GLOSSARY

Accreditation: Formal declaration by an authorizing official or designated approving authority (DAA) that an information system (IS) is approved to operate at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards. (CNSSI 4009)

Acquisition category: A designation for a program of development or acquisition based on cost, determining both the level of review required by law and the level at which the milestone (e.g. progress to the next development or acquisition level) decision authority rests in DOD.

Authorizing official: A senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the nation.

Assurance: Grounds for confidence that an information technology system or product meets security objectives. (DOD Directive 8500.01E)

Authentication: Security measures designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual’s authorization to receive specific categories of information. (DOD Directive 8500.01E)

Authorization: See accreditation.

Availability: Timely, reliable access to data and information services for authorized users. (DOD Directive 8500.01E)

Capital assets: Land, structures, equipment, intellectual property (e.g. software), and information technology including IT service contracts used by the federal government and having an estimated useful life of two years or more.

Certification: Comprehensive evaluation of the technical and non-technical security features of an information system (IS), and other safeguards made in support of the accreditation process, establishing the extent to which a particular design and implementation meets a set of specified security requirements. (CNSSI 4009)

Community of interest (COI): An inclusive term used to describe groups of individuals who share information relative to common goals, interests, missions, or business processes. (DODI 8510.01)

Compusec (computer security): A term used largely by the US military to denote the measures required for ensuring secure entry, management, and storage of information in computer systems.

Computer network defense (CND): Actions taken to protect, monitor, analyze, detect, and respond to unauthorized activity within DOD information systems and computer networks. The unauthorized activity may include disruption, denial, degradation, destruction, exploitation, or access to computer networks, information systems or their contents, or theft of information. (DOD Directive 8530.1)

Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. Assurance information is not disclosed to unauthorized entities or processes. (DOD Directive 8500.01E)

Configuration: Functional and physical characteristics of hardware or software as set forth in technical documentation or achieved in a product.

Configuration control: The systematic proposal, justification, evaluation, coordination, approval, or disapproval of proposed changes and the implementation of all approved changes in the configuration after the baseline has been established.

Configuration management: Management of security features and assurances through control of changes made to hardware, software, firmware, documentation, test fixtures, and test documentation throughout the life cycle of an IS. (CNSSI 4009)

Control: See information systems security control.

Defense in depth: The DOD approach for establishing an adequate security posture in a shared-risk environment that allows for shared mitigation through: the integration of people, technology, and operations; the layering of security solutions; and the selection of security functions based on their relative level of robustness.

General support system (GSS): An interconnected set of information resources under the same direct management control which shares common functionality. (OMB A-130)

Global information grid (GIG): Globally interconnected, end-to-end set of DOD information capabilities, associated processes, and personnel for collecting, processing, storing, disseminating and managing information on demand to warfighters, policy makers, and support personnel. It is the organizing and transforming construct for managing information technology throughout the Department of Defense. (DOD Directive 8100.1)

Information: Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual forms. (Defined in OMB Circular A-130, 6(a))

Information assurance (IA): Measures protecting and defending information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for the restoration of information systems by incorporating protection, detection, and reaction capabilities. Used almost exclusively in the US DOD. (DOD Instruction 8500.01E)

Information assurance (IA) control: See information systems security control.

Information system: Any telecommunication or computer-related equipment, or interconnected system or subsystems of equipment, used in the acquisition, storage, manipulation, management, movement, control, display, or transmission of voice and/or data; includes firmware, hardware, and software.

Information systems security: Measures and controls designed to ensure confidentiality, integrity, and availability of information processed and stored by automated information systems (AIS).119 AIS security considers all hardware and software functions, characteristics and features; operational procedures; accountability procedures; and access controls at the central computer facility, remote computer, and terminal facilities; management constraints; physical structures and devices, such as computers, transmission lines, and power sources; and personnel and communications controls needed to provide an acceptable level of risk for the automated information system and for the data and information contained in the system. AIS security also includes the totality of security safeguards needed to provide an acceptable protection level for an automated information system and for the data handled by an automated information system.

Information systems security control: An objective security condition achieved through the application of specific security safeguards or through the regulation of specific activities. The objective security condition is verifiable, compliance is measurable, and the activities required to achieve the security control are assignable and, consequently, accountable.

Infosec: Defined by the National Security Telecommunications and Information Systems Security Instruction (NSTISSI) 4009 as the protection of information systems against unauthorized access to or modification of information, denial of service to unauthorized users, and provision of service to authorized users. Often used interchangeably with information systems security.

Integrity: Quality of an information system reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and the stored data; protection against unauthorized modification or destruction of information. (DOD Directive 8500.01E)

119 The unauthorized disclosure, modification, or destruction may be accidental or intentional.

Joint accreditation: Occurs when different operational or mission-related components of an information system are under the jurisdiction of different AOs, requiring them to collectively accredit the information system.

Major application (MA): An application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. (OMB A-130)

Major investment: A system or acquisition requiring special management attention because of its importance to the mission or function of the agency, a component of the agency or another organization; is for financial management and obligates more than $500,000 annually; has significant program or policy implications; has high executive visibility; has high development, operating, or maintenance costs; is funded through other than direct appropriations; or is defined as major by the agency’s capital planning and investment control process. (OMB Circular A-11)

Major system: IT investments that are reported on Capital Asset Plan and Business Case, Exhibit 300. They include projects that fit any of the following criteria:

Life cycle cost of $35 million or more.

Annual cost $5 million or more.

Systems that link to the first two layers of the Federal Enterprise Architecture.

Financial management systems that cost more than $500,000.

Projects that were reported on Exhibit 300s in the prior year’s budget process.

Projects that are department-wide.

Projects that directly support the President’s Management Agenda items or are of particular interest to OMB, i.e. meet the criteria of high executive visibility.

Projects that are e-government in nature or use e-business technologies must be identified as major projects regardless of the costs.

Major projects should account for at least 60 percent of the IT investment portfolio for FY 2004 reporting. If you are unsure about what systems to consider as major, consult your CIO.

Mission assurance category (MAC): The mission assurance category reflects the importance of information in order to achieve DOD goals and objectives, particularly in support of the warfighters’ combat mission. Mission assurance categories are based on the determined requirements for information and information system availability and integrity.

Mission critical information system: A system meeting the definition of information system and national security system, the loss of which would stop warfighter operations or the direct mission support to warfighter operations. The designation must be made by a DOD component head.

Mission essential information system: A system meeting the definition of information system and which is basic and necessary for the accomplishment of the organization’s mission. The designation must be made by a DOD component head.

Mission support system: A system handling information important to the support of deployed or contingency forces. It must be accurate, but can sustain minimal delay without seriously affecting operational readiness or mission effectiveness.

National security system (NSS): Any computer system (including any telecommunications system) used or operated by an agency, the function of which involves intelligence activities, cryptologic activities, command and control of military forces, equipment which is an integral part of a weapon or weapons system, or is critical to the direct fulfillment of military or intelligence missions. (Section 5142b, Clinger Cohen Act of 1996)

Non-repudiation: Assurance the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the data. (DOD Directive 8500.01E)

Personally-identifiable information (PII): Information in an information system, online, or otherwise maintained (e.g. documents) that directly or indirectly identifies an individual. NOTE: an individual can be a US citizen, permanent legal resident, visitor to the US, and even an organization.

Plan of action and milestones (POA&M): As defined in OMB Memorandum 02-01, a plan of action and milestones (POA&M), also referred to as a corrective action plan, is a tool that identifies tasks that need to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the task, and scheduled completion dates for the milestones. The purpose of the POA&M is to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems. (OMB Circular A-11)

Portfolio management: The management of selected groupings of IT investments using strategic planning, architectures, and outcome-based performance measures to achieve a mission capability.

Privacy impact assessment (PIA): An analysis of how personally-identifiable information is collected, stored, protected, shared, and managed.

Program: Organized activity that contains any number of basic elements such as conducting risk assessments; conducting IT security training; establishing an incident response capability; writing, establishing, and enforcing policies and procedures; and processes for planning, implementing, evaluating, and implementing remedial action for addressing weaknesses. (Defined in Title III of the E-Government Act)

Program of record (POR): An acquisition program that has been approved through the official DOD budget process and is listed in the Future Years Defense Program (FYDP). These information systems are typically weapons systems, command, control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR) systems and other systems procured through the processes of DODD 5000.1, Defense Acquisition.

Public information: Official DOD information reviewed and approved for public release by the information owner in accordance with DOD Directive 5230.9. (DOD Directive 8500.1)

Risk assessment: The element of the continuous risk management process that analyzes threats, vulnerabilities, and costs in order to assign relative priorities for mitigation plans and their implementation.

Risk management: The ongoing process of identifying risks and implementing plans to address them. The process by which resources are planned, organized, directed, and controlled to ensure the risk of operating a system remains within acceptable bounds at optimal cost.

Sensitive information: Information the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of a federal program, or the privacy to which individuals are entitled under Section 552a of Title 5, US Code, but which has not been specifically authorized under criteria established by executive order or act of Congress to be kept secret in the interest of national defense or foreign policy. Examples of sensitive information include payroll, finance, and logistics. (DOD Directive 8500.1)

System: A collection of computing and/or communications components and other resources that support one or more functional objectives of an organization. IT system resources include any IT component plus associated manual procedures and physical facilities that are used in the acquisition, storage, manipulation, display, and/or movement of data or to direct or monitor operating procedures. An IT system may consist of one or more computers and their related resources of any size. The resources that comprise a system do not have to be physically connected. (Defined in NIST SP 800-16, Appendix C)

System life cycle (SLC): A formal model of a hardware or software project that depicts the scope of and relationship among activities, products, reviews, approvals, and resources. In addition, the period that begins when a need is identified (initiation) and ends when a system ceases to be available for use (disposal). NOTE: activities associated with a system include the system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal (that may instigate another system initiation). (Defined in NIST SP 800-34, Appendix E)

Threat agent: An entity that may act to cause a threat event to occur by exploiting the vulnerability(ies) in an information system.

Vulnerability: A flaw or weakness in a system’s security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy. (Defined in NIST SP 800-47, Appendix D)
