ABSTRACT

Acceptable risk A concern that is acceptable to responsible management, due to the cost and magnitude of implementing countermeasures. [NIST SP 800-18]

Accountability The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. [NIST SP 800-30]

Accreditation The official management decision given by a senior organization official to authorize operation of an information system and to explicitly accept the risk to organization operations (including mission, functions, image, or reputation), assets, or individuals, based on the implementation of an agreed-upon set of security controls. [NIST SP 800-37]

Accreditation boundary All components of an information system to be accredited by designated approving authority and excluding separately accredited systems, to which the information system is connected. [NIST SP 800-37]

Accreditation letter The accreditation letter documents the decision of the authorizing official and the rationale for the accreditation decision and is documented in the final accreditation package, which consists of the accreditation letter and supporting documentation. [NIST SP 800-37]

Accreditation package The evidence provided to the designated approving authority to be used in the security accreditation decision process. Evidence includes, but is not limited to (1) the system security plan; (2) the assessment results from the security certification; and (3) the plan of action and milestones. [NIST SP 800-37]

Accrediting authority See authorizing official.

Application The use of information resources (information and information technology) to satisfy a specific set of user requirements. [OMB Circular A-130, Appendix III]

Assurance Grounds for confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. “Adequately met” includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors (by users or software), and (3) sufficient resistance to intentional penetration or bypass. [NIST SP 800-30]

Authorization See accreditation.

Authorize processing See accreditation.

Authorizing official Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals. [NIST SP 800-37]

Availability The security goal that generates the requirement for protection against intentional or accidental attempts to perform unauthorized deletion of data, or otherwise deny service or data; and protection against unauthorized use of system resources. [NIST SP 800-30]

Awareness Awareness programs set the stage for training by changing organizational attitudes toward realization of the importance of security and the adverse consequences of its failure. [NIST SP 800-18]

Business impact analysis An analysis of an information technology (IT) system’s requirements, processes, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption. [NIST SP 800-34]

Certification A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. [NIST SP 800-37]

Certification agent The individual, group, or organization responsible for conducting a system security certification. [NIST SP 800-37]

Certification level A combination of techniques and procedures used during a certification and accreditation process to verify the correctness and effectiveness of security controls in an information technology system. Security certification levels represent increasing levels of intensity and rigor in the verification process and include such techniques as reviewing and examining documentation; interviewing personnel; conducting demonstrations and exercises; conducting functional, regression, and penetration testing; and analyzing system design documentation. [NIST SP 800-37]

Certification package Product of the certification effort documenting the detailed results of the certification activities. The certification package includes the security plan, developmental or operational certification test reports, risk assessment report, and certifier’s statement. [NIST SP 800-37]

Certification statement The certifier’s statement provides an overview of the security status of the system and brings together all of the information necessary for the DAA to make an informed, risk-based decision. The statement documents that the security controls are correctly implemented and effective in their application. It also documents the security controls not implemented and provides corrective actions. [NIST SP 800-37]

Certifier See certification agent.

CEO Chief executive officer.

CFO Chief financial officer.

CIO Chief information officer.

CISM Certified information security manager.

CISO Chief information security officer.

CISSP Certified information systems security professional.

Clinger-Cohen Act of 1996 Also known as the Information Technology Management Reform Act. A statute that substantially revised the way that information technology resources are managed and procured, including a requirement that each agency design and implement a process for maximizing the value and assessing and managing the risks of information technology investments. [NIST SP 800-64]

Common security control A security control that can be applied to one or more organization information systems and has the following properties: (1) the development, implementation, and assessment of the control can be assigned to a responsible official or organizational element (other than the information system owner); and (2) the results from the assessment of the control can be used to support the security certification and accreditation processes of an organization information system where that control has been applied. [NIST SP 800-37]

Confidentiality The security goal that generates the requirement for protection from intentional or accidental attempts to perform unauthorized data reads. Confidentiality covers data in storage, during processing, and in transit. [NIST SP 800-30]

Contingency plan/planning Management policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disaster. [NIST SP 800-34]

Countermeasure See safeguard.

Criticality See mission criticality.

Data owner See information owner.

Denial of service The prevention of authorized access to resources or the delaying of time-critical operations. [NIST SP 800-30]

Designated approving authority See authorizing official.

DITSCAP Department of Defense Information Technology Security Certification and Accreditation Process.

DOD Department of Defense.

Due care Managers and their organizations have a duty to provide for information security to ensure that the type of control, the cost of control, and the deployment of control are appropriate for the system being managed. [NIST SP 800-30]

FIPS Federal information processing standard.

FISMA Federal Information Security Management Act.

General support system An interconnected set of information resources under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, and people. [OMB Circular A-130, Appendix III]

GLBA Gramm-Leach-Bliley Act.

HIPAA Health Insurance Portability and Accountability Act.

Information owner An official having statutory or operational authority for specified information and having responsibility for establishing controls for its generation, collection, processing, dissemination, and disposal. [CNSS Inst. 4009]

Information system A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. [44 U.S.C., Sec. 3502; OMB Circular A-130, Appendix III]

Information system owner (or program manager) See system owner.

Information system security A system characteristic and a set of mechanisms that span the system both logically and physically. [NIST SP 800-30]

Information system security officer Individual responsible to the OA ISSO, designated approving authority, or information system owner for ensuring that the appropriate operational security posture is maintained for an information system or a closely related group of systems. [CNSS Inst. 4009, Adapted]

Integrity The security goal that generates the requirement for protection against either intentional or accidental attempts to violate data integrity (the property that data has when it has not been altered in an unauthorized manner) or system integrity (the quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation). [NIST SP 800-30]

Interconnection security agreement An agreement established between the organizations that own and operate connected information technology systems to document the technical requirements of the interconnection. The ISA also supports a memorandum of understanding or agreement (MOU/A) between the organizations. [NIST SP 800-47]

Interim accreditation Temporary authorization granted by a designated approving authority for an information technology system to process, store, and transmit information based on preliminary results of security certification of the system. [NIST SP 800-37]

ISACA Information Systems Audit and Control Association.

ISSO Information system security officer.

Major application An application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. [OMB Circular A-130, Appendix III]

Management controls The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security. [NIST SP 800-18]

Memorandum of understanding/agreement A document established between two or more parties to define their respective responsibilities in accomplishing a particular goal or mission. In this guide, an MOU/A defines the responsibilities of two or more organizations in establishing, operating, and securing a system interconnection. [NIST SP 800-47]

Minimum security baseline A set of minimum acceptable security controls, which are applicable to a range of information technology systems.