Committee on National Security Systems

CNSSI No. 4009
April 6, 2015

Committee on National Security Systems (CNSS) Glossary

THIS DOCUMENT PRESCRIBES MINIMUM STANDARDS
YOUR DEPARTMENT OR AGENCY MAY REQUIRE FURTHER IMPLEMENTATION

1
CELLSPIN EX. 2015, Page 1

National Manager

FOREWORD

1. The Committee on National Security Systems (CNSS) Glossary Working Group convened to review and update the Committee on National Security Systems (CNSS) Glossary, Committee on National Security Systems Instruction (CNSSI) No. 4009, dated April 2010. This revision of CNSSI No. 4009 incorporates many new terms submitted by the CNSS Membership. Most of the terms from the 2010 version of the Glossary remain, but a number of terms have updated definitions in order to remove inconsistencies among the communities.

2. The Glossary Working Group set several overall objectives for itself in producing this version:

- Use authoritative sources for definitions of terms. It is preferred that definitions originate from current authoritative sources, as this demonstrates both that the term is in active use and that the definition has been vetted by subject matter experts. Listing sources for terms also provides context and a reference for additional information. The glossary still contains terms where sources are not specified. For these terms, definitions will be considered organic. The majority of unsourced terms are from the CNSSI No. 4009 (2010) version, although some are newly introduced. These new terms are primarily emerging terms judged to be valuable to include in the glossary, but for whatever reason have not yet been defined in a published authoritative source.

- Continue to resolve differences between the definitions of terms used by the Department of Defense (DoD), Intelligence Community (IC), and Civil Agencies (e.g., National Institute of Standards and Technology (NIST)), enabling all three to use the same glossary. This will allow for use of consistent terminology in documentation, policy, and process across these communities.

- Ensure consistency among related and dependent terms. These terms are linked through a suggestion to see the related term.

- Ensure any acronyms used in the terms and definitions also appear in the Acronyms appendix, and remove any acronyms judged to be outside of the scope of the glossary or no longer relevant.

- Ensure all documents referenced as sources in the terms and definitions also appear in the References appendix. Because of this, the number of references has grown from 29 in the 2010 version to over 150 in the current version. References not used as the source of terms and definitions were removed.

3. Many cyber terms are emerging. The Glossary Working Group has tried to include significant terms and definitions that have a useful distinction when compared to existing Information Assurance terms. All terms currently defined in CNSS issuances were reviewed for either inclusion or to replace current definitions in the Glossary. Not all terms appearing in CNSS issuances are within the scope of the CNSS Glossary or are relevant to a broad audience.

4. Some terms and definitions recommended by the community for inclusion were not added to this version of the glossary. The main reasons for not adding new terms or definitions were ones of scope or lack of an authoritative source, where an organic definition was not deemed appropriate.

5. Many terms that are outdated or no longer necessary were removed from the glossary. Some of these had been labeled as Candidates for Deletion (C.F.D.) for several versions of the glossary, but continue to remain in this version. A term labeled "C.F.D." may be obsolete; however, without the term, rationale, and possible linkage to a new term, users of the glossary would have no indication that the term is outdated or has been replaced by a new term.

6. We recognize an effective glossary must be in a continuous state of coordination and improvement. We encourage further community review and comments as new terms become significant and old terms fall into disuse or change meaning. The goal of the Glossary Working Group is to keep the CNSS Glossary relevant and a tool for commonality across the IA community.

7. Representatives of the CNSS may obtain copies of this instruction on the CNSS Web Page at http://www.cnss.gov.

FOR THE NATIONAL MANAGER:

/s/

CURTIS W. DUKES

CNSS Secretariat (IE414). National Security Agency. 9800 Savage Road, STE 6716. Ft Meade, MD 20755-6716 Office: (410) 854-6805
Unclassified FAX: (410) 854-6814
CNSS@nsa.gov

Table of Contents

Terms and Definitions ........ 1
Annex A: Acronyms ........ 134
Annex B: References ........ 150

National Information Assurance (IA) Glossary

Terms and Definitions

This instruction applies to all U.S. Government Departments, Agencies, Bureaus and Offices; supporting contractors and agents; that collect, generate, process, store, display, transmit or receive classified or controlled unclassified information or that operate, use, or connect to National Security Systems (NSS), as defined herein.

access
  Ability to make use of any information system (IS) resource.
  Source: NIST SP 800-32

access authority
  An entity responsible for monitoring and granting access privileges for other authorized entities.

access control
  The process of granting or denying specific requests: 1) for obtaining and using information and related information processing services; and 2) to enter specific physical facilities (e.g., Federal buildings, military establishments, and border crossing entrances).
  Source: FIPS PUB 201-1 (adapted)

access control list (ACL)
  A list of permissions associated with an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object.

access control mechanism
  Security safeguards (i.e., hardware and software features, physical controls, operating procedures, management procedures, and various combinations of these) designed to detect and deny unauthorized access and permit authorized access to an information system.

access cross domain solution
  A type of cross domain solution (CDS) that provides access to a computing platform, application, or data residing on different security domains from a single device.
  Source: CNSSI No. 1253F Attachment 3

access level
  A category within a given security classification limiting entry or system connectivity to only authorized persons.

access list
  Roster of individuals authorized admittance to a controlled area.

access profile
  Association of a user with a list of protected objects the user may access.

access type
  Privilege to perform action on an object. Read, write, execute, append, modify, delete, and create are examples of access types.

accountability
  1. The principle that an individual is entrusted to safeguard and control equipment, keying material, and information and is answerable to proper authority for the loss or misuse of that equipment or information.
  Source: NSA/CSS Manual Number 3-16 (COMSEC)
  2. The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.
  Source: NIST SP 800-27 Rev A

accounting legend code (ALC)
  A numeric code used to indicate the minimum accounting controls required for items of accountable COMSEC material within the COMSEC material control system (CMCS).
  Source: NSA/CSS Manual Number 3-16 (COMSEC)

accounting number
  A number assigned to an individual item of COMSEC material to facilitate its handling and accounting.
  Source: NSA/CSS Manual Number 3-16 (COMSEC)

accreditation (C.F.D.)
  Formal declaration by a designated accrediting authority (DAA) or principal accrediting authority (PAA) that an information system is approved to operate at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards.
  See authorization to operate (ATO).
  Rationale: The Risk Management Framework uses a new term to refer to this concept, and it is called authorization.

accreditation boundary (C.F.D.)
  1. Identifies the information resources covered by an accreditation decision, as distinguished from separately accredited information resources that are interconnected or with which information is exchanged via messaging. Synonymous with Security Perimeter.
  2. For the purposes of identifying the Protection Level for confidentiality of a system to be accredited, the system has a conceptual boundary that extends to all intended users of the system, both directly and indirectly connected, who receive output from the system.
  See authorization boundary.
  Rationale: The Risk Management Framework uses a new term to refer to the concept of accreditation, and it is called authorization. Extrapolating, the accreditation boundary would then be referred to as the authorization boundary.

accreditation package (C.F.D.)
  Product comprised of a system security plan (SSP) and a report documenting the basis for the accreditation decision.
  Rationale: The RMF uses a new term to refer to this concept, and it is called RMF security authorization package.

accrediting authority (C.F.D.)
  Synonymous with designated accrediting authority (DAA). See also authorizing official.
  Rationale: The Risk Management Framework uses a new term to refer to this concept, and it is called authorizing official (AO).

acquirer
  Stakeholder that acquires or procures a product or service.
  Source: NIST IR 7622, ISO/IEC 15288 (adapted)

activation data
  A pass-phrase, personal identification number (PIN), biometric data, or other mechanisms of equivalent authentication robustness used to protect access to any use of a private key, except for private keys associated with System or Device certificates.
  Source: CNSSI No. 1300

active attack
  An attack on the authentication protocol where the Attacker transmits data to the Claimant, Credential Service Provider, Verifier, or Relying Party. Examples of active attacks include man-in-the-middle, impersonation, and session hijacking.
  Source: NIST SP 800-63-2

active content
  Electronic documents that can carry out or trigger actions automatically on a computer platform without the intervention of a user.
  Source: NIST SP 800-28

active cyber defense
  Synchronized, real-time capability to discover, detect, analyze, and mitigate threats and vulnerabilities.
  Source: DSOC 2011

activities (assessment)
  An assessment object that includes specific protection related pursuits or actions supporting an information system that involve people (e.g., conducting system backup operations, monitoring network traffic).
  Source: NIST SP 800-53A Rev 1

add-on security (C.F.D.)
  Incorporation of new or additional hardware, software, or firmware safeguards in an operational information system.

adequate security
  Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.
  Source: OMB Circular A-130

administrative incident (COMSEC)
  A violation of procedures or practices dangerous to security that is not serious enough to jeopardize the integrity of a controlled cryptographic item (CCI), but requires corrective action to ensure the violation does not recur or possibly lead to a reportable COMSEC incident.
  Source: CNSSI No. 4001 (adapted)

advanced encryption standard (AES)
  A U.S. Government-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information.
  Source: FIPS PUB 197 (adapted)

advanced key processor (AKP)
  A cryptographic device that performs all cryptographic functions for a management client node and contains the interfaces to 1) exchange information with a client platform, 2) interact with fill devices, and 3) connect a client platform securely to the primary services node (PRSN).

advanced persistent threat (APT)
  An adversary with sophisticated levels of expertise and significant resources, allowing it through the use of multiple different attack vectors (e.g., cyber, physical, and deception) to generate opportunities to achieve its objectives, which are typically to establish and extend footholds within the information technology infrastructure of organizations for purposes of continually exfiltrating information and/or to undermine or impede critical aspects of a mission, program, or organization, or place itself in a position to do so in the future; moreover, the advanced persistent threat pursues its objectives repeatedly over an extended period of time, adapting to a defender’s efforts to resist it, and with determination to maintain the level of interaction needed to execute its objectives.
  Source: NIST SP 800-39

adversary
  Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.
  Source: NIST SP 800-30 Rev 1

advisory (C.F.D.)
  Notification of significant new trends or developments regarding the threat to the information systems of an organization. This notification may include analytical insights into trends, intentions, technologies, or tactics of an adversary targeting information systems.
  Rationale: General definition of a commonly understood term.

agency
  Any executive department, military department, government corporation, government controlled corporation, or other establishment in the executive branch of the government (including the Executive Office of the President), or any independent regulatory agency, but does not include -
  (i) the General Accounting Office;
  (ii) Federal Election Commission;
  (iii) the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or
  (iv) Government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities.
  See also executive agency.
  Source: 44 U.S.C., Sec. 3502

air gap
  An interface between two systems at which (a) they are not connected physically and (b) any logical connection is not automated (i.e., data is transferred through the interface only manually, under human control).
  Source: IETF RFC 4949 Ver 2

alert
  Notification that a specific attack has been directed at an organization’s information systems.

allied nation
  A nation allied with the U.S. in a current defense effort and with which the U.S. has certain treaties. For an authoritative list of allied nations, contact the Office of the Assistant Legal Adviser for Treaty Affairs, Office of the Legal Adviser, U.S. Department of State, or see the list of U.S. Collective Defense Arrangements at www.state.gov.
  Source: CNSSI No. 4005 (COMSEC)

allocation
  The process an organization employs to determine whether security controls are defined as system-specific, hybrid, or common.
  The process an organization employs to assign security controls to specific information system components responsible for providing a particular security capability (e.g., router, server, remote sensor).
  Source: NIST SP 800-37 Rev 1

all-source intelligence
  Intelligence products and/or organizations and activities that incorporate all sources of information, most frequently human resources intelligence, imagery intelligence, measurement and signature intelligence, signals intelligence, and open source data in the production of finished intelligence.
  Source: DoD JP 1-02 (adapted); NIST SP 800-53 Rev 4 (adapted)

alternate COMSEC account manager
  The primary alternate COMSEC Account Manager is an individual designated by proper authority to perform the duties of the COMSEC Account Manager during the temporary authorized absence of the COMSEC Account Manager. Additional alternate COMSEC Account Managers may be appointed, as necessary, to assist the COMSEC Account Manager and maintain continuity of operations.
  Source: CNSSI No. 4005 (COMSEC)

alternate COMSEC custodian (C.F.D.)
  Individual designated by proper authority to perform the duties of the COMSEC custodian during the temporary absence of the COMSEC custodian.
  Source: NSA/CSS Manual Number 3-16 (COMSEC)

analysis approach
  The approach used to define the orientation or starting point of the risk assessment, the level of detail in the assessment, and how risks due to similar threat scenarios are treated.
  Source: NIST SP 800-30 Rev 1

anti-jam
  The result of measures to resist attempts to interfere with communications reception.
  Source: CNSSI No. 1200

anti-signal fingerprint
  Result of measures used to resist attempts to uniquely identify a particular transmitter based on its signal parameters.
  Source: CNSSI No. 1200

anti-signal spoof
  Result of measures used to resist attempts to achieve imitative or manipulative communications deception based on signal parameters.
  Source: CNSSI No. 1200

anti-spoof
  Countermeasures taken to prevent the unauthorized use of legitimate identification & authentication (I&A) data, however it was obtained, to mimic a subject different from the attacker.

anti-tamper (AT)
  Systems engineering activities intended to deter and/or delay exploitation of critical technologies in a U.S. defense system in order to impede countermeasure development, unintended technology transfer, or alteration of a system.
  See tampering.
  Source: DoDI 5200.39

application
  A software program hosted by an information system.
  Source: NIST SP 800-37 Rev 1

application-specific integrated circuits (ASICs)
  Custom-designed and/or custom-manufactured integrated circuits.
  Source: CNSSD No. 505

approval to operate (ATO) (C.F.D.)
  The official management decision issued by a designated accrediting authority (DAA) or principal accrediting authority (PAA) to authorize operation of an information system and to explicitly accept the residual risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals. See authorization to operate (ATO).
  Rationale: Term has been replaced by the term “authorization to operate (ATO)”.

assembly
  An item forming a portion of an equipment, that can be provisioned and replaced as an entity and which normally incorporates replaceable parts and groups of parts.
  Source: DoD 4140.1-R; CNSSI No. 4033

assessment
  See security control assessment or risk assessment.
  Source: NIST SP 800-30 Rev 1

assessment approach
  The approach used to assess risk and its contributing risk factors, including quantitatively, qualitatively, or semi-quantitatively.
  Source: NIST SP 800-30 Rev 1

assessment findings
  Assessment results produced by the application of an assessment procedure to a security control or control enhancement to achieve an assessment objective; the execution of a determination statement within an assessment procedure by an assessor that results in either a satisfied or other than satisfied condition.
  Source: NIST SP 800-53A Rev 1

assessment method
  One of three types of actions (i.e., examine, interview, test) taken by assessors in obtaining evidence during an assessment.
  Source: NIST SP 800-53A Rev 1

assessment object
  The item (i.e., specifications, mechanisms, activities, individuals) upon which an assessment method is applied during an assessment.
  Source: NIST SP 800-53A Rev 1

assessment objective
  A set of determination statements that expresses the desired outcome for the assessment of a security control or control enhancement.
  Source: NIST SP 800-53A Rev 1

assessment procedure
  A set of assessment objectives and an associated set of assessment methods and assessment objects.
  Source: NIST SP 800-53A Rev 1

assessor
  See security control assessor or risk assessor.
  Source: NIST SP 800-30 Rev 1

asset
  A major application, general support system, high impact program, physical plant, mission critical system, personnel, equipment, or a logically related group of systems.

asset reporting format
  A format for expressing the transport format of information about assets and the relationships between assets and reports.
  Source: NIST SP 800-126 Rev 2

assurance
  The grounds for confidence that the set of intended security controls in an information system are effective in their application.
  Source: NIST SP 800-27 Rev A (adapted)

assurance case
  A structured set of arguments and a body of evidence showing that an information system satisfies specific claims with respect to a given quality attribute.
  Source: NIST SP 800-39; NIST SP 800-53 Rev 4

assured information sharing
  The ability to confidently share information with those who need it, when and where they need it, as determined by operational need and an acceptable level of security risk.

assured software
  Computer application that has been designed, developed, analyzed and tested using processes, tools, and techniques that establish a level of confidence in it.

asymmetric cryptography
  See public key cryptography (PKC).

asymmetric key
  Two related keys, a public key and a private key that are used to perform complementary operations, such as encryption and decryption or signature generation.
  Source: FIPS PUB 201-1; NIST IR 7298 Rev 2

attack
  Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.

attack sensing and warning (AS&W)
  Detection, correlation, identification, and characterization of intentional unauthorized activity with notification to decision makers so that an appropriate response can be developed.

attack signature
  A specific sequence of events indicative of an unauthorized access attempt.
  Source: NIST SP 800-12

attack tree
  A branching, hierarchical data structure that represents a set of potential approaches to achieving an event in which system security is penetrated or compromised in a specified way.
  Source: IETF RFC 4949 Ver 2

attended
  Under continuous positive control of personnel authorized for access or use.
  Source: CNSSI No. 4005 (COMSEC); NSA/CSS Manual Number 3-16 (COMSEC)

attribute
  An attribute is any distinctive feature, characteristic, or property of an object that can be identified or isolated quantitatively or qualitatively by either human or automated means.
  Source: ISO/IEC 27000

attribute-based access control (ABAC)
  Access control based on attributes associated with and about subjects, objects, targets, initiators, resources, or the environment. An access control rule set defines the combination of attributes under which an access may take place.
  See also identity, credential, and access management (ICAM).

attribute-based authorization
  A structured process that determines when a user is authorized to access information, systems, or services based on attributes of the user and of the information, system, or service.

audit
  Independent review and examination of records and activities to assess the adequacy of system controls and ensure compliance with established policies and operational procedures.

audit log
  A chronological record of system activities. Includes records of system accesses and operations performed in a given period.

audit record
  An individual entry in an audit log related to an audited event.
  Source: NIST SP 800-53 Rev 4

audit reduction tools
  Preprocessors designed to reduce the volume of audit records to facilitate manual review. Before a security review, these tools can remove many audit records known to have little security significance.
  Source: NIST SP 800-12

audit trail
  1. A chronological record that reconstructs and examines the sequence of activities surrounding or leading to a specific operation, procedure, or event in a security relevant transaction from inception to final result.
  2. A record showing who has accessed an information technology (IT) system and what operations the user has performed during a given period.
  Source: NIST SP 800-47

authenticate
  To confirm the identity of an entity when that identity is presented.
  Source: NIST SP 800-32

authentication
  1. Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
  Source: FIPS PUB 200; NIST SP 800-27 Rev A
  2. A security measure designed to protect a communications system against acceptance of fraudulent transmission or simulation by establishing the validity of a transmission, message, originator, or a means of verifying an individual's eligibility to receive specific categories of information.
  Source: CNSSI No. 4005 (COMSEC); NSA/CSS Manual Number 3-16 (COMSEC)

authentication mechanism
  Hardware or software-based mechanisms that force users to prove their identity before accessing data on a device.
  Source: NIST SP 800-72

authentication period
  The period between any initial authentication process and subsequent re-authentication processes during a single terminal session or during the period data is being accessed.

authentication protocol
  1. A well specified message exchange process between a claimant and a verifier that enables the verifier to confirm the claimant’s identity.
  2. A defined sequence of messages between a Claimant and a Verifier that demonstrates that the Claimant has possession and control of a valid token to establish his/her identity, and optionally, demonstrates to the Claimant that he or she is communicating with the intended Verifier.
  Source: NIST SP 800-63-2

authenticator
  The means used to confirm the identity of a user, process, or device (e.g., user password or token).
  Source: NIST SP 800-53 Rev 4

authenticity
  The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. See authentication.
  Source: NIST SP 800-53 Rev 4; NIST SP 800-53A Rev 1; NIST SP 800-39

authority (C.F.D.)
  Person(s) or established bodies with rights and responsibilities to exert control in an administrative sphere.
  Rationale: General definition of a commonly understood term.

authorization
  Access privileges granted to a user, program, or process or the act of granting those privileges.

authorization boundary
  All components of an information system to be authorized for operation by an authorizing official and excludes separately authorized systems, to which the information system is connected.
  Source: NIST SP 800-53 Rev 4; NIST SP 800-53A Rev 1; NIST SP 800-37 Rev 1

authorization package
  See security authorization package.

authorization to operate (ATO)
  The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.
  Source: NIST SP 800-53 Rev 4; NIST SP 800-53A Rev 1; NIST SP 800-37 Rev 1

authorize processing
  See authorization.
  Source: NIST SP 800-53 Rev 4; NIST SP 800-37 Rev 1

authorized ID
  The key management entity (KME) authorized to order against a traditional short title.
  Source: CNSSI No. 4005 (COMSEC)

authorized user
  Any appropriately cleared individual with a requirement to access an information system (IS) for performing or assisting in a lawful government purpose.
  Source: DoDD 8570.01 (adapted)

authorized vendor
  Manufacturer of information security (INFOSEC) equipment authorized to produce quantities in excess of contractual requirements for direct sale to eligible buyers. Eligible buyers are typically U.S. Government organizations or U.S. Government contractors.
  Source: NSA/CSS Manual Number 3-16 (COMSEC)

authorizing official
  A senior (federal) official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
  Source: NIST SP 800-37 Rev 1; NIST SP 800-53 Rev 4

authorizing official designated representative
  An organizational official acting on behalf of an authorizing official in carrying out and coordinating the required activities associated with security authorization.
  Source: NIST SP 800-37 Rev 1; DoDI 8510

automated security monitoring
  Use of automated procedures to ensure security controls are not circumvented or the use of these tools to track actions taken by subjects suspected of misusing the information system.
  See information security continuous monitoring.

automatic remote rekeying
  Procedure to rekey distant cryptographic equipment electronically without specific actions by the receiving terminal operator. See manual remote rekeying.

availability
  1. Ensuring timely and reliable access to and use of information.
  Source: 44 U.S.C. Sec 3542
  2. Timely, reliable access to data and information services for authorized users.
  Source: NSA/CSS Manual Number 3-16 (COMSEC)

backdoor
  An undocumented way of gaining access to a computer system. A backdoor is a potential security risk.
  Source: NIST SP 800-82 Rev 1

backup
  A copy of files and programs made to facilitate recovery, if necessary.
  Source: NIST SP 800-34 Rev 1

banner
  Display on an information system that sets parameters for system or data use.

baseline
  Hardware, software, and relevant documentation for an information system at a given point in time.

baseline configuration
  A documented set of specifications for an information system, or a configuration item within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures.
  Source: NIST SP 800-53 Rev 4

basic testing
  A test methodology that assumes no knowledge of the internal structure and implementation detail of the assessment object. Also known as black box testing.
  Source: NIST SP 800-53A Rev 1

bastion host
  A special purpose computer on a network where the computer is specifically designed and configured to withstand attacks.

behavior analysis
  The act of examining malware interactions within its operating environment including file systems, the registry (if on Win

benign environment
