Exhibit C

Case 2:22-cv-00263-JRG-RSP Document 24-1 Filed 11/21/22 Page 2 of 9 PageID #: 620
Committee on National Security Systems

CNSSI 4009
March 2, 2022

Committee on National Security Systems (CNSS) Glossary

THIS DOCUMENT PRESCRIBES MINIMUM STANDARDS.

YOUR DEPARTMENT OR AGENCY MAY REQUIRE FURTHER IMPLEMENTATION.
National Manager

FOREWORD
`
1. The Committee on National Security Systems (CNSS) Glossary Working Group convened to review and update the Committee on National Security Systems (CNSS) Glossary, Committee on National Security Systems Instruction (CNSSI) No. 4009, dated April 2015. This revision of CNSSI No. 4009 incorporates many new terms submitted by the CNSS Membership. Most of the terms from the 2015 version of the Glossary remain, but a number of terms have updated definitions in order to remove inconsistencies among the communities.
`
2. The Glossary Working Group set several overall objectives for itself in producing this version:

- Use authoritative sources for definitions of terms. It is preferred that definitions originate from current authoritative sources, as this demonstrates both that the term is in active use and that the definition has been vetted by subject matter experts. Listing sources for definitions also provides context and a reference for additional information.
- Continue to resolve differences between the definitions of terms used by the Department of Defense (DoD), Intelligence Community (IC), and Civil Agencies (e.g., National Institute of Standards and Technology (NIST)), enabling all three to use the same glossary. This will allow for use of consistent terminology in documentation, policy, and process across these communities.
- Ensure consistency among related and dependent terms. These terms are linked through a suggestion to see the related term, shown in italics (e.g., See assurance).
- Ensure any acronyms used in the terms and definitions also appear in the Acronyms appendix, and remove any acronyms judged to be outside of the scope of the glossary or no longer relevant.
- Ensure all documents referenced as sources in the terms and definitions also appear in the References appendix. Because of this, the number of references has grown from 29 in the 2010 version to over 200 in the current version. References not used as the source of terms and definitions were removed.
`
3. The glossary still contains definitions where sources are not specified. For these terms, definitions will be considered organic. These new terms are often emerging terms judged to be valuable to include in the glossary, but have not yet been defined in a published authoritative source, or terms where an adequate original definition source could not be identified.
`
4. Some definitions originate from an obsolete, withdrawn, or superseded source. In most cases, terms with no alternative definitions were found to be obsolete and deleted. In cases where the term was deemed relevant, but no current authoritative source could be found, the obsolete source is shown as italicized and with an asterisk (e.g., *NCSC-TG-004) in the table and labeled as withdrawn or superseded in the reference section. This allows for easier tracking of the etymology of a term and for understanding context.
`
5. Some sources list a given document and then note "(adapted)"; for example, the term "acquisition" states as its source "NSA/CSS Policy 3-4 (adapted)." "Adapted" indicates a definition derived from a source, but not verbatim from that source. An adapted definition given in CNSSI 4009 may be truncated from the original source's definition because of extraneous information, it may be re-worded for clarity or accuracy, or it may be constructed using content from the original source (e.g., defining Controlled Cryptographic Item by using material from CNSSI No. 4001 and citing "CNSSI No. 4001 (adapted)" as the source).
`
6. Many cyber terms are emerging. The Glossary Working Group has tried to include significant terms and definitions that have a useful distinction when compared to existing cybersecurity (CS) terms. All terms currently defined in CNSS issuances were reviewed for either inclusion or to replace current definitions in the Glossary. Not all terms appearing in CNSS issuances are within the scope of the CNSS Glossary or are relevant to the intended audience.
`
7. Some terms and definitions recommended by the community for inclusion were not added to this version of the glossary. The main reasons for not adding new terms or definitions were ones of scope or lack of an authoritative source, where an organic definition was not deemed appropriate.
`
8. Many terms that are outdated or no longer necessary were removed from the glossary. Some terms that had been labeled as Candidates for Deletion (C.F.D.) for several versions of the glossary nevertheless remain in this version, either because they are still used in certain communities, or to provide users with traceability to the newer terms.
`
9. The format of the glossary has been updated from previous versions. This format allows an easier distinction between definitions with notes, notes added for this glossary, and multiple definitions from different sources (listed in alphabetical order). Context was also added to many terms and is shown in brackets (e.g., assessment [general context]). In addition, throughout the glossary, references to similar or updated terms are made. When that term exists in this document, it is italicized (e.g., See assurance); when the term is not in this document, it is put into quotes (e.g., Also known as "assurance").
`
10. We recognize that an effective glossary must be in a continuous state of coordination and improvement. We encourage further community review and comments as new terms become significant and old terms fall into disuse or change meaning. The goal of the Glossary Working Group is to keep the CNSS Glossary relevant and a tool for commonality across the CS community.
`
11. Representatives of the CNSS may obtain copies of this instruction on the CNSS Web Page at https://www.cnss.gov.
FOR THE NATIONAL MANAGER:

/s/

ROBERT E. JOYCE

Deputy National Manager for National Security Systems

CNSS Secretariat (C07), National Security Agency, 9800 Savage Road, STE 6165, Ft Meade, MD 20755-6716
Office Phone Number: (410) 854-6805; Unclassified FAX Number: (410) 854-6814
CNSS@nsa.gov

Table of Contents

Terms and Definitions ........ 1
Annex A: Acronyms ........ 156
Annex B: References ........ 170
Committee on National Security Systems (CNSS) Glossary

Terms and Definitions

This instruction applies to all: U.S. Government Departments, Agencies, Bureaus and Offices, supporting contractors and agents that collect, generate, process, store, display, transmit or receive classified or controlled unclassified information, or that operate, use, or connect to National Security Systems (NSS), as defined herein.
`
Term / Definition / Source

access
  1. Ability to make use of any information system (IS) resource.
     Source: NIST SP 800-32
  2. To make contact with one or more discrete functions of an online, digital service.
     Source: NIST SP 800-63-3

access and amendment [privacy context]
  A privacy principle (FIPP) that refers to an organization's requirements to provide individuals with appropriate access to personally identifiable information (PII) and appropriate opportunity to correct or amend PII.
  Source: OMB Circular A-130 (adapted)

access authority
  An entity responsible for monitoring and granting access privileges for other authorized entities.
  Source: (none listed)

access control
  The process of granting or denying specific requests: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., Federal buildings, military establishments, border crossing entrances).
  Source: FIPS 201-2
government off the shelf (GOTS)
  A software and/or hardware product that is developed by the technical staff of a Government organization for use by the U.S. Government. GOTS software and hardware may be developed by an external entity, with specification from the Government organization to meet a specific Government purpose, and can normally be shared among Federal agencies without additional cost. GOTS products and systems are not commercially available to the general public. Sales and distribution of GOTS products and systems are controlled by the Government.
  Source: NSA/CSS Policy 3-14

gray box testing
  A test methodology that assumes some knowledge of the internal structure and implementation detail of the assessment object. Also known as focused testing.
  Source: (none listed)

graylist
  A list of discrete entities, such as hosts, email addresses, network port numbers, runtime processes, or applications, that have not yet been established as benign or malicious; more information is needed to move graylist items onto a whitelist or a blacklist.
  Compare with whitelist and blacklist.
  Source: NIST SP 800-167 (adapted)

gray market
  Distribution channels which, while legal, are unofficial, unauthorized, or unintended by the original manufacturer.
  Source: USDC DIB Assessment: Counterfeit Electronics (adapted)

group authenticator
  Used, sometimes in addition to a sign-on authenticator, to allow access to specific data or functions that may be shared by all members of a particular group.
  Source: (none listed)

guard (system)
  A computer system that (a) acts as gateway between two information systems operating under different security policies and (b) is trusted to mediate information data transfers between the two.
  See transfer cross domain solution.
  Source: IETF RFC 4949 Ver 2