Case 2:22-cv-00263-JRG-RSP Document 22-4 Filed 11/21/22 Page 1 of 253 PageID #: 361
Exhibit C
Committee on National Security Systems
CNSSI 4009
March 2, 2022

Committee on National Security Systems (CNSS) Glossary

THIS DOCUMENT PRESCRIBES MINIMUM STANDARDS.
YOUR DEPARTMENT OR AGENCY MAY REQUIRE FURTHER IMPLEMENTATION.
FOREWORD

1. The Committee on National Security Systems (CNSS) Glossary Working Group convened to review and update the Committee on National Security Systems (CNSS) Glossary, Committee on National Security Systems Instruction (CNSSI) No. 4009, dated April 2015. This revision of CNSSI No. 4009 incorporates many new terms submitted by the CNSS Membership. Most of the terms from the 2015 version of the Glossary remain, but a number of terms have updated definitions in order to remove inconsistencies among the communities.

2. The Glossary Working Group set several overall objectives for itself in producing this version:
   - Use authoritative sources for definitions of terms. It is preferred that definitions originate from current authoritative sources, as this demonstrates both that the term is in active use and that the definition has been vetted by subject matter experts. Listing sources for definitions also provides context and a reference for additional information.
   - Continue to resolve differences between the definitions of terms used by the Department of Defense (DoD), Intelligence Community (IC), and Civil Agencies (e.g., National Institute of Standards and Technology (NIST)), enabling all three to use the same glossary. This will allow for use of consistent terminology in documentation, policy, and process across these communities.
   - Ensure consistency among related and dependent terms. These terms are linked through a suggestion to see the related term, shown in italics (e.g., See assurance).
   - Ensure any acronyms used in the terms and definitions also appear in the Acronyms appendix, and remove any acronyms judged to be outside of the scope of the glossary or no longer relevant.
   - Ensure all documents referenced as sources in the terms and definitions also appear in the References appendix. Because of this, the number of references has grown from 29 in the 2010 version to over 200 in the current version. References not used as the source of terms and definitions were removed.

3. The glossary still contains definitions where sources are not specified. For these terms, definitions will be considered organic. These new terms are often emerging terms judged to be valuable to include in the glossary, but have not yet been defined in a published authoritative source, or terms where an adequate original definition source could not be identified.

4. Some definitions originate from an obsolete, withdrawn, or superseded source. In most cases, terms with no alternative definitions were found to be obsolete and deleted. In cases where the term was deemed relevant, but no current authoritative source could be found, the obsolete source is shown as italicized and with an asterisk (e.g., *NCSC-TG-004) in the table and labeled as withdrawn or superseded in the reference section. This allows for easier tracking of the etymology of a term and for understanding context.

5. Some sources list a given document and then note "(adapted)"; for example, the term "acquisition" states as its source "NSA/CSS Policy 3-4 (adapted)." "Adapted" indicates a definition derived from a source, but not verbatim from that source. An adapted definition given in CNSSI 4009 may be truncated from the original source's definition because of extraneous information, or it may be re-worded for clarity or accuracy, or it may be constructed using content from the original source (e.g., defining Controlled Cryptographic Item by using material from CNSSI No. 4001 and citing "CNSSI No. 4001 (adapted)" as the source).

6. Many cyber terms are emerging. The Glossary Working Group has tried to include significant terms and definitions that have a useful distinction when compared to existing cybersecurity (CS) terms. All terms currently defined in CNSS issuances were reviewed for either inclusion or to replace current definitions in the Glossary. Not all terms appearing in CNSS issuances are within the scope of the CNSS Glossary or are relevant to the intended audience.

7. Some terms and definitions recommended by the community for inclusion were not added to this version of the glossary. The main reasons for not adding new terms or definitions were ones of scope or lack of an authoritative source, where an organic definition was not deemed appropriate.

8. Many terms that are outdated or no longer necessary were removed from the glossary. Some of these had been labeled as Candidates for Deletion (C.F.D.) for several versions of the glossary, but continue to remain in this version either because they are still used in certain communities, or to provide users with traceability to the newer terms.

9. The format of the glossary has been updated from previous versions. This format allows an easier distinction between definitions with notes, notes added for this glossary, and multiple definitions from different sources (listed in alphabetical order). Context was also added to many terms and is shown in brackets (e.g., assessment [general context]). In addition, throughout the glossary, references to similar or updated terms are made. When that term exists in this document, it is italicized (e.g., See assurance); when the term is not in this document, it is put into quotes (e.g., Also known as "assurance").

10. We recognize an effective glossary must be in a continuous state of coordination and improvement. We encourage further community review and comments as new terms become significant and old terms fall into disuse or change meaning. The goal of the Glossary Working Group is to keep the CNSS Glossary relevant and a tool for commonality across the CS community.

11. Representatives of the CNSS may obtain copies of this instruction on the CNSS Web Page at https://www.cnss.gov.
FOR THE NATIONAL MANAGER:

/s/

ROBERT E. JOYCE
Deputy National Manager for National Security Systems

CNSS Secretariat (C07), National Security Agency, 9800 Savage Road, STE 6165, Ft Meade, MD 20755-6716
Office Phone Number: (410) 854-6805; Unclassified FAX Number: (410) 854-6814
CNSS@nsa.gov
Table of Contents

Terms and Definitions, page 1
Annex A: Acronyms, page 156
Annex B: References, page 170
Committee on National Security Systems (CNSS) Glossary

Terms and Definitions

This instruction applies to all: U.S. Government Departments, Agencies, Bureaus and Offices, supporting contractors and agents that collect, generate, process, store, display, transmit or receive classified or controlled unclassified information, or that operate, use, or connect to National Security Systems (NSS), as defined herein.
Term / Definition / Source

access
    1. Ability to make use of any information system (IS) resource.
       Source: NIST SP 800-32
    2. To make contact with one or more discrete functions of an online, digital service.
       Source: NIST SP 800-63-3

access and amendment [privacy context]
    A privacy principle (FIPP) that refers to an organization's requirements to provide individuals with appropriate access to personally identifiable information (PII) and appropriate opportunity to correct or amend PII.
    Source: OMB Circular A-130 (adapted)

access authority
    An entity responsible for monitoring and granting access privileges for other authorized entities.
    Source: not specified

access control
    1. The process of granting or denying specific requests: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., Federal buildings, military establishments, border crossing entrances).
       Source: FIPS 201-2
    2. The decision to permit or deny a subject access to system objects (network, data, application, service, etc.).
       See also authorization.
       Source: NIST SP 800-162 (adapted)

access control list (ACL)
    A mechanism that implements access control for a system resource by enumerating the system entities that are permitted to access the resource and stating, either implicitly or explicitly, the access modes granted to each entity.
    Source: IETF RFC 4949 Ver 2

access control mechanism
    1. As an implementation of formal access control policy based on a formal access control model, this is the logical component that serves to receive the access request from the subject, to decide, and to enforce the access decision. Access control mechanisms can be designed to adhere to the properties of the model by machine implementation using protocols, architecture, or formal languages such as program code.
       Source: NIST SP 800-162 and NIST SP 800-192 (adapted)
    2. Security safeguards (i.e., hardware and software features, physical controls, operating procedures, management procedures, and various combinations of these) designed to detect and deny unauthorized access and permit authorized access to an information system.
       Source: *NCSC-TG-004

access cross domain solution
    A type of transfer cross domain solution (CDS) that provides access to a computing platform, application, or data residing in different security domains without transfer of user data between the domains.
    Note: The access function is implemented by transferring keyboard and mouse data down to the lower security domain and sending video/image data up to the higher security domain.
    Source: CNSSI No. 1253F Attachment 3 (adapted)

access level
    A category within a given security classification limiting entry or system connectivity to only authorized persons.
    Source: not specified

access list
    1. A list of users, programs, and/or processes and the specifications of access categories to which each is assigned.
       Source: *NCSC-TG-004
    2. Roster of individuals authorized admittance to a controlled area.
       Source: not specified

access profile
    Association of a user with a list of protected objects the user may access.
    Source: not specified

access type
    1. Privilege to perform action on an object. Read, write, execute, append, modify, delete, and create are examples of access types.
       Source: not specified
    2. The nature of an access right to a particular device, program, or file (e.g., read, write, execute, append, modify, delete, or create).
       Source: *NCSC-TG-004
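The entries for access control list, access control mechanism and access type above describe one small machine from three angles: a list that enumerates permitted entities and their modes, a component that receives a request, decides and enforces, and the modes themselves. The following added example, which is not code from CNSSI 4009 or from any source the glossary cites, puts the three together in Python. The subjects, groups, resource and ACL entries are constructed sample data, and the table of implied modes (write implies append, modify implies read) is an assumption made to illustrate RFC 4949's "implicitly or explicitly"; the glossary defines no such rule.

```python
"""Access control mechanism backed by an access control list.

Added example for the "access control list (ACL)", "access control
mechanism" and "access type" entries; not code from CNSSI 4009 or from any
source it cites. Subjects, groups, the resource and the ACL entries are
constructed sample data, and IMPLIED_MODES is an assumption made for
illustration.
"""
from dataclasses import dataclass

# The access types the glossary lists as examples.
ACCESS_TYPES = frozenset(
    {"read", "write", "execute", "append", "modify", "delete", "create"})

# Assumed implicit grants: an entry that explicitly grants the key mode is
# taken to grant the listed modes as well.
IMPLIED_MODES = {"write": {"append"}, "modify": {"read"}}


@dataclass(frozen=True)
class AclEntry:
    entity: str        # a user name, or "group:<name>" for a group
    modes: frozenset   # access types granted explicitly


@dataclass
class Acl:
    resource: str
    entries: tuple     # enumerates every entity permitted on the resource

    def effective_modes(self, principals):
        """Union of explicit and implied modes over entries naming a principal."""
        granted = set()
        for entry in self.entries:
            if entry.entity in principals:
                granted |= entry.modes
                for mode in entry.modes:
                    granted |= IMPLIED_MODES.get(mode, set())
        return granted


def decide(acl, subject, groups, access_type):
    """Access control decision in the NIST SP 800-162 sense.

    Permit only when the ACL enumerates the subject, or a group it belongs
    to, with the requested access type; anything not enumerated is denied.
    """
    if access_type not in ACCESS_TYPES:
        raise ValueError(f"unknown access type: {access_type}")
    principals = {subject} | {f"group:{g}" for g in groups}
    return access_type in acl.effective_modes(principals)


def enforce(acl, subject, groups, access_type, audit):
    """Decide, record the decision against the requesting entity so it can
    be traced back to it, and enforce the decision by raising on denial."""
    permitted = decide(acl, subject, groups, access_type)
    audit.append((subject, acl.resource, access_type,
                  "permit" if permitted else "deny"))
    if not permitted:
        raise PermissionError(f"{subject} may not {access_type} {acl.resource}")
    return True


# Constructed sample ACL: alice may read and write (hence append), members
# of the auditors group may read, and nobody is granted delete.
PAYROLL_ACL = Acl(
    resource="payroll.db",
    entries=(
        AclEntry("alice", frozenset({"read", "write"})),
        AclEntry("group:auditors", frozenset({"read"})),
    ),
)


def run_requests(acl=PAYROLL_ACL):
    """Exercise the mechanism on constructed requests; returns the audit log."""
    audit = []
    requests = [
        ("alice", [], "append"),           # implied by write: permit
        ("carol", ["auditors"], "read"),   # via group membership: permit
        ("carol", ["auditors"], "write"),  # group has read only: deny
        ("dave", [], "read"),              # not enumerated at all: deny
        ("alice", [], "delete"),           # mode never granted: deny
    ]
    for subject, groups, access_type in requests:
        try:
            enforce(acl, subject, groups, access_type, audit)
        except PermissionError:
            pass
    return audit


if __name__ == "__main__":
    for record in run_requests():
        print(record)
```

The decision function never consults anything but the ACL, so an entity absent from the list gets "deny" without a special case, and the audit tuple written by enforce() is what makes each permit or deny traceable to the requesting subject.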
accountability [cryptographic context]
    The principle that an individual is entrusted to safeguard and control equipment, keying material, and information and is answerable to proper authority for the loss or misuse of that equipment or information.
    Source: CNSSI No. 4005

accountability [general context]
    Property that ensures that the actions of an entity may be traced uniquely to the entity.
    Source: ISO/IEC 7498-2:1989

accountability [privacy context]
    A privacy principle (FIPP) that refers to an organization's requirements to demonstrate their implementation of the FIPPs and applicable privacy requirements.
    Source: OMB Circular A-130 (adapted)

accountability [systems security context]
    The security objective that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.
    Source: *NIST SP 800-33 (adapted)

accounting legend code (ALC)
    A numeric code used to indicate the minimum accounting controls required for items of accountable COMSEC material within the COMSEC material control system (CMCS).
    Source: CNSSI No. 4005

accounting number
    A number assigned to an individual item of COMSEC material at its point of origin to facilitate its handling and accounting.
    Source: not specified

accreditation [information security context] (C.F.D.)
    The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.
    See authorization to operate (ATO).
    Note: For the information security context, this term was replaced in 2010 by the term authorization, but it is still seen occasionally in contracts and in organizations that rely on FIPS 200.
    C.F.D. Rationale: The Risk Management Framework uses the term authorization, but FIPS 200 and other documents still use the term accreditation.
    Source: FIPS 200
accreditation [testing & evaluation context]
    Formal recognition that a laboratory is competent to carry out specific tests or calibrations or types of tests or calibrations.
    Source: NIST Handbook 150; NIST NVLAP

acquirer
    Stakeholder that acquires or procures a product or service.
    Source: NIST SP 800-161; ISO/IEC 15288:2015 (adapted)

acquisition
    The process associated with obtaining products or services, typically through contracts involving the expenditure of financial resources, as well as to products or services that may be obtained on a cost-free basis via other mechanisms (e.g., the downloading of public domain software products and other software products with limited or no warranty, such as those commonly known as freeware or shareware from the commercial Internet).
    Source: NSA/CSS Policy 3-4 (adapted)

activation data
    A pass-phrase, personal identification number (PIN), biometric data, or other mechanisms of equivalent authentication robustness used to protect access to any use of a private key, except for private keys associated with System or Device certificates.
    Source: CNSSI No. 1300

active attack
    An attack on a secure communication protocol where the attacker transmits data to the claimant, Credential Service Provider (CSP), verifier, or Relying Party (RP). Examples of active attacks include man-in-the-middle (MitM), impersonation, and session hijacking.
    NIST SP 800-30 Rev. 1, Appendix E provides a representative list of threat events, including attacks. Active and passive attacks may include: Denial of Service (DoS); Distributed Denial of Service (DDoS); Cross-site Request Forgery (CSRF); Cross-site Scripting (XSS); manipulative communications deception; phishing; laboratory attacks; side channel attacks; spear phishing; whaling; and Trojan Horses.
    See also passive attack.
    Source: NIST SP 800-63-3 (adapted)

active content
    Electronic documents that can carry out or trigger actions automatically on a computer platform without the intervention of a user.
    Source: NIST SP 800-28 Version 2

active cyber defense (ACD)
    Synchronized, real-time capability to discover, detect, analyze, and mitigate threats and vulnerabilities.
    Source: DSOC

adequate security
    Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.
    Source: OMB Circular A-130, Appendix III

administrative incident (COMSEC)
    A violation of procedures or practices dangerous to security that is not serious enough to jeopardize the integrity of a controlled cryptographic item (CCI), but requires corrective action to ensure the violation does not recur or possibly lead to a reportable COMSEC incident.
    Source: CNSSI No. 4001 (adapted)

advanced encryption standard (AES)
    A U.S. Government-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information.
    Source: FIPS 197 (adapted)

advanced key processor (AKP)
    A cryptographic device that performs all cryptographic functions for a management client node and contains the interfaces to 1) exchange information with a client platform, 2) interact with fill devices, and 3) connect a client platform securely to the primary services node (PRSN).
    Source: not specified
advanced persistent threat (APT)
    An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders' efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.
    Source: NIST SP 800-39

adversary
    Person, group, organization, or government that conducts or has the intent to conduct detrimental activities.
    Source: NIST SP 800-30 Rev. 1 (adapted); DHS Lexicon

agency
    Any executive department, military department, government corporation, government controlled corporation, or other establishment in the executive branch of the government (including the Executive Office of the President), or any independent regulatory agency, but does not include:
    (i) the General Accounting Office;
    (ii) Federal Election Commission;
    (iii) the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or
    (iv) Government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities.
    See also executive agency.
    Source: 44 U.S.C. Sec. 3502
air gap
    An interface between two systems at which (a) they are not connected physically and (b) any logical connection is not automated (i.e., data is transferred through the interface only manually, under human control).
    Source: IETF RFC 4949 Ver 2

alert
    A brief, usually human-readable, technical notification regarding current vulnerabilities, exploits, and other security issues. Also known as an advisory, bulletin, or vulnerability note.
    Source: NIST SP 800-150

allied nation
    A nation allied with the U.S. in a current defense effort and with which the U.S. has certain treaties. For an authoritative list of allied nations, contact the Office of the Assistant Legal Adviser for Treaty Affairs, Office of the Legal Adviser, U.S. Department of State, or see the list of U.S. Collective Defense Arrangements at https://www.state.gov.
    Source: CNSSI No. 4005

allocation
    1. The process an organization employs to assign security or privacy requirements to an information system or its environment of operation; or to assign controls to specific system elements responsible for providing a security or privacy capability (e.g., router, server, remote sensor).
       Source: NIST SP 800-37 Rev. 2
    2. The process an organization employs to determine whether security controls are defined as system-specific, hybrid, or common.
       Source: NIST SP 800-53 Rev. 5 (adapted)

all-source intelligence
    1. In intelligence collection, a phrase that indicates that in the satisfaction of intelligence requirements, all collection, processing, exploitation, and reporting systems and resources are identified for possible use and those most capable are tasked.
    2. Intelligence products and/or organizations and activities that incorporate all sources of information, most frequently human resources intelligence, imagery intelligence, measurement and signature intelligence, signals intelligence, and open source data in the production of finished intelligence.
    Note: Intelligence is limited to the products, activities, and organizations within the Intelligence Community. Related products, activities, and organizations outside of the Intelligence Community are called "information" or "data".
    See intelligence.
    Source: DoD JP 2-0

alternate COMSEC account manager
    The primary alternate COMSEC Account Manager is an individual designated by proper authority to perform the duties of the COMSEC Account Manager during the temporary authorized absence of the COMSEC Account Manager. Additional Alternate COMSEC Account Managers may be appointed, as necessary, to assist the COMSEC Account Manager and maintain continuity of operations.
    Source: CNSSI No. 4005

analysis approach
    The approach used to define the orientation or starting point of the risk assessment, the level of detail in the assessment, and how risks due to similar threat scenarios are treated.
    Source: NIST SP 800-30 Rev. 1

anti-jam
    The result of measures to resist attempts to interfere with communications reception.
    Source: CNSSI No. 1200

anti-signal fingerprint
    Result of measures used to resist attempts to uniquely identify a particular transmitter based on its signal parameters.
    Source: CNSSI No. 1200

anti-signal spoof
    Result of measures used to resist attempts to achieve imitative or manipulative communications deception based on signal parameters.
    Source: CNSSI No. 1200

anti-spoof
    Countermeasures taken to prevent the unauthorized use of legitimate identification & authentication (I&A) data, however it was obtained, to mimic a subject different from the attacker.
    Source: not specified
anti-tamper (AT)
    Systems engineering activities intended to prevent physical manipulation or delay exploitation of critical program information in U.S. defense systems in domestic and export configurations to impede countermeasure development, unintended technology transfer, or alteration of a system due to reverse engineering.
    See tampering.
    Source: DoDI 5200.39 (adapted)

application
    A software program hosted by an information system.
    Source: NIST SP 800-37 Rev. 2

application-specific integrated circuits (ASICs) (C.F.D.)
    A digital or analog circuit, custom-designed and/or custom-manufactured to perform a specific function. An ASIC is not reconfigurable and cannot contain additional instructions.
    C.F.D. Rationale: term is outdated and not regularly used.
    Source: Encyclopedia Britannica (adapted)

approval to operate (ATO)
    See authorization to operate.

approved cryptography
    Federal Information Processing Standard (FIPS)-approved or NIST recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation, or 2) adopted in a FIPS or NIST Recommendation.
    Source: NIST SP 800-63-3
artificial intelligence
    (1) Any artificial system that performs tasks under varying and unpredictable circumstances without significant human oversight, or that can learn from experience and improve performance when exposed to data sets. (2) An artificial system developed in computer software, physical hardware, or other context that solves tasks requiring human-like perception, cognition, planning, learning, communication, or physical action. (3) An artificial system designed to think or act like a human, including cognitive architectures and neural networks. (4) A set of techniques, including machine learning, that is designed to approximate a cognitive task. (5) An artificial system designed to act rationally, including an intelligent software agent or embodied robot that achieves goals using perception, planning, reasoning, learning, communicating, decision making, and acting.
    Source: Public Law 115-232, Sec. 238

assembly
    An item forming a portion of an equipment, that can be provisioned and replaced as an entity and which normally incorporates replaceable parts and groups of parts.
    Source: DoDM 4140.01, Volume 2

assertion
    A statement from a verifier to a Relying Party (RP) that contains information about a subscriber. Assertions also may contain verified attributes.
    Source: NIST SP 800-63-3

assessment activities [information system context]
    An assessment object that includes specific protection related pursuits or actions supporting an information system that involve people (e.g., conducting system backup operations, monitoring network traffic).
    Source: NIST SP 800-53A Rev. 4 (adapted)

assessment approach [risk]
    The approach used to assess risk and its contributing risk factors, including quantitatively, qualitatively, or semi-quantitatively.
    Source: NIST SP 800-30 Rev. 1
assessment findings
    Assessment results produced by the application of an assessment procedure to a security control, privacy control, or control enhancement to achieve an assessment objective; the execution of a determination statement within an assessment procedure by an assessor that results in either a satisfied or other than satisfied condition.
    Source: NIST SP 800-53A Rev. 4

assessment [general context]
    An evidence-based evaluation and judgement on the nature, characteristics, quality, effectiveness, intent, impact, or capabilities of an item, organization, group, policy, activity, or person.
    Note: Assessments are generally informational in nature and used to support decision making and to inform formal inspections or audits. Assessments may consider information garnered from past audits, inspections, risk analyses, incident reports, intelligence collection, and other related activities, but are considered separate from these activities.
    See also threat assessment, risk assessment, assessment (security control). Contrast with inspection, audit (general).
    Source: not specified

assessment method
    One of three types of actions (i.e., examine, interview, test) taken by assessors in obtaining evidence during an assessment.
    Source: NIST SP 800-53A Rev. 4

assessment object
    The item (i.e., specifications, mechanisms, activities, individuals) upon which an assessment method is applied during an assessment.
    Source: NIST SP 800-53A Rev. 4

assessment objective
    A set of determination statements that expresses the desired outcome for the assessment of a security control, privacy control, or control enhancement.
    Source: NIST SP 800-53A Rev. 4

assessment procedure
    A set of assessment objectives and an associated set of assessment methods and assessment objects.
    Source: NIST SP 800-53A Rev. 4

assessment (risk)
    See risk assessment.
assessment (security control)
    The testing or evaluation of the controls in an information system or an organization to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security or privacy requirements for the system or the organization.
    Source: NIST SP 800-37 Rev. 2

assessment (threat)
    See threat assessment.

assessor
    The individual, group, or organization responsible for conducting a security or privacy assessment.
    See control assessor and risk assessor.
    Source: NIST SP 800-37 Rev. 2

asset
    1. A distinguishable entity that provides a service or capability. Assets are people, physical entities, or information located either within or outside the United States and employed, owned, or operated by domestic, foreign, public, or private sector organizations.
       Source: DoDD 3020.40
    2. An item of value to the achievement of organizational mission/business objectives.
       Note 1: Assets have interrelated characteristics that include value, criticality, and the degree to which they are relied upon to achieve organizational mission/business objectives. From these characteristics, appropriate protections are to be engineered into solutions employed by the organization.
       Note 2: An asset may be tangible (e.g., physical item such as hardware, software, firmware, computing platform, network device, or other technology components) or intangible (e.g., information, data, trademark, copyright, patent, intellectual property, image, or reputation).
       Source: NIST SP 800-160 Vol. 1 (adapted)

asset reporting format (ARF)
    A format for expressing the transport format of information about assets and the relationships between assets and reports.
    Source: NIST SP 800-126 Rev. 3
assurance
    The grounds for confidence that a [security or privacy] claim has been or will be achieved.
    Source: NIST SP 800-37 Rev. 2

assurance case
    A structured set of arguments and a body of evidence showing that an information system satisfies specific claims with respect to a given quality attribute.
    Source: NIST SP 800-39

assured information sharing
    The ability to confidently share information with those who need it, when and where they need it, as determined by operational need and an acceptable level of security risk.
    Source: not specified

assured pipeline (AP)
    A set of filter processes that are arranged in a linear order using one-way inter-process communications to transfer data between processes. The linear flow is enforced with mandatory and discretionary access control mechanisms.
    Source: not specified

asymmetric cryptography
    See public key cryptography (PKC).

asymmetric key algorithm
    Asymmetric key algorithms (often called public key algorithms) use a pair of keys (i.e., a key pair): a public key and a private key that are mathematically related to each other. In asymmetric key cryptography, only one key in the key pair, the private key, must be kept secret; the other key can be made public. Asymmetric key cryptography is commonly used to protect the integrity and authenticity of information and to establish symmetric keys.
    Source: NIST SP 800-57 Part 2 Rev. 1

asymmetric keys
    Two related keys, a public key and a private key that are used to perform complementary operations, such as encryption and decryption or signature generation and signature verification.
    Source: FIPS 201-2
attack
    See cyber attack [national security].

attack sensing and warning (AS&W)
    Detection, correlation, identification, and characterization of intentional unauthorized activity with notification to decision makers so that an appropria
