Glossary
Cable Modem
High-speed Internet access provided by cable companies, usually delivered over coaxial cable.
Cache
A special high-speed storage mechanism. It can be either a reserved section of main memory or an independent high-speed storage device. Two types of caching are commonly used in personal computers: memory caching and disk caching.
Call Back (NIST)
Procedure for identifying and authenticating a remote information system terminal, whereby the host system disconnects the terminal and reestablishes contact.
SOURCE: CNSSI-4009
Call Processing Language (CPL)
An IETF Internet Draft, XML-based language that can be used to describe and control Internet telephony services. It is not tied to any particular signaling architecture or protocol; it is anticipated to be used with both SIP and H.323. CPL is powerful enough to describe a large number of services and features, but it is limited enough in power that it can run safely in Internet telephony servers.
CAM
Customer Account Manager – The AZNet team of customer service representatives who assist agencies with small projects and pricing quotes.
Canister (NIST)
Type of protective package used to contain and dispense keying material in punched or printed tape form.
SOURCE: CNSSI-4009
Capacity Management
The process of determining the system capacity needed to deliver specific performance levels through quantification and analysis of current and projected workload.
Capstone Policies (NIST)
Those policies that are developed by governing or coordinating institutions of Health Information Exchanges (HIEs). They provide overall requirements and guidance for protecting health information within those HIEs. Capstone Policies must address the requirements imposed by: (1) all laws, regulations, and guidelines at the federal, state, and local levels; (2) business needs; and (3) policies at the institutional and HIE levels.
SOURCE: NISTIR-7497
Capture (NIST)
The method of taking a biometric sample from an end user.
SOURCE: FIPS 201
Card Skimmer
A physical device, often attached to a legitimate card-reading device, designed to illegitimately capture and/or store the information from a payment card.
SOURCE: PCI DSS GLOSSARY
Card Verification Value (CVV/CVV2)
Both of these terms are commonly used to refer to the number printed on a card to help secure "card not present" transactions - other terms include CVC, CID and CSC. To be precise, the code printed on the card is actually the CVV2 - and the CVV is integrity-check data encoded on the magnetic strip - but both terms are widely used online.
SOURCE: VERIZON PCI SECURITY
Cardholder (NIST)
An individual possessing an issued Personal Identity Verification (PIV) card.
SOURCE: FIPS 201
Cardholder Data Environment (CDE)
All people, processes and technologies that store, process or transmit cardholder data (CHD) or sensitive authentication data (SAD).
SOURCE: VERIZON PCI SECURITY
Carrier Sense Multiple Access with Collision Detection (CSMA/CD)
A media access control method used most notably in local area networking. It uses a carrier sensing scheme in which a transmitting data station detects other signals while transmitting a frame, and stops transmitting that frame, transmits a jam signal, and then waits for a random time interval before trying to resend the frame.
SOURCE: WIKIPEDIA
Carrier Services
Carrier Services are telephone and data communications carried over high-speed network channels to transport data between points in a Wide Area Network (WAN). Over time, as communications equipment becomes more sophisticated, the distinction between the types of traffic carried will disappear.
Cascading (NIST)
Downward flow of information through a range of security levels greater than the accreditation range of a system, network, or component.
SOURCE: CNSSI-4009
Cascading Style Sheet (CSS)
A style sheet language used for describing the look and formatting of a document written in a markup language.
SOURCE: WIKIPEDIA
Category (NIST)
Restrictive label applied to classified or unclassified information to limit access.
SOURCE: CNSSI-4009
The subdivision of a Function into groups of cybersecurity outcomes, closely tied to programmatic needs and particular activities. Examples of Categories include "Asset Management," "Access Control," and "Detection Processes."
SOURCE: NIST CYBERSECURITY FRAMEWORK
CBC/MAC (NIST)
See Cipher Block Chaining-Message Authentication Code
CCM (NIST)
See Counter with Cipher-Block Chaining-Message Authentication Code
Cell
The basic data unit for ATM switching and multiplexing. Cells contain identifiers that specify the data stream to which they belong. Each cell consists of a 5-byte header and 48 bytes of payload.
Cell Relay
A network technology based on the use of small, fixed-size packets, or cells. Because cells are fixed-length, they can be processed and switched in hardware at high speeds. Cell relay is the basis for many high-speed network protocols including ATM, IEEE 802.6, and Switched Multimegabit Data Service (SMDS).
Certificate (NIST)
A digital representation of information which at least
1) identifies the certification authority issuing it,
2) names or identifies its subscriber,
3) contains the subscriber's public key,
4) identifies its operational period, and
5) is digitally signed by the certification authority issuing it.
SOURCE: SP 800-32
A set of data that uniquely identifies an entity, contains the entity’s public key and possibly other information, and is digitally signed by a trusted party, thereby binding the public key to the entity.
Additional information in the certificate could specify how the key is used and its cryptoperiod.
SOURCE: SP 800-21
A digitally signed representation of information that 1) identifies the authority issuing it, 2) identifies the subscriber, 3) identifies its valid operational period (date issued / expiration date). In the information assurance (IA) community, certificate usually implies public key certificate and can have the following types:
cross certificate – a certificate issued from a CA that signs the public key of another CA not within its trust hierarchy that establishes a trust relationship between the two CAs.
encryption certificate – a certificate containing a public key that can encrypt or decrypt electronic messages, files, documents, or data transmissions, or establish or exchange a session key for these same purposes. Key management sometimes refers to the process of storing, protecting, and escrowing the private component of the key pair associated with the encryption certificate.
identity certificate – a certificate that provides authentication of the identity claimed. Within the National Security Systems (NSS) PKI, identity certificates may be used only for authentication or may be used for both authentication and digital signatures.
SOURCE: CNSSI-4009
A set of data that uniquely identifies a key pair and an owner that is authorized to use the key pair. The certificate contains the owner’s public key and possibly other information, and is digitally signed by a Certification Authority (i.e., a trusted party), thereby binding the public key to the owner.
SOURCE: FIPS 186
Certificate Management (NIST)
Process whereby certificates (as defined above) are generated, stored, protected, transferred, loaded, used, and destroyed.
SOURCE: CNSSI-4009
Certificate Management Authority (CMA) (NIST)
A Certification Authority (CA) or a Registration Authority (RA).
SOURCE: SP 800-32
Certificate of authority
A security certificate that accompanies most software and OEM products. It contains anti-counterfeiting devices, such as a latent image, to prevent the production of counterfeit software products.
Certificate Policy
A formal document that describes the various roles involved in creating, maintaining, and validating digital certificates. It also specifies obligations associated with the roles and which parts of the process may be delegated.
Certificate Policy (CP) (NIST)
A specialized form of administrative policy tuned to electronic transactions performed during certificate management. A Certificate Policy addresses all aspects associated with the generation, production, distribution, accounting, compromise recovery, and administration of digital certificates. Indirectly, a certificate policy can also govern the transactions conducted using a communications system protected by a certificate-based security system. By controlling critical certificate extensions, such policies and associated enforcement technology can support provision of the security services required by particular applications.
SOURCE: CNSSI-4009; SP 800-32
Certificate Revocation List (CRL) (NIST)
A list of revoked public key certificates created and digitally signed by a Certification Authority.
SOURCE: SP 800-63; FIPS 201
A list of revoked but un-expired certificates issued by a CA.
SOURCE: SP 800-21
A list of revoked public key certificates created and digitally signed by a Certification Authority.
SOURCE: CNSSI-4009
Certificate Status Authority (NIST)
A trusted entity that provides online verification to a Relying Party of a subject certificate's trustworthiness, and may also provide additional attribute information for the subject certificate.
SOURCE: SP 800-32; CNSSI-4009
Certificate-Based Authentication
The use of SSL and certificates to authenticate and encrypt HTTP traffic.
Certificate-Related Information (NIST)
Information, such as a subscriber's postal address, that is not included in a certificate. May be used by a Certification Authority (CA) managing certificates.
SOURCE: SP 800-32
Data, such as a subscriber's postal address that is not included in a certificate. May be used by a Certification Authority (CA) managing certificates.
SOURCE: CNSSI-4009
Certification (NIST)
A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
SOURCE: FIPS 200
The process of verifying the correctness of a statement or claim and issuing a certificate as to its correctness.
SOURCE: FIPS 201
Comprehensive evaluation of the technical and nontechnical security safeguards of an information system to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements. See Security Control Assessment.
SOURCE: CNSSI-4009
Certification Authority (CA)
A trusted third-party organization or company that issues digital certificates used to create digital signatures and public-private key pairs. The role of the CA in this process is to guarantee that the individual granted the unique certificate is, in fact, who he/she claims to be.
Certification Authority (CA) (NIST)
A trusted entity that issues and revokes public key certificates.
SOURCE: FIPS 201
The entity in a public key infrastructure (PKI) that is responsible for issuing certificates and exacting compliance to a PKI policy.
SOURCE: SP 800-21; FIPS 186
1. For Certification and Accreditation (C&A) (C&A Assessment): Official responsible for performing the comprehensive evaluation of the security features of an information system and determining the degree to which it meets its security requirements.
2. For Public Key Infrastructure (PKI): A trusted third party that issues digital certificates and verifies the identity of the holder of the digital certificate.
SOURCE: CNSSI-4009
Certification Authority Facility (NIST)
The collection of equipment, personnel, procedures and structures that are used by a Certification Authority to perform certificate issuance and revocation.
SOURCE: SP 800-32
Certification Package (NIST)
Product of the certification effort documenting the detailed results of the certification activities.
SOURCE: CNSSI-4009
Chain of Custody (NIST)
A process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose for the transfer.
SOURCE: SP 800-72; CNSSI-4009
Chain of Evidence (NIST)
A process and record that shows who obtained the evidence; where and when the evidence was obtained; who secured the evidence; and who had control or possession of the evidence. The "sequencing" of the chain of evidence follows this order: collection and identification; analysis; storage; preservation; presentation in court; return to owner.
SOURCE: CNSSI-4009
Challenge and Reply (NIST)
Prearranged procedure in which a subject requests authentication of another and the latter establishes validity with a correct reply.
SOURCE: CNSSI-4009
Challenge-Handshake Authentication Protocol (CHAP)
Uses a challenge/response authentication mechanism in which the response varies with every challenge to prevent replay attacks.
Challenge-Response Protocol (NIST)
An authentication protocol where the verifier sends the claimant a challenge (usually a random value or a nonce) that the claimant combines with a secret (often by hashing the challenge and a shared secret together, or by applying a private key operation to the challenge) to generate a response that is sent to the verifier. The verifier can independently verify the response generated by the Claimant (such as by re-computing the hash of the challenge and the shared secret and comparing to the response, or performing a public key operation on the response) and establish that the Claimant possesses and controls the secret.
SOURCE: SP 800-63
Change
The addition, modification or removal of anything that could have an effect on IT services. The scope should include changes to all architectures, processes, tools, metrics and documentation, as well as changes to IT services and other configuration items.
SOURCE: ITIL V3
Change Control
A formal process used to ensure that a process, product, service, or technology component is modified only in accordance with agreed-upon rules. Many organizations have formal Change Control Boards that review and approve proposed modifications to technology infrastructures, systems, and applications. Data Governance programs often strive to extend the scope of change control to include additions, modifications, or deletions to data models and values for reference/master data.
SOURCE: Data Governance Institute
Change Control Board (CCB)
A committee that decides whether proposed changes to a software project should be implemented. In short, any change to the baseline requirements agreed with the client should be taken up by the project team only on approval from this committee. If a change is agreed by the committee, it is communicated to the project team and the client, and the requirement is baselined with the change. The change control board is made up of project stakeholders or their representatives. The authority of the change control board may vary from project to project, but decisions reached by the change control board are often accepted as final and binding. Acceptance of changes also depends on the stage or phase of the project. The main objective is to ensure acceptance of the project (deliverable) by the client.
SOURCE: WIKIPEDIA
Check Word (NIST)
Cipher text generated by cryptographic logic to detect failures in cryptography.
SOURCE: CNSSI-4009
Checksum (NIST)
Value computed on data to detect error or manipulation.
SOURCE: CNSSI-4009
Chief Information Officer (CIO) (NIST)
Agency official responsible for:
1) Providing advice and other assistance to the head of the executive agency and other senior management personnel of the agency to ensure that information technology is acquired and information resources are managed in a manner that is consistent with laws, Executive Orders, directives, policies, regulations, and priorities established by the head of the agency;
2) Developing, maintaining, and facilitating the implementation of a sound and integrated information technology architecture for the agency; and
3) Promoting the effective and efficient design and operation of all major information resources management processes for the agency, including improvements to work processes of the agency.
SOURCE: FIPS 200; Public Law 104-106, Sec. 5125(b); CNSSI-4009; SP 800-53
Chief Information Security Officer (CISO)
See Senior Agency Information Security Officer
Cipher (NIST)
Series of transformations that converts plaintext to ciphertext using the Cipher Key.
SOURCE: FIPS 197
Any cryptographic system in which arbitrary symbols or groups of symbols, represent units of plain text, or in which units of plain text are rearranged, or both.
SOURCE: CNSSI-4009
Cipher Block Chaining-Message Authentication Code (CBC-MAC) (NIST)
A secret-key block-cipher algorithm used to encrypt data and to generate a Message Authentication Code (MAC) to provide assurance that the payload and the associated data are authentic.
SOURCE: SP 800-38C
Cipher Suite (NIST)
Negotiated algorithm identifiers. Cipher suites are identified in human-readable form using a mnemonic code.
SOURCE: SP 800-52
Cipher Text Auto-Key (CTAK) (NIST)
Cryptographic logic that uses previous cipher text to generate a key stream.
SOURCE: CNSSI-4009
Ciphertext (NIST)
Data output from the Cipher or input to the Inverse Cipher.
SOURCE: FIPS 197
Data in its enciphered form.
SOURCE: SP 800-56B
Claimant (NIST)
A party whose identity is to be verified using an authentication protocol.
SOURCE: SP 800-63; FIPS 201
An entity that is or represents a principal for the purposes of authentication, together with the functions involved in an authentication exchange on behalf of that entity. A claimant acting on behalf of a principal must include the functions necessary for engaging in an authentication exchange. (e.g., a smartcard [claimant] can act on behalf of a human user [principal])
SOURCE: FIPS 196
An entity (user, device or process) whose assertion is to be verified using an authentication protocol.
SOURCE: CNSSI-4009
Class of Service (CoS)
A parameter used in data and voice protocols to differentiate the types of payloads contained in the packet being transmitted. The objective of such differentiation is generally associated with assigning priorities to the data payload or access levels to the telephone call.
Clear (NIST)
To use software or hardware products to overwrite storage space on the media with nonsensitive data. This process may include overwriting not only the logical storage location of a file(s) (e.g., file allocation table) but also may include all addressable locations. See comments on Clear/Purge Convergence.
SOURCE: SP 800-88
Clear Text (NIST)
Information that is not encrypted.
SOURCE: SP 800-82
Clearing (NIST)
Removal of data from an information system, its storage devices, and other peripheral devices with storage capacity, in such a way that the data may not be reconstructed using common system capabilities (i.e., through the keyboard); however, the data may be reconstructed using laboratory methods.
SOURCE: CNSSI-4009
Client
A system entity that requests and uses a service provided by another system entity, called a "server." In some cases, the server may itself be a client of some other server.
Client (NIST)
A system entity, usually a computer process acting on behalf of a human user, that makes use of a service provided by a server.
SOURCE: SP 800-32
Client/Server
Client/Server describes the relationship between two devices or applications in which one device or application, the client, makes a service request from another device or application, the server, which fulfills the request. Although the client/server model is used by applications within a single device, in a network, the client/server model provides a convenient way to interconnect devices or applications that are distributed efficiently across different locations. Also referred to as “two-tier application architecture.”
Closed Security Environment (NIST)
Environment providing sufficient assurance that applications and equipment are protected against the introduction of malicious logic during an information system life cycle. Closed security is based upon a system's developers, operators, and maintenance personnel having sufficient clearances, authorization, and configuration control.
SOURCE: CNSSI-4009
Closed Storage (NIST)
Storage of classified information within an accredited facility, in General Services Administration-approved secure containers, while the facility is unoccupied by authorized personnel.
SOURCE: CNSSI-4009
Cloud Computing (NIST)
A model for enabling on-demand network access to a shared pool of configurable IT capabilities/resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. It allows users to access technology-based services from the network cloud without knowledge of, expertise with, or control over the technology infrastructure that supports them. This cloud model is composed of five essential characteristics (on-demand self-service, ubiquitous network access, location independent resource pooling, rapid elasticity, and measured service); three service delivery models (Cloud Software as a Service [SaaS], Cloud Platform as a Service [PaaS], and Cloud Infrastructure as a Service [IaaS]); and four models for enterprise access (Private cloud, Community cloud, Public cloud, and Hybrid cloud).
Note: Both the user's data and essential security services may reside in and be managed within the network cloud.
SOURCE: CNSSI-4009
COBOL
A compiled computer programming language designed for business. It is imperative, procedural and object-oriented.
SOURCE: WIKIPEDIA
Cold Site (NIST)
Backup site that can be up and operational in a relatively short time span, such as a day or two. Provision of services, such as telephone lines and power, is taken care of, and the basic office furniture might be in place, but there is unlikely to be any computer equipment, even though the building might well have a network infrastructure and a room ready to act as a server room. In most cases, cold sites provide the physical location and basic services.
SOURCE: CNSSI-4009
A backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place. The site is ready to receive the necessary replacement computer equipment in the event that the user has to move from their main computing location to an alternate site.
SOURCE: SP 800-34
Cold Start (NIST)
Procedure for initially keying crypto-equipment.
SOURCE: CNSSI-4009
Collision (NIST)
Two or more distinct inputs produce the same output. Also see Hash Function.
SOURCE: SP 800-57 Part 1
Commingling
The presence of FTI and non-FTI data together on the same paper or electronic media.
SOURCE: IRS PUB 1075
Commodity Service (NIST)
An information system service (e.g., telecommunications service) provided by a commercial service provider typically to a large and diverse set of consumers. The organization acquiring and/or receiving the commodity service possesses limited visibility into the management structure and operations of the provider, and while the organization may be able to negotiate service-level agreements, the organization is typically not in a position to require that the provider implement specific security controls.
SOURCE: SP 800-53
Common Business Oriented Language (COBOL)
The first widely used high-level programming language for business applications. COBOL was an effort to make a programming language that was like natural English, easy to write, and easier to read. While COBOL has been updated over the years to combine COBOL programming with relational databases and the Internet, some factions in industry still perceive it as out-of-date, and COBOL programs are generally viewed as legacy applications.
Common Carrier (NIST)
In a telecommunications context, a telecommunications company that holds itself out to the public for hire to provide communications transmission services. Note: In the United States, such companies are usually subject to regulation by federal and state regulatory commissions.
SOURCE: SP 800-53
Common Configuration Enumeration (CCE) (NIST)
A SCAP specification that provides unique, common identifiers for configuration settings found in a wide variety of hardware and software products.
SOURCE: SP 800-128
Common Configuration Scoring System (CCSS) (NIST)
A set of measures of the severity of software security configuration issues.
SOURCE: NISTIR 7502
A SCAP specification for measuring the severity of software security configuration issues.
SOURCE: SP 800-128
Common Gateway Interface (CGI)
This mechanism is used by HTTP servers (web servers) to pass parameters to executable scripts in order to generate responses dynamically.
Common Platform Enumeration (CPE) (NIST)
A SCAP specification that provides a standard naming convention for operating systems, hardware, and applications for the purpose of providing consistent, easily parsed names that can be shared by multiple parties and solutions to refer to the same specific platform type.
SOURCE: SP 800-128
Common Vulnerabilities and Exposures (CVE) (NIST)
A dictionary of common names for publicly known information system vulnerabilities.
SOURCE: SP 800-51; CNSSI-4009
An SCAP specification that provides unique, common names for publicly known information system vulnerabilities.
SOURCE: SP 800-128
Common Vulnerability Scoring System (CVSS) (NIST)
An SCAP specification for communicating the characteristics of vulnerabilities and measuring their relative severity.
SOURCE: SP 800-128
Communications Security (COMSEC) (NIST)
A component of Information Assurance that deals with measures and controls taken to deny unauthorized persons information derived from telecommunications and to ensure the authenticity of such telecommunications. COMSEC includes crypto security, transmission security, emissions security, and physical security of COMSEC material.
SOURCE: CNSSI-4009
Comparison (NIST)
The process of comparing a biometric with a previously stored reference.
SOURCE: FIPS 201
Compensating Security Control (NIST)
A management, operational, and/or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system.
NIST SP 800-53: A management, operational, and technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of the recommended control in the baselines described in NIST Special Publication 800-53 or in CNSS Instruction 1253, that provides equivalent or comparable protection for an information system.
SOURCE: CNSSI-4009
Compensating Security Controls (NIST)
The management, operational, and technical controls (i.e., safeguards or countermeasures) employed by an organization in lieu of the recommended controls in the low, moderate, or high baselines described in NIST Special Publication 800-53, that provide equivalent or comparable protection for an information system.
SOURCE: SP 800-37
The management, operational, and technical controls (i.e., safeguards or countermeasures) employed by an organization in lieu of the recommended controls in the baselines described in NIST Special Publication 800-53 and CNSS Instruction 1253, that provide equivalent or comparable protection for an information system.
SOURCE: SP 800-53A; SP 800-53
Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA)
A type of challenge-response test used in computing to determine whether the user is human.
SOURCE: WIKIPEDIA
Compliance
A discipline, set of practices, and/or organizational group that deals with adhering to laws, regulations, standards, and contractual arrangements. Also, the adherence to requirements. Data Governance programs often support many types of compliance requirements: Regulatory compliance, contractual compliance, adherence to internal standards, policies, and architectures, and conformance to rules for data management, project management, and other disciplines.
SOURCE: Data Governance Institute
Compliance Checking
In the context of the Information Security Policy, includes: an audit; risk and controls review; security review; and monitoring of an information system.
Comprehensive Testing (NIST)
A test methodology that assumes explicit and substantial knowledge of the internal structure and implementation detail of the assessment object. Also known as white box testing.
SOURCE: SP 800-53A
Compromise (NIST)
Disclosure of information to unauthorized persons, or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object may have occurred.
SOURCE: SP 800-32; CNSSI-4009
The unauthorized disclosure, modification, substitution, or use of sensitive data (including plaintext cryptographic keys and other CSPs).
SOURCE: FIPS 140-2
Computer Cryptography (NIST)
Use of a crypto-algorithm program by a computer to authenticate or encrypt/decrypt information.
SOURCE: CNSSI-4009
Computer Emergency Response Team (CERT)
Acronym for Carnegie Mellon University's "Computer Emergency Response Team." The CERT Program develops and promotes the use of appropriate technology and systems management practices to resist attacks on networked systems, to limit damage, and to ensure continuity of critical services.
SOURCE: PCI DSS GLOSSARY
Computer Emergency Response Team (CERT)
An organization that studies computer and network INFOSEC in order to provide incident response services to victims of attacks, publish alerts concerning vulnerabilities and threats, and offer other information to help improve computer and network security.
Computer Incident Response Team (CIRT) (NIST)
Group of individuals usually consisting of Security Analysts organized to develop, recommend, and coordinate immediate mitigation actions for containment, eradication, and recovery resulting from computer security incidents. Also called a Computer Security Incident Response Team (CSIRT) or a CIRC (Computer Incident Response Center, Computer Incident Response Capability, or Cyber Incident Response Team).
SOURCE: CNSSI-4009
Computer Network Attack (CNA) (NIST)
Actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.
SOURCE: CNSSI-4009
Computer Network Defense (CND) (NIST)
Actions taken to defend against unauthorized activity within computer networks. CND includes monitoring, detection, analysis (such as trend and pattern analysis), and response and restoration activities.
SOURCE: CNSSI-4009
Computer Network Exploitation (CNE) (NIST)
Enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary information systems or networks.
SOURCE: CNSSI-4009
Computer Network Operations (CNO) (NIST)
Comprised of computer network attack, computer network defense, and related computer network exploitation enabling operations.
SOURCE: CNSSI-4009
Computer Security (COMPUSEC) (NIST)
Measures and controls that ensure confidentiality, integrity, and availability of information system assets including hardware, software, firmware, and information being processed, stored, and communicated.
SOURCE: CNSSI-4009
Computer Security Incident (NIST)
See incident.
Computer Security Incident Response Team (CSIRT) (NIST)
A capability set up for the purpose of assisting in responding to computer security-related incidents; also called a Computer Incident Response Team (CIRT) or a CIRC (Computer Incident Response Center, Computer Incident Response Capability).
SOURCE: SP 800-61
Computer Security Object (CSO) (NIST)
A resource, tool, or mechanism used to maintain a condition of security in a computerized environment. These objects are defined in terms of attributes they possess, operations they perform or are performed on them, and their relationship with other objects.
SOURCE: FIPS 188; CNSSI-4009
Computer Security Objects Register (NIST)
A collection of Computer Security Object names and definitions kept by a registration authority.
SOURCE: FIPS 188; CNSSI-4009
Confidential Data
Data that is protected from unauthorized disclosure based on laws, regulations, and other legal agreements.
Confidentiality
Information is not made available or disclosed to unauthorized individuals, entities or processes.
Confidentiality (NIST)
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
SOURCE: SP 800-53; SP 800-53A; SP 800-18; SP 800-27; SP 800-60; SP 800-37; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542
The property that sensitive information is not disclosed to unauthorized individuals, entities, or processes.
SOURCE: FIPS 140-2
The property that information is not disclosed to system entities (users, processes, devices) unless they have been authorized to access the information.
SOURCE: CNSSI-4009
Configuration Change Control
Defined procedure for adding, removing, or revising all or part of a document, plan, application, or piece of equipment that includes a review and approval cycle prior to implementation.
Configuration Control (NIST)
Process of controlling modifications to hardware, firmware, software, and documentation to protect the information system against improper modification prior to, during, and after system implementation.
SOURCE: CNSSI-4009; SP 800-37; SP 800-53
Configuration Control Board – (CCB) (NIST)
A group of qualified people with responsibility for the process of regulating and approving changes to hardware, firmware, software, and documentation throughout the development and operational life cycle of an information system.
SOURCE: CNSSI-4009
Configuration Item
Any component or other service asset that needs to be managed in order to deliver an IT service.
SOURCE: ITIL V3
Configuration Management
A structured process of managing and controlling changes to hardware, software, firmware, communications, and documentation throughout the system development life cycle.
SOURCE: IRS PUB 1075
Configuration Management
Establish a known baseline condition and manage it.
Container (NIST)
The file used by a virtual disk encryption technology to encompass and protect other files.
SOURCE: SP 800-111
Contamination (NIST)
Type of incident involving the introduction of data of one security classification or security category into data of a lower security classification or different security category.
SOURCE: CNSSI-4009
Content Filtering (NIST)
The process of monitoring communications such as email and Web pages, analyzing them for suspicious content, and preventing the delivery of suspicious content to users.
SOURCE: SP 800-114
Contingency Plan (NIST)
Management policy and procedures used to guide an enterprise response to a perceived loss of mission capability. The Contingency Plan is the first plan used by the enterprise risk managers to determine what happened, why, and what to do. It may point to the Continuity of Operations Plan (COOP) or Disaster Recovery Plan for major disruptions.
SOURCE: CNSSI-4009
See also Information System Contingency Plan.
Continuity of Operations (COOP) Plan (NIST)
A predetermined set of instructions or procedures that describe how an organization’s mission essential functions will be sustained within 12 hours and for up to 30 days as a result of a disaster event before returning to normal operations.
SOURCE: SP 800-34
Management policy and procedures used to guide an enterprise response to a major loss of enterprise capability or damage to its facilities. The COOP is the third plan needed by the enterprise risk managers and is used when the enterprise must recover (often at an alternate site) for a specified period of time. It defines the activities of individual departments and agencies and their sub-components to ensure that their essential functions are performed. This includes plans and procedures that delineate essential functions; specify succession to office and the emergency delegation of authority; provide for the safekeeping of vital records and databases; identify alternate operating facilities; provide for interoperable communications; and validate the capability through tests, training, and exercises. See also Disaster Recovery Plan and Contingency Plan.
SOURCE: CNSSI-4009
Continuous Monitoring (NIST)
The process implemented to maintain a current security status for one or more information systems or for the entire suite of information systems on which the operational mission of the enterprise depends. The process includes: 1) The development of a strategy to regularly evaluate selected IA controls/metrics, 2) Recording and evaluating IA relevant events and the effectiveness of the enterprise in dealing with those events, 3) Recording changes to IA controls, or changes that affect IA risks, and 4) Publishing the current security status to enable information-sharing decisions involving the enterprise.
SOURCE: CNSSI-4009
Maintaining ongoing awareness to support organizational risk decisions.
SOURCE: SP 800-137
CONTROL
A means of managing a risk or ensuring that an objective is achieved. Controls can be preventative, detective, or corrective and can be fully automated, procedural, or technology-assisted human-initiated activities. They can include actions, devices, procedures, techniques, or other measures.
SOURCE: Data Governance Institute
Control (of a record)
The power or authority to manage the record throughout its life cycle, including restricting, regulating and administering its use or disclosure.
Control Information (NIST)
Information that is entered into a cryptographic module for the purposes of directing the operation of the module.
SOURCE: FIPS 140-2
Controlled Access Area (NIST)
Physical area (e.g., building, room, etc.) to which only authorized personnel are granted unrestricted access. All other personnel are either escorted by authorized personnel or are under continuous surveillance.
SOURCE: CNSSI-4009
Controlled Area (NIST)
Any area or space for which the organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information and/or information system.
SOURCE: SP 800-53
Controlled Interface (NIST)
A boundary with a set of mechanisms that enforces the security policies and controls the flow of information between interconnected information systems.
SOURCE: CNSSI-4009; SP 800-37
Cookie (NIST)
A piece of state information supplied by a Web server to a browser, in a response for a requested resource, for the browser to store temporarily and return to the server on any subsequent visits or requests.
SOURCE: SP 800-28
Data exchanged between an HTTP server and a browser (a client of the server) to store state information on the client side and retrieve it later for server use.
SOURCE: CNSSI-4009
Cooperative Key Generation (NIST)
Electronically exchanging functions of locally generated, random components, from which both terminals of a secure circuit construct traffic encryption key or key encryption key for use on that circuit. See Per-Call Key.
SOURCE: CNSSI-4009
Corrective Action Plan (CAP)
A report required to be filed semi-annually, detailing the agency’s planned and completed actions to resolve findings identified during an IRS safeguard review.
SOURCE: IRS PUB 1075
Corruption
A threat action that undesirably alters system operation by adversely modifying system functions or data.
Counter with Cipher Block Chaining-Message Authentication Code (CCM) (NIST)
A mode of operation for a symmetric key block cipher algorithm. It combines the techniques of the Counter (CTR) mode and the Cipher Block Chaining-Message Authentication Code (CBC-MAC) algorithm to provide assurance of the confidentiality and the authenticity of computer data.
SOURCE: SP 800-38C
Countermeasures (NIST)
Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. Synonymous with security controls and safeguards.
SOURCE: SP 800-53; SP 800-37; FIPS 200
Covert Channels
The means by which information can be communicated between two parties in a covert fashion using normal system operations. For example, varying the amount of free space on a shared file server can be used to signal information to another party that observes it.
Covert Testing (NIST)
Testing performed using covert methods and without the knowledge of the organization’s IT staff, but with the full knowledge and permission of upper management.
SOURCE: SP 800-115
Credential (NIST)
An object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a Subscriber.
SOURCE: SP 800-63
Evidence attesting to one’s right to credit or authority.
SOURCE: FIPS 201
Evidence or testimonials that support a claim of identity or assertion of an attribute and usually are intended to be used more than once.
SOURCE: CNSSI-4009
Crisis Management Plan (CMP)
Establishing metrics to define which scenarios constitute a crisis and should consequently trigger the necessary response mechanisms, together with the communication that occurs within the response phase of emergency-management scenarios. The crisis-management methods of a business or an organization are collectively called its crisis-management plan.
SOURCE: WIKIPEDIA
Critical (or mission critical)
Refers to those information resources whose unavailability or improper use has the potential to adversely affect the ability of an agency to accomplish its mission.
Critical Infrastructure (NIST)
Systems and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. [Critical Infrastructures Protection Act of 2001, 42 U.S.C. 5195c(e)]
SOURCE: CNSSI-4009
Criticality (NIST)
A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function.
SOURCE: SP 800-60
Cross-Site Scripting (XSS)
Vulnerability that is created from insecure coding techniques, resulting in improper input validation. Often used in conjunction with CSRF and/or SQL injection.
SOURCE: PCI DSS GLOSSARY
CRUD
Create, Read, Update, Delete. Used to describe access rights for data.
SOURCE: Data Governance Institute
Cryptographic Algorithm (NIST)
A well-defined computational procedure that takes variable inputs, including a cryptographic key, and produces an output.
SOURCE: SP 800-21; CNSSI-4009
Cryptographic Hash Function (NIST)
A function that maps a bit string of arbitrary length to a fixed length bit string. Approved hash functions satisfy the following properties:
1) (One-way) It is computationally infeasible to find any input which maps to any pre-specified output, and
2) (Collision resistant) It is computationally infeasible to find any two distinct inputs that map to the same output.
SOURCE: SP 800-21
Cryptographic Key (NIST)
A value used to control cryptographic operations, such as decryption, encryption, signature generation, or signature verification.
SOURCE: SP 800-63
A binary string used as a secret parameter by a cryptographic algorithm.
SOURCE: SP 800-108
A parameter used in conjunction with a cryptographic algorithm that determines the specific operation of that algorithm.
SOURCE: FIPS 201; FIPS 198
A parameter used in conjunction with a cryptographic algorithm that determines
* the transformation of plaintext data into ciphertext data,
* the transformation of ciphertext data into plaintext data,
* a digital signature computed from data,
* the verification of a digital signature computed from data,
* an authentication code computed from data, or
* an exchange agreement of a shared secret.
SOURCE: FIPS 140-2
Cryptographic Keys
A piece of information that controls the operation of a cryptography algorithm. In encryption, a key specifies the particular transformation of data into encrypted data and the transformation of encrypted data into data during decryption. The cryptographic algorithm ensures that only someone with knowledge of the key can reproduce or reverse the transformation of data.
Cryptographic Token (NIST)
A token where the secret is a cryptographic key.
SOURCE: SP 800-63
A portable, user-controlled physical device (e.g., smart card or PCMCIA card) used to store cryptographic information and possibly also perform cryptographic functions.
SOURCE: CNSSI-4009
Cryptography (NIST)
The discipline that embodies the principles, means, and methods for the transformation of data in order to hide their semantic content, prevent their unauthorized use, or prevent their undetected modification.
SOURCE: SP 800-59
The discipline that embodies principles, means, and methods for providing information security, including confidentiality, data integrity, non-repudiation, and authenticity.
SOURCE: SP 800-21
Cryptography is categorized as either secret key or public key. Secret key cryptography is based on the use of a single cryptographic key shared between two parties. The same key is used to encrypt and decrypt data. This key is kept secret by the two parties. Public key cryptography is a form of cryptography that makes use of two keys: a public key and a private key. The two keys are related but have the property that, given the public key, it is computationally infeasible to derive the private key [FIPS 140-1]. In a public key cryptosystem, each party has its own public/private key pair. The public key can be known by anyone; the private key is kept secret.
SOURCE: FIPS 191
Art or science concerning the principles, means, and methods for rendering plain information unintelligible and for restoring encrypted information to intelligible form.
SOURCE: CNSSI-4009
Cryptology (NIST)
The science that deals with hidden, disguised, or encrypted communications. It includes communications security and communications intelligence.
SOURCE: SP 800-60
The mathematical science that deals with cryptanalysis and cryptography.
SOURCE: CNSSI-4009
CSA
Central Security Architecture – A modular architecture that offers security for common services including Remote Access, Internet Access, SPAM, and Anti-Virus email filtering, and other services.
CSI
Carrier Savings Initiative – Potential carrier (voice and data) savings opportunities identified by AZNet and presented to agencies for approval to implement.
CTI
Computer Telephone Integration – An operating environment when a telephone switch is connected to a computer, server or Local Area Network, especially in a Call Center environment. CTI allows an agent receiving calls to view a screen pop on his/her computer which displays information about the caller.
Custody (of a record)
Having physical possession of a record, even though the public body does not necessarily have responsibility for the record. Physical possession normally includes responsibility for access, managing, maintaining, preserving, disposing and providing security.
CUSTOMER DATA INTEGRATION
An approach to managing multiple records containing information about an organization’s customers. In this approach, instead of combining all information into a single repository, a combination of technologies, processes and services are used to align information in multiple repositories.
SOURCE: Data Governance Institute
Customer Information Control System (CICS)
An online transaction processing (OLTP) program that, together with the COBOL programming language, has formed over the past several decades the most common set of tools for building customer transaction applications in large enterprise, mainframe computing. A large number of the legacy applications still in use are COBOL/CICS applications.
Cyber Attack (NIST)
An attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.
SOURCE: CNSSI-4009
Cyber Incident (NIST)
Actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein. See Incident.
SOURCE: CNSSI-4009
Cyber Infrastructure (NIST)
Includes electronic information and communications systems and services and the information contained in these systems and services. Information and communications systems and services are composed of all hardware and software that process, store, and communicate information, or any combination of all of these elements. Processing includes the creation, access, modification, and destruction of information. Storage includes paper, magnetic, electronic, and all other media types. Communications include sharing and distribution of information. For example: computer systems; control systems (e.g., supervisory control and data acquisition–SCADA); networks, such as the Internet; and cyber services (e.g., managed security services) are part of cyber infrastructure.
SOURCE: NISTIR 7628
Cybersecurity (NIST)
The ability to protect or defend the use of cyberspace from cyber attacks.
SOURCE: CNSSI-4009
The process of protecting information by preventing, detecting, and responding to attacks.
SOURCE: NIST CYBERSECURITY FRAMEWORK
CYBERSECURITY EVENT (NIST)
A change that may have an impact on organizational operations (including mission, capabilities, or reputation).
SOURCE: NIST CYBERSECURITY FRAMEWORK
Cyberspace (NIST)
A global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.
SOURCE: CNSSI-4009
Cyclical Redundancy Check – (CRC) (NIST)
A method to ensure data has not been altered after being sent through a communication channel.
SOURCE: SP 800-72
Error-checking mechanism that verifies data integrity by computing a checksum based on a polynomial algorithm.
SOURCE: CNSSI-4009