of systems and information being targeted, and other threat-related information.
- threat modeling : see document
- A form of risk assessment that models aspects of the attack and defense sides of a logical entity, such as a piece of data, an application, a host, a system, or an environment.
- threat monitoring : see document
- Analysis, assessment, and review of audit trails and other information collected for the purpose of searching out system events that may constitute violations of system security.
- threat scenario : see document
- A set of discrete threat events, associated with a specific threat source or multiple threat sources, partially ordered in time.
- A set of discrete threat events, associated with a specific threat source or multiple threat sources, partially ordered in time. Synonym for Threat Campaign.
- Threat Shifting : see document
- The response of actors to perceived safeguards and/or countermeasures (i.e., security controls), in which actors change some characteristic of their intent/targeting in order to avoid and/or overcome those safeguards/countermeasures.
- Response from adversaries to perceived safeguards and/or countermeasures (i.e., security controls), in which the adversaries change some characteristic of their intent to do harm in order to avoid and/or overcome those safeguards/countermeasures.
- Threat Signaling : see document
- Real-time signaling of DDoS-related telemetry and threat-handling requests and data between elements concerned with DDoS attack detection, classification, trace back, and mitigation.
- Real-time signaling of DDoS-related telemetry and threat-handling requests and data between elements concerned with DDoS attack detection, classification, traceback, and mitigation.
- three-dimensional : see document
- Three-key Triple Data Encryption Algorithm : see document
- Three-key Triple Data Encryption Algorithm specified in [NIST SP 800-67].
- Thresholds : see document
- Values used to establish concrete decision points and operational control limits to trigger management action and response escalation.
- TIA/EIA : see document
- TiB : see document
- TIC : see document
- TID : see document
- Tier 0 (central facility) (COMSEC) : see document
- The composite facility approved, managed, and operated under National Security Agency (NSA) oversight that includes:
a. National COMSEC Material Generation and Production facilities for physical and electronic keys, both traditional and modern.
b. Central Office of Record (COR) services for NSA, contractor, and select Civil Agency accounts.
c. National Distribution Authority (NDA) for U.S. accounts worldwide.
d. National Registration Authority for all non-military accounts on U.S. systems.
e. National Credential Manager for all electronic key management system (EKMS) accounts on U.S. systems.
f. EKMS Defense Courier Service (DCS) data administrator.
- Tier 1/common tier 1 (CT1) (COMSEC) : see document
- The composite of the electronic key management system (EKMS) Common Tier 1 (CT1) systems that is a tool used by the military service central offices of record (CORs) to support their accounts and by the Civil Agency CORs requesting CT1 support. The CT1 also provides generation and distribution of many types of traditional keying material for large nets. The CT1 consists of two Primary Tier 1 sites, one Extension Tier 1 site, and other Physical Material Handling Segments (PMHS) at several service sites providing the following services:
a. Common military traditional electronic keying material generation and distribution facilities.
b. Common keying material ordering interface for all types of keying material required by military accounts.
c. Registration Authority for U.S. military accounts.
d. Ordering Privilege Manager for U.S. military accounts.
e. Management for the military’s COMSEC vaults, depots, and logistics system facilities.
- Tier 2 (COMSEC) : see document
- The layer of the electronic key management system (EKMS) comprising COMSEC accounts and subaccounts managing keying material and other COMSEC material. Automated EKMS Tier 2s consist of a Service- or Agency-provided Local Management Device (LMD) running the Local COMSEC Management Software (LCMS), a Key Processor (KP), and a secure terminal equipment (STE) or other secure communication device(s).
- Tier 3 (COMSEC) : see document
- The lowest tier or layer of electronic key management system (EKMS) architecture comprising hand-receipt holders who use an electronic fill device (e.g., the Data Transfer Device (DTD), Secure DTD2000 System (SDS), Simple Key Loader (SKL)) and all other means to issue key to End Cryptographic Units (ECUs). Tier 3 elements receive keying material from Tier 2 activities by means of electronic fill devices or in canisters (for physical keying material).
- Tier I Checklist : see document
- A checklist in the National Checklist Repository that is prose-based, such as narrative descriptions of how a person can manually alter a product’s configuration.
- Tier II Checklist : see document
- A checklist in the National Checklist Repository that documents the recommended security settings in a machine-readable but non-standard format, such as a proprietary format or a product-specific configuration script.
- Tier III Checklist : see document
- A checklist in the National Checklist Repository that uses SCAP to document the recommended security settings in machine-readable standardized SCAP formats that meet the definition of “SCAP Expressed” specified in NIST SP 800-126. SCAP Validated products should be able to process Tier III checklists.
- Tier IV Checklist : see document
- A checklist in the National Checklist Repository that is considered production-ready and has been validated by NIST or a NIST-recognized authoritative entity to ensure, to the maximum extent possible, interoperability with SCAP-validated products. Tier IV checklists also demonstrate the ability to map low-level security settings (for example, standardized identifiers for individual security configuration issues) to high-level security requirements as represented in various security frameworks (e.g., SP 800-53 controls for FISMA), and the mappings have been vetted with the appropriate authority.
- tiered label : see document
- Indicates the degree to which a product has satisfied a specific standard, sometimes based on attaining increasing levels of performance against specified criteria. Tiers or grades are often represented by colors (e.g., red-yellow-green), numbers of icons (e.g., stars or security shields), or other appropriate metaphors (e.g., precious metals: gold-silver-bronze).
- TIG : see document
- time bomb : see document
- Resident computer program that triggers an unauthorized act at a predefined time.
- Time Division Multiple Access : see document
- Time Division Multiplexing : see document
- time interval : see document
- The elapsed time between two events. In time and frequency metrology, time interval is usually measured in small fractions of a second, such as milliseconds, microseconds, or nanoseconds. Higher resolution time interval measurements are often made with a time interval counter.
- time scale : see document
- An agreed upon system for keeping time. All time scales use a frequency source to define the length of the second, which is the standard unit of time interval. Seconds are then counted to measure longer units of time interval, such as minutes, hours, or days. Modern time scales, such as UTC, define the second based on an atomic property of the cesium atom, and thus standard seconds are produced by cesium oscillators. Earlier time scales (including earlier versions of Universal Time) were based on astronomical observations that measured the frequency of the Earth’s rotation.
- Time Slotted Channel Hopping : see document
- Time to Live : see document
- time-compliance date : see document
- Date by which a mandatory modification to a COMSEC end-item must be incorporated if the item is to remain approved for operational use.
- Timed Efficient Stream Loss-Tolerant Authentication : see document
- time-dependent password : see document
- Password that is valid only at a certain time of day or during a specified interval of time.
- Timestamp : see document
- A token or packet of information that is used to provide assurance of timeliness; the timestamp contains timestamped data, including a time, and a signature generated by a Trusted Timestamp Authority (TTA).
- A token of information that is used to provide assurance of timeliness; contains timestamped data, including time, and a signature generated by a Trusted Timestamp Authority (TTA).
- Timestamp Packet : see document
- A unit of information that is transmitted by a TTA that contains timestamped_data and a timestamp_signature.
- Timestamp Token : see document
- TIP : see document
- TIPC : see document
- TIR : see document
- TIS : see document
- TK : see document
- TKIP : see document
- TKIP Sequence Counter : see document
- TKS : see document
- TKW : see document
- TLC : see document
- TLD : see document
- TLP : see document
- TLS : see document
- An authentication and encryption protocol widely implemented in browsers and Web servers. HTTP traffic transmitted using TLS is known as HTTPS.
- TLS Certificate Association (Resource Record) : see document
- TLS/SSL : see document
- TLSA : see document
- TLV : see document
- TMOVS : see document
- TDEA Modes of Operation Validation System
- TMSAD : see document
- TMSH : see document
- TMSI : see document
- TNC : see document
- TOE : see document
- TOE Security Functions : see document
- TOEPP : see document
- TOFB : see document
- TDEA Output Feedback Mode of Operation
- TOFB-I : see document
- TDEA Output Feedback Mode of Operation – Interleaved
- token : see document
- Something the cardholder possesses and controls (e.g., PIV Card or derived PIV credential) that is used to authenticate the cardholder’s identity.
- An entity that facilitates authentication of other entities attached to the same LAN using a public key certificate.
- Something the claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the claimant’s identity. This was previously referred to as a token.
- See authenticator type and multi-factor authenticator.
- The means used to confirm the identity of a user, process, or device (e.g., user password or token).
- Something that the claimant possesses and controls (such as a key or password) that is used to authenticate a claim. See cryptographic token.
- Something that the Claimant possesses and controls (typically a key or password) that is used to authenticate the Claimant’s identity.
- The means used to confirm the identity of a user, processor, or device (e.g., user password or token).
- Something the claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the claimant’s identity. In previous editions of SP 800-63, this was referred to as a token.
- A portable, user-controlled, physical device (e.g., smart card or memory stick) used to store cryptographic information and possibly also perform cryptographic functions.
- Something the claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the claimant’s identity.
- Something that the claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the claimant’s identity. This was previously referred to as a token.
- Either information that is only known to the person and the verifier, or a hardware device that can generate information that the verifier knows can only come from that device.
- A physical object a user possesses and controls that is used to authenticate the user’s identity.
- A representation of a particular asset that typically relies on a blockchain or other types of distributed ledgers.
- Something that the Claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the Claimant’s identity.
- Token Factory Contract : see document
- A smart contract that defines and issues a token.
- Token Taxonomy Initiative : see document
- Tool Configuration : see document
- A recommendation for setting up and using tools that support the automated collection, exchange, processing, analysis, and use of threat information.
- Toolchain Infrastructure : see document
- Top-level Domain : see document
- Top-of-Rack : see document
- ToR : see document
- TOS : see document
- Total Cost of Ownership : see document
- Total Risk : see document
- The potential for the occurrence of an adverse event if no mitigating action is taken (i.e., the potential for any applicable threat to exploit a system vulnerability). (See Acceptable Risk, Residual Risk, and Minimum Level of Protection.)
- TPC : see document
- TPDU : see document
- TPer : see document
- TPI : see document
- TPK : see document
- TPM : see document
- TPO : see document
- TPP : see document
- The Venafi Machine Identity Protection platform used in the example implementation described in this practice guide.
- TR : see document
- traceability : see document
- Discernible association among two or more logical entities, such as requirements, system elements, verifications, or tasks.
- traceability matrix : see document
- A matrix that records the relationship between two or more products of the development process (e.g., a matrix that records the relationship between the requirements and the design of a given software component).
Note 1: A traceability matrix can record the relationship between a set of requirements and one or more products of the development process and can be used to demonstrate completeness and coverage of an activity or analysis based upon the requirements contained in the matrix.
Note 2: A traceability matrix may be conveyed as a set of matrices representing requirements at different levels of decomposition. Such a traceability matrix enables the tracing of requirements stated in their most abstract form (e.g., statement of stakeholder requirements) through decomposition steps that result in the implementation that satisfies the requirements.
- traceability, metrological : see document
- Property of a measurement result whereby the result can be related to a reference through a documented, unbroken chain of calibrations, each contributing to the measurement uncertainty.
- Traceable : see document
- Information that is sufficient to make a determination about a specific aspect of an individual's activities or status.
- tradecraft identity : see document
- An identity used for the purpose of work-related interactions that may or may not be synonymous with an individual’s true identity.
- trade-off : see document
- Decision-making actions that select from various requirements and alternative solutions on the basis of net benefit to the stakeholders.
- trade-off analysis : see document
- Determining the effect of decreasing one or more key factors and simultaneously increasing one or more other key factors in a decision, design, or project.
- traditional key : see document
- Term used to reference symmetric key wherein both ends of a link or all parties in a cryptonet have the same exact key. 256-bit advanced encryption standard (AES), high assurance internet protocol encryptor (HAIPE) pre-placed, and authenticated pre-placed key are examples of traditional key.
- traffic encryption key (TEK) : see document
- Key used to encrypt plain text or to superencrypt previously encrypted text and/or to decrypt cipher text.
- Traffic Filter : see document
- An entry in an access control list that is installed on the router or switch to enforce access controls on the network.
- Traffic Flow Confidentiality (TFC) Padding : see document
- Dummy data added to real data in order to obfuscate the length and frequency of information sent over IPsec.
- traffic flow security (TFS) : see document
- Techniques to counter Traffic Analysis.
- Traffic Light Protocol : see document
- Traffic Management Shell : see document
- traffic padding : see document
- The generation of spurious instances of communication, spurious data units, and/or spurious data within data units.
Note: May be used to disguise the amount of real data units being sent.
- Traffic Selector for the Initiator : see document
- Traffic Selector for the Responder : see document
- Training : see document
- Instruction or learning activity to enhance the employee’s capacity to perform specific job functions and tasks by focusing on skills, concepts, knowledge, and attitudes related to performing a job. It is designed to change what employees know and how they work.
- The ‘Training’ level of the learning continuum strives to produce relevant and needed security skills and competencies by practitioners of functional specialties other than IT security (e.g., management, systems design and development, acquisition, auditing).
- Teaching people the knowledge and skills that will enable them to perform their jobs more effectively.
- Informing personnel of their roles and responsibilities within a particular IT plan and teaching them skills related to those roles and responsibilities.
- Teaching people the knowledge and relevant and needed cybersecurity skills and competencies that will enable them to understand how to use and configure the IoT devices to enable them to most securely use the IoT devices.
- training data control : see document
- A capability in which an attacker controls some or all of the training data of a machine learning model.
- training data extraction : see document
- The ability of an attacker to extract the training data of a generative model by prompting the model with specific inputs.
- training key : see document
- Key intended for use for over-the-air or off-the-air training.
- training stage : see document
- The stage of a machine learning pipeline in which a model learns parameters that minimize its error against an objective function based on training data.
- tranquility : see document
- Property whereby the security level of an object cannot change while the object is being processed by an information system.
- Transaction : see document
- A discrete digital event between a user and a system that supports a business or programmatic purpose.
- A discrete event between a user and a system that supports a business or programmatic purpose.
A government digital system may have multiple categories or types of transactions, which may require separate analysis within the overall digital identity risk assessment.
- A discrete event between a user and a system that supports a business or programmatic purpose. A government digital system may have multiple categories or types of transactions, which may require separate analysis within the overall digital identity risk assessment.
- A recording of an event, such as the transfer of assets (digital currency, units of inventory, etc.) between parties, or the creation of new assets.
- A recording of an event, such as the transfer of tokens between parties, or the creation of new assets.
- Transaction fee : see document
- An amount of cryptocurrency charged to process a blockchain transaction. Given to publishing nodes to include the transaction within a block.
- Transaction Signature : see document
- transdisciplinary : see document
- Creating a unity of intellectual frameworks beyond the disciplinary perspectives.
- Transducer : see document
- A portion of an IoT device capable of interacting directly with a physical entity of interest. The two types of transducers are sensors and actuators.
- Transducer Capabilities : see document
- Capabilities that provide the ability for computing devices to interact directly with physical entities of interest. The two types of transducer capabilities are sensing and actuating.
- TRANSEC : see document
- transfer cross domain solution : see document
- A type of cross domain solution (CDS) that facilitates the movement of data between information systems operating in different security domains.
- transfer key encryption key (TrKEK) : see document
- A key used to move key from a Key Processor to a data transfer device (DTD)/secure DTD2000 system (SDS)/simple key loader (SKL).
- transfer of accountability : see document
- The process of transferring accountability for COMSEC material from the COMSEC account of the shipping organization to the COMSEC account of the receiving organization.
- transformation : see document
- The conversion of one state or format into another state or format.
- Transforming Application : see document
- An application that transforms a CBEFF Basic Data Structure from one Patron Format into another Patron Format. This can include processing of the content of the BDB, but need not. CBEFF defines rules for migrating the values in Standard Biometric Header fields.
- Transition Security Network : see document
- transmission : see document
- The state that exists when information is being electronically sent from one location to one or more other locations.
- Transmission Control Protocol/Internet Protocol : see document
- Transmission Control Protocol/User Datagram Protocol : see document
- Transmission Control Protocol-Transport Layer Security : see document
- transmission security : see document
- Measures (security controls) applied to transmissions in order to prevent interception, disruption of reception, communications deception, and/or derivation of intelligence by analysis of transmission characteristics such as signal parameters or message externals.
Note: TRANSEC is that field of COMSEC which deals with the security of communication transmissions, rather than that of the information being communicated.
- Transmitter Address : see document
- transparency : see document
- Amount of information that can be gathered about a supplier, product, or service and how far through the supply chain this information can be obtained.
- A property of openness and accountability throughout the supply chain.
- Transparent Inter-Process Communication : see document
- Transparent Secure Memory Encryption : see document
- Transparent Supply Chain : see document
- Transponder : see document
- An electronic device that communicates with RFID readers. A tag can function as a beacon or it can be used to convey information such as an identifier.
- Transport Control Protocol : see document
- Transport Layer : see document
- Layer of the TCP/IP protocol stack that is responsible for reliable connection-oriented or connectionless end-to-end communications.
- Transport Layer Security (TLS) : see document
- An authentication and security protocol that is widely implemented in browsers and web servers. TLS provides confidentiality, certificate-based authentication of the receiving (server) endpoint, and certificate-based authentication of the originating (client) endpoint. TLS is specified in [RFC8446] and [SP800-52].
- Provides privacy and data integrity between two communicating applications. It is designed to encapsulate other protocols, such as HTTP. TLS v1.0 was released in 1999, providing slight modifications to SSL 3.0.
- A security protocol providing privacy and data integrity between two communicating applications. The protocol is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol.
- Provides privacy and reliability between two communicating applications. It is designed to encapsulate other protocols, such as HTTP. SSL v3.0 was released in 1996. It has been succeeded by IETF's TLS.
- See Transport Layer Security (TLS).
- An authentication and security protocol widely implemented in browsers and web servers. TLS is defined by RFC 5246. TLS is similar to the older SSL protocol, and TLS 1.0 is effectively SSL version 3.1. NIST SP 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations, specifies how TLS is to be used in government applications.
- An authentication and security protocol that is widely implemented in browsers and web servers. TLS is defined by RFC 5246 and RFC 8446. TLS is similar to the older Secure Sockets Layer (SSL) protocol, and TLS 1.0 is effectively SSL version 3.1. [NIST SP 800-52] specifies how TLS is to be used in government applications.
- An authentication and security protocol widely implemented in browsers and web servers. TLS is defined by RFC 5246. TLS is similar to the older SSL protocol, and TLS 1.0 is effectively SSL version 3.1. NIST SP 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations [NIST SP 800-52], specifies how TLS is to be used in government applications.
- An authentication and security protocol widely implemented in browsers and web servers. TLS is defined by RFC 5246 and RFC 8446.
- An authentication and encryption protocol widely implemented in browsers and Web servers. HTTP traffic transmitted using TLS is known as HTTPS.
- An authentication and security protocol widely implemented in browsers and web servers. SSL has been superseded by the newer Transport Layer Security (TLS) protocol; TLS 1.0 is effectively SSL version 3.1.
- An authentication and security protocol widely implemented in browsers and web servers. TLS is defined by [RFC 2246], [RFC 3546], and [RFC 5246]. TLS is similar to the older Secure Sockets Layer (SSL) protocol, and TLS 1.0 is effectively SSL version 3.1. NIST SP 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations specifies how TLS is to be used in government applications.
- Transport Layer Security/Secure Sockets Layer : see document
- Transport Mode : see document
- IPsec mode that does not create a new IP header for each protected packet.
- An IPsec mode that does not create an additional IP header for each protected packet.
- Transport Protocol Data Unit : see document
- Transportation Security Administration : see document
- trap door : see document
- 1. A means of reading cryptographically protected information by the use of private knowledge of weaknesses in the cryptographic algorithm used to protect the data. See backdoor.
- 2. In cryptography, one-to-one function that is easy to compute in one direction, yet believed to be difficult to invert without special information.
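Worked example for the second sense (a one-way function with a trapdoor), added here and not part of the glossary: RSA modular exponentiation is cheap in the forward direction, while inverting it requires the private exponent d, the "special information" derived from the factorisation of n. The key is the textbook p = 61, q = 53 pair, chosen so small that the inversion-by-factoring step also runs and shows what the trapdoor is protecting against; every name and constant in the block is an assumption of this example.

```python
"""Added example: RSA as a trapdoor one-way function.

Forward direction (modular exponentiation with the public exponent) is cheap.
Inverting it needs the private exponent d, the trapdoor derived from the
factorisation of n. The toy key (p=61, q=53) is deliberately tiny so that the
"invert without the trapdoor" step also finishes; for a 2048-bit modulus that
step is infeasible, which is what makes the function one-way in practice.
"""
from math import isqrt

# Constructed textbook key: p=61, q=53 -> n=3233, phi=3120, e=17, d=2753
P, Q = 61, 53
N = P * Q
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))  # modular inverse (Python 3.8+)


def forward(m, e=E, n=N):
    """Easy direction: c = m^e mod n. Anyone holding the public key can do this."""
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def invert_with_trapdoor(c, d=D, n=N):
    """Easy only with the trapdoor d: m = c^d mod n."""
    return pow(c, d, n)


def factor_by_trial_division(n):
    """Brute-force factorisation. Cost grows with sqrt(n): instant for 3233,
    hopeless for a 617-digit modulus."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")


def invert_without_trapdoor(c, e=E, n=N):
    """Rebuild the trapdoor from the public key alone. Works here only because
    n is tiny; this is the computation the trapdoor is meant to make infeasible."""
    p, q = factor_by_trial_division(n)
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return pow(c, d, n)


if __name__ == "__main__":
    m = 65
    c = forward(m)
    print(f"forward:              {m} -> {c}")
    print(f"with trapdoor d={D}: {c} -> {invert_with_trapdoor(c)}")
    print(f"by factoring n={N}:  {c} -> {invert_without_trapdoor(c)}")
```

The forward map is a permutation of the residues modulo n, so it is one-to-one as the definition requires; the asymmetry between `forward` and `invert_without_trapdoor` is entirely the cost of `factor_by_trial_division`, which is why modulus size, not the exponentiation itself, sets the security level.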
- TRB : see document
- trigger : see document
- 1) <insider threat> A set of logic statements to be applied to a data stream that produces an alert when an anomalous incident or behavior occurs
- 2) An event that causes the system to initiate a response.
Note: Also known as triggering event.
- Triple Data Encryption Algorithm : see document
- An approved cryptographic algorithm that specifies both the DEA cryptographic engine employed by TDEA and the TDEA algorithm itself.
- The algorithm specified in FIPS PUB 46-3 –1999, Data Encryption Algorithm.
- Triple Data Encryption Algorithm specified in FIPS 46-3
- Triple Data Encryption Algorithm; Triple DEA specified in [NIST SP 800-67].
- Triple Data Encryption Algorithm Wrapping : see document
- Triple Data Encryption Standard : see document
- An implementation of the data encryption standard (DES) algorithm that uses three passes of the DES algorithm instead of one as used in ordinary DES applications. Triple DES provides much stronger encryption than ordinary DES but it is less secure than advanced encryption standard (AES).
Rationale: The terminology has been changed by NIST.
- Triple Data Encryption Standard specified in FIPS 46-3
- Tripwire Enterprise : see document
- Tripwire Log Center : see document
- Trivial File Transfer Protocol : see document
- TrKEK : see document
- TRM : see document
- TRNG : see document
- trojan : see document
- In the machine learning context, a malicious modification to a model that is difficult to detect, may appear harmless, but that can alter the intended function of the system upon a signal from an attacker to cause a malicious behavior desired by the attacker. For Trojan attacks to be effective, the trigger must be rare in the normal operating environment so that it does not affect the normal effectiveness of the AI and raise the suspicions of users. In the machine learning context, trojan may be used interchangeably with backdoor pattern.
- True Random Number Generator : see document
- trust : see document
- A belief that an entity meets certain expectations and therefore, can be relied upon.
- The willingness to take actions expecting beneficial outcomes, based on assertions by other parties.
- The confidence one element has in another, that the second element will behave as expected.
- A characteristic of an entity that indicates its ability to perform certain functions or services correctly, fairly and impartially, along with assurance that the entity and its identifier are genuine.
- An ISCM capability that ensures that untrustworthy persons are prevented from being trusted with network access (to prevent insider attacks).
- See Capability, Trust Management.
- The confidence one element has in another that the second element will behave as expected.
- Trust Agent : see document
- trust agreement : see document
- A set of conditions under which a CSP, IdP, and RP are allowed to participate in a federation transaction to establish an authentication session between the subscriber and the RP.
- trust anchor : see document
- A public or symmetric key that is trusted because it is built directly into hardware or software or securely provisioned via out-of-band means rather than because it is vouched for by another trusted entity (e.g., in a public-key certificate). A trust anchor may have name or policy constraints that limit its scope.
- A CA with one or more trusted certificates containing public keys that exist at the base of a tree of trust or as the strongest link in a chain of trust and upon which a Public Key Infrastructure is constructed.
“Trust anchor” also refers to the certificate of this CA.
- 1. An authoritative entity for which trust is assumed. In a PKI, a trust anchor is a certification authority, which is represented by a certificate that is used to verify the signature on a certificate issued by that trust-anchor. The security of the validation process depends upon the authenticity and integrity of the trust anchor's certificate. Trust anchor certificates are often distributed as self-signed certificates.
- 2. The self-signed public key certificate of a trusted CA.
- A public or symmetric key that is trusted because it is directly built into hardware or software, or securely provisioned via out-of-band means, rather than because it is vouched for by another trusted entity (e.g. in a public key certificate). A trust anchor may have name or policy constraints limiting its scope.
- A configured DNSKEY RR or DS RR hash of a DNSKEY RR. A validating DNSSEC-aware resolver uses this public key or hash as a starting point for building the authentication chain to a signed DNS response. In general, a validating resolver will need to obtain the initial values of its trust anchors via some secure or trusted means outside the DNS protocol. The presence of a trust anchor also implies that the resolver should expect the zone to which the trust anchor points to be signed. This is sometimes referred to as a “secure entry point.”
- An authoritative entity represented by a public key and associated data (see RFC 5914).
- An established point of trust (usually based on the authority of some person, office, or organization) from which an entity begins the validation of an authorized process or authorized (signed) package. A "trust anchor" is sometimes defined as just a public key used for different purposes (e.g., validating a certification authority (CA), validating a signed software package or key, validating the process (or person) loading the signed software or key).
- 1. An authoritative entity for which trust is assumed. In a PKI, a trust anchor is a certification authority, which is represented by a certificate that is used to verify the signature on a certificate issued by that trust-anchor. The security of the validation process depends upon the authenticity and integrity of the trust anchor’s certificate. Trust anchor certificates are often distributed as self-signed certificates. 2. The self-signed public key certificate of a trusted CA.
- The key of a certification authority that issues certificates or authorizes others to do so on its behalf.
- A public key and the name of a certification authority that is used to validate the first certificate in a sequence of certificates. The trust anchor’s public key is used to verify the signature on a certificate issued by a trust-anchor certification authority. The security of the validation process depends upon the authenticity and integrity of the trust anchor. Trust anchors are often distributed as self-signed certificates.
- A public or symmetric key that is trusted because it is directly built into hardware or software, or securely provisioned via out-of-band means, rather than because it is vouched for by another trusted entity (e.g. in a public key certificate).
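Worked example for the DNSSEC sense of the term above (a configured DS RR used as a secure entry point), added here and not part of the glossary: a validating resolver recomputes the DS digest over the owner name in wire format followed by the DNSKEY RDATA (RFC 4034) and accepts the key as its trust anchor only when the key tag, algorithm and digest all match the value it was provisioned with out of band. The DNSKEY bytes, the zone name and the anchor tuple are constructed for this example, not real zone data.

```python
"""Added example: matching a received DNSKEY against a configured DS trust anchor.

A DS RR stores a digest of a DNSKEY RR. The resolver never trusts a DNSKEY
because the zone served it; it trusts it because the digest agrees with the
anchor configured outside the DNS protocol. Key material here is constructed.
"""
import hashlib


def name_to_wire(name):
    """Owner name in uncompressed wire format, lower-cased as RFC 4034 requires:
    'example.' -> 0x07 'example' 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit sum with the carry folded back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """Digest field of a DS RR: SHA-256 (digest type 2) over owner name || RDATA."""
    if digest_type != 2:
        raise ValueError("only SHA-256 (digest type 2) is shown in this example")
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def matches_trust_anchor(owner, rdata, anchor):
    """anchor = (key_tag, algorithm, digest_type, digest_hex), provisioned out of
    band. True only if every field agrees, i.e. this DNSKEY is the secure entry
    point from which the authentication chain for the zone may be built."""
    tag, alg, dtype, digest = anchor
    return (key_tag(rdata) == tag
            and rdata[3] == alg
            and ds_digest(owner, rdata, dtype) == digest)


# Constructed KSK: flags 257 (ZONE|SEP), protocol 3, algorithm 8, dummy key bytes.
GOOD_KEY = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")
# A substitute key an attacker might place in a spoofed response.
ROGUE_KEY = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x05")

# In deployment this tuple comes from a trusted source outside the DNS; here it
# is derived from GOOD_KEY so the example runs stand-alone.
TRUST_ANCHOR = (key_tag(GOOD_KEY), 8, 2, ds_digest("example.", GOOD_KEY))

if __name__ == "__main__":
    print("key tag:   ", key_tag(GOOD_KEY))
    print("DS digest: ", TRUST_ANCHOR[3])
    print("good key accepted: ", matches_trust_anchor("example.", GOOD_KEY, TRUST_ANCHOR))
    print("rogue key accepted:", matches_trust_anchor("example.", ROGUE_KEY, TRUST_ANCHOR))
    print("good key, wrong zone:", matches_trust_anchor("other.", GOOD_KEY, TRUST_ANCHOR))
```

The owner name is part of the digest input, so the same key published under a different zone name does not match either; the key tag is only a fast pre-filter and is not collision-resistant, which is why the digest comparison is the check that actually matters.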
- Trust Anchor Locator : see document
- trust assumption : see document
- An assumption that characterizes how one expects a specific party to behave when given access to sensitive data.
- Trust Domain : see document
- Trust Framework : see document
- The “rules” underpinning federated identity management, typically consisting of: system, legal, conformance, and recognition.
- Trust Framework Operators : see document
- The entity responsible for the governance and administration of an identity federation.
- See Federation Administrators.
- Trust Framework Providers : see document
- The entity responsible for the governance and administration of an identity federation.
- See Federation Administrators.
- trust list : see document
- Collection of trusted certificates used by Relying Parties to authenticate other certificates.
- Trust Management : see document
- An ISCM capability that ensures that untrustworthy persons are prevented from being trusted with network access (to prevent insider attacks).
- See Capability, Trust Management.
- trust model : see document
- A collection of assumptions that characterize the trustworthiness of each component in a system.
- Trust Model for Security Automation Data : see document
- Trust Protection Platform : see document
- The Venafi Machine Identity Protection platform used in the example implementation described in this practice guide.
- trust relationship : see document
- An agreed upon relationship between two or more system elements that is governed by criteria for secure interaction, behavior, and outcomes relative to the protection of assets.
- Policies that govern how entities in differing domains honor each other’s authorizations. An authority may be completely trusted—for example, any statement from the authority will be accepted as a basis for action—or there may be limited trust, in which case only statements in a specific range are accepted.
- The access relationship that is granted by an authorized key in an account on one system (server) and a corresponding identity key in an account on another system (client). Once deployed, these two keys establish a persistent trust relationship between the two accounts/systems that enables ongoing access.
- An agreed upon relationship between two or more system elements that is governed by criteria for secure interaction, behavior, and outcomes relative to the protection of assets.
Note: This refers to trust relationships between system elements implemented by hardware, firmware, and software.
- Trusted : see document
- An element that another element relies upon to fulfill critical requirements on its behalf.
- trusted agent (TA) : see document
- 1. An individual explicitly aligned with one or more registration authority (RA) officers who has been delegated the authority to perform a portion of the RA functions. A trusted agent (TA) does not have privileged access to certification authority system (CAS) components to authorize certificate issuance, certificate revocation, or key recovery.
- 2. Entity authorized to act as a representative of an Agency in confirming Subscriber identification during the registration process. Trusted Agents do not have automated interfaces with Certification Authorities.
- Entity authorized to act as a representative of an Agency in confirming Subscriber identification during the registration process. Trusted Agents do not have automated interfaces with Certification Authorities.
- Trusted Application : see document
- Trusted association : see document
- Assurance of the integrity of an asserted relationship between items of information that may be provided by cryptographic or non-cryptographic (e.g., physical) means. Also see Binding.
- Trusted Automated eXchange of Indicator Information : see document
- Trusted boot : see document
- A system boot where aspects of the hardware and firmware are measured and compared against known good values to verify their integrity and thus their trustworthiness.
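Worked example of the measure-and-compare step described above, added here and not part of the glossary: it models how a Trusted Platform Module (defined further down this page) accumulates boot measurements in a Platform Configuration Register by extending, never overwriting, so that the final value commits to every component in order, and how a verifier compares that value with a known-good one. The component images, the golden value and the function names are constructed for this example.

```python
"""Added example: PCR-extend style measurement of a boot chain.

Each stage hashes the next component and folds the measurement into a register
with extend(): PCR = H(PCR || measurement). The register can only be extended,
so the final value depends on every component and on their order. A verifier
holding a known-good ("golden") value compares it with the reported PCR; a
changed or reordered component produces a different value.
Component images below are constructed byte strings, not real firmware.
"""
import hashlib

HASH = hashlib.sha256
PCR_INITIAL = b"\x00" * 32  # PCRs used for boot measurement start zeroed at reset


def measure(component):
    """A measurement is the digest of the component's bytes."""
    return HASH(component).digest()


def extend(pcr, measurement):
    """Extend semantics: new = H(old || measurement). One-way and order-sensitive."""
    return HASH(pcr + measurement).digest()


def boot(components):
    """Simulate the chain: each stage measures the next before handing control over.
    Returns (final_pcr, event_log); the log records one measurement per stage."""
    pcr = PCR_INITIAL
    log = []
    for name, image in components:
        m = measure(image)
        log.append((name, m.hex()))
        pcr = extend(pcr, m)
    return pcr, log


def replay_log(log):
    """A verifier recomputes the PCR from the event log alone. If the result
    differs from the reported PCR, the log (not just a component) was tampered with."""
    pcr = PCR_INITIAL
    for _name, m_hex in log:
        pcr = extend(pcr, bytes.fromhex(m_hex))
    return pcr


def verify(final_pcr, golden_pcr):
    """The integrity decision: does the measured chain equal the known-good one?"""
    return final_pcr == golden_pcr


# Constructed golden chain. In practice the golden value is recorded from a
# known-good system and held by the verifier, not computed at verification time.
GOLDEN_CHAIN = [
    ("firmware", b"UEFI firmware v1.0 (constructed)"),
    ("bootloader", b"bootloader image (constructed)"),
    ("kernel", b"kernel image (constructed)"),
]
GOLDEN_PCR, _ = boot(GOLDEN_CHAIN)

# Same chain with one byte changed in the bootloader.
TAMPERED_CHAIN = [
    ("firmware", b"UEFI firmware v1.0 (constructed)"),
    ("bootloader", b"bootloader image (Constructed)"),
    ("kernel", b"kernel image (constructed)"),
]

# Same components, different order: identical measurements, different PCR.
REORDERED_CHAIN = [GOLDEN_CHAIN[1], GOLDEN_CHAIN[0], GOLDEN_CHAIN[2]]

if __name__ == "__main__":
    for label, chain in (("golden", GOLDEN_CHAIN), ("tampered", TAMPERED_CHAIN),
                         ("reordered", REORDERED_CHAIN)):
        pcr, log = boot(chain)
        print(f"{label:9s} pcr={pcr.hex()[:16]}...  matches golden: {verify(pcr, GOLDEN_PCR)}"
              f"  log replays: {replay_log(log) == pcr}")
```

Two properties carry the security argument: the verifier can tell a reordered chain from the golden one even though the set of measurements is identical, and the event log is only evidence if replaying it reproduces the register value reported by the hardware.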
- trusted certificate : see document
- A certificate that is trusted by the relying party on the basis of secure and authenticated delivery. The public keys included in trusted certificates are used to start certification paths. Also known as a “trust anchor.”
- A certificate that is trusted by the Relying Party on the basis of secure and authenticated delivery. The public keys included in trusted certificates are used to start certification paths. Also known as a "trust anchor".
- A certificate that is trusted by the Relying Party on the basis of secure and authenticated delivery. The public keys included in trusted certificates are used to start certification paths. Also known as a “trust anchor”.
- trusted channel : see document
- A protected communication link established between the cryptographic module and a sender or receiver (including another cryptographic module) to securely communicate and verify the validity of plaintext CSPs, keys, authentication data, and other sensitive data. Also called a secure channel.
- A channel where the endpoints are known and data integrity is protected in transit. Depending on the communications protocol used, data privacy may be protected in transit. Examples include transport layer security (TLS), IP security (IPSec), and secure physical connection.
- Trusted compute pool : see document
- A physical or logical grouping of computing hardware in a data center that is tagged with specific and varying security policies. Within a trusted compute pool, the access and execution of applications and workloads are monitored, controlled, audited, etc.
- trusted computer system : see document
- A system that has the necessary security functions and assurance that the security policy will be enforced and that can process a range of information sensitivities (i.e. classified, controlled unclassified information (CUI), or unclassified public information) simultaneously.
- Trusted Computer System Evaluation Criteria : see document
- trusted computing base (TCB) : see document
- Totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination responsible for enforcing a security policy.
- Trusted Computing Group : see document
- trusted data recipient : see document
- An entity that has limited access to the data that it receives as a result of being bound by some administrative control such as a law, regulation, or data use agreement.
- Trusted Enterprise Infrastructure : see document
- Trusted Execution Environment : see document
- An area or enclave protected by a system processor.
- Trusted Execution Technology : see document
- Trusted Firmware-A : see document
- trusted foundry : see document
- Facility that produces integrated circuits with a higher level of integrity assurance.
- Trusted Identities Group : see document
- Trusted Internet Connection : see document
- Trusted Network Connect : see document
- trusted operating system : see document
- An operating system in which there exists a level of confidence (based on rigorous analysis and testing) that the security principles and mechanisms (e.g., separation, isolation, least privilege, discretionary and non-discretionary access control, trusted path, authentication, and security policy enforcement) are correctly implemented and operate as intended even in the presence of adversarial activity.
- An operating system that manages data to make sure that it cannot be altered, moved, or viewed except by entities having appropriate and authorized access rights.
- Trusted Party : see document
- A party that can be expected to keep sensitive data safe and not disclose it to others.
- A party that is trusted by its clients to generate cryptographic keys.
- A trusted party is a party that is trusted by an entity to faithfully perform certain services for that entity. An entity could be a trusted party for itself.
- A party that is trusted by an entity to faithfully perform certain services for that entity. An entity may choose to act as a trusted party for itself.
- trusted path : see document
- A mechanism by which a user (through an input device) can communicate directly with the security functions of the information system with the necessary confidence to support the system security policy. This mechanism can only be activated by the user or the security functions of the information system and cannot be imitated by untrusted software.
- A mechanism by which a user (through an input device) can communicate directly with the security functions of the system with the necessary confidence to support the system security policy. This mechanism can only be activated by the user or the security functions of the system and cannot be imitated by untrusted software.
- Trusted Peripheral : see document
- Trusted Platform Module (TPM) : see document
- A tamper-resistant integrated circuit built into some computer motherboards that can perform cryptographic operations (including key generation) and protect small amounts of sensitive information, such as passwords and cryptographic keys.
- trusted pool : see document
- A physical or logical grouping of computing hardware in a data center that is tagged with specific and varying security policies. Within a trusted compute pool, the access and execution of applications and workloads are monitored, controlled, audited, etc.
- trusted process : see document
- Process that has been tested and verified to operate only as intended.
- trusted recovery : see document
- Ability to ensure recovery without compromise after a system failure.
- trusted referee : see document
- An agent of the CSP who is trained to make risk-based decisions regarding an applicant’s identity proofing case when that applicant is unable to meet the expected requirements of a defined IAL proofing process.
- Trusted Service Identity : see document
- Trusted Third Party : see document
- An entity other than the owner and verifier that is trusted by the owner, the verifier or both to provide certain services.
- An entity other than the key pair owner and verifier that is trusted by the owner or the verifier or both. Sometimes shortened to “trusted party.”
- An entity other than the key pair owner and the verifier that is trusted by the owner, the verifier, or both. Sometimes shortened to “trusted party.”
- A third party, such as a CA, that is trusted by its clients to perform certain services. (By contrast, in a key establishment transaction, the participants, parties U and V, are considered to be the first and second parties.)
- A third party, such as a CA, that is trusted by its clients to perform certain services. (By contrast, the two participants in a key-establishment transaction are considered to be the first and second parties.)
- A third party, such as a CA, that is trusted by its clients to perform certain services. (By contrast, for example, the sender and receiver in a scheme are considered to be the first and second parties in a key-establishment transaction).
- trusted timestamp : see document
- A digitally signed assertion by a trusted authority that a specific digital object existed at a particular time.
- A timestamp that has been signed by a TTA.
- A timestamp that has been signed by a Trusted Timestamp Authority.
- Trusted Timestamp Authority (TTA) : see document
- An entity that is trusted to provide accurate time information.
- trustworthiness : see document
- The interdependent combination of attributes of a person, system, or enterprise that provides confidence to others of the qualifications, capabilities, and reliability of that entity to perform specific tasks and fulfill assigned responsibilities. The degree to which a system (including the technology components that are used to build the system) can be expected to preserve the confidentiality, integrity, and availability of the information being processed, stored, or transmitted by the system across the full range of threats.
- Worthy of being trusted to fulfill whatever critical requirements may be needed for a particular component, subsystem, system, network, application, mission, enterprise, or other entity.
- The degree to which the behavior of a component is demonstrably compliant with its stated requirements.
- The attribute of a person or enterprise that provides confidence to others of the qualifications, capabilities, and reliability of that entity to perform specific tasks and fulfill assigned responsibilities.
- Computer hardware, software and procedures that—
1) are reasonably secure from intrusion and misuse;
2) provide a reasonable level of availability, reliability, and correct operation;
3) are reasonably suited to performing their intended functions; and
4) adhere to generally accepted security procedures.
- The degree to which an information system (including the information technology components that are used to build the system) can be expected to preserve the confidentiality, integrity, and availability of the information being processed, stored, or transmitted by the system across the full range of threats. A trustworthy information system is a system that is believed to be capable of operating within defined levels of risk despite the environmental disruptions, human errors, structural failures, and purposeful attacks that are expected to occur in its environment of operation.
- Worthy of being trusted to fulfill whatever critical requirements may be needed for a particular component, subsystem, system, network, application, mission, business function, enterprise, or other entity.
- Computer hardware, software and procedures that: (1) are reasonably secure from intrusion and misuse; (2) provide a reasonable level of availability, reliability, and correct operation; (3) are reasonably suited to performing their intended functions; and (4) adhere to generally accepted security procedures.
- Worthy of being trusted to fulfill whatever critical requirements may be needed for a particular component, subsystem, system, network, application, mission, enterprise, or other entity. Note: From a privacy perspective, a trustworthy system is a system that meets specific privacy requirements in addition to meeting other critical requirements.
- Worthy of being trusted to fulfill whatever critical requirements may be needed for a particular component, subsystem, system, network, application, mission, enterprise, or other entity.
Note: From a privacy perspective, a trustworthy system is a system that meets specific privacy requirements in addition to meeting other critical requirements.
- Worthy of being trusted to fulfill whatever critical requirements may be needed.
- Security decision with respect to extended investigations to determine and confirm qualifications, and suitability to perform specific tasks and responsibilities.
- The degree to which the security behavior of a component is demonstrably compliant with its stated functionality.
- Worthy of being trusted to fulfill whatever critical requirements may be needed for a particular component, subsystem, system, network, application, mission, enterprise, or other entity.
Note: From a security perspective, a trustworthy system is a system that meets specific security requirements in addition to meeting other critical requirements.
- trustworthiness (system) : see document
- The degree to which an information system (including the information technology components that are used to build the system) can be expected to preserve the confidentiality, integrity, and availability of the information being processed, stored, or transmitted by the system across the full range of threats and individuals’ privacy.
- The degree to which an information system (including the information technology components that are used to build the system) can be expected to preserve the confidentiality, integrity, and availability of the information being processed, stored, or transmitted by the system across the full range of threats. A trustworthy information system is believed to operate within defined levels of risk despite the environmental disruptions, human errors, structural failures, and purposeful attacks that are expected to occur in its environment of operation.
- trustworthy information system : see document
- An information system that is believed to be capable of operating within defined levels of risk despite the environmental disruptions, human errors, structural failures, and purposeful attacks that are expected to occur in its environment of operation.
- TS : see document
- TSA : see document
- TSC : see document
- TSCH : see document
- TSCM : see document
- TSEC : see document
- TSEC nomenclature : see document
- The NSA system for identifying the type and purpose of certain items of COMSEC material.
- TSF : see document
- TSi : see document
- TSI : see document
- TSIG : see document
- TSIG Key : see document
- A string used to generate the message authentication hash stored in a TSIG RR and used to authenticate an entire DNS message. This is a shared-secret (HMAC) mechanism and is not the same as digitally signing a message, which involves a public-key cryptographic operation.
- TSME : see document
- TSN : see document
- TSO : see document
- TSP : see document
- TSr : see document
- TST : see document
- TT : see document
- TT&C : see document
- TT&E : see document
- TTA : see document
- An entity that is trusted to provide accurate time information.
- TTF : see document
- An RF transaction in which the tag communicates its presence to a reader. The reader may then send commands to the tag.
- TTI : see document
- TTL : see document
- TTLS : see document
- TTP : see document
- An entity other than the owner and verifier that is trusted by the owner, the verifier or both to provide certain services.
- An entity other than the key pair owner and verifier that is trusted by the owner or the verifier or both. Sometimes shortened to “trusted party.”
- TTX : see document
- A discussion-based exercise where personnel with roles and responsibilities in a particular IT plan meet in a classroom setting or in breakout groups to validate the content of the plan by discussing their roles during an emergency and their responses to a particular emergency situation. A facilitator initiates the discussion by presenting a scenario and asking questions based on the scenario.
- TUCOFS : see document
- Tunnel Mode : see document
- IPsec mode that creates a new IP header for each protected packet.
- An IPsec mode that creates an additional outer IP header for each protected packet.
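Worked example of the difference between the two IPsec modes (this entry and the Transport Mode entry earlier on the page), added here and not part of the glossary: it builds a minimal IPv4 packet, then shows the transport-mode layout, which keeps the original IP header and inserts ESP before the transport payload, beside the tunnel-mode layout, which wraps the entire original packet behind a new outer IP header addressed between the gateways. The addresses, SPIs and payload are constructed, and the ESP encryption, padding and ICV are omitted so the header arrangement stays visible.

```python
"""Added example: transport mode vs tunnel mode as they appear on the wire.

Transport mode: [orig IP hdr, proto=ESP][ESP][transport payload]
Tunnel mode:    [new outer IP hdr, proto=ESP][ESP][orig IP hdr][transport payload]

Constructed packets; ESP trailer, encryption and ICV are left out on purpose.
"""
import ipaddress
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50


def ipv4_checksum(header):
    """RFC 1071 ones-complement checksum over the IPv4 header bytes."""
    if len(header) % 2:
        header += b"\x00"
    s = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header without options, checksum filled in."""
    total = 20 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def esp_header(spi, seq):
    """ESP header: SPI(4) || sequence number(4) (RFC 4303)."""
    return struct.pack("!II", spi, seq)


def transport_mode(orig_packet, spi, seq):
    """Keep the original IP header (protocol field rewritten to ESP, length
    updated) and insert ESP between it and the transport payload. The original
    endpoints remain visible to anyone on the path."""
    ip_hdr, upper = orig_packet[:20], orig_packet[20:]
    src, dst = ip_hdr[12:16], ip_hdr[16:20]
    esp = esp_header(spi, seq) + upper
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def tunnel_mode(orig_packet, spi, seq, gw_src, gw_dst):
    """Treat the whole original packet, header included, as ESP payload and
    prepend a new outer IP header between the two security gateways."""
    esp = esp_header(spi, seq) + orig_packet
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def parse_outer(packet):
    """(src, dst, protocol) from the first IPv4 header of a packet."""
    return (str(ipaddress.IPv4Address(packet[12:16])),
            str(ipaddress.IPv4Address(packet[16:20])),
            packet[9])


# Constructed inner packet: host A -> host B with a placeholder TCP segment.
INNER = ipv4_header("10.0.1.5", "10.0.2.7", IPPROTO_TCP, 12) + b"TCP segment."

if __name__ == "__main__":
    t = transport_mode(INNER, spi=0x1000, seq=1)
    u = tunnel_mode(INNER, spi=0x2000, seq=1, gw_src="203.0.113.1", gw_dst="198.51.100.1")
    print("original: ", parse_outer(INNER), "len", len(INNER))
    print("transport:", parse_outer(t), "len", len(t))
    print("tunnel:   ", parse_outer(u), "len", len(u))
```

The length difference is the practical tell: transport mode adds only the 8-byte ESP header in this stripped-down form, while tunnel mode also carries the full inner header, which is the overhead paid for hiding the real endpoints behind the gateways.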
- Tunnel VPN : see document
- An SSL connection that allows a remote user to securely access a wide variety of protocols and applications, through a tunnel that is running under SSL, via a Web browser, generally augmented by a client application or plug-in.
- Tunneled Transport Layer Security : see document
- tunneling : see document
- Technology enabling one network to send its data via another network’s connections. Tunneling works by encapsulating a network protocol within packets carried by the second network.
- Tuple Density : see document
- Sum of t and the fraction of the covered (t+1)-tuples out of all possible (t+1)-tuples.
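Worked computation of this formula, added here and not part of the glossary: for a test set that already gives full t-way coverage, count the (t+1)-way variable-value combinations the tests actually cover against all that are possible, and add that fraction to t. The three-variable, three-test example and all names are constructed; the value domains are given explicitly rather than inferred from the tests.

```python
"""Added example: tuple density of a combinatorial test set.

tuple_density = t + (covered (t+1)-tuples) / (all possible (t+1)-tuples)
where a "(t+1)-tuple" is one choice of t+1 variables together with one value
for each of them. Test set and value domains below are constructed.
"""
from fractions import Fraction
from itertools import combinations, product


def covered_tuples(tests, domains, k):
    """Count the k-way variable/value combinations present in the test set.
    domains[i] is the set of legal values for variable i."""
    n = len(domains)
    covered = 0
    possible = 0
    for vars_ in combinations(range(n), k):
        possible += len(list(product(*(domains[v] for v in vars_))))
        seen = {tuple(test[v] for v in vars_) for test in tests}
        covered += len(seen)
    return covered, possible


def has_full_coverage(tests, domains, t):
    """True if every t-way combination of values appears in some test."""
    covered, possible = covered_tuples(tests, domains, t)
    return covered == possible


def tuple_density(tests, domains, t):
    """t plus the fraction of (t+1)-tuples covered. Requires 100% t-way coverage,
    as the definition assumes; raises otherwise so the number is not misread."""
    if not has_full_coverage(tests, domains, t):
        raise ValueError(f"test set does not provide full {t}-way coverage")
    covered, possible = covered_tuples(tests, domains, t + 1)
    return t + Fraction(covered, possible)


# Constructed example: 3 binary variables, 3 tests, full 1-way coverage.
DOMAINS = [{0, 1}, {0, 1}, {0, 1}]
TESTS = [(0, 0, 0), (1, 1, 1), (0, 1, 0)]

if __name__ == "__main__":
    c, p = covered_tuples(TESTS, DOMAINS, 2)
    print(f"2-way tuples covered: {c} of {p}")
    print(f"tuple density (t=1): {tuple_density(TESTS, DOMAINS, 1)}")
```

Here the pairs (v0,v1) and (v1,v2) each have three of four value combinations covered and (v0,v2) has two, so 8 of 12 two-way tuples are covered and the density is 1 + 8/12. The fractional part is what distinguishes two test sets that both claim "100% 1-way coverage".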
- Turing complete : see document
- A system (computer system, programming language, etc.) that can express and carry out any algorithm, regardless of its complexity, given enough time and memory.
- Tweakable Block Cipher : see document
- two-dimensional : see document
- Two-Factor Authentication : see document
- Proof of the possession of a physical or software token in combination with some memorized secret knowledge.
- Two-key Triple Data Encryption Algorithm : see document
- Two-key Triple Data Encryption Algorithm specified in [NIST SP 800-67].
- two-person control : see document
- The continuous surveillance and control of material at all times by a minimum of two authorized individuals, each capable of detecting incorrect or unauthorized procedures with respect to the task being performed and each familiar with established security requirements.
- two-person integrity : see document
- A system of storage and handling designed to prohibit individual access to certain material by requiring the presence of at least two authorized persons for the task to be performed.
- The system of storage and handling designed to prohibit individual access to certain COMSEC keying material by requiring the presence of at least two authorized persons, each capable of detecting incorrect or unauthorized security procedures with respect to the task being performed.
Note: Two-Person Control refers to the handling of Nuclear Command and Control COMSEC material while Two-Person Integrity refers only to the handling of COMSEC keying material.
- TXT : see document
- type accreditation : see document
- A form of accreditation that is used to authorize multiple instances of a major application or general support system for operation at approved locations with the same type of computing environment. In situations where a major application or general support system is installed at multiple locations, a type accreditation will satisfy Certification and Accreditation (C&A) requirements only if the application or system consists of a common set of tested and approved hardware, software, and firmware.
See type authorization.
- type authorization : see document
- An official authorization decision to employ identical copies of an information system or subsystem (including hardware, software, firmware, and/or applications) in specified environments of operation.
- type certification : see document
- The certification acceptance of replica information systems based on the comprehensive evaluation of the technical and non-technical security features of an information system and other safeguards, made as part of and in support of the formal approval process, to establish the extent to which a particular design and implementation meet a specified set of security requirements.
- Type Length Value : see document
- U : see document
- One party in a key-establishment scheme.
- U.S. Coast Guard Navigation Center : see document
- U.S. Computer Emergency Readiness Team : see document
- U.S. Department of Health, Education, and Welfare : see document
- U.S. Government : see document
- U.S. Government Configuration Baseline : see document
- U.S. Government Federal Radionavigation Plan : see document
- U.S. national interests : see document
- Matters of vital interest to the United States to include national security, public safety, national economic security, the safe and reliable functioning of “critical infrastructure”, and the availability of “key resources”.
- U.S. person : see document
- U.S. person means a person (as defined in 22 CFR 120.14) who is a lawful permanent resident as defined by 8 U.S.C. 1101(a) (20) or who is a protected individual as defined by 8 U.S.C. 1324b(a) (3). It also means any corporation, business association, partnership, society, trust, or any other entity, organization or group that is incorporated to do business in the United States. It also includes any governmental (federal, state or local) entity. It does not include any foreign person as defined in 22 CFR 120.16.
- U.S. Securities and Exchange Commission : see document
- U.S.C. : see document
- U.S.-controlled facility : see document
- A base or building, access to which is physically controlled by U.S. citizens or resident aliens who are authorized U.S. Government or U.S. Government contractor employees.
- U.S.-controlled space : see document
- A space (e.g., room or floor) within a facility other than a U.S.-controlled facility, access to which is physically controlled by U.S. citizens or resident aliens who are authorized U.S. Government or U.S. Government contractor employees. Keys or combinations to locks controlling entrance to the U.S.-controlled space must be under the exclusive control of U.S. citizens or resident aliens who are U.S. Government or U.S. Government contractor employees.
- U1 : see document
- U2F : see document
- UA : see document
- UAC : see document
- UAF : see document
- UART : see document
- UAS : see document
- UAV : see document
- UBR : see document
- UCC : see document
- UCDSMO : see document
- UCE : see document
- UCS : see document
- UDA : see document
- UDDI : see document
- UDF : see document
- UDLR : see document
- UDM : see document
- UDP : see document
- UE : see document
- UEA : see document
- UEBA : see document
- UEFI : see document
- UEFI Secure Boot : see document
- UEM : see document
- UFS : see document
- UHF : see document
- UI : see document
- The physical or logical means by which users interact with a system, device or process.
- UI/UX : see document
- UIA : see document
- UICC : see document
- An integrated circuit card that securely stores the international mobile subscriber identity (IMSI) and the related cryptographic key used to identify and authenticate subscribers on mobile devices. A UICC may be referred to as a SIM, USIM, RUIM, or CSIM, and is used interchangeably with those terms.
- UIRP : see document
- UIS : see document
- UK : see document
- UK Research and Innovation : see document
- UKAN : see document
- UKRI : see document
- UL : see document
- Ultra High Frequency : see document
- Ultraviolet : see document
- Ultrawideband : see document
- umbilical cord : see document
- The cable that connects the space vehicle to the launch pad during pre-launch to monitor the vehicle health and is disconnected or cut when the vehicle launches; enables the exchange of data with ground launch mission systems.
- UMD : see document
- UMTS : see document
- A third-generation (3G) mobile phone technology standardized by the 3GPP as the successor to GSM.
- UMTS Encryption Algorithm : see document
- UMTS Integrity Algorithm : see document
- UMTS Subscriber Identity Module (USIM) : see document
- A module similar to the SIM in GSM/GPRS networks, but with additional capabilities suited to 3G networks.
- UN/CEFACT : see document
- unattended : see document
- A facility is unattended when there is no human presence. Use of roaming guards and/or an intrusion detection system is not enough to consider a facility attended. Having a trusted individual sitting at the entrance to a vault does make the vault attended.
- unauthorized disclosure : see document
- An event involving the exposure of information to entities not authorized access to the information.
- Unbalanced Oil and Vinegar : see document
- Unbalanced Oil-Vinegar Digital Signature Scheme : see document
- Unbiased : see document
- A value that is chosen from a sample space is said to be unbiased if all potential values have the same probability of being chosen. Contrast with biased.
- A value that is chosen from a sample space is said to be unbiased if all potential values have the same probability of being chosen. (Contrast with biased.)
- Unbind : see document
- To deterministically transform a binding into its logical-form construct.
- unbounded differential privacy : see document
- A unit of privacy variant that calls two datasets <em>D</em><sub>1</sub> and <i>D</i><sub>2</sub> neighbors if it is possible to construct <i>D</i><sub>2</sub> from <i>D</i><sub>1</sub> by adding or removing one person’s data. Under unbounded differential privacy, neighboring datasets have different sizes.
- UNC : see document
- unclassified : see document
- Information that does not require safeguarding or dissemination controls pursuant to Executive Order (E.O.) 13556 (Controlled Unclassified Information) and has not been determined to require protection against unauthorized disclosure pursuant to E.O. 13526 (Classified National Security Information), or any predecessor or successor Order, or the Atomic Energy Act of 1954, as amended.
See controlled unclassified information (CUI), and classified national security information.
- Underwriters Laboratories : see document
- unencrypted key : see document
- Key that has not been encrypted in a system approved by the National Security Agency (NSA) for key encryption or encrypted key in the presence of its associated key encryption key (KEK) or transfer key encryption key (TrKEK). Encrypted key in the same fill device as its associated KEK or TrKEK is considered unencrypted. (Unencrypted key is also known as RED key).
- Unicast Reverse Path Forwarding : see document
- UniCERT Programmatic Interface : see document
- Unified Computing System : see document
- Unified Cross Domain Services Management Office : see document
- Unified Endpoint Management : see document
- Unified Extensible Firmware Interface (UEFI) : see document
- A possible replacement for the conventional BIOS that is becoming widely deployed in new x86-based computer systems. The UEFI specifications were preceded by the EFI specifications.
- Unified Threat Management : see document
- Uniform Code Council : see document
- Uniform Resource Identifier : see document
- A uniform resource identifier, or URI, is a short string containing a name or address which refers to an object in the "web."
- A compact sequence of characters that identifies an abstract or physical resource available on the Internet. The syntax used for URIs is defined in.
- Uniform Resource Locator : see document
- A uniform resource locator, or URL, is a short string containing an address which refers to an object in the "web." URLs are a subset of URIs.
- A reference to a web resource that specifies its location on a computer network and a mechanism for retrieving it. A typical URL could have the form http://www.example.com/index.html, which indicates a protocol (http), a host name (www.example.com), and a file name (index.html). Also sometimes referred to as a web address.
- A reference to a web resource that specifies its location on a computer network and a mechanism for retrieving it. A typical URL could have the form http://www.example.com/index.html, which indicates a protocol (hypertext transfer protocol [http]), a host name (www.example.com), and a file name (index.html). Also sometimes referred to as a web address.
- Uniform Resource Name : see document
- Uninstantiate : see document
- The termination of a DRBG instantiation.
- Uninterruptible Power Supply : see document
- A device with an internal battery that allows connected devices to run for at least a short time when the primary power source is lost.
- unit of privacy : see document
- The choice of definition for neighboring datasets.
- United Kingdom : see document
- United Kingdom Advocacy Network : see document
- United Nations Centre for Trade Facilitation and Electronic Business : see document
- United States Citizenship and Immigration Services : see document
- United States Code : see document
- United States Department of Agriculture : see document
- United States Government : see document
- United States government configuration baseline (USGCB) : see document
- The United States Government Configuration Baseline (USGCB) provides security configuration baselines for Information Technology products widely deployed across the federal agencies. The USGCB baseline evolved from the federal Desktop Core Configuration mandate. The USGCB is a Federal government-wide initiative that provides guidance to agencies on what should be done to improve and maintain effective configuration settings focusing primarily on security.
- United States Government Configuration Baseline (USGCB) : see document
- The United States Government Configuration Baseline (USGCB) provides security configuration baselines for Information Technology products widely deployed across the federal agencies. The USGCB baseline evolved from the federal Desktop Core Configuration mandate. The USGCB is a Federal government-wide initiative that provides guidance to agencies on what should be done to improve and maintain effective configuration settings focusing primarily on security.
- United States Government Environment : see document
- A Custom environment that contains federal government systems to be secured according to prescribed configurations as mandated by policy.
- United States Naval Observatory : see document
- United States Nuclear Regulatory Commission : see document
- Universal Asynchronous Receiver/Transmitter : see document
- Universal Authentication Framework : see document
- Universal Business Registry : see document
- Universal Data Manager : see document
- Universal Description, Discovery, and Integration (UDDI) : see document
- An XML-based lookup service for locating Web services in an Internet Topology. UDDI provides a platform-independent way of describing and discovering Web services and Web service providers. The UDDI data structures provide a framework for the description of basic service information, and an extensible mechanism to specify detailed service access information using any standard description language.
- Universal Disk Format : see document
- Universal Distributed Logical Router : see document
- Universal Integrated Circuit Card : see document
- An integrated circuit card that securely stores the international mobile subscriber identity (IMSI) and the related cryptographic key used to identify and authenticate subscribers on mobile devices. A UICC may be referred to as a SIM, USIM, RUIM, or CSIM, and is used interchangeably with those terms.
- Universal Mobile Telecommunications System (UMTS) : see document
- A third-generation (3G) mobile phone technology standardized by the 3GPP as the successor to GSM.
- A third-generation (3G) mobile phone technology standardized by the 3GPP as the successor to GSM.
- Universal Naming Convention : see document
- Universal Plug and Play : see document
- Universal Principal Name : see document
- Universal Resource Identifier : see document
- A uniform resource identifier, or URI, is a short string containing a name or address which refers to an object in the "web."
- Universal Resource Locator : see document
- A uniform resource locator, or URL, is a short string containing an address which refers to an object in the "web." URLs are a subset of URIs.
- Universal Second Factor : see document
- Universal Serial Bus (USB) : see document
- A hardware interface for low-speed peripherals such as the keyboard, mouse, joystick, scanner, printer, and telephony devices.
- Type of standard cable, connector, and protocol for connecting computers, electronic devices, and power sources.
- Universal Statistical Test : see document
- The purpose of the test is to detect whether or not the sequence can be significantly compressed without loss of information. A compressible sequence is considered to be non-random.
- Universal Subscriber Identity Module : see document
- Universally Unique Identifier : see document
- University of Maryland : see document
- University of Texas-San Antonio : see document
- UNIX Timesharing System : see document
- unkeyed : see document
- COMSEC equipment containing no key or containing key that has been protected from unauthorized use by removing the cryptographic ignition key (CIK) or deactivating the personal identification number (PIN).
- unknown inclusion re-identification probability : see document
- Unmanaged Device : see document
- A device inside the assessment boundary that is either unauthorized or, if authorized, not assigned to a person to administer.
- Unmanned Aerial Systems : see document
- Unmanned Aerial Vehicle : see document
- Unmanned Aircraft System : see document
- Unpredictable : see document
- In the context of random bit generation, an output bit is unpredictable if an adversary has only a negligible advantage (that is, essentially not much better than chance) in predicting it correctly.
- Unsigned Zone : see document
- A zone that is not signed.
- Unsolicited Commercial Email : see document
- Unspent Transaction Output : see document
- unstructured data : see document
- Data formats that often lack explicit structure that relates data to individuals, such as text, pictures, audio, and video.
- Unstructured Supplementary Service Data : see document
- unsupervised data augmentation : see document
- unsupervised learning : see document
- A type of machine learning in which a model learns based on patterns in unlabeled data, such as learning a function to cluster or group data points.
- untrusted party : see document
- A party that cannot be expected to keep sensitive data safe or refrain from disclosing it to others.
- untrusted process : see document
- Process that has not been evaluated or examined for correctness and adherence to the security policy. It may include incorrect or malicious code that attempts to circumvent the security mechanisms.
- unwrapping function : see document
- The inverse of the wrapping function.
- UOCAVA Systems : see document
- Information technology systems which support various aspects of the UOCAVA voting process.
- UOV : see document
- Update : see document
- New, improved, or fixed software, which replaces older versions of the same software. For example, updating an operating system brings it up-to-date with the latest drivers, system utilities, and security software. The software publisher often provides updates free of charge.
- New, improved, or fixed software, which replaces older versions of the same software. For example, updating an OS brings it up-to-date with the latest drivers, system utilities, and security software. Updates are often provided by the software publisher free of charge.
- A patch, upgrade, or other modification to code that corrects security and/or functionality problems in software.
- update (a certificate) : see document
- 2. The process of creating a new certificate with a new serial number that differs in one or more fields from the old certificate. The new certificate may have the same or different subject public key.
- 1. The act or process by which data items bound in an existing public key certificate, especially authorizations granted to the subject, are changed by issuing a new certificate.
- The act or process by which data items bound in an existing public key certificate, especially authorizations granted to the subject, are changed by issuing a new certificate.
- update (a key) : see document
- Automatic or manual cryptographic process that irreversibly modifies the state of a COMSEC key, equipment, device, or system.
- Update Server : see document
- A server that provides patches and other software updates to IoT devices.
- A server that provides patches and other software updates to Internet of Things devices.
- Upgrade Management System : see document
- The hardware and software used to communicate and manage the Upgrade Process. The Upgrade Management System may be included in the Network Management System.
- Upgrading : see document
- An authorized increase in the level of protection to be provided to specified information, e.g., from a Low impact-level to a Moderate impact-level.
- UPI : see document
- uplink : see document
- Communication that originates from the ground to the satellite.
- UPN : see document
- In Windows Active Directory, this is the name of a system user in email address format, i.e., a concatenation of username, the “@” symbol, and domain name.
- UPnP : see document
- UPS : see document
- A device with an internal battery that allows connected devices to run for at least a short time when the primary power source is lost.
- URI : see document
- A uniform resource identifier, or URI, is a short string containing a name or address which refers to an object in the "web."
- A compact sequence of characters that identifies an abstract or physical resource available on the Internet. The syntax used for URIs is defined in.
- URL : see document
- A uniform resource locator, or URL, is a short string containing an address which refers to an object in the "web." URLs are a subset of URIs.
- URN : see document
- uRPF : see document
- Usability : see document
- The extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency, and satisfaction in a specified context of use.
- Per ISO/IEC 9241-11: Extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency, and satisfaction in a specified context of use.
- Extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency, and satisfaction in a specified context of use.
- The extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction in a specified context of use.
- USB : see document
- Type of standard cable, connector, and protocol for connecting computers, electronic devices, and power sources.
- USC : see document
- USCIS : see document
- USDA : see document
- user : see document
- A person, team, or organization that accesses or otherwise uses an OLIR.
- A person or entity with authorized access.
- Individual or (system) process authorized to access an information system.
- A person or entity with authorized access.
- 2. An individual who is required to use COMSEC material in the performance of his/her official duties and who is responsible for safeguarding that COMSEC material. See hand receipt holder and local element.
- Individual, or (system) process acting on behalf of an individual, authorized to access an information system.
See Organizational User and Non-Organizational User.
- Individual, or (system) process acting on behalf of an individual, authorized to access a system.
- Individual, or (system) process acting on behalf of an individual, authorized to access an information system.
See Organizational User and Non-Organizational User.
- 1. Individual, or (system) process acting on behalf of an individual, authorized to access an information system.
- An individual (person), organization, device or process. Used interchangeably with “party”.
- An individual (person), organization, device or a combination thereof. “Party” is a synonym. In this Recommendation, an entity may be a functional unit that executes certain processes.
- See Information System User
- The term user refers to an individual, group, host, domain, trusted communication channel, network address/port, another network, a remote system (e.g., operations system), or a process (e.g., service or program) that accesses the network, or is accessed by it, including any entity that accesses a network support entity to perform OAM&P-related tasks. Regardless of their role, users must be required to successfully pass an identification and authentication (I&A) mechanism. For example, I&A would be required for a security or system administrator. For customers, I&A could be required for billing purposes.
For some services (e.g., Emergency Services) a customer may not need to be authenticated by the system.
- An individual (person), organization, device, or process.
- An FCKMS role that utilizes the key-management services offered by an FCKMS service provider.
- An individual (person), organization, device, or process. “Party” is a synonym.
- An individual (person), organization, device or process.
- A human (person/individual/user), organization, device or process.
- An individual (person), organization, device or process. Used interchangeably with “party.”
- Individual, or (system) process acting on behalf of an individual, authorized to access an information system.
[Note: With respect to SecCM, an information system user is an individual who uses the information system functions, initiates change requests, and assists with functional testing.]
- An individual (person). Also see Entity.
- An individual (person), organization, device, or process; used interchangeably with “party.”
- See organizational user and non-organizational user.
- Person who interacts with the product.
- A person, organization, or other entity which requests access to and uses the resources of a computer system or network.
- The entity, human or machine, that is identified by the userID, authenticated prior to system access, the subject of all access control decisions, and held accountable via the audit reporting system.
- The set of people, both trusted (e.g., administrators) and untrusted, who use the system.
- A consumer of the services offered by an RP.
- A person, device, service, network, domain, manufacturer, or other party who might interact with an IoT device.
- A person, team, or organization that accesses or otherwise uses an Online Informative Reference.
- Individual or group that interacts with a system or benefits from a system during its utilization.
- User Access Control : see document
- user activity monitoring : see document
- The technical capability to observe and record the actions and activities of an individual, at any time, on any device accessing U.S. Government information in order to detect insider threat and to support authorized investigations.
- User Agent : see document
- user agreement : see document
- A user-based agreement that is similar to rules of behavior. It specifies user responsibilities when exchanging information or accessing information or systems that contain the exchanged information. Also known as access agreement or acceptable use agreement.
- User and Entity Behavior Analytics : see document
- User Applications Software : see document
- User Configuration Set : see document
- User Datagram Protocol : see document
- User Equipment : see document
- User Execute Never : see document
- user ID : see document
- Unique symbol or character string used by an information system to identify a specific user.
- User interface : see document
- The physical or logical means by which users interact with a system, device or process.
- User Interface System : see document
- user interface/user experience : see document
- User Key : see document
- A key that is used for granting access to a user account via the SSH protocol (as opposed to a host key, which does not grant access to anything but serves to authenticate a host). Both authorized keys and identity keys are user keys. A user key is the equivalent of an access token.
- User Principal Name : see document
- In Windows Active Directory, this is the name of a system user in email address format, i.e., a concatenation of username, the “@” symbol, and domain name.
- user representative (COMSEC) : see document
- The key management entity (KME) authorized by an organization and registered by the Central Facility Finksburg (CFFB) to order asymmetric key (including secure data network system (SDNS) key and message signature key (MSK)).
- user representative (risk management) : see document
- The person that defines the system’s operational and functional requirements, and who is responsible for ensuring that user operational interests are met throughout the systems authorization process.
- user-level privacy : see document
- A unit of privacy that defines neighboring databases as those that differ in one user’s data.
- USG : see document
- USG FRP : see document
- USGCB : see document
- USIM : see document
- A module similar to the SIM in GSM/GPRS networks, but with additional capabilities suited to 3G networks.
- USNO : see document
- USSD : see document
- UTC : see document
- Utilities Telecom Council : see document
- utility : see document
- The degree to which a dataset or statistic is useful for a specific purpose.
- UTM : see document
- UTS : see document
- UTSA : see document
- UTXO : see document
- Uu : see document
- UUID : see document
- UV : see document
- UWB : see document
- UXN : see document
- V : see document
- Another party in a key-establishment scheme.
- V&V : see document
- The process of determining whether the requirements for a system or component are complete and correct, the products of each development phase fulfill the requirements or conditions imposed by the previous phase, and the final system or component complies with specified requirements.
- V2G : see document
- VA : see document
- Valid Data Element : see document
- A payload, an associated data string, or a nonce that satisfies the restrictions of the formatting function.
- valid length : see document
- A length for a plaintext or ciphertext input that is allowed for an implementation of the authenticated-encryption function or the authenticated-decryption function.
- Validate : see document
- The step in the media sanitization process flowchart which involves testing the media to ensure the information cannot be read.
- Validated ROA Payload : see document
- Validated ROA Payload contains {prefix, max length, origin AS} information from an X.509 validated ROA.
- Validating Cache : see document
- validation : see document
- Confirmation (through the provision of strong, sound, and objective evidence and demonstration) that requirements for a specific intended use or application have been fulfilled and that the system, while in use, fulfills its mission or business objectives while being able to provide adequate protection for stakeholder and mission or business assets, minimize or contain asset loss and associated consequences, and achieve its intended use in its intended operational environment with the desired level of trustworthiness.
- The process of evaluating a system or component during or at the end of the development process to determine whether it satisfies specified requirements (INCOSE).
- The process or act of confirming that a set of <em>attributes</em> are accurate and associated with a real-life identity.
- The process or act of confirming that a set of attributes are accurate and associated with a real-life identity.
- The process or act of checking and confirming that the evidence and attributes supplied by an applicant are authentic, accurate, and associated with a real-life identity.
- Confirmation (through the provision of strong, sound, objective evidence) that requirements for a specific intended use or application have been fulfilled (e.g., a trustworthy credential has been presented, or data or information has been formatted in accordance with a defined set of rules, or a specific process has demonstrated that an entity under consideration meets, in all respects, its defined attributes or requirements).
- Confirmation (through the provision of strong, sound, objective evidence) that requirements for a specific intended use or application have been fulfilled.
- The process of determining that an object or process is acceptable according to a pre-defined set of tests and the results of those tests.
- Confirmation (through the provision of strong, sound, and objective evidence and demonstration) that requirements for a specific intended use or application have been fulfilled and that the system, while in use, fulfills its mission or business objectives while being able to provide adequate protection for stakeholder and mission or business assets, minimize or contain asset loss and associated consequences, and achieve its intended use in its intended operational environment with the desired level of trustworthiness.
- The process of demonstrating that the system under consideration meets in all respects the specification of that system.
- Confirmation, through the provision of objective evidence, that the requirements for a specific intended use or application have been fulfilled.
- Validation and ID Protection : see document
- validation model : see document
- The synthetic data user is provided with some statistics computed directly on the confidential data using the same statistical formulas that were applied to the synthetic data.
- Validator : see document
- A component that validates DNSSEC signatures. Usually not a separate component but part of a DNSSEC-aware recursive server (sometimes referred to as a validating resolver or validating recursive server).
- Validity period : see document
- The period of time during which a certificate is intended to be valid; the period of time between the start date and time and end date and time in a certificate.
- Value : see document
- A named data value that can be substituted into other items’ properties or into checks.
- Value String : see document
- A value assigned to an attribute of a WFN. It must be a non-empty contiguous string of bytes encoded using printable Unicode Transformation Format-8 (UTF-8) characters with hexadecimal values between x00 and x7F.
- Value-Added Reseller : see document
- VAR : see document
- variable : see document
- A logical entity that holds a single value.
- Variable Air Volume : see document
- Variable-value configuration : see document
- For a set of t variables, a variable-value configuration is a set of t valid values, one for each of the variables.
- Variable-value configuration coverage : see document
- For a given combination of t variables, variable-value configuration coverage is the proportion of variable-value configurations that are covered by at least one test case in a test set.
- variant : see document
- One of two or more code symbols having the same plain text equivalent.
- VAV : see document
- VB : see document
- VB.NET : see document
- VBA : see document
- VBScript : see document
- VC : see document
- Vcc : see document
- vCenter Server : see document
- VCI : see document
- vCPU : see document
- vCS : see document
- VCU : see document
- VDI : see document
- VDP : see document
- VDPO : see document
- The entity with which an agency coordinates internally to resolve reported vulnerabilities.
- VDS : see document
- Vector Oblivious Linear Evaluation in the Head : see document
- vehicle : see document
- Space operational items that include the launching items used to place the satellite, bus, and/or payload into orbit.
- Vehicle Control Unit : see document
- Vehicle-To-Grid : see document
- Vendor : see document
- A commercial supplier of software or hardware.
- Vendor Evidence : see document
- Vendor Neutral Archive : see document
- Veraison : see document
- verification and validation : see document
- The process of determining whether the requirements for a system or component are complete and correct, the products of each development phase fulfill the requirements or conditions imposed by the previous phase, and the final system or component complies with specified requirements.
- verification key : see document
- The cryptographic key used to verify a signature. In asymmetric cryptography, the verification key refers to the public key of the cryptographic key pair. In symmetric cryptography, the verification key is the symmetric key.
- verification model : see document
- The synthetic data user is provided with statistics that measure the similarity of the synthetic data result to the same output computed from the confidential data.
- VERificAtIon of atteStatiON : see document
- verifier : see document
- The entity that verifies the authenticity of a digital signature using the public key of the signatory.
- The entity that verifies the authenticity of a digital signature using the public key.
- An entity that confirms the claimant’s identity by verifying the claimant’s possession and control of one or more authenticators using an authentication protocol. To do this, the verifier needs to confirm the binding of the authenticators with the subscriber account and check that the subscriber account is active.
- An entity that verifies the claimant’s identity by verifying the claimant’s possession and control of a token using an authentication protocol. To do this, the Verifier may also need to validate credentials that link the token and identity and check their status.
- The entity that verifies the authenticity of a digital signature using the public key.
- The Bluetooth device that validates the identity of the claimant during the Bluetooth connection process.
- An entity that verifies the claimant’s identity by verifying the claimant’s possession and control of one or two authenticators using an authentication protocol. To do this, the verifier may also need to validate credentials that link the authenticator(s) to the subscriber’s identifier and check their status.
- The party trying to assess the authenticity of an identity
- An entity that verifies the Claimant’s identity by verifying the Claimant’s possession and control of a token using an authentication protocol. To do this, the Verifier may also need to validate credentials that link the token and identity and check their status.
- Verifier Impersonation : see document
- Tricking individuals into disclosing sensitive personal information by claiming to be a trustworthy entity in an electronic communication (e.g., internet web sites).
- An attack in which the subscriber is lured (usually through an email) to interact with a counterfeit verifier/RP and tricked into revealing information that can be used to masquerade as that subscriber to the real verifier/RP.
- A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person.
- A scenario where the attacker impersonates the verifier in an authentication protocol, usually to capture information that can be used to masquerade as a subscriber to the real verifier. In previous editions of SP 800-63, authentication protocols that are resistant to verifier impersonation have been described as “strongly MitM resistant”.
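The relay at the heart of verifier impersonation, and the origin binding that defeats it, shown as an added example (not from the glossary or any of the source publications). The secret, origins and HMAC construction are constructed for illustration; real verifier-impersonation-resistant protocols such as WebAuthn bind a public-key signature to the RP origin, but the property being demonstrated is the same: the client, not the user, supplies the origin it actually connected to, so a response obtained through a counterfeit verifier is bound to the counterfeit's origin and the real verifier rejects it.

```python
import hashlib
import hmac
import secrets

# Constructed values for the example (not from any real deployment).
AUTHENTICATOR_SECRET = b"example-authenticator-secret-0123456789"
REAL_ORIGIN = "https://login.example.test"
COUNTERFEIT_ORIGIN = "https://login.example-test.attacker.test"


def otp_response(secret: bytes, challenge: bytes) -> bytes:
    """Challenge-response that is NOT verifier-impersonation resistant:
    the response depends only on the challenge, so anyone who can relay
    the challenge can relay a valid response."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def origin_bound_response(secret: bytes, challenge: bytes, origin: str) -> bytes:
    """Verifier-impersonation-resistant variant: the client binds the response
    to the origin it actually connected to (as WebAuthn does with the RP origin).
    The user never types the origin, so a look-alike site cannot make the
    client sign the genuine one."""
    msg = origin.encode("utf-8") + b"\x00" + challenge
    return hmac.new(secret, msg, hashlib.sha256).digest()


def real_verifier_accepts(challenge: bytes, response: bytes, origin_bound: bool) -> bool:
    """The genuine verifier recomputes the expected response using *its own*
    origin and compares in constant time."""
    if origin_bound:
        expected = origin_bound_response(AUTHENTICATOR_SECRET, challenge, REAL_ORIGIN)
    else:
        expected = otp_response(AUTHENTICATOR_SECRET, challenge)
    return hmac.compare_digest(expected, response)


def relay_attack(client_connected_to: str, origin_bound: bool) -> bool:
    """Simulate a counterfeit verifier that fetches a fresh challenge from the
    real verifier, presents it to the lured subscriber, and relays whatever the
    subscriber's client returns. True means the real verifier accepted it."""
    challenge = secrets.token_bytes(32)  # issued by the real verifier
    if origin_bound:
        response = origin_bound_response(AUTHENTICATOR_SECRET, challenge, client_connected_to)
    else:
        response = otp_response(AUTHENTICATOR_SECRET, challenge)
    return real_verifier_accepts(challenge, response, origin_bound)


if __name__ == "__main__":
    print("legitimate login, OTP-style          :", relay_attack(REAL_ORIGIN, False))
    print("relayed via counterfeit, OTP-style   :", relay_attack(COUNTERFEIT_ORIGIN, False))
    print("legitimate login, origin-bound       :", relay_attack(REAL_ORIGIN, True))
    print("relayed via counterfeit, origin-bound:", relay_attack(COUNTERFEIT_ORIGIN, True))
```

The OTP-style scheme is exactly what a phishing kit with real-time relay captures: the relayed response is indistinguishable from a legitimate one. With origin binding the relayed response is bound to `COUNTERFEIT_ORIGIN` and fails the check, which is what "verifier impersonation resistant" (formerly "strongly MitM resistant") means in practice.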
- Version Scanning : see document
- The process of identifying the service application and application version currently in use.
- Very High Frequency : see document
- Very Secure File Transfer Protocol Daemon : see document
- VHD : see document
- VHDX : see document
- VHF : see document
- Vi : see document
- VIB : see document
- view : see document
- Representation of a whole system from the perspective of a related set of concerns.
- A classification of elements in which each element is associated with exactly one item of the classification.
- viewpoint : see document
- Specification of the conventions for constructing and using a view.
- VIP : see document
- Virtual Central Processing Unit : see document
- Virtual Contact Interface : see document
- Virtual Desktop Infrastructure : see document
- Virtual Desktop Interface : see document
- Virtual Distributed Switch : see document
- Virtual Edition : see document
- Virtual eXtensible Local Area Network : see document
- Virtual Hard Drive : see document
- Virtual Link Tunnel Interconnect : see document
- Virtual Local Area Network : see document
- A broadcast domain that is partitioned and isolated within a network at the data link layer. A single physical local area network (LAN) can be logically partitioned into multiple, independent VLANs; a group of devices on one or more physical LANs can be configured to communicate within the same VLAN, as if they were attached to the same physical LAN.
- A broadcast domain that is partitioned and isolated within a network at the data link layer. A single physical local area network (LAN) can be logically partitioned into multiple, independent VLANs; a group of devices on one or more physical LANs can be configured to communicate within the same VLAN as if they were attached to the same physical LAN.
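The data-link-layer partitioning in the VLAN definitions is carried in an IEEE 802.1Q tag (TPID 0x8100, then a 16-bit TCI holding a 3-bit priority, a 1-bit drop-eligible flag and a 12-bit VLAN ID). The following is an added example, not code from the glossary's sources, that builds constructed Ethernet frames, parses single and stacked (802.1ad / QinQ, TPID 0x88A8) tags, and applies the membership rule a switch uses to keep VLANs isolated. Frame contents and port configurations are constructed.

```python
import struct

TPIDS = {0x8100: "802.1Q", 0x88A8: "802.1ad (QinQ outer)"}


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0, tpid=0x8100):
    """Construct an Ethernet frame; vid=None yields an untagged frame."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0x0FFF)
        hdr += struct.pack("!HH", tpid, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Parse dst/src, any number of stacked 802.1Q/802.1ad tags, and the EtherType."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6].hex(":"), frame[6:12].hex(":")
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in TPIDS:
            break
        if len(frame) < offset + 2:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
    return {"dst": dst, "src": src, "tags": tags,
            "ethertype": ethertype, "payload": frame[offset:]}


def ingress_vid(info, native_vid):
    """VLAN assigned on ingress: the outermost tag's VID, or the port's native
    VLAN for untagged and priority-tagged (VID 0) frames."""
    if info["tags"] and info["tags"][0]["vid"] != 0:
        return info["tags"][0]["vid"]
    return native_vid


def forwards(frame, ingress_native_vid, egress_allowed_vids):
    """Isolation rule: the frame reaches the egress port only if that port is a
    member of the VLAN assigned on ingress. VID 4095 is reserved and dropped."""
    vid = ingress_vid(parse_frame(frame), ingress_native_vid)
    if vid == 4095:
        return False
    return vid in egress_allowed_vids


if __name__ == "__main__":
    f = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"\x00" * 28, vid=100, pcp=5)
    print(parse_frame(f)["tags"], forwards(f, 1, {100, 200}), forwards(f, 1, {200}))
```

The membership check is where misconfiguration bites: a trunk port that allows every VLAN, or a native VLAN shared with user ports, lets a crafted double-tagged frame (outer tag stripped at the first switch, inner tag honoured at the next) cross a boundary the VLAN design was supposed to enforce.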
- Virtual Machine (VM) : see document
- A simulated environment created by virtualization.
- Software that allows a single host to run one or more guest operating systems.
- A software-defined complete execution stack consisting of virtualized hardware, operating system (guest OS), and applications.
- A virtual data processing system that appears to be at the disposal of a particular user but whose functions are accomplished by sharing the resources of a real data processing system.
- Virtual Machine Extensions : see document
- Virtual Machine IDentifier : see document
- Virtual machine monitor (VMM) : see document
- Virtual Machines : see document
- Virtual Mobile Infrastructure : see document
- virtual network : see document
- Virtual Network Computing : see document
- Virtual Network Interface Card : see document
- Virtual Private Cloud : see document
- virtual private network (VPN) : see document
- A restricted-use, logical (i.e., artificial or simulated) computer network that is constructed from the system resources of a relatively public, physical (i.e., real) network (such as the Internet), often by using encryption (located at hosts or gateways), and often by tunneling links of the virtual network across the real network.
- Protected information system link utilizing tunneling, security controls, and endpoint address translation giving the impression of a dedicated line.
- Protected information system link utilizing tunneling, security controls (see information assurance (IA)), and endpoint address translation giving the impression of a dedicated line.
- A virtual network built on top of existing networks that can provide a secure communications mechanism for data and IP information transmitted between networks.
- A logical network that is established at the network layer of the OSI model. The logical network typically provides authentication and data confidentiality services for some subset of a larger physical network.
- A data network that enables two or more parties to communicate securely across a public network by creating a private connection, or “tunnel,” between them.
- Virtual network built on top of existing networks that can provide a secure communications mechanism for data and IP information transmitted between networks.
- A virtual network built on top of existing physical networks that can provide a secure communications mechanism for data and IP information transmitted between networks or between different nodes on the same network.
- A tunnel that connects the teleworker’s computer to the organization’s network.
- Virtual Private Network Consortium : see document
- Virtual Private Networking : see document
- virtual reality : see document
- Virtual Router Redundancy Protocol : see document
- Virtual Smart Card : see document
- Virtual Tape Library : see document
- Virtualization : see document
- The simulation of the software and/or hardware upon which other software runs.
- A methodology for emulation or abstraction of hardware resources that enables complete execution stacks including software applications to run on it.
- The use of an abstraction layer to simulate computing hardware so that multiple operating systems can run on a single computer.
- The simulation of the software and/or hardware upon which other software runs; this simulated environment is called a virtual machine.
- Virtualized Host : see document
- The physical host on which the virtualization software such as the Hypervisor is installed. Usually, the virtualized host will contain a special hardware platform that assists virtualization - specifically Instruction Set and Memory virtualization.
- Virtualized Network Interface : see document
- virtual-led : see document
- When instruction occurs in a virtual or simulated environment and is presented or facilitated by an instructor in real time.
- Visibility : see document
- Amount of information that can be gathered about a supplier, product, or service and how far through the supply chain this information can be obtained.
- A property of openness and accountability throughout the supply chain.
- Visual : see document
- Visual Basic : see document
- Visual Basic for Applications : see document
- Visual Basic Script : see document
- Visual Basic.NET : see document
- VLAN : see document
- A broadcast domain that is partitioned and isolated within a network at the data link layer. A single physical local area network (LAN) can be logically partitioned into multiple, independent VLANs; a group of devices on one or more physical LANs can be configured to communicate within the same VLAN, as if they were attached to the same physical LAN.
- VLTi : see document
- VM : see document
- A simulated environment created by virtualization.
- Memory that loses its content when power is turned off or lost.
- Software that allows a single host to run one or more guest operating systems.
- A virtual data processing system that appears to be at the disposal of a particular user but whose functions are accomplished by sharing the resources of a real data processing system.
- VMI : see document
- VMID : see document
- VMM : see document
- VMware Validated Design : see document
- VMX : see document
- VNA : see document
- VNC : see document
- VnE : see document
- VNet : see document
- VNI : see document
- vNIC : see document
- VNID : see document
- VOA : see document
- Voice of the Adversary : see document
- voice over internet protocol (VoIP) : see document
- A term used to describe the transmission of packetized voice using the internet protocol (IP) and consists of both signaling and media protocols.
- Voice over LTE : see document
- Volatile Data : see document
- Data on a live system that is lost after a computer is powered down.
- Volatile Memory : see document
- Memory that loses its content when power is turned off or lost.
- VOLEitH : see document
- Voltage at the Common Collector : see document
- VoLTE : see document
- Volume Shadowcopy Services : see document
- Voluntary Voting Systems Guidelines : see document
- VPC : see document
- VPN : see document
- A restricted-use, logical (i.e., artificial or simulated) computer network that is constructed from the system resources of a relatively public, physical (i.e., real) network (such as the Internet), often by using encryption (located at hosts or gateways), and often by tunneling links of the virtual network across the real network.
- Protected information system link utilizing tunneling, security controls, and endpoint address translation giving the impression of a dedicated line.
- A virtual network built on top of existing networks that can provide a secure communications mechanism for data and IP information transmitted between networks.
- Virtual network built on top of existing networks that can provide a secure communications mechanism for data and IP information transmitted between networks.
- VPNC : see document
- VR : see document
- vRA : see document
- vRB : see document
- VRDX-SIG : see document
- vRealize Automation : see document
- vRealize Business for Cloud : see document
- vRealize Log Insight : see document
- vRealize Operations Manager : see document
- vRealize Orchestrator : see document
- VRF : see document
- Confirmation, through the provision of objective evidence, that specified requirements have been fulfilled (e.g., an entity’s requirements have been correctly defined, or an entity’s attributes have been correctly presented; or a procedure or function performs as intended and leads to the expected outcome).
- The process of testing the media to ensure the information cannot be read.
- Internal phase within the NVD where a second, usually more experienced, NVD Analyst verifies the work completed during the Initial Analysis.
- Process of producing objective evidence that sufficiently demonstrates that the system satisfies its security requirements and security characteristics with the level of assurance that applies to the system.
- See “Identity Verification”.
- vRLI : see document
- vRO : see document
- vROPS : see document
- VRP : see document
- Validated ROA Payload contains {prefix, max length, origin AS} information from an X.509 validated ROA.
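How a router uses a set of {prefix, max length, origin AS} VRPs is the route origin validation procedure of RFC 6811: a route is NotFound if no VRP covers its prefix, Valid if some covering VRP names its origin AS and the announced length does not exceed the VRP's max length, and Invalid otherwise. The code below is an added example, not from the glossary's sources; the VRPs and announcements are constructed from documentation address ranges and private AS numbers.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    prefix: str        # e.g. "192.0.2.0/24", as taken from a validated ROA
    max_length: int    # longest prefix length the ROA authorises
    origin_as: int     # 0 means "no AS may originate this prefix" (RFC 6483)


def validate_route(prefix: str, origin_as: int, vrps) -> str:
    """RFC 6811 route origin validation against a set of VRPs."""
    route = ipaddress.ip_network(prefix, strict=True)
    covering = []
    for v in vrps:
        net = ipaddress.ip_network(v.prefix, strict=True)
        # A VRP covers the route when the route lies inside the VRP prefix.
        if net.version == route.version and route.subnet_of(net):
            covering.append(v)
    if not covering:
        return "NotFound"
    for v in covering:
        # AS 0 in an announcement is never valid (RFC 7607), and an AS0 VRP
        # therefore only ever makes covered routes Invalid.
        if origin_as != 0 and v.origin_as == origin_as and route.prefixlen <= v.max_length:
            return "Valid"
    return "Invalid"


# Constructed VRP set, as a validating cache would hand it to a router.
VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("198.51.100.0/22", 24, 64497),
    VRP("203.0.113.0/24", 24, 0),        # AS0: nobody may originate this
    VRP("2001:db8::/32", 48, 64496),
]

if __name__ == "__main__":
    for p, a in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                 ("192.0.2.0/24", 64511), ("198.51.100.0/24", 64497),
                 ("203.0.113.0/24", 64496), ("100.64.0.0/10", 64496),
                 ("2001:db8:1::/48", 64496)]:
        print(p, a, validate_route(p, a, VRPS))
```

Two points practitioners get wrong: a /25 under a /24 VRP with max length 24 is Invalid, not NotFound, because the VRP covers it; and Invalid is only as useful as the policy attached to it, since RFC 6811 leaves the drop/deprefer decision to local configuration.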
- VRRP : see document
- VSC : see document
- vsftpd : see document
- vSphere Distributed Switch : see document
- vSphere Installation Bundle : see document
- vSphere Replication : see document
- vSphere Update Manager : see document
- VSS : see document
- VTEP : see document
- VTL : see document
- vulnerability analysis : see document
- Systematic examination of a system or product or supply chain element to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
- Formal description and evaluation of the vulnerabilities in an information system.
- Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
- See vulnerability assessment.
- Systematic examination of an information system or product to determine the adequacy of security and privacy measures, identify security and privacy deficiencies, provide data from which to predict the effectiveness of proposed security and privacy measures, and confirm the adequacy of such measures after implementation.
- Vulnerability and Exposure : see document
- vulnerability assessment : see document
- Systematic examination of a system or product or supply chain element to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
- Formal description and evaluation of the vulnerabilities in an information system.
- Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
- See vulnerability assessment.
- Systematic examination of an information system or product to determine the adequacy of security and privacy measures, identify security and privacy deficiencies, provide data from which to predict the effectiveness of proposed security and privacy measures, and confirm the adequacy of such measures after implementation.
- Vulnerability Disclosure Policy : see document
- Vulnerability Disclosure Program Office : see document
- The entity with which an agency coordinates internally to resolve reported vulnerabilities.
- Vulnerability Management : see document
- An ISCM capability that identifies vulnerabilities [Common Vulnerabilities and Exposures (CVEs)] on devices that are likely to be used by attackers to compromise a device and use it as a platform from which to extend compromise to the network.
- See Capability, Vulnerability Management.
- Vulnerability Reporting and Data eXchange SIG : see document
- vulnerability scanner : see document
- (As used in this volume) A network tool (hardware and/or software) that scans network devices to identify generally known and organization specific CVEs. It may do this based on a wide range of signature strategies.
- A tool (hardware and/or software) used to identify hosts/host attributes and associated vulnerabilities (CVEs, CWEs, and others).
- Vulnerability Scanning : see document
- A technique used to identify hosts/host attributes and associated vulnerabilities.
- VUM : see document
- VVD : see document
- VVSG : see document
- VXLAN : see document
- VXLAN Network Identifier : see document
- VXLAN Tunnel Endpoint : see document
- W3C : see document
- WAAP : see document
- WaaS : see document
- WAAS : see document
- WAF : see document
- Wallet : see document
- Software used to store and manage asymmetric-keys and addresses used for transactions.
- An application used to generate, manage, store or use private and public keys. A wallet can be implemented as a software or hardware module.
- WAN : see document
- A physical or logical network that provides data communications to a larger number of independent users than are typically served by a local area network (LAN) and that is usually spread over a larger geographic area than that of a LAN.
- wander : see document
- The long-term variations—random walk frequency noise—of the significant instants of a digital signal from their ideal position in time (where long-term implies that these variations are of frequency less than 10 Hz).
- WAP : see document
- A standard that defines the way in which Internet communications and other advanced services are provided on wireless mobile devices.
- WAP identity module : see document
- A security module implemented in the SIM that provides a trusted environment for using WAP-related applications and services on a mobile device via a WAP gateway.
- WAR : see document
- Warfighting Mission Area : see document
- warm site : see document
- An environmentally conditioned work space that is partially equipped with information systems and telecommunications equipment to support relocated operations in the event of a significant disruption.
- warning banner : see document
- The opening screen that informs users of the implications of accessing a computer resource (e.g., consent to monitor). A security banner. System use notification.
- WASM : see document
- WaSP : see document
- Watering Hole : see document
- Watering hole attacks involve attackers compromising one or more legitimate Web sites with malware in an attempt to target and infect visitors to those sites.
- watering hole attack : see document
- In a watering hole attack, the attacker compromises a site likely to be visited by a particular target group, rather than attacking the target group directly.
- A security exploit where the attacker infects websites that are frequently visited by members of the group being attacked, with a goal of infecting a computer used by one of the targeted group when they visit the infected website.
- Wavelet Scalar Quantization : see document
- WAYF : see document
- WD : see document
- WDV : see document
- weakest judgment algorithm : see document
- An inter-level judgment conflict resolution algorithm where the weakest judgment is taken as the result.
- Weapons System : see document
- A 'weapons system' is a combination of one or more weapons with all related equipment, materials, services, personnel, and means of delivery and deployment (if applicable) required for self-sufficiency.
- A combination of one or more weapons with all related equipment, materials, services, personnel, and means of delivery and deployment (if applicable) required for self-sufficiency.
- web application and API protection : see document
- Web Application Archive : see document
- Web Application Firewall : see document
- Web Application Proxy : see document
- Web Archive : see document
- Web Browser : see document
- Client software used to view Web content.
- A software program that allows a user to locate, access, and display web pages.
- web bug : see document
- Malicious code, invisible to a user, placed on web sites in such a way that it allows third parties to track use of web servers and collect information about the user, including internet protocol (IP) address, host name, browser type and version, operating system name and version, and web browser cookie.
- A tiny image, invisible to a user, placed on Web pages in such a way to enable third parties to track use of Web servers and collect information about the user, including IP address, host name, browser type and version, operating system name and version, and cookies.
- Web Ontology Language for Web Services : see document
- Web Portal : see document
- Provides a single point of entry into the SOA for requester entities, enabling them to access Web services transparently from any device at virtually any location.
- Web Proxy Auto Discovery : see document
- Web Security Appliance : see document
- Web Server : see document
- A computer that provides World Wide Web (WWW) services on the Internet. It includes the hardware, operating system, Web server software, and Web site content (Web pages). If the Web server is used internally and not by the public, it may be known as an “intranet server.”
- A computer that provides World Wide Web (WWW) services on the Internet. It includes the hardware, operating system, Web server software, and Web site content (Web pages). If the Web server is used internally and not by the public, it may be known as an “intranet server”.
- Web Server Administrator : see document
- The Web server equivalent of a system administrator. Web server administrators are system architects responsible for the overall design, implementation, and maintenance of Web servers. They may or may not be responsible for Web content, which is traditionally the responsibility of the Webmaster.
- Web Service : see document
- A software component or system designed to support interoperable machine- or application-oriented interaction over a network. A Web service has an interface described in a machine-processable format (specifically WSDL). Other systems interact with the Web service in a manner prescribed by its description using SOAP messages, typically conveyed using HTTP with an XML serialization in conjunction with other Web-related standards.
- Web Service Interoperability (WS-I) Basic Profile : see document
- A set of standards and clarifications to standards that vendors must follow for basic interoperability with SOAP products.
- Web Services : see document
- Web Services Description Language (WSDL) : see document
- An XML format for describing network services as a set of endpoints operating on messages containing either document-oriented or procedure-oriented information. WSDL complements the UDDI standard by providing a uniform way of describing the abstract interface and protocol bindings and deployment details of arbitrary network services.
- Web Services Interoperability : see document
- Web Services Security (WS-Security) : see document
- A mechanism for incorporating security information into SOAP messages. WS-Security uses binary tokens for authentication, digital signatures for integrity, and content-level encryption for confidentiality.
- Web Services Security for Java : see document
- Web Standards Project : see document
- Web3 : see document
- <p>Web3 is a restructuring of the internet that places ownership and operation into the hands of users themselves, thus changing the structure from organization-centric to user-centric.</p><p>Web3 proposes several changes to the existing web architecture:</p><ul><li>Users own their data and are responsible for their data, data security, and data privacy.</li><li>Decentralized and distributed systems are used, and users can host and run applications.</li><li>Applications and organizations request data directly from users.</li><li>Users can supply applications and organizations with actual data or verifiable credentials/verifiable presentations of their data or choose to deny applications and organizations access to their data.</li><li>Applications and organizations may offer incentives for users to provide data.</li><li>Data can be tokenized and transferred directly between users.</li><li>Application execution and transaction fees are paid for with web-native currencies (e.g., cryptocurrencies).</li><li>Users who execute application logic and maintain the state of systems can receive payment in web-native currencies (e.g., cryptocurrencies).</li></ul>
- WebAssembly : see document
- WebAssembly for Proxies : see document
- web-based training : see document
- An internet-based session that allows learners to study independently and at their own pace with video, audio, and/or interactive techniques (e.g., drag-and-drop or fill in the blank). Built-in testing and accountability features can gauge performance.
- Webmaster : see document
- A person responsible for the implementation of a Web site. Webmasters must be proficient in HTML and one or more scripting and interface languages, such as JavaScript and Perl. They may or may not be responsible for the underlying server, which is traditionally the responsibility of the Web administrator (see above).
- Website : see document
- A set of related web pages that are prepared and maintained as a collection in support of a single purpose.
- Well-formed : see document
- An SCAP-conformant data stream or stream component.
- Well-Formed CPE Name : see document
- A logical construct that constitutes an unordered list of A-V pairs that collectively describe or identify one or more operating systems, software applications, or hardware devices. Unordered means that there is no prescribed order in which A-V pairs should be listed, and there is no specified relationship (hierarchical, set-theoretic, or otherwise) among attributes. WFNs must satisfy the criteria specified in the CPE Naming specification [CPE23-N:5.2]. For a full description and usage constraints on WFN logical attribute values, see Section 5 of the CPE Naming specification [CPE23-N:5].
- WEP : see document
- Western Information Security and Privacy Research Laboratory : see document
- WFA : see document
- WG : see document
- WGS 84 : see document
- An Earth-centered, Earth-fixed terrestrial reference system and geodetic datum. WGS 84 is based on a consistent set of constants and model parameters that describe the Earth’s size, shape, gravity, and geomagnetic fields. WGS 84 is the standard U.S. Department of Defense definition of a global reference system for geospatial information and is the reference system for GPS. It is consistent with the International Terrestrial Reference System (ITRS).
- whaling : see document
- A specific kind of phishing that targets high-ranking members of organizations.
- what you see is what you get : see document
- Where Are You From? : see document
- WHISPERLAB : see document
- White Box Testing : see document
- A test methodology that assumes explicit and substantial knowledge of the internal structure and implementation detail of the assessment object. Also known as white box testing.
- See Comprehensive Testing.
- A method of testing software (also known as clear box testing, glass box testing, transparent box testing, and structural testing) that tests the internal structures or workings of an application, as opposed to its functionality (i.e., black-box testing).
- White Team : see document
- 1. The group responsible for refereeing an engagement between a Red Team of mock attackers and a Blue Team of actual defenders of their enterprise’s use of information systems. In an exercise, the White Team acts as the judges, enforces the rules of the exercise, observes the exercise, scores teams, resolves any problems that may arise, handles all requests for information or questions, and ensures that the competition runs fairly and does not cause operational problems for the defender's mission. The White Team helps to establish the rules of engagement, the metrics for assessing results and the procedures for providing operational security for the engagement. The White Team normally has responsibility for deriving lessons-learned, conducting the post engagement assessment, and promulgating results.
- 2. Can also refer to a small group of people who have prior knowledge of unannounced Red Team activities. The White Team acts as observers during the Red Team activity and ensures the scope of testing does not exceed a pre-defined threshold.
- Wide Area Augmentation System : see document
- WIDPS : see document
- WIDS : see document
- Wi-Fi : see document
- A generic term that refers to a wireless local area network that observes the IEEE 802.11 protocol.
- Wi-Fi Alliance : see document
- Wi-Fi Multimedia : see document
- Wi-Fi Protected Access : see document
- Wi-Fi Protected Access version 3 : see document
- Wi-Fi Protected Setup : see document
- WiMAX : see document
- A wireless metropolitan area network (WMAN) technology based on the IEEE 802.16 family of standards used for a variety of purposes, including, but not limited to, fixed last-mile broadband access, long-range wireless backhaul, and access layer technology for mobile wireless subscribers operating on telecommunications networks.
- WinCE : see document
- Windows as a Service : see document
- Windows CE : see document
- Windows Management Instrumentation : see document
- Windows NT File System : see document
- Windows Online Troubleshooting Service : see document
- Windows Preinstallation Environment : see document
- Windows Remote Management : see document
- Windows Scripting Host : see document
- Windows Server Update Services : see document
- WinPE : see document
- WinRM : see document
- WINS : see document
- Winternitz One-Time Signature Plus : see document
- Wiping : see document
- Overwriting media or portions of media with random or constant values to hinder the collection of data.
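Overwriting with constant or random values, followed by the read-back verification the glossary defines elsewhere as "testing the media to ensure the information cannot be read", as an added example that is not from the glossary's sources. It operates on a constructed temporary file; the pass sequence and chunk size are assumptions. Overwriting through a file system only reaches the logical blocks of that file: wear-levelled flash, remapped sectors, journals and snapshots can retain copies, which is why NIST SP 800-88 treats device-level sanitize commands, not file overwrites, as the purge method for such media.

```python
import os
import tempfile

CHUNK = 64 * 1024


def _fill(pattern, n):
    """n bytes of a repeating constant pattern, or n random bytes when pattern is None."""
    if pattern is None:
        return os.urandom(n)
    return (pattern * (n // len(pattern) + 1))[:n]


def wipe_file(path, passes=(None, b"\x00")):
    """Overwrite every byte of the file once per pass, in order, forcing each
    pass to storage with fsync. Returns the number of bytes overwritten per pass.
    Default: one random pass, then a constant pass that verification can check."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(_fill(pattern, n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def verify_wiped(path, last_pattern, original_fragment):
    """Read the media back: the original content must be absent, and if the
    last pass was a constant pattern the whole file must read back as it."""
    with open(path, "rb") as f:
        data = f.read()
    if original_fragment in data:
        return False
    if last_pattern is None:
        return True  # random last pass: can only check for absence
    return data == _fill(last_pattern, len(data))


def demo():
    """Constructed run: a temp file holding a recognisable secret, wiped and verified."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "media.bin")
    with open(path, "wb") as f:
        f.write(b"SECRET-DATA " * 10_000)
    size = wipe_file(path)
    ok = verify_wiped(path, b"\x00", b"SECRET")
    os.remove(path)
    os.rmdir(d)
    return {"bytes_per_pass": size, "verified": ok}


if __name__ == "__main__":
    print(demo())
```

The verification step is deliberately separate from the wipe and reads through the same path an attacker would; a wipe that cannot be verified by read-back (encrypted containers, remote storage) needs a different sanitization strategy, typically destroying the key.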
- Wireless : see document
- wireless access point (WAP) : see document
- A device that allows wireless devices to connect to a wired network using Wi-Fi or related standards.
- wireless application protocol (WAP) : see document
- A standard that defines the way in which Internet communications and other advanced services are provided on wireless mobile devices.
- Wireless Fidelity (WiFi) : see document
- A term describing a wireless local area network that observes the IEEE 802.11 protocol.
- A generic term that refers to a wireless local area network that observes the IEEE 802.11 protocol.
- Wireless Intrusion Detection and Prevention System : see document
- wireless intrusion detection system (WIDS) : see document
- A commercial wireless technology that assists designated personnel with the monitoring of specific parts of the radio frequency (RF) spectrum to identify unauthorized wireless transmissions and/or activities.
- Wireless LAN Controller : see document
- Wireless Local Area Network (WLAN) : see document
- A group of wireless access points and associated infrastructure within a limited geographic area, such as an office building or building campus, that is capable of radio communications. WLANs are usually implemented as extensions of existing wired LANs to provide enhanced user mobility.
- A group of wireless APs and associated infrastructure within a limited geographic area, such as an office building or building campus, that is capable of radio communications. WLANs are usually implemented as extensions of existing wired LANs to provide enhanced user mobility.
- Wireless Markup Language : see document
- A stripped-down version of HTML that allows mobile devices to access Web sites and pages that have been converted from HTML to the more basic text format it supports.
- Wireless Metropolitan Area Network : see document
- Wireless Network Management : see document
- Wireless Personal Area Network (WPAN) : see document
- A small-scale wireless network that requires little or no infrastructure and operates within a short range. A WPAN is typically used by a few devices in a single room instead of connecting the devices with cables.
- Wireless Personal Area Networks : see document
- wireless power transfer : see document
- wireless technology : see document
- Technology that permits the transfer of information between separated points without physical connection.
Note: Current wireless technologies use infrared, acoustic, radio frequency, and optical transmission.
- Technology that permits the transfer of information between separated points without physical connection. Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth.
- Technology that permits the transfer of information between separated points without physical connection.
- Wireless Vulnerabilities and Exploits : see document
- Wireless Wide Area Network : see document
- witness : see document
- An appropriately cleared (if applicable) and designated individual, other than the COMSEC Account Manager, who observes and testifies to the inventory or destruction of COMSEC material.
- WLAN : see document
- WLC : see document
- WLM : see document
- WLS : see document
- WMA : see document
- WMAN : see document
- WMI : see document
- WMM : see document
- WNM : see document
- Word : see document
- A group of 32 bits that is treated either as a single entity or as an array of 4 bytes.
- A predefined substring consisting of a fixed pattern/template (e.g., 010, 0110).
- work factor : see document
- Estimate of the effort or time needed by a potential perpetrator, with specified expertise and resources, to overcome a protective measure.
- Work Role : see document
- A way of describing a grouping of work for which someone is responsible or accountable.
- A grouping of work for which an individual or team is responsible or accountable.
- A grouping of work for which someone is responsible or accountable. Not synonymous with a job title or occupation, though they may coincide, depending on the organization. For example, the work role of “software developer” may apply to those with varying job titles, such as software engineers, coders, and application developers. Conversely, multiple roles could be combined to create a particular job. This additive approach supports improved modularity and illustrates the fact that all learners in the workforce perform numerous tasks in various roles, regardless of their job titles.
- workcraft identity : see document
- Synonymous with tradecraft identity.
- Workflow Management System : see document
- A computerized information system that is responsible for scheduling and synchronizing the various tasks within the workflow, in accordance with specified task dependencies, and for sending each task to the respective processing entity (e.g., Web server or database server). The data resources that a task uses are called work items.
- Working Draft : see document
- working folder : see document
- The Windows folder that contains all the ISCMAx assessment files to be merged into an organizational assessment.
- Working Group : see document
- Working State : see document
- A subset of the internal state that is used by a DRBG mechanism to produce pseudorandom bits at a given point in time. The working state (and thus, the internal state) is updated to the next state prior to producing another string of pseudorandom bits.
- Workload Management : see document
- Workload Service : see document
- World Geodetic System 1984 : see document
- An Earth-centered, Earth-fixed terrestrial reference system and geodetic datum. WGS 84 is based on a consistent set of constants and model parameters that describe the Earth’s size, shape, gravity, and geomagnetic fields. WGS 84 is the standard U.S. Department of Defense definition of a global reference system for geospatial information and is the reference system for GPS. It is consistent with the International Terrestrial Reference System (ITRS).
- World Institute of Nuclear Security : see document
- World Wide Web : see document
- World Wide Web Consortium : see document
- World Wide Web Publishing Service : see document
- Worldwide Interoperability for Microwave Access : see document
- A wireless metropolitan area network (WMAN) technology based on the IEEE 802.16 family of standards used for a variety of purposes, including, but not limited to, fixed last-mile broadband access, long-range wireless backhaul, and access layer technology for mobile wireless subscribers operating on telecommunications networks.
- World-Wide Name : see document
- WORM Disk Volume : see document
- WOTS : see document
- WOTS+ : see document
- WPA : see document
- WPA2 : see document
- WPA3 : see document
- WPAD : see document
- WPAN : see document
- WPANs : see document
- WPS : see document
- WPT : see document
- Wrapped keying material : see document
- Keying material that has been encrypted and its integrity protected using an approved key wrapping algorithm and a key wrapping key in order to disguise the value of the underlying plaintext key.
- wrapping function : see document
- The keyed, length-preserving permutation that is applied to an enlarged form of the plaintext within the authenticated-encryption function to produce the ciphertext.
- Write : see document
- A fundamental operation of an information system that results only in the flow of information from an actor to storage media.
- Write Once, Read Many : see document
- Write-Once Read Many.
Also see CD-R.
- Write Protection : see document
- Hardware or software methods of preventing data from being written to a disk or other medium.
- Write-Blocker : see document
- A device that allows investigators to examine media while preventing data writes from occurring on the subject media.
- A tool that prevents all computer storage media connected to a computer from being written to or modified.
- WS : see document
- A computer used for tasks such as programming, engineering, and design.
- WSA : see document
- WSDL : see document
- WSH : see document
- WS-I : see document
- WSQ : see document
- WSS4J : see document
- WSUS : see document
- WSVC : see document
- WVE : see document
- WWAN : see document
- WWN : see document
- WWW : see document
- WYSIWYG : see document
- x × y : see document
- X.509 certificate : see document
- The X.509 public-key certificate or the X.509 attribute certificate, as defined by the ISO/ITU-T X.509 standard. Most commonly (including in this document), an X.509 certificate refers to the X.509 public-key certificate.
- Public key certificates that contain three nested elements: 1) the tamper-evident envelope (digitally signed by the source), 2) the basic certificate content (e.g., identifying information and public key), and 3) extensions that contain optional certificate information.
- X.509 public key certificate : see document
- The public key for a user (or device) and a name for the user (or device), together with some other information, rendered unforgeable by the digital signature of the certification authority that issued the certificate, encoded in the format defined in the ISO/ITU-T X.509 standard.
Also known as X.509 Certificate.
- A digital certificate containing a public key for an entity and a name for that entity, together with some other information that is rendered un-forgeable by the digital signature of the certification authority that issued the certificate, encoded in the format defined in the ISO/ITU-T X.509 standard.
- A digital certificate containing a public key for an entity and a unique name for that entity together with some other information that is rendered un-forgeable by the digital signature of the certification authority that issued the certificate, which is encoded in the format defined in the ISO/ITU-T X.509 standard.
- A digital certificate containing a public key for an entity and a name for the entity, together with some other information that is rendered unforgeable by the digital signature of the certification authority that issued the certificate, encoded in the format defined in the ISO/ITU-T X.509 standard.
- XACML : see document
- A general purpose language for specifying access control policies.
- XAE : see document
- XAP : see document
- XAUTH : see document
- XCCDF : see document
- XCCDF Content : see document
- A file conforming to the XCCDF schema.
- XDR : see document
- XEX : see document
- XFC : see document
- XIP : see document
- XKMS : see document
- XLSX : see document
- XML : see document
- A flexible text format designed to describe data for electronic publishing.
- XML Administration Protocol : see document
- XML Encryption : see document
- A process/mechanism for encrypting and decrypting XML documents or parts of documents. World Wide Web Consortium (W3C) XML Encryption Syntax and Processing, http://www.w3.org/TR/xmlenc-core
- XML Information Security Marking (XML-ISM) : see document
- Provides definitions of and implementation of the XML attributes used as containers for Controlled Access Program Coordination Office (CAPCO)-defined sensitivity and classification markings to be applied to all or part of an XML document. The markings are implemented using ICML.
- XML Key Management Service : see document
- XML Schema : see document
- A language for defining the structure, content, and semantics of XML documents.
- XML Signature : see document
- A mechanism for ensuring the origin and integrity of XML documents. XML Signatures provide integrity, message authentication, or signer authentication services for data of any type, whether located within the XML that includes the signature or elsewhere.
- XML Style Sheet : see document
- XML-ISM : see document
- XMPP Standards Foundation : see document
- XMSS : see document
- XMSSMT : see document
- XOF : see document
- A function on bit strings in which the output can be extended to any desired length. Approved XOFs (e.g., those specified in FIPS 202) are designed to satisfy the following properties as long as the specified output length is sufficiently long to prevent trivial attacks:
1. (One-way) It is computationally infeasible to find any input that maps to any new pre-specified output.
2. (Collision-resistant) It is computationally infeasible to find any two distinct inputs that map to the same output.
- A function on bit strings in which the output can be extended to any desired length.
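The two XOF entries above describe the extendable-output property and the caveat about output length. The following Python example, added here and not part of the glossary, uses the SHAKE128/SHAKE256 XOFs from FIPS 202 via the standard library: it shows that requesting a longer output only appends bytes (the shorter output is a prefix of the longer one), and that a deliberately tiny output length makes collisions trivial to find by brute force, which is the "trivial attacks" the definition warns about. The function names and the 2-byte collision search are this example's own choices.

```python
import hashlib


def xof(msg: bytes, out_len: int, bits: int = 128) -> bytes:
    """SHAKE128 (bits=128) or SHAKE256 (bits=256) from FIPS 202, squeezed to out_len bytes."""
    ctor = hashlib.shake_128 if bits == 128 else hashlib.shake_256
    return ctor(msg).digest(out_len)


def is_prefix_extension(msg: bytes, short: int, long: int) -> bool:
    """A XOF's shorter output is a prefix of its longer output for the same input.
    Consequence: callers that need distinct values for different lengths must bind
    the length (or a domain-separation label) into the input, not rely on the length alone."""
    return xof(msg, long)[:short] == xof(msg, short)


def find_collision(out_len: int, limit: int = 1_000_000):
    """Brute-force two distinct inputs whose XOF outputs of out_len bytes are equal.
    With out_len = 2 the birthday bound means roughly 2^8 tries; with an output of
    32 bytes the same search is computationally infeasible.  Inputs are constructed
    4-byte counters.  Returns (input_a, input_b, shared_digest) or None."""
    seen: dict[bytes, bytes] = {}
    for i in range(limit):
        m = i.to_bytes(4, "big")
        d = xof(m, out_len)
        if d in seen:
            return seen[d], m, d
        seen[d] = m
    return None


if __name__ == "__main__":
    print("SHAKE128('', 32) =", xof(b"", 32).hex())
    print("prefix property holds:", is_prefix_extension(b"abc", 16, 64))
    a, b, d = find_collision(2)
    print("2-byte collision:", a.hex(), b.hex(), "->", d.hex())
```

SHAKE128 and SHAKE256 with the same input and length give unrelated outputs, so the variant must also be fixed by the protocol using the XOF.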
- XOFs : see document
- XOR Encrypt XOR : see document
- XPath : see document
- A language for addressing parts of an XML document using path expressions.
- XPN : see document
- XQuery : see document
- Provides functionality to query an XML document.
- XRES : see document
- XrML : see document
- XRP : see document
- XSF : see document
- XSL : see document
- XSLT : see document
- XSS : see document
- Cross-Site Scripting is a security flaw found in some Web applications that enables unauthorized parties to cause client-side scripts to be executed by other users of the Web application.
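The XSS definition above names the flaw (untrusted input becomes executable client-side script for other users) but not the mechanism. The following Python example, added here and not from the glossary, assumes a minimal server-side template that renders a user-supplied name into HTML text and into a quoted attribute. The vulnerable renderer interpolates the input as-is; the hardened renderer applies the standard library's html.escape for both contexts. The payloads are constructed for the example, and contains_active_markup is a crude illustrative check, not a real XSS detector.

```python
from html import escape

# Constructed attacker inputs: one for the text context, one that tries to break
# out of a double-quoted attribute and add an event handler.
PAYLOAD_TEXT = "<script>alert(document.cookie)</script>"
PAYLOAD_ATTR = '" onmouseover="alert(1)'


def render_greeting_vulnerable(name: str) -> str:
    """The flaw the entry describes: untrusted input pasted straight into HTML."""
    return f'<p data-user="{name}">Hello, {name}!</p>'


def render_greeting_safe(name: str) -> str:
    """Output encoding for HTML text and for a double-quoted attribute value.
    quote=True also encodes " and ' so the attribute cannot be terminated early."""
    safe = escape(name, quote=True)
    return f'<p data-user="{safe}">Hello, {safe}!</p>'


def contains_active_markup(html: str) -> bool:
    """Illustrative check only: does a raw <script> tag or an injected event-handler
    attribute survive in the rendered output?"""
    low = html.lower()
    return "<script" in low or ' onmouseover="' in low


if __name__ == "__main__":
    for payload in (PAYLOAD_TEXT, PAYLOAD_ATTR):
        print("vulnerable:", render_greeting_vulnerable(payload))
        print("safe      :", render_greeting_safe(payload))
```

Escaping is context-specific: html.escape is correct for HTML text and quoted attributes, but data placed inside a script block, a URL, or a CSS value needs the encoding rules of that context, and unquoted attributes remain exploitable even with this escaping.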
- XTS : see document
- xy : see document
- YAML : see document
- YAML Ain't Markup Language : see document
- YANG : see document
- Yet Another Markup Language : see document
- Yet Another Next Generation : see document
- zero day attack : see document
- An attack that exploits a previously unknown hardware, firmware, or software vulnerability.
- zero fill : see document
- To fill unused storage locations in an information system with a numeric value of zero.
- Zero Trust : see document
- A collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.
- Zero Trust Architecture : see document
- A security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. The zero trust security model eliminates implicit trust in any one element, component, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses.
- An enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan.
- zero trust network access : see document
- zeroization : see document
- An action applied to a key or a piece of secret data. After a key or a piece of secret data is destroyed, no information about its value can be recovered.
- A method of erasing electronically stored data, cryptographic keys, and critical security parameters (CSPs) by altering or deleting the contents of the data storage to prevent recovery of the data.
- In this Recommendation, to destroy is an action applied to a key or a piece of secret data. After a key or a piece of secret data is destroyed, no information about its value can be recovered.
- A method of erasing electronically stored data, cryptographic keys, and critical security parameters by altering or deleting the contents of the data storage to prevent recovery of the data.
- In this Recommendation, an action applied to a key or a piece of secret data. After a key or a piece of secret data is destroyed, no information about its value can be recovered. Also known as zeroization in FIPS 140.
- A method of sanitization that renders Target Data recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the media for storage of data.
- An action applied to a key or a piece of (secret) data. In this Recommendation, after a key or a piece of data is destroyed, no information about its value can be recovered.
- zeroize : see document
- To remove or eliminate the key from a cryptographic equipment or fill device.
- Overwrite a memory location with data consisting entirely of bits with the value zero so that the data is destroyed and not recoverable. This is often contrasted with deletion methods that merely destroy reference to data within a file system rather than the data itself.
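The "zero fill" and "zeroize" entries above both rest on the contrast between overwriting data with zero bits and merely dropping a reference to it. The following Python example, added here and not part of the glossary, makes that concrete for an in-memory buffer (zeroized in place through a memoryview, so every other reference to the same memory sees zeros) and for a file (every byte overwritten with zeros and synced to disk before the directory entry is removed). The function names and the sample secret are this example's own.

```python
import os
import tempfile


def zeroize_buffer(buf: bytearray) -> None:
    """Overwrite a mutable buffer in place with 0x00 bytes.
    Assigning through a memoryview of equal length writes into the existing
    memory rather than allocating a new object, so other views see the zeros."""
    with memoryview(buf) as mv:
        mv[:] = bytes(len(mv))


def zero_fill_file(path: str) -> int:
    """Overwrite every byte of the file at `path` with zeros and force it to disk.
    Contrast with os.unlink alone, which only removes the name from the directory
    and leaves the data blocks in place until they happen to be reused."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        f.write(bytes(size))
        f.flush()
        os.fsync(f.fileno())
    return size


def demo(secret: bytes = b"hunter2-session-key") -> dict:
    """Zeroize a buffer and zero-fill a file holding the (constructed) secret."""
    buf = bytearray(secret)
    alias = memoryview(buf)            # a second reference to the same bytes
    zeroize_buffer(buf)
    buffer_zeroed = bytes(alias) == bytes(len(secret))
    alias.release()

    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, secret)
        os.close(fd)
        written = zero_fill_file(path)
        with open(path, "rb") as f:
            after = f.read()
    finally:
        os.unlink(path)
    return {
        "buffer_zeroed": buffer_zeroed,
        "file_len": written,
        "file_zeroed": after == bytes(len(secret)),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind: Python's immutable bytes and str objects cannot be zeroized this way (copies may persist until the allocator reuses them, and may reach swap), so key material should live in a bytearray from the start; and on flash media or journaling, copy-on-write, or wear-levelled storage, a logical zero fill does not guarantee that the physical blocks holding the old data were overwritten, which is why the sanitization definition above distinguishes this kind of clearing from destruction.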
- Zero-Knowledge Proof : see document
- A cryptographic scheme where a prover is able to convince a verifier that a statement is true, without providing any more information than that single bit (that is, that the statement is true rather than false).
- Zero-Knowledge Proof of Knowledge : see document
- ZKP : see document
- A cryptographic scheme where a prover is able to convince a verifier that a statement is true, without providing any more information than that single bit (that is, that the statement is true rather than false).
- ZKPoK : see document
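The Zero-Knowledge Proof and Zero-Knowledge Proof of Knowledge entries above give the abstract guarantee (the verifier learns only the one bit "the statement is true") without showing what makes a protocol zero-knowledge or a proof of knowledge. The following Python example, added here and not from the glossary, implements the Schnorr identification protocol for the statement "I know x such that y = G^x mod P", both interactively and made non-interactive with a Fiat-Shamir hash. It also includes the two tools used to argue the properties: a simulator that produces accepting transcripts without x (zero knowledge) and an extractor that recovers x from two answers to the same commitment (proof of knowledge). The group parameters are a toy safe prime constructed for this example; real deployments use a group with a prime-order subgroup of about 256 bits.

```python
import hashlib
import secrets

# Toy parameters constructed for this example: P = 2*Q + 1 with P and Q prime.
P = 1019
Q = 509
G = pow(2, 2, P)  # a square, hence an element of the order-Q subgroup


def keygen(x=None):
    """Witness x (the prover's secret) and public statement y = G^x mod P."""
    if x is None:
        x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def commit(r=None):
    """Prover's first message t = G^r for a fresh random r (r must never be reused)."""
    if r is None:
        r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def respond(x, r, c):
    """Prover's answer to the verifier's challenge c."""
    return (r + c * x) % Q


def verify_transcript(y, t, c, s):
    """Verifier's check G^s == t * y^c (mod P), after range and subgroup checks."""
    if not (0 < t < P and 0 < y < P and 0 <= s < Q and 0 <= c < Q):
        return False
    if pow(y, Q, P) != 1:                 # y must lie in the order-Q subgroup
        return False
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def fiat_shamir(y, t):
    """Non-interactive challenge: hash of the public values, reduced mod Q."""
    h = hashlib.sha256(f"{P}|{G}|{y}|{t}".encode()).digest()
    return int.from_bytes(h, "big") % Q


def prove_ni(x, y, r=None):
    """Non-interactive proof (t, s); the challenge is recomputed by the verifier."""
    r, t = commit(r)
    return t, respond(x, r, fiat_shamir(y, t))


def verify_ni(y, proof):
    t, s = proof
    return verify_transcript(y, t, fiat_shamir(y, t), s)


def simulate(y, c):
    """Zero knowledge: for any challenge c, an accepting (t, c, s) can be produced
    without x by picking s first and solving for t, so transcripts reveal nothing."""
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, Q - c, P)) % P   # y^(Q-c) == y^(-c) because y^Q == 1
    return t, c, s


def extract(c1, s1, c2, s2):
    """Proof of knowledge: two accepting answers to the same commitment with
    c1 != c2 yield x = (s1 - s2) / (c1 - c2) mod Q.  This is also why reusing r
    across two proofs leaks the witness."""
    return ((s1 - s2) * pow(c1 - c2, -1, Q)) % Q


if __name__ == "__main__":
    x, y = keygen()
    print("non-interactive proof verifies:", verify_ni(y, prove_ni(x, y)))
    t, c, s = simulate(y, 42)
    print("simulated transcript verifies:", verify_transcript(y, t, c, s))
```

The simulator is exactly why a verifier cannot be convinced by a transcript it did not take part in: anyone can fabricate one for a challenge they chose themselves. The non-interactive variant removes that freedom by deriving the challenge from the commitment with a hash.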
- zone of control : see document
- Three dimensional space surrounding equipment that processes classified and/or controlled unclassified information (CUI) within which TEMPEST exploitation is not considered practical or where legal authority to identify and remove a potential TEMPEST exploitation exists.
- Zone Signing Key (ZSK) : see document
- An authentication key that corresponds to a private key used to sign a zone. Typically a zone signing key will be part of the same DNSKEY RRSet as the key signing key whose corresponding private key signs this DNSKEY RRSet, but the zone signing key is used for a slightly different purpose and may differ from the key signing key in other ways, such as validity lifetime. Designating an authentication key as a zone signing key is purely an operational issue: DNSSEC validation does not distinguish between zone signing keys and other DNSSEC authentication keys, and it is possible to use a single key as both a key signing key and a zone signing key. See also “key signing key.”
- ZSK : see document
- ZT : see document
- A collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.
- ZTA : see document
- A security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. The zero trust security model eliminates implicit trust in any one element, component, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses.
- An enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan.
- ZTNA : see document