Model Glossary: Difference between revisions
No edit summary |
No edit summary |
||
(11 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
'''Source of Reference: official [https:// | '''Source of Reference: official [https://dodcio.defense.gov/CMMC/Documentation/ CMMC Glossary] from Department of Defense Chief Information Officer (DoD CIO).''' | ||
For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you. | For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you. | ||
Line 16: | Line 16: | ||
|- | |- | ||
|Access Authority | |Access Authority | ||
|An entity responsible for monitoring and granting access privileges for | |An entity responsible for monitoring and granting access privileges for other authorized entities. | ||
| | | | ||
* CNSSI 4009 | * CNSSI 4009 | ||
|- | |- | ||
|Access Control (AC) | |Access Control (AC) | ||
| | |The process of granting or denying specific requests to: | ||
* obtain and use information and related information processing services; and | * obtain and use information and related information processing services; and | ||
* enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances). | * enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances). | ||
Line 29: | Line 29: | ||
|- | |- | ||
|Access Control Policy (Access Management Policy) | |Access Control Policy (Access Management Policy) | ||
| | |The set of rules that define conditions under which an access may take place. | ||
| | | | ||
* NISTIR 7316 | * NISTIR 7316 | ||
Line 39: | Line 39: | ||
|- | |- | ||
|Accountability | |Accountability | ||
| | |The security goal that generates requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. | ||
| | | | ||
* NIST SP 800-27 | * NIST SP 800-27 | ||
Line 54: | Line 54: | ||
|- | |- | ||
|Advanced Persistent Threat (APT) | |Advanced Persistent Threat (APT) | ||
|An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). | |An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception).The se objectives typically include establishing and extending footholds within information technology infrastructure of targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry outThe se objectives in future. advanced persistent threat: | ||
* pursues its objectives repeatedly over an extended period of time; | * pursues its objectives repeatedly over an extended period of time; | ||
* adapts to defenders’ efforts to resist it;, and | * adapts to defenders’ efforts to resist it;, and | ||
Line 104: | Line 104: | ||
|- | |- | ||
|Assessment | |Assessment | ||
| | |The testing or evaluation of security controls to determine extent to which controls are implemented correctly, operating as intended, and producing desired outcome with respect to meeting security requirements for an information system or organization. | ||
| | | | ||
* NIST SP 800-37 Rev. 2 | * NIST SP 800-37 Rev. 2 | ||
|- | |- | ||
|Assessment | |Assessment | ||
|Assessment is term used by CMMC for activity performed by C3PAO to evaluate CMMC level of a DIB contractor. Self-assessment is term used by CMMC for activity performed by a DIB contractor to | |Assessment is term used by CMMC for activity performed by C3PAO to evaluate CMMC level of a DIB contractor. Self-assessment is term used by CMMC for activity performed by a DIB contractor to evaluateThe ir own CMMC level. | ||
| | | | ||
* CMMC | * CMMC | ||
|- | |- | ||
|Asset (Organizational Asset) | |Asset (Organizational Asset) | ||
|Anything that has value to an organization, including, but not limited to, | |Anything that has value to an organization, including, but not limited to, another organization, person, computing device, information technology (IT) system, IT network, IT circuit, software (both an installed instance and a physical instance), virtual computing platform (common in cloud and virtualized computing), and related hardware (e.g., locks, cabinets, keyboards). | ||
| | | | ||
* NISTIR 7693 | * NISTIR 7693 | ||
Line 125: | Line 125: | ||
|- | |- | ||
|Asset Management (AM) | |Asset Management (AM) | ||
|Management of | |Management of organizational assets. This may include inventory, configuration, destruction, disposal, and updates to organizational assets. | ||
| | | | ||
* CERT RMM v1.2 | * CERT RMM v1.2 | ||
Line 135: | Line 135: | ||
|- | |- | ||
|Asset Types | |Asset Types | ||
| | |The following asset types should be included when classifying assets: | ||
* People – employees, contractors, vendors, and external service provider personnel; | * People – employees, contractors, vendors, and external service provider personnel; | ||
* Technology – servers, client computers, mobile devices, network appliances (e.g., firewalls, switches, APs, and routers), VoIP devices, applications, virtual machines, and database systems; | * Technology – servers, client computers, mobile devices, network appliances (e.g., firewalls, switches, APs, and routers), VoIP devices, applications, virtual machines, and database systems; | ||
Line 144: | Line 144: | ||
|- | |- | ||
|Attack Surface | |Attack Surface | ||
| | |The set of points on boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from. | ||
| | | | ||
* NIST SP 800-160 Vol. 2 | * NIST SP 800-160 Vol. 2 | ||
Line 175: | Line 175: | ||
* NIST SP 800-53 Rev 5 | * NIST SP 800-53 Rev 5 | ||
|- | |- | ||
| | |Authentication | ||
|A security measure designed to protect a communications system against acceptance of fraudulent transmission or simulation by establishing validity of a transmission, message, originator, or a means of verifying an individual's eligibility to receive specific categories of information. | |A security measure designed to protect a communications system against acceptance of fraudulent transmission or simulation by establishing validity of a transmission, message, originator, or a means of verifying an individual's eligibility to receive specific categories of information. | ||
| | | | ||
Line 187: | Line 187: | ||
|- | |- | ||
|Authoritative Source (Trusted Source) | |Authoritative Source (Trusted Source) | ||
|An entity that has access to, or verified copies of, accurate information from an issuing source such that a Credential Service Provider (CSP) can confirm validity of identity evidence supplied by an applicant during identity proofing.An issuing source may also be an authoritative source. Often, authoritative sources are determined by a policy decision of agency or CSP before | |An entity that has access to, or verified copies of, accurate information from an issuing source such that a Credential Service Provider (CSP) can confirm validity of identity evidence supplied by an applicant during identity proofing.An issuing source may also be an authoritative source. Often, authoritative sources are determined by a policy decision of agency or CSP before the y can be used in identity proofing validation phase. | ||
| | | | ||
* NIST SP 800-63-3 | * NIST SP 800-63-3 | ||
|- | |- | ||
|Authorization | |Authorization | ||
| | |The right or a permission that is granted to a system entity (user, program, or process) to access a system resource. | ||
| | | | ||
* NIST SP 800-82 Rev 2 (adapted) | * NIST SP 800-82 Rev 2 (adapted) | ||
Line 202: | Line 202: | ||
|- | |- | ||
|Awareness and Training Program | |Awareness and Training Program | ||
|Explains proper rules of behavior for use of agency information systems and information. | |Explains proper rules of behavior for use of agency information systems and information.The program communicates information technology (IT) security policies and procedures that need to be followed. (i.e., NSTISSD 501, NIST SP 800-50). | ||
| | | | ||
* CNSSI 4009 | * CNSSI 4009 | ||
Line 257: | Line 257: | ||
** in a representative operational context (e.g., as part of an operational exercise); and | ** in a representative operational context (e.g., as part of an operational exercise); and | ||
** according to rules established and monitored with help of a neutral group refereeing simulation or exercise (i.e., White Team). | ** according to rules established and monitored with help of a neutral group refereeing simulation or exercise (i.e., White Team). | ||
* The term Blue Team is also used for defining a group of individuals who conduct operational network vulnerability evaluations and provide mitigation techniques to customers who have a need for an independent technical review | * The term Blue Team is also used for defining a group of individuals who conduct operational network vulnerability evaluations and provide mitigation techniques to customers who have a need for an independent technical review ofThe ir network security posture. Blue Team identifies security threats and risks in operating environment, and in cooperation with customer, analyzes network environment and its current state of security readiness. Based on Blue Team findings and expertise,The y provide recommendations that integrate into an overall community security solution to increase customer's cyber security readiness posture. Often, a Blue Team is employed by itself or prior to a Red Team employment to ensure that customer's networks are as secure as possible before having Red Team test systems. | ||
| | | | ||
* CNSSI 4009 (adapted) | * CNSSI 4009 (adapted) | ||
Line 273: | Line 273: | ||
! style="width: 20%"| Source | ! style="width: 20%"| Source | ||
|- | |- | ||
Change Control (Change Management) | |Change Control (Change Management) | ||
|The process of regulating and approving changes to hardware, firmware, software, and documentation throughout development and operational life cycle of an information system. | |||
| | | | ||
* NIST SP 800-128 | * NIST SP 800-128 | ||
Change Management | * CNSSI 4009 | ||
See Glossary: Change Control | |- | ||
Cipher | |Change Management | ||
|See Glossary: Change Control | |||
units of plain text, or in which units of plain text are rearranged, or both. | | | ||
|- | |||
|Cipher | |||
| | |||
* Any cryptographic system in which arbitrary symbols or groups of symbols, represent units of plain text, or in which units of plain text are rearranged, or both. | |||
* A series of transformations that converts plaintext to ciphertext using Cipher Key. | |||
| | | | ||
* FIPS 197 | * FIPS 197 | ||
Ciphertext | |- | ||
A term that describes data in its encrypted form. | |Ciphertext | ||
|A term that describes data in its encrypted form. | |||
| | | | ||
* NIST SP 800-57 Part 1 Rev 3 | * NIST SP 800-57 Part 1 Rev 3 | ||
CMMC Assessment Scope | |- | ||
Includes all assets in contractor’s environment that will be assessed. | |CMMC Assessment Scope | ||
|Includes all assets in contractor’s environment that will be assessed. | |||
| | | | ||
* CMMC | * CMMC | ||
CMMC Asset Categories | |- | ||
CMMC defined five asset categories for scoping activities: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Asset. Asset categories determine: assessment, segmentation, documentation, and management of assets. | |CMMC Asset Categories | ||
|CMMC defined five asset categories for scoping activities: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Asset. Asset categories determine: assessment, segmentation, documentation, and management of assets. | |||
| | |||
* CMMC | * CMMC | ||
Compliance | |- | ||
Conformity in fulfilling official requirements. | |Compliance | ||
|Conformity in fulfilling official requirements. | |||
| | | | ||
* Merriam-Webster | * Merriam-Webster | ||
Component | |- | ||
A discrete identifiable information technology asset that represents a building block of a system and may include hardware, software, and firmware. | |Component | ||
|A discrete identifiable information technology asset that represents a building block of a system and may include hardware, software, and firmware. | |||
| | | | ||
* NIST SP 800-171 Rev. 2 under system component NIST SP 800-128 | * NIST SP 800-171 Rev. 2 under system component | ||
* NIST SP 800-128 | |||
|- | |||
|Confidentiality | |||
|Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information. | |||
Confidentiality | |||
Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information. | |||
| | | | ||
* 44 U.S.C. 3542 | * 44 U.S.C. 3542 | ||
Configuration Item (CI) | |- | ||
An aggregation of system components that is designated for configuration management and treated as a single entity in configuration management process. | |Configuration Item (CI) | ||
|An aggregation of system components that is designated for configuration management and treated as a single entity in configuration management process. | |||
| | | | ||
* NIST SP 800-53 Rev 5 | * NIST SP 800-53 Rev 5 | ||
Configuration Management (CM) | |- | ||
A collection of activities focused on establishing and maintaining integrity of information technology products and systems, through control of processes for initializing, changing, and monitoring configurations of those products and systems throughout system development life cycle. | |Configuration Management (CM) | ||
|A collection of activities focused on establishing and maintaining integrity of information technology products and systems, through control of processes for initializing, changing, and monitoring configurations of those products and systems throughout system development life cycle. | |||
| | | | ||
* NIST SP 800-53 Rev 5 | * NIST SP 800-53 Rev 5 | ||
Consequence | |- | ||
Effect (change or non-change), usually associated with an event or condition or with system and usually allowed, facilitated, caused, prevented, changed, or contributed to by event, condition, or system. | |Consequence | ||
|Effect (change or non-change), usually associated with an event or condition or with system and usually allowed, facilitated, caused, prevented, changed, or contributed to by event, condition, or system. | |||
| | | | ||
* NIST SP 800-160 | * NIST SP 800-160 | ||
Container (Information Asset Container) | |- | ||
A physical or logical location where assets are stored, transported, and processed.A container can encompass technical containers (servers, network segments, personal computers), physical containers (paper, file rooms, storage spaces, or | |Container (Information Asset Container) | ||
|A physical or logical location where assets are stored, transported, and processed.A container can encompass technical containers (servers, network segments, personal computers), physical containers (paper, file rooms, storage spaces, or other media such as CDs, disks, and flash drives), and people (including people who might have detailed knowledge about information asset). | |||
| | | | ||
* CERT RMM v1.2 | * CERT RMM v1.2 | ||
Context Aware | |- | ||
|Context Aware | |||
|The ability of a system or a system component to ga r information about its environment at any given time and adapt behaviors accordingly. Contextual or context-aware computing uses software and hardware to automatically collect and analyze data to guide responses. | |||
| | | | ||
* CMMC | * CMMC | ||
Continuity of Operations | |- | ||
An organization’s ability to sustain assets and services in response to a disruptive event. It | |Continuity of Operations | ||
is typically used interchangeably with service continuity or continuity of service. | |An organization’s ability to sustain assets and services in response to a disruptive event. It is typically used interchangeably with service continuity or continuity of service. | ||
| | | | ||
* CERT RMM v1.2 (adapted) | * CERT RMM v1.2 (adapted) | ||
Consequence | |- | ||
Effect (change or non-change), usually associated with an event or condition or with system and usually allowed, facilitated, caused, prevented, changed, or contributed to by event, condition, or system. | |Consequence | ||
|Effect (change or non-change), usually associated with an event or condition or with system and usually allowed, facilitated, caused, prevented, changed, or contributed to by event, condition, or system. | |||
| | | | ||
* NIST SP 800-160 | * NIST SP 800-160 | ||
|- | |||
|Continuous | |||
|Continuing without stopping; ongoing. | |||
Continuous | |||
Continuing without stopping; ongoing. | |||
| | | | ||
* Merriam-Webster (adapted) | * Merriam-Webster (adapted) | ||
Continuous Monitoring | |- | ||
Maintaining ongoing awareness to support organizational risk decisions.Maintaining | |Continuous Monitoring | ||
|Maintaining ongoing awareness to support organizational risk decisions.Maintaining ongoingThe awarenessThe ofThe informationThe security,The vulnerabilities,The andThe threatsThe toThe support organizational risk management decisions. | |||
Contractor Risk Managed Assets | | | ||
Contractor Risk Managed Assets are capable of, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place. | * CNSSI 4009-2015 | ||
* NIST SP 800-137 | |||
* NIST SP 800-150 | |||
|- | |||
|Contractor Risk Managed Assets | |||
|Contractor Risk Managed Assets are capable of, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place. | |||
| | | | ||
* CMMC | * CMMC | ||
Control | |- | ||
|Control | |||
Note: controls include any process, policy, device, practice, or | |The methods, policies, and procedures—manual or automated—used by an organization to safeguard and protect assets, promote efficiency, or adhere to standards. A measure that is modifying risk. | ||
Note: controls include any process, policy, device, practice, or other actions which modify risk. | |||
| | | | ||
* NISTIR 8053 (adapted) | * NISTIR 8053 (adapted) | ||
Controlled Unclassified Information (CUI) | |- | ||
Information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or Atomic Energy Act of 1954, as amended. | |Controlled Unclassified Information (CUI) | ||
|Information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or Atomic Energy Act of 1954, as amended. | |||
| | | | ||
* NIST SP 800-171 Rev 2 | * NIST SP 800-171 Rev 2 | ||
Covered Defense Information (CDI) | |- | ||
A term used to identify information that requires protection under DFARS Clause 252.204- | |Covered Defense Information (CDI) | ||
7012. Unclassified controlled technical information (CTI) or | |A term used to identify information that requires protection under DFARS Clause 252.204-7012. Unclassified controlled technical information (CTI) or other information, as described in CUI Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government wide policies and is: | ||
* Marked or o rwise identified in contract, task order, or delivery order and provided to contractor by or on behalf of, DoD in support of performance of contract; OR | |||
to contractor by or on behalf of, DoD in support of performance of contract; OR | * Collected, developed, received, transmitted, used, or stored by-or on behalf of-contractor in support of performance of contract. | ||
contractor in support of performance of contract. | |||
| | | | ||
* DFARS Clause 252.204-7012 | * DFARS Clause 252.204-7012 | ||
Cryptographic Hashing Function | |- | ||
|Cryptographic Hashing Function | |||
|The process of using a ma matical algorithm against data to produce a numeric value that is representative of that data. | |||
| | | | ||
* CNSSI 4009 | * CNSSI 4009 | ||
|- | |||
|CUI Assets | |||
|Assets that process, store, or transmit CUI. | |||
CUI Assets | |||
Assets that process, store, or transmit CUI. | |||
| | | | ||
* CMMC | * CMMC | ||
Custodian | |- | ||
See Glossary: Asset Custodian | |Custodian | ||
Cybersecurity | |See Glossary: Asset Custodian | ||
Prevention | | | ||
|- | |||
|Cybersecurity | |||
|Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained rein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation. | |||
| | | | ||
* NSPD-54/HSPD-23 | * NSPD-54/HSPD-23 | ||
Defense Industrial Base (DIB) | |} | ||
== D == | |||
{|class="wikitable" style="width: 85%;" | |||
! style="width: 15%"| Term | |||
! style="width: 65%"| Description | |||
! style="width: 20%"| Source | |||
|- | |||
|Defense Industrial Base (DIB) | |||
|The worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements. | |||
| | | | ||
* DIB Sector-Specific Plan | * DIB Sector-Specific Plan | ||
Dependency | * DHS CISA | ||
When an entity has access to, control of, ownership in, possession of, responsibility for, or | |- | ||
|Dependency | |||
|When an entity has access to, control of, ownership in, possession of, responsibility for, or other defined obligations related to one or more assets or services of organization. | |||
| | | | ||
* CERT RMM v1.2 (adapted) | * CERT RMM v1.2 (adapted) | ||
Demilitarized Zone (DMZ) | |- | ||
A perimeter network segment that is logically between internal and external networks. Its purpose is to enforce internal network’s Information Assurance (IA) policy for external information exchange and to provide external, untrusted sources with restricted access to releasable information while shielding internal networks from outside attacks. | |Demilitarized Zone (DMZ) | ||
|A perimeter network segment that is logically between internal and external networks. Its purpose is to enforce internal network’s Information Assurance (IA) policy for external information exchange and to provide external, untrusted sources with restricted access to releasable information while shielding internal networks from outside attacks. | |||
| | | | ||
* CNSSI 4009 | * CNSSI 4009 | ||
Domain | |- | ||
Grouping of like practices based on 14 control families set forth in NIST SP 800-171. | |Domain | ||
|Grouping of like practices based on 14 control families set forth in NIST SP 800-171. | |||
| | | | ||
* CMMC | * CMMC | ||
Encryption | |} | ||
== E == | |||
{|class="wikitable" style="width: 85%;" | |||
! style="width: 15%"| Term | |||
! style="width: 65%"| Description | |||
! style="width: 20%"| Source | |||
|- | |||
|Encryption | |||
|The process of changing plaintext into cipher text. | |||
| | | | ||
* NISTIR 7621 Rev 1 | * NISTIR 7621 Rev 1 | ||
Encryption Policies | * CNSSI 4009 | ||
Policies that manage use, storage, disposal, and protection of cryptographic keys used to protect organization data and communications. | |- | ||
|Encryption Policies | |||
|Policies that manage use, storage, disposal, and protection of cryptographic keys used to protect organization data and communications. | |||
| | | | ||
* CERT RMM v1.2 | * CERT RMM v1.2 | ||
Endorse | |- | ||
Declare one's public approval or support of. | |Endorse | ||
|Declare one's public approval or support of. | |||
| | | | ||
* Oxford Dictionary | * Oxford Dictionary | ||
Enterprise | |- | ||
An organization with a defined mission/goal and a defined boundary, using information systems to execute that mission, and with responsibility for managing its own risks and performance. An enterprise may consist of all or some of following business aspects: acquisition, program management, financial management (e.g., budgets), human resources, security, and information systems, information and mission management. | |Enterprise | ||
|An organization with a defined mission/goal and a defined boundary, using information systems to execute that mission, and with responsibility for managing its own risks and performance. An enterprise may consist of all or some of following business aspects: acquisition, program management, financial management (e.g., budgets), human resources, security, and information systems, information and mission management. | |||
| | | | ||
* CNSSI 4009 | * CNSSI 4009 | ||
Enterprise Architecture | |- | ||
|Enterprise Architecture | |||
|The description of an enterprise’s entire set of information systems: howThe y are configured, howThe y are integrated, howThe y interface to external environment at enterprise’s boundary, howThe y are operated to support enterprise mission, and howThe y contribute to enterprise’s overall security posture. | |||
| | | | ||
* CNSSI 4009 | * CNSSI 4009 | ||
Environment | |- | ||
See Glossary: Environment of Operations | |Environment | ||
Environment of Operations | |See Glossary: Environment of Operations | ||
| | |||
|- | |||
|Environment of Operations | |||
|The physical and logical surroundings in which an information system processes, stores, and transmits information. | |||
| | | | ||
* NIST 800-53 Rev 5 (adapted) | * NIST 800-53 Rev 5 (adapted) | ||
Establish and Maintain | |- | ||
Whenever “establish and maintain” (or “established and maintained”) is used as a phrase, it refers not only to development and maintenance of object of practice (such as a policy) but to documentation of object and observable usage of object. For example, “Formal agreements with external entities are established and maintained” means that not only are agreements formulated, | |Establish and Maintain | ||
|Whenever “establish and maintain” (or “established and maintained”) is used as a phrase, it refers not only to development and maintenance of object of practice (such as a policy) but to documentation of object and observable usage of object. For example, “Formal agreements with external entities are established and maintained” means that not only are agreements formulated, butThe y also are documented, have assigned ownership, and are maintained relative to corrective actions, changes in requirements, or improvements. | |||
| | | | ||
* CERT RMM v1.2 | * CERT RMM v1.2 | ||
Event | |- | ||
Any observable occurrence in a system and/or network.Events sometimes provide indication that an incident is occurring. | |Event | ||
|Any observable occurrence in a system and/or network.Events sometimes provide indication that an incident is occurring. | |||
See Glossary: Incident | See Glossary: Incident | ||
| | | | ||
* CNSSI 4009 | * CNSSI 4009 | ||
Event Correlation | |- | ||
Finding relationships between two or more events. | |Event Correlation | ||
|Finding relationships between two or more events. | |||
| | | | ||
* NIST SP 800-92 | * NIST SP 800-92 | ||
Exercise | |- | ||
A simulation of an emergency designed to validate viability of one or more aspects of an information technology plan. | |Exercise | ||
|A simulation of an emergency designed to validate viability of one or more aspects of an information technology plan. | |||
| | | | ||
* NIST SP 800-84 | * NIST SP 800-84 | ||
Facility | |} | ||
Physical means or equipment for facilitating performance of an action, e.g., buildings, instruments, tools. | |||
== F == | |||
{|class="wikitable" style="width: 85%;" | |||
! style="width: 15%"| Term | |||
! style="width: 65%"| Description | |||
! style="width: 20%"| Source | |||
|- | |||
|Facility | |||
|Physical means or equipment for facilitating performance of an action, e.g., buildings, instruments, tools. | |||
| | | | ||
* NIST SP 800-160 | * NIST SP 800-160 | ||
Federal Contract Information (FCI) | |- | ||
Federal contract information means information, not intended for public release, that is provided by or generated for Government under a contract to develop or deliver a product or service to Government, but not including information provided by Government to public (such as on public websites) or simple transactional information, such as necessary to process payments. | |Federal Contract Information (FCI) | ||
|Federal contract information means information, not intended for public release, that is provided by or generated for Government under a contract to develop or deliver a product or service to Government, but not including information provided by Government to public (such as on public websites) or simple transactional information, such as necessary to process payments. | |||
| | | | ||
* 48 CFR § 52.204-21 | * 48 CFR § 52.204-21 | ||
Federated Trust | |- | ||
Trust established within a federation or organization, enabling each of mutually trusting realms to share and use trust information (e.g., credentials) obtained from any of | |Federated Trust | ||
|Trust established within a federation or organization, enabling each of mutually trusting realms to share and use trust information (e.g., credentials) obtained from any of other mutually trusting realms.This trust can be established across computer systems and networks architectures. | |||
| | | | ||
* NIST SP 800-95 | * NIST SP 800-95 | ||
Federation | |- | ||
A collection of realms (domains) that have established trust | |Federation | ||
|A collection of realms (domains) that have established trust amongThe mselves. level of trust may vary, but typically includes au ntication and may include authorization. | |||
| | | | ||
* NIST SP 800-95 | * NIST SP 800-95 | ||
Firewall | |- | ||
A device or program that controls flow of network traffic between networks or hosts that employ differing security postures. | |Firewall | ||
|A device or program that controls flow of network traffic between networks or hosts that employ differing security postures. | |||
| | | | ||
* NIST SP 800-41 Rev 1 | * NIST SP 800-41 Rev 1 | ||
Flash Drive | |- | ||
A removable storage device that utilizes USB port of a system for data transfer. | |Flash Drive | ||
|A removable storage device that utilizes USB port of a system for data transfer. | |||
| | | | ||
* CMMC | * CMMC | ||
Government Property | |} | ||
All property owned or leased by Government. Government property includes both Government-furnished and Contractor-acquired property. Government property includes material, equipment, special tooling, special test equipment, and real property. Government property does not include intellectual property or software. | |||
== G == | |||
{|class="wikitable" style="width: 85%;" | |||
! style="width: 15%"| Term | |||
! style="width: 65%"| Description | |||
! style="width: 20%"| Source | |||
|- | |||
|Government Property | |||
|All property owned or leased by Government. Government property includes both Government-furnished and Contractor-acquired property. Government property includes material, equipment, special tooling, special test equipment, and real property. Government property does not include intellectual property or software. | |||
| | | | ||
* FAR 52.245-1 | * FAR 52.245-1 | ||
|} | |||
== H == | |||
{|class="wikitable" style="width: 85%;" | |||
! style="width: 15%"| Term | |||
! style="width: 65%"| Description | |||
contain sensitive controls, instructions, data used in critical organization operations, or unique collections of data (by size or content), or support an organization’s mission essential functions, making it of specific value to criminal, politically motivated, or state sponsored actors for | ! style="width: 20%"| Source | ||
|- | |||
|High-Value Asset (HVA) | |||
|Asset, organization information system, information, and data for which an unauthorized access, use, disclosure, disruption, modification, or destruction could cause a significant impact to organization’s interests, relations, economy, or to employee or stockholder confidence, civil liberties, or health and safety of organization’s people. An HVA may contain sensitive controls, instructions, data used in critical organization operations, or unique collections of data (by size or content), or support an organization’s mission essential functions, making it of specific value to criminal, politically motivated, or state sponsored actors for either direct exploitation or to cause a loss of confidence in organization. | |||
| | | | ||
* OMB M-17-09 (adapted) | * OMB M-17-09 (adapted) | ||
High-Value Service | |- | ||
Service on which success of organization’s mission depends. | |High-Value Service | ||
|Service on which success of organization’s mission depends. | |||
| | | | ||
* CERT RMM v.12 | * CERT RMM v.12 | ||
Identification | |} | ||
== I == | |||
{|class="wikitable" style="width: 85%;" | |||
! style="width: 15%"| Term | |||
! style="width: 65%"| Description | |||
! style="width: 20%"| Source | |||
|- | |||
|Identification | |||
|The process of discovering true identity (i.e., origin, initial history) of a person or item from entire collection of similar persons or items. | |||
| | | | ||
* CNSSI 4009-2015 | * CNSSI 4009-2015 | ||
Identity | * FIPS 201-1 | ||
* NIST SP 800-79-2 | |||
|- | |||
|Identity | |||
|The set of attribute values (i.e., characteristics) by which an entity is recognizable and that, within scope of an identity manager’s responsibility, is sufficient to distinguish that entity from any other entity. | |||
Note: This also encompasses non-person entities (NPEs). | Note: This also encompasses non-person entities (NPEs). | ||
| | | | ||
* NIST SP 800-161 | * NIST SP 800-161 | ||
Identity-Based Access Control (IBAC) | * NISTIR 7622 | ||
Access control based on identity of user (typically relayed as a characteristic of process acting on behalf of that user) where access authorizations to specific objects are assigned based on user identity. | * CNSSI 4009 | ||
|- | |||
|Identity-Based Access Control (IBAC) | |||
|Access control based on identity of user (typically relayed as a characteristic of process acting on behalf of that user) where access authorizations to specific objects are assigned based on user identity. | |||
| | | | ||
* CERT RMM v1.2 | * CERT RMM v1.2 | ||
Identity, Credential, and Access Management (ICAM) | |- | ||
Programs, processes, technologies, and personnel used to create trusted digital identity representations of individuals and non-person entities (NPEs), bind those identities to credentials that may serve as a proxy for individual or NPE in access transactions, and leverage credentials to provide authorized access to an organization‘s resources. | |Identity, Credential, and Access Management (ICAM) | ||
|Programs, processes, technologies, and personnel used to create trusted digital identity representations of individuals and non-person entities (NPEs), bind those identities to credentials that may serve as a proxy for individual or NPE in access transactions, and leverage credentials to provide authorized access to an organization‘s resources. | |||
See Glossary: Attribute-Based Access Control (ABAC) | See Glossary: Attribute-Based Access Control (ABAC) | ||
| | | | ||
* CNSSI 4009 (adapted) | * CNSSI 4009 (adapted) | ||
Identity Management System | |- | ||
Identity management system comprised of one or more systems or applications that manages identity verification, validation, and issuance process. | |Identity Management System | ||
|Identity management system comprised of one or more systems or applications that manages identity verification, validation, and issuance process. | |||
| | | | ||
* NISTIR 8149 | * NISTIR 8149 | ||
Incident | |- | ||
An occurrence that actually or potentially jeopardizes confidentiality, integrity, or availability of a system or information system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. | |Incident | ||
|An occurrence that actually or potentially jeopardizes confidentiality, integrity, or availability of a system or information system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. | |||
| | | | ||
* NIST SP 800-171 Rev 2 | * NIST SP 800-171 Rev 2 | ||
|- | |||
|Incident Handling (Incident Response) | |||
|The actions organization takes to prevent or contain impact of an incident to organization while it is occurring or shortly after it has occurred. | |||
Incident Handling (Incident Response) | |||
| | | | ||
* CERT RMM v1.2 | * CERT RMM v1.2 | ||
Incident Response (IR) | |- | ||
See Glossary: Incident Handling | |Incident Response (IR) | ||
Incident Stakeholder | |See Glossary: Incident Handling | ||
A person or organization with a vested interest in management of an incident throughout its life cycle. | | | ||
|- | |||
|Incident Stakeholder | |||
|A person or organization with a vested interest in management of an incident throughout its life cycle. | |||
| | | | ||
* CERT RMM v1.2 | * CERT RMM v1.2 | ||
Industrial Control System (ICS) | |- | ||
General term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCSs), and | |Industrial Control System (ICS) | ||
|General term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCSs), and other control system configurations such as programmable logic controllers (PLCs) found in industrial sectors and critical infrastructures.An industrial control system consists of combinations of control components (e.g., electrical, mechanical, hydraulic, pneumatic) that act toge r to achieve an industrial objective (e.g., manufacturing, transportation of matter or energy). | |||
| | | | ||
* NIST SP 800-53 Rev 5 | * NIST SP 800-53 Rev 5 | ||
Industrial Internet of Things (IIoT) | |- | ||
See Glossary: Internet of Things (IoT) | |Industrial Internet of Things (IIoT) | ||
Information Asset Container | |See Glossary: Internet of Things (IoT) | ||
See Glossary: Container | | | ||
Information Asset Owner | |- | ||
See Glossary: Asset Owner | |Information Asset Container | ||
Information Flow | |See Glossary: Container | ||
| | |||
|- | |||
|Information Asset Owner | |||
|See Glossary: Asset Owner | |||
| | |||
|- | |||
|Information Flow | |||
|The flow of information or connectivity from one location to another. This can be related to data as well as connectivity from one system to another, or from one security domain to ano r. authorization granting permission for information flow comes from a control authority granting permission to an entity, asset, role, or group. | |||
| | | | ||
* CMMC | * CMMC | ||
Information System (IS) | |- | ||
A | |Information System (IS) | ||
|A discrete set of information resources organized for The collection, processing, maintenance, use, sharing, dissemination, or disposition of information. | |||
| | | | ||
* NIST 800-171 Rev 2 | * NIST 800-171 Rev 2 | ||
Information System Component | |- | ||
A discrete, identifiable information technology asset (e.g., hardware, software, firmware) that represents a building block of an information system, excluding separately authorized | |Information System Component | ||
|A discrete, identifiable information technology asset (e.g., hardware, software, firmware) that represents a building block of an information system, excluding separately authorized systems to which information system is connected. Information system components include commercial information technology products. | |||
systems to which information system is connected. Information system components include commercial information technology products. | |||
| | | | ||
* CNSSI 4009-2015 | * CNSSI 4009-2015 | ||
Insider | * NIST SP 800-53 Rev 4 (adapted) | ||
Any person with authorized access to any organization or United States Government resource to include personnel, facilities, information, equipment, networks, or systems. | |- | ||
|Insider | |||
|Any person with authorized access to any organization or United States Government resource to include personnel, facilities, information, equipment, networks, or systems. | |||
| | | | ||
* CNSSD No. 504 | * CNSSD No. 504 | ||
Insider Threat | |- | ||
|Insider Threat | |||
|The threat that an insider will use her/his authorized access, wittingly or unwittingly, to do harm to security of organization or United States. This threat can include damage to United States through espionage, terrorism, unauthorized disclosure, or through loss or degradation of departmental resources or capabilities. | |||
| | | | ||
* CNSSD No. 504 (adapted) | * CNSSD No. 504 (adapted) | ||
Insider Threat Program | |- | ||
A coordinated collection of capabilities authorized by Department/Agency (D/A) that is organized to deter, detect, and mitigate unauthorized disclosure of sensitive information. | |Insider Threat Program | ||
|A coordinated collection of capabilities authorized by Department/Agency (D/A) that is organized to deter, detect, and mitigate unauthorized disclosure of sensitive information. | |||
| | | | ||
* CNSSD No. 504 | * CNSSD No. 504 | ||
Integrity | |- | ||
|Integrity | |||
|The security objective that generates requirement for protection against ei r intentional or accidental attempts to violate data integrity (The property that data has not been altered in an unauthorized manner) or system integrity (The quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation). | |||
| | | | ||
* NIST SP 800-33 | * NIST SP 800-33 | ||
Internet of Things (IoT) | |- | ||
Interconnected devices having physical or virtual representation in digital world, sensing/actuation capability, and programmability features. | |Internet of Things (IoT) | ||
|Interconnected devices having physical or virtual representation in digital world, sensing/actuation capability, and programmability features.The y are uniquely identifiable and may include smart electric grids, lighting, heating, air conditioning, and fire and smoke detectors. | |||
| | | | ||
* iot.ieee.org/definition | * iot.ieee.org/definition | ||
Inventory | * NIST SP 800-183 | ||
|- | |||
|Inventory | |||
|The physical or virtual verification of presence of each organizational asset. | |||
| | | | ||
* CNSSI 4005 (adapted) | * CNSSI 4005 (adapted) | ||
Least Privilege | |} | ||
A security principle that restricts access privileges of authorized personnel (e.g., program execution privileges, file modification privileges) to minimum necessary to | |||
== L == | |||
{|class="wikitable" style="width: 85%;" | |||
! style="width: 15%"| Term | |||
! style="width: 65%"| Description | |||
! style="width: 20%"| Source | |||
|- | |||
|Least Privilege | |||
|A security principle that restricts access privileges of authorized personnel (e.g., program execution privileges, file modification privileges) to minimum necessary to performThe ir jobs. | |||
| | | | ||
* NIST SP 800-57 Part 2 | * NIST SP 800-57 Part 2 | ||
|- | |||
|Life Cycle | |||
|Evolution of a system, product, service, project, or other human-made entity from conception through retirement. | |||
Life Cycle | |||
Evolution of a system, product, service, project, or | |||
| | | | ||
* NIST SP 800-161 | * NIST SP 800-161 | ||
Maintenance | |} | ||
Any act that ei r prevents failure or malfunction of equipment or restores its operating capability. | |||
== M == | |||
{|class="wikitable" style="width: 85%;" | |||
! style="width: 15%"| Term | |||
! style="width: 65%"| Description | |||
! style="width: 20%"| Source | |||
|- | |||
|Maintenance | |||
|Any act that ei r prevents failure or malfunction of equipment or restores its operating capability. | |||
| | | | ||
* NIST SP 800-82 Rev 2 | * NIST SP 800-82 Rev 2 | ||
Malicious Code | |- | ||
Software or firmware intended to perform an unauthorized process that will have adverse impact on confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or | |Malicious Code | ||
|Software or firmware intended to perform an unauthorized process that will have adverse impact on confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code. | |||
| | | | ||
* CNSSI 4009 | * CNSSI 4009 | ||
Malware | |- | ||
Software or firmware intended to perform an unauthorized process that will have adverse impact on confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or | |Malware | ||
|Software or firmware intended to perform an unauthorized process that will have adverse impact on confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code (malware). | |||
| | | | ||
* NIST SP 800-82 Rev 2 | * NIST SP 800-82 Rev 2 | ||
Maturity Model | |- | ||
A maturity model is a set of characteristics, attributes, or indicators that represent progression in a particular domain. A maturity model allows an organization or industry to have its practices, processes, and methods evaluated against a clear set of requirements (such as activities or processes) that define specific maturity levels. At any given maturity level, an organization is expected to exhibit capabilities of that level. A tool that helps assess current effectiveness of an organization, and supports determining what | |Maturity Model | ||
|A maturity model is a set of characteristics, attributes, or indicators that represent progression in a particular domain. A maturity model allows an organization or industry to have its practices, processes, and methods evaluated against a clear set of requirements (such as activities or processes) that define specific maturity levels. At any given maturity level, an organization is expected to exhibit capabilities of that level. A tool that helps assess current effectiveness of an organization, and supports determining what capabilitiesThe y need in order to obtain next level of maturity in order to continue progression up levels of model. | |||
| | | | ||
* CERT RMM v1.2 | * CERT RMM v1.2 | ||
Media | |- | ||
Physical devices or writing surfaces including but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, printouts (but not including display media) onto which information is recorded, stored, or printed within an information system. | |Media | ||
|Physical devices or writing surfaces including but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, printouts (but not including display media) onto which information is recorded, stored, or printed within an information system. | |||
| | | | ||
* FIPS 200 | * FIPS 200 | ||
Media Sanitization | |- | ||
|Media Sanitization | |||
|The actions taken to render data written on media unrecoverable by both ordinary and extraordinary means. | |||
| | | | ||
* NIST SP 800-88 Rev 1 | * NIST SP 800-88 Rev 1 | ||
|- | |||
|Mobile Code | |||
|Software programs or parts of programs obtained from remote systems, transmitted across a network, and executed on a local system without explicit installation or execution by recipient. | |||
Mobile Code | |||
Software programs or parts of programs obtained from remote systems, transmitted across a network, and executed on a local system without explicit installation or execution by recipient. | |||
Note: Some examples of software technologies that provide mechanisms for production and use of mobile code include Java, JavaScript, ActiveX, VBScript, etc. | Note: Some examples of software technologies that provide mechanisms for production and use of mobile code include Java, JavaScript, ActiveX, VBScript, etc. | ||
| | | | ||
* NIST SP 800-53 Rev 5 | * NIST SP 800-53 Rev 5 | ||
Mobile Device | * NIST SP 800-18 | ||
A portable computing device that: | * CNSSI 4009 | ||
|- | |||
|Mobile Device | |||
information); | |A portable computing device that: | ||
* has a small form factor such that it can easily be carried by a single individual; | |||
* is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); | |||
* possesses local, non-removable data storage; and | |||
* is powered on for extended periods of time with a self-contained power source. | |||
Mobile devices may also include voice communication capabilities, on-board sensors that allow device to capture (e.g., photograph, video, record, or determine location) information, and/or built-in features for synchronizing local data with remote locations.Examples include smart phones, tablets, and e-readers. | Mobile devices may also include voice communication capabilities, on-board sensors that allow device to capture (e.g., photograph, video, record, or determine location) information, and/or built-in features for synchronizing local data with remote locations.Examples include smart phones, tablets, and e-readers. | ||
Note: If device only has storage capability and is not capable of processing or | Note: If device only has storage capability and is not capable of processing or transmitting/receiving information,The n it is considered a portable storage device, not a mobile device. | ||
transmitting/receiving information, | |||
See Glossary: Portable Storage Device | See Glossary: Portable Storage Device | ||
Note: Laptops are excluded from scope of this definition (see NIST SP 800-124). | Note: Laptops are excluded from scope of this definition (see NIST SP 800-124). | ||
| | | | ||
* NIST SP 800-53 Rev 5 | * NIST SP 800-53 Rev 5 | ||
Monitor | |- | ||
|Monitor | |||
|The act of continually checking, supervising, critically observing, or determining status in order to identify change from performance level required or expected at an organizationally defined frequency and rate. | |||
| | | | ||
* NIST SP 800-160 (adapted) | * NIST SP 800-160 (adapted) | ||
Multifactor | |- | ||
An | |Multifactor Authentication (MFA) | ||
|An authentication system or an authenticator that requires more than one authentication factor for successful authentication. Multifactor authentication can be performed using a single authenticator that provides more than one factor or by a combination of authenticators that provide different factors. | |||
See Glossary: | The three authentication factors are something you know, something you have, and something you are. | ||
See Glossary: Authenticator | |||
| | | | ||
* NIST SP 800-53 Rev 5 | * NIST SP 800-53 Rev 5 | ||
|} | |||
== O == | |||
{|class="wikitable" style="width: 85%;" | |||
! style="width: 15%"| Term | |||
! style="width: 65%"| Description | |||
! style="width: 20%"| Source | |||
|- | |||
|Ongoing Basis | |||
|Actions occurring, indefinitely. Actions that do not stop unless a stop action is purposely put in place. | |||
| | | | ||
* CMMC | * CMMC | ||
Operational Resilience | |- | ||
|Operational Resilience | |||
|The ability of systems to resist, absorb, and recover from or adapt to an adverse occurrence during operation that may cause harm, destruction, or loss of ability to perform mission- related functions. | |||
| | | | ||
* CNSSI 4009 | * CNSSI 4009 | ||
Operational Technology (OT) | |- | ||
Hardware and software that detects or causes a change through direct monitoring and/or control of physical devices, processes and events in enterprise. | |Operational Technology (OT) | ||
|Hardware and software that detects or causes a change through direct monitoring and/or control of physical devices, processes and events in enterprise. | |||
| | | | ||
* DOE O 205.1C | * DOE O 205.1C | ||
Organization | * Department of Energy Cyber Security Program | ||
An entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency, or, as appropriate, any of its operational elements). | |- | ||
|Organization | |||
|An entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency, or, as appropriate, any of its operational elements). | |||
See Glossary: Enterprise | See Glossary: Enterprise | ||
| | | | ||
* NIST SP 800-37 Rev 1 | * NIST SP 800-37 Rev 1 | ||
Organization Seeking Certification (OSC) | |- | ||
|Organization Seeking Certification (OSC) | |||
|The entity that is going through CMMC assessment process to receive a level of certification for a given environment. | |||
| | | | ||
* CMMC | * CMMC | ||
Organizational Asset | |- | ||
See Glossary: Asset | |Organizational Asset | ||
|See Glossary: Asset | |||
Organizational System(s) | | | ||
* NISTIR 7693 | |||
* NISTIR 7694 | |||
|- | |||
|Organizational System(s) | |||
|The term organizational system is used in many of CUI security requirements in NIST Special Publication 800-171.This term has a specific meaning regarding scope of applicability for CUI security requirements. requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components. appropriate scoping for security requirements is an important factor in determining protection-related investment decisions and managing security risk for nonfederal organizations that have responsibility of safeguarding CUI. | |||
| | | | ||
* NIST SP 800-171 Rev 1 | * NIST SP 800-171 Rev 1 | ||
Organizationally Defined | |- | ||
As determined by contractor being assessed. This can be applied to a frequency or rate at which something occurs within a given time period, or it could be associated with describing configuration of a contractor’s solution. | |Organizationally Defined | ||
|As determined by contractor being assessed. This can be applied to a frequency or rate at which something occurs within a given time period, or it could be associated with describing configuration of a contractor’s solution. | |||
| | | | ||
* CMMC | * CMMC | ||
Out-of-Scope Asset | |- | ||
Out-of-Scope Assets cannot process, store, or transmit CUI | |Out-of-Scope Asset | ||
|Out-of-Scope Assets cannot process, store, or transmit CUI becauseThe y are physically or logically separated from CUI Assets or are inherently unable to do so. | |||
| | | | ||
* CMMC | * CMMC | ||
|} | |||
== P == | |||
{|class="wikitable" style="width: 85%;" | |||
Patch | ! style="width: 15%"| Term | ||
An update to an operating system, application, or | ! style="width: 65%"| Description | ||
! style="width: 20%"| Source | |||
|- | |||
|Patch | |||
|An update to an operating system, application, or other software issued specifically to correct particular problems with software. | |||
| | | | ||
* NIST SP 800-123 | * NIST SP 800-123 | ||
Penetration Testing (Pentesting) | |- | ||
Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability. | |Penetration Testing (Pentesting) | ||
|Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability. | |||
| | | | ||
* NIST SP 800-115 | * NIST SP 800-115 | ||
Periodically | |- | ||
Occurring at regular intervals. As used in many practices within CMMC, interval length is organizationally defined to provided contractor flexibility, with an interval length of no more than one year. | |Periodically | ||
|Occurring at regular intervals. As used in many practices within CMMC, interval length is organizationally defined to provided contractor flexibility, with an interval length of no more than one year. | |||
| | | | ||
* Oxford Dictionary (adapted) | * Oxford Dictionary (adapted) | ||
Personally Identifiable Information (PII) | |- | ||
Information that can be used to distinguish or trace an individual’s identity, ei r alone or | |Personally Identifiable Information (PII) | ||
when combined with | |Information that can be used to distinguish or trace an individual’s identity, ei r alone or when combined with other information that is linked or linkable to a specific individual. | ||
| | | | ||
* NIST SP 800-53 Rev 5 | * NIST SP 800-53 Rev 5 | ||
Plan | |- | ||
An artifact or collection of artifacts that provides oversight for implementing defined CMMC policies. A plan should include a mission and/or vision statement, strategic goals/objectives, relevant standards and procedures, and people, funding, and tool resources needed to implement defined CMMC policies. | |Plan | ||
|An artifact or collection of artifacts that provides oversight for implementing defined CMMC policies. A plan should include a mission and/or vision statement, strategic goals/objectives, relevant standards and procedures, and people, funding, and tool resources needed to implement defined CMMC policies. | |||
| | | | ||
* CMMC | * CMMC | ||
Policy | |- | ||
An artifact or collection of artifacts that establishes governance over implementation of CMMC practices and activities. policy should include stated purpose, defined scope, roles and responsibilities of activities covered by policy, and any included regulatory guidelines. policy should establish or direct establishment of procedures to carry out and meet intent of policy and should be endorsed by senior management to show its support of policy. | |Policy | ||
|An artifact or collection of artifacts that establishes governance over implementation of CMMC practices and activities. policy should include stated purpose, defined scope, roles and responsibilities of activities covered by policy, and any included regulatory guidelines. policy should establish or direct establishment of procedures to carry out and meet intent of policy and should be endorsed by senior management to show its support of policy. | |||
| | | | ||
* CMMC | * CMMC | ||
Portable Storage Device | |- | ||
A system component that can be inserted into and removed from a system, and that is used to store data or information (e.g., text, video, audio, and/or image data). Such components are typically implemented on magnetic, optical, or solid-state devices (e.g., floppy disks, | |Portable Storage Device | ||
|A system component that can be inserted into and removed from a system, and that is used to store data or information (e.g., text, video, audio, and/or image data). Such components are typically implemented on magnetic, optical, or solid-state devices (e.g., floppy disks, compact/digital video disks, flash/thumb drives, external hard disk drives, and flash memory cards/drives that contain nonvolatile memory). | |||
compact/digital video disks, flash/thumb drives, external hard disk drives, and flash memory cards/drives that contain nonvolatile memory). | |||
| | | | ||
* NIST SP 800-171 Rev 2 | * NIST SP 800-171 Rev 2 | ||
Practice | |- | ||
An activity or set of activities that are performed to meet defined CMMC objectives. | |Practice | ||
|An activity or set of activities that are performed to meet defined CMMC objectives. | |||
| | | | ||
* CMMC | * CMMC | ||
Privilege | |- | ||
A right granted to an individual, a program, or a process. | |Privilege | ||
|A right granted to an individual, a program, or a process. | |||
| | | | ||
* CNSSI 4009, NIST SP 800-12 Rev 1 | * CNSSI 4009, NIST SP 800-12 Rev 1 | ||
Privileged Account | |- | ||
A user, system, or network account authorized (and, | |Privileged Account | ||
|A user, system, or network account authorized (and,The refore, trusted) to perform security- relevant functions that ordinary accounts are not authorized to perform. | |||
| | | | ||
* NIST SP 800-171 Rev. 2 (adapted) | * NIST SP 800-171 Rev. 2 (adapted) | ||
Privileged User | |- | ||
A user who is authorized (and, | |Privileged User | ||
|A user who is authorized (and,The refore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform. | |||
| | | | ||
* NIST SP 800-171 Rev. 2 | * NIST SP 800-171 Rev. 2 | ||
Procedure | |- | ||
|Procedure | |||
|The documented details for how an activity is implemented to achieve a desired outcome.A procedure should provide enough detail for a trained individual to perform activity. | |||
| | | | ||
* CMMC | * CMMC | ||
Process | |- | ||
A procedural activity that is performed to implement a defined objective. | |Process | ||
|A procedural activity that is performed to implement a defined objective. | |||
| | | | ||
* CMMC | * CMMC | ||
Proxy (Web Proxy) | |- | ||
An application that “breaks” connection between client and server. proxy accepts certain types of traffic entering or leaving a network and processes it and forwards it. | |Proxy (Web Proxy) | ||
Note: This effectively closes straight path between internal and external networks making it more difficult for an attacker to obtain internal addresses and | |An application that “breaks” connection between client and server. proxy accepts certain types of traffic entering or leaving a network and processes it and forwards it. | ||
Note: This effectively closes straight path between internal and external networks making it more difficult for an attacker to obtain internal addresses and other details of organization’s internal network. Proxy servers are available for common Internet services; for example, a hypertext transfer protocol (HTTP/HTTPS) proxy used for Web access. | |||
| | | | ||
* CNSSI 4009 (adapted) | * CNSSI 4009 (adapted) | ||
|} | |||
== R == | |||
{|class="wikitable" style="width: 85%;" | |||
! style="width: 15%"| Term | |||
! style="width: 65%"| Description | |||
! style="width: 20%"| Source | |||
Recovery | |- | ||
Actions necessary to restore data files of an information system and computational capability after a system failure. | |Real Time, Real-Time (modifier) | ||
|Pertaining to performance of a computation during actual time that related physical process transpires so that results of computation can be used to guide physical process. | |||
| | |||
* NIST SP 800-82 Rev. 2 | |||
* NISTIR 6859 | |||
|- | |||
|Recovery | |||
|Actions necessary to restore data files of an information system and computational capability after a system failure. | |||
| | | | ||
* CNSSI 4009 | * CNSSI 4009 | ||
Red Team | |- | ||
A group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. Red Team’s objective is to improve enterprise Information Assurance by demonstrating impacts of successful attacks and by demonstrating what works for defenders (i.e., Blue Team) in an operational environment. | |Red Team | ||
|A group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. Red Team’s objective is to improve enterprise Information Assurance by demonstrating impacts of successful attacks and by demonstrating what works for defenders (i.e., Blue Team) in an operational environment. | |||
| | | | ||
* CNSSI 4009 | * CNSSI 4009 | ||
Red Teaming | |- | ||
|Red Teaming | |||
|The act(s) performed by a “red team” in order to identify weaknesses, vulnerabilities, procedural shortcomings, and misconfigurations within an organization’s cyber environment. Red Teaming includes creation of a “Rules of Engagement” document by which red team honors over course of their actions. It is expected that Red Team will produce a final report at end of event period. | |||
| | | | ||
* CMMC | * CMMC | ||
Regularly | |- | ||
On a regular basis: at regular intervals. | |Regularly | ||
|On a regular basis: at regular intervals. | |||
| | | | ||
* Oxford Dictionary | * Oxford Dictionary | ||
Remote Access | |- | ||
Access to an organizational system by a user (or a process acting on behalf of a user) communicating through an external network (e.g., Internet). | |Remote Access | ||
|Access to an organizational system by a user (or a process acting on behalf of a user) communicating through an external network (e.g., Internet). | |||
| | | | ||
* NIST SP 800-171 Rev. 2 | * NIST SP 800-171 Rev. 2 | ||
Removable Media | |- | ||
Portable data storage medium that can be added to or removed from a computing device or network. | |Removable Media | ||
Note: Examples include, but are not limited to: optical discs (CD, DVD, Blu-ray); external/removable | |Portable data storage medium that can be added to or removed from a computing device or network. | ||
Note: Examples include, but are not limited to: optical discs (CD, DVD, Blu-ray); external/removable hard drives; external/removable Solid-State Disk (SSD) drives; magnetic/optical tapes; flash memory devices (USB, eSATA, Flash Drive, Thumb Drive); flash memory cards (Secure Digital, CompactFlash, Memory Stick, MMC, xD); and other external/removable disks (floppy, Zip, Jaz, Bernoulli, UMD). | |||
See Glossary: Portable Storage Device | See Glossary: Portable Storage Device | ||
| | | | ||
* CNSSI 4009 | * CNSSI 4009 | ||
Reporting [forensics] | |- | ||
|Reporting [forensics] | |||
|The final phase of computer and network forensic process, which involves reporting results of analysis; this may include describing actions used, explaining how tools and procedures were selected, determining what other actions need to be performed (e.g., forensic examination of additional data sources, securing identified vulnerabilities, improving existing security controls), and providing recommendations for improvement to policies, guidelines, procedures, tools, and other aspects of The forensic process.The formality of reporting step varies greatly depending on situation. | |||
policies, | |||
| | | | ||
* NIST SP 800-86 | * NIST SP 800-86 | ||
Residual Risk | |- | ||
Portion of risk remaining after security measures have been applied. | |Residual Risk | ||
|Portion of risk remaining after security measures have been applied. | |||
| | | | ||
* NIST SP 800-33 (adapted) | * NIST SP 800-33 (adapted) | ||
Resilience | |- | ||
|Resilience | |||
|The ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents. | |||
| | | | ||
* PPD 21 | * PPD 21 | ||
Restricted Information Systems | |- | ||
Systems (and associated IT components comprising system) that are configured based on government requirements (i.e., connected to something that was required to support a functional requirement) and are used to support a contract (e.g., fielded systems, obsolete systems, and product deliverable replicas). | |Restricted Information Systems | ||
|Systems (and associated IT components comprising system) that are configured based on government requirements (i.e., connected to something that was required to support a functional requirement) and are used to support a contract (e.g., fielded systems, obsolete systems, and product deliverable replicas). | |||
| | |||
* CMMC | * CMMC | ||
Risk | |- | ||
A measure of extent to which an entity is threatened by a potential circumstance or event, and typically a function of: | |Risk | ||
|A measure of extent to which an entity is threatened by a potential circumstance or event, and typically a function of: | |||
* The adverse impacts that would arise if circumstance or event occurs and | |||
System-related security risks are those risks that arise from loss of confidentiality, integrity, or availability of information or systems. Such risks reflect potential adverse impacts to organizational operations, organizational assets, individuals, | * The likelihood of occurrence. | ||
System-related security risks are those risks that arise from loss of confidentiality, integrity, or availability of information or systems. Such risks reflect potential adverse impacts to organizational operations, organizational assets, individuals, other organizations, and Nation. | |||
| | | | ||
* FIPS 200 (adapted) | * FIPS 200 (adapted) | ||
Risk Analysis | |- | ||
|Risk Analysis | |||
|The process of identifying risks to system security and determining likelihood of occurrence, resulting impact, and additional safeguards that mitigate this impact.Part of risk management and synonymous with risk assessment. | |||
| | | | ||
* NIST SP 800-27 | * NIST SP 800-27 | ||
Risk Assessment | |- | ||
|Risk Assessment | |||
functions, image, reputation), organizational assets, individuals, | | | ||
* The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and Nation, resulting from operation of a system. | |||
* Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis. | |||
| | | | ||
* NIST SP 800-171 | * NIST SP 800-171 | ||
|- | |||
|Risk Management (RM) | |||
|The program and supporting processes to manage information security risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and Nation, and includes: | |||
* establishing context for risk-related activities, | |||
Risk Management (RM) | * assessing risk, | ||
* responding to risk once determined, and | |||
* monitoring risk over time. | |||
| | | | ||
* CNSSI 4009 | * CNSSI 4009 | ||
Risk Mitigation | |- | ||
Prioritizing, | |Risk Mitigation | ||
|Prioritizing, evaluating, and implementing The appropriate risk-reducing controls/ countermeasures recommended from risk management process. | |||
| | | | ||
* CNSSI 4009 | * CNSSI 4009 | ||
Risk Mitigation Plan | |- | ||
A strategy for mitigating risk that seeks to minimize risk to an acceptable level. | |Risk Mitigation Plan | ||
|A strategy for mitigating risk that seeks to minimize risk to an acceptable level. | |||
| | | | ||
* CERT RMM v1.2 | * CERT RMM v1.2 | ||
Risk Tolerance | |- | ||
|Risk Tolerance | |||
|The level of risk an entity is willing to assume in order to achieve a potential desired result. | |||
| | | | ||
* CNSSI 4009 | * CNSSI 4009 | ||
Root-Cause Analysis | |- | ||
An approach for determining underlying causes of events or problems as a means of addressing symptoms of such events | |Root-Cause Analysis | ||
|An approach for determining underlying causes of events or problems as a means of addressing symptoms of such events asThe y manifest in organizational disruptions. | |||
| | | | ||
* CERT RMM v1.2 | * CERT RMM v1.2 | ||
Root Directory | |- | ||
|Root Directory | |||
|The top-level directory in a folder hierarchy. | |||
| | | | ||
* CMMC | * CMMC | ||
Safeguards | |} | ||
== S == | |||
{|class="wikitable" style="width: 85%;" | |||
! style="width: 15%"| Term | |||
! style="width: 65%"| Description | |||
! style="width: 20%"| Source | |||
|- | |||
|Safeguards | |||
|The protective measures prescribed to meet security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. Synonymous with security controls and countermeasures. | |||
| | | | ||
* FIPS 200 | * FIPS 200 | ||
Sandboxing | |- | ||
A restricted, controlled execution environment that prevents potentially malicious software, such as mobile code, from accessing any system resources except those for which software is authorized. | |Sandboxing | ||
|A restricted, controlled execution environment that prevents potentially malicious software, such as mobile code, from accessing any system resources except those for which software is authorized. | |||
| | | | ||
* CNSSI 4009 | * CNSSI 4009 | ||
|- | |||
|Scanning | |||
|Sending packets or requests to another system to gain knowledge about asset, processes, services, and operations. | |||
Scanning | |||
Sending packets or requests to | |||
| | | | ||
* CNSSI 4009 (adapted) | * CNSSI 4009 (adapted) | ||
Security Assessment | |- | ||
See Glossary: Security Control Assessment | |Security Assessment | ||
Security Control Assessment (Security Assessment, Security Practice Assessment) | |See Glossary: Security Control Assessment | ||
| | |||
|- | |||
|Security Control Assessment (Security Assessment, Security Practice Assessment) | |||
|The testing or evaluation of security controls to determine extent to which controls are implemented correctly, operating as intended, and producing desired outcome with respect to meeting security requirements for a system or organization. | |||
| | | | ||
* CNSSI 4009 (adapted) | * CNSSI 4009 (adapted) | ||
Security Domain | |- | ||
An environment or context that includes a set of system resources and a set of system entities that have right to access resources as defined by a common security policy, security model, or security architecture. | |Security Domain | ||
|An environment or context that includes a set of system resources and a set of system entities that have right to access resources as defined by a common security policy, security model, or security architecture. | |||
| | | | ||
* CNSSI 4009 | * CNSSI 4009 | ||
Security Operations Center (SOC) | |- | ||
A centralized function within an organization utilizing people, processes, and technologies to continuously monitor and improve an organization's security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents. | |Security Operations Center (SOC) | ||
|A centralized function within an organization utilizing people, processes, and technologies to continuously monitor and improve an organization's security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents. | |||
| | | | ||
* CMMC | * CMMC | ||
Security Policy | |- | ||
Security policies define objectives and constraints for security program. Policies are created at several levels, ranging from organization or corporate policy to specific operational constraints (e.g., remote access). In general, policies provide answers to questions “what” and “why” without dealing with “how.” Policies are normally stated in terms that are technology-independent. | |Security Policy | ||
|Security policies define objectives and constraints for security program. Policies are created at several levels, ranging from organization or corporate policy to specific operational constraints (e.g., remote access). In general, policies provide answers to questions “what” and “why” without dealing with “how.” Policies are normally stated in terms that are technology-independent. | |||
| | | | ||
* NIST SP 800-82 Rev 2 | * NIST SP 800-82 Rev 2 | ||
Security Protection Assets | |- | ||
Security provide security functions or capabilities within contractor’s CMMC | |Security Protection Assets | ||
Assessment Scope. | |Security provide security functions or capabilities within contractor’s CMMC Assessment Scope. | ||
| | | | ||
* CMMC | * CMMC | ||
Security Practice Assessment | |- | ||
See Glossary: Security Control Assessment | |Security Practice Assessment | ||
Sensitive Information | |See Glossary: Security Control Assessment | ||
Information where loss, misuse, or unauthorized access or modification could adversely affect national interest or conduct of federal programs, or privacy to which individuals are entitled under 5 U.S.C. Section 552a ( | | | ||
|- | |||
|Sensitive Information | |||
|Information where loss, misuse, or unauthorized access or modification could adversely affect national interest or conduct of federal programs, or privacy to which individuals are entitled under 5 U.S.C. Section 552a (The Privacy Act). | |||
| | | | ||
* NIST SP 800-53 Rev 4 (adapted) | * NIST SP 800-53 Rev 4 (adapted) | ||
|- | |||
|Separation of Duties | |||
|Refers to principle that no user should be given enough privileges to misuse system onThe ir own. For example, person authorizing a paycheck should not also be one who can prepareThe m.Separation of duties can be enforced ei r statically (by defining conflicting roles, i.e., roles which cannot be executed by same user) or dynamically (by enforcing control at access time). | |||
Separation of Duties | |||
Refers to principle that no user should be given enough privileges to misuse system | |||
| | | | ||
* NIST SP 800-192 | * NIST SP 800-192 | ||
Service Continuity Plan | |- | ||
A service-specific plan for sustaining services and associated assets under degraded conditions. | |Service Continuity Plan | ||
|A service-specific plan for sustaining services and associated assets under degraded conditions. | |||
| | | | ||
* CERT RMM v1.2 | * CERT RMM v1.2 | ||
SHA-256 | |- | ||
A Secure Hash Algorithm (SHA) that produces a condensed representation of electronic data, or message digest, 256 bits in length. | |SHA-256 | ||
|A Secure Hash Algorithm (SHA) that produces a condensed representation of electronic data, or message digest, 256 bits in length. | |||
| | | | ||
* FIPS 180-4 | * FIPS 180-4 | ||
Situational Awareness (SA) | |- | ||
Within a volume of time and space, perception of an enterprise’s security posture and its threat environment; comprehension/meaning of both taken toge r (risk); and projection | |Situational Awareness (SA) | ||
|Within a volume of time and space, perception of an enterprise’s security posture and its threat environment; comprehension/meaning of both taken toge r (risk); and projection ofThe ir status into near future. | |||
| | | | ||
* CNSSI 4009 | * CNSSI 4009 | ||
Specialized Asset | |- | ||
|Specialized Asset | |||
|The following are considered specialized assets for CMMC: Government Property, Internet of Things (IoT) or Industrial Internet of Things (IIoT), Operational Technology (OT), and Restricted Information Systems. | |||
| | | | ||
* CMMC | * CMMC | ||
Split Tunneling | |- | ||
|Split Tunneling | |||
|The process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network. This method of network access enables a user to access remote devices (e.g., a networked printer) at same time as accessing uncontrolled networks. | |||
| | | | ||
* NIST SP 800-171 | * NIST SP 800-171 | ||
Spyware | |- | ||
Software that is secretly or surreptitiously installed into an information system to ga r information on individuals or organizations | |Spyware | ||
|Software that is secretly or surreptitiously installed into an information system to ga r information on individuals or organizations withoutThe ir knowledge; a type of malicious code. | |||
| | | | ||
* NIST SP 800-53 Rev 5 | * NIST SP 800-53 Rev 5 | ||
|- | |||
|Standards | |||
|A document, established by consensus and approved by a recognized body, that provides for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at achievement of optimum degree of order in a given context. | |||
Note: Standards should be based on consolidated results of science, technology and experience, and aimed at promotion of optimum community benefits. | |||
Standards | |||
A document, established by consensus and approved by a recognized body, that provides for common and repeated use, rules, guidelines or characteristics for activities or | |||
Note: Standards should be based on consolidated results of science, technology and | |||
experience, and aimed at promotion of optimum community benefits. | |||
| | | | ||
* NISTIR 8074 Vol. 2 | * NISTIR 8074 Vol. 2 | ||
Standard Process | |- | ||
An operational definition of basic process that guides establishment of a common process in an organization. A standard process describes fundamental process elements that are expected to be incorporated into any defined process. It also describes relationships (e.g., ordering, interfaces) | |Standard Process | ||
|An operational definition of basic process that guides establishment of a common process in an organization. A standard process describes fundamental process elements that are expected to be incorporated into any defined process. It also describes relationships (e.g., ordering, interfaces) amongThe se process elements. | |||
See Glossary: Defined Process | See Glossary: Defined Process | ||
| | | | ||
* CERT RMM v1.2 | * CERT RMM v1.2 | ||
Subnetwork | |- | ||
A subordinate part of an organization’s enterprise network. | |Subnetwork | ||
|A subordinate part of an organization’s enterprise network. | |||
| | | | ||
* CMMC | * CMMC | ||
Supply Chain | |- | ||
A | |Supply Chain | ||
|A system of organizations, people, activities, information, and resources, possibly international in scope, that provides products or services to consumers. | |||
| | | | ||
* CNSSI 4009 | * CNSSI 4009 | ||
Supply Chain Attack | |- | ||
Attacks that allow adversary to utilize implants or | |Supply Chain Attack | ||
|Attacks that allow adversary to utilize implants or other vulnerabilities inserted prior to installation in order to infiltrate data, or manipulate information technology hardware, software, operating systems, peripherals (information technology products) or services at any point during life cycle. | |||
| | | | ||
* CNSSI 4009 | * CNSSI 4009 | ||
Supply Chain Risk Management (SCRM) | |- | ||
A systematic process for managing supply chain risk by identifying susceptibilities, vulnerabilities, and threats throughout supply chain and developing mitigation strategies to combat those threats whe r presented by supplier, supplied product and its subcomponents, or supply chain (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal). | |Supply Chain Risk Management (SCRM) | ||
|A systematic process for managing supply chain risk by identifying susceptibilities, vulnerabilities, and threats throughout supply chain and developing mitigation strategies to combat those threats whe r presented by supplier, supplied product and its subcomponents, or supply chain (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal). | |||
| | | | ||
* CNSSD No. 505 | * CNSSD No. 505 | ||
Sustain | |- | ||
Maintain a desired operational state. | |Sustain | ||
|Maintain a desired operational state. | |||
| | | | ||
* CERT RMM v1.2 | * CERT RMM v1.2 | ||
|- | |||
|System Assets | |||
|Any software, hardware (IT, OT, IoT), data, administrative, physical, communications, or personnel resource within an information system. | |||
System Assets | |||
Any software, hardware (IT, OT, IoT), data, administrative, physical, communications, or personnel resource within an information system. | |||
| | | | ||
* CNSSI 4009 | * CNSSI 4009 | ||
System Boundary | |- | ||
|System Boundary | |||
|The scope of system and environment being assessed. All components of an information system to be authorized for operation by an authorizing official and excludes separately authorized systems, to which information system is connected. System Boundary is equivalent to defined CMMC Assessment Scope. | |||
See Glossary: CMMC Assessment Scope | See Glossary: CMMC Assessment Scope | ||
| | |||
System Integrity | * CNSSI 4009-2015 under authorization boundary NIST SP 800-53 Rev. 4 | ||
* NIST SP 800-53A Rev. 1 | |||
* NIST SP 800-37 Rev. 1 | |||
|- | |||
|System Integrity | |||
|The quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of system, whe r intentional or accidental. | |||
| | | | ||
* NIST SP 800-27 | * NIST SP 800-27 | ||
System Interconnection | |- | ||
A system interconnection is defined as direct connection of two or more IT systems for purpose of sharing data and | |System Interconnection | ||
|A system interconnection is defined as direct connection of two or more IT systems for purpose of sharing data and other information resources. | |||
| | | | ||
* NIST 800-47 | * NIST 800-47 | ||
System Security Plan (SSP) | |- | ||
|System Security Plan (SSP) | |||
|The formal document prepared by information system owner (or common security controlsThe ownerThe forThe inheritedThe controls)The thatThe providesThe anThe overviewThe ofThe security requirements for system and describes security controls in place or planned for meeting those requirements. plan can also contain as supporting appendices or as references, other key security-related documents such as a risk assessment, privacy impact assessment, system interconnection agreements, contingency plan, security configurations, configuration management plan, and incident response plan. | |||
| | | | ||
* CNSSI 4009 | * CNSSI 4009 | ||
Tampering | |} | ||
An intentional but unauthorized act resulting in modification of a system, components of systems, its intended behavior, or data. | |||
== T == | |||
{|class="wikitable" style="width: 85%;" | |||
! style="width: 15%"| Term | |||
! style="width: 65%"| Description | |||
! style="width: 20%"| Source | |||
|- | |||
|Tampering | |||
|An intentional but unauthorized act resulting in modification of a system, components of systems, its intended behavior, or data. | |||
| | | | ||
* NIST SP 800-53 Rev 5 | * NIST SP 800-53 Rev 5 | ||
Test Equipment | |- | ||
Hardware and/or associated IT components used in testing of products, system components, and contract deliverables (e.g., oscilloscopes, spectrum analyzers, power meters, and special test equipment). | |Test Equipment | ||
|Hardware and/or associated IT components used in testing of products, system components, and contract deliverables (e.g., oscilloscopes, spectrum analyzers, power meters, and special test equipment). | |||
| | | | ||
* CMMC | * CMMC | ||
|- | |||
|Threat | |||
|Any circumstance or event with potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. | |||
Threat | |||
Any circumstance or event with potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, | |||
| | | | ||
* NIST SP 800-30 Rev 1 | * NIST SP 800-30 Rev 1 | ||
Threat Actor | |- | ||
An individual or a group posing a threat. | |Threat Actor | ||
|An individual or a group posing a threat. | |||
| | | | ||
* NIST SP 800-150 | * NIST SP 800-150 | ||
Threat Intelligence | |- | ||
Threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide necessary context for decision-making processes. | |Threat Intelligence | ||
|Threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide necessary context for decision-making processes. | |||
| | | | ||
* NIST SP 800-150 | * NIST SP 800-150 | ||
Threat Monitoring | |- | ||
Analysis, assessment, and review of audit trails and | |Threat Monitoring | ||
|Analysis, assessment, and review of audit trails and other information collected for purpose of searching out system events that may constitute violations of system security. | |||
| | | | ||
* CNSSI 4009 | * CNSSI 4009 | ||
Trigger | |- | ||
A set of logic statements to be applied to a data stream that produces an event when an anomalous incident or behavior occurs. | |Trigger | ||
|A set of logic statements to be applied to a data stream that produces an event when an anomalous incident or behavior occurs. | |||
| | | | ||
* CNSSD No. 504 (adapted) | * CNSSD No. 504 (adapted) | ||
Trojan Horse | |- | ||
A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes program. | |Trojan Horse | ||
|A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes program. | |||
| | | | ||
* CNSSI 4009 | * CNSSI 4009 | ||
Tunneling | |- | ||
Technology enabling one network to send its data via | |Tunneling | ||
|Technology enabling one network to send its data via another network’s connections.Tunneling works by encapsulating a network protocol within packets carried by second network. | |||
| | | | ||
* CNSSI 4009 | * CNSSI 4009 | ||
Unauthorized Access | |} | ||
Any access that violates stated security policy. | |||
== U == | |||
{|class="wikitable" style="width: 85%;" | |||
! style="width: 15%"| Term | |||
! style="width: 65%"| Description | |||
! style="width: 20%"| Source | |||
|- | |||
|Unauthorized Access | |||
|Any access that violates stated security policy. | |||
| | | | ||
* CNSSI 4009 | * CNSSI 4009 | ||
User | |- | ||
Individual, or (system) process acting on behalf of an individual, authorized to access a system. | |User | ||
|Individual, or (system) process acting on behalf of an individual, authorized to access a system. | |||
| | | | ||
* NIST SP 800-53 Rev 5 | * NIST SP 800-53 Rev 5 | ||
|} | |||
== V == | |||
{|class="wikitable" style="width: 85%;" | |||
! style="width: 15%"| Term | |||
! style="width: 65%"| Description | |||
Virus | ! style="width: 20%"| Source | ||
A computer program that can copy itself and infect a computer without permission or knowledge of user. A virus might corrupt or delete data on a computer, use e-mail programs to spread itself to | |- | ||
|Virus | |||
|A computer program that can copy itself and infect a computer without permission or knowledge of user. A virus might corrupt or delete data on a computer, use e-mail programs to spread itself to other computers, or even erase everything on a hard disk. | |||
See Glossary: Malicious Code | See Glossary: Malicious Code | ||
| | | | ||
* CNSSI 4009 | * CNSSI 4009 | ||
Vulnerability | |- | ||
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. | |Vulnerability | ||
|Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. | |||
| | | | ||
* NIST SP 800-30 Rev 1 | * NIST SP 800-30 Rev 1 | ||
Vulnerability Assessment | |- | ||
Systematic examination of an information system or product to determine adequacy of security measures, identify security deficiencies, provide data from which to predict effectiveness of proposed security measures, and confirm adequacy of such measures after implementation. | |Vulnerability Assessment | ||
|Systematic examination of an information system or product to determine adequacy of security measures, identify security deficiencies, provide data from which to predict effectiveness of proposed security measures, and confirm adequacy of such measures after implementation. | |||
| | | | ||
* CNSSI 4009 | * CNSSI 4009 | ||
Vulnerability Management | |- | ||
An | |Vulnerability Management | ||
|An Information Security Continuous Monitoring (ISCM) capability that identifies vulnerabilities [Common Vulnerabilities and Exposures (CVEs)] on devices that are likely to be used by attackers to compromise a device and use it as a platform from which to extend compromise to network. | |||
| | | | ||
* NISTIR 8011 Vol. 1 | * NISTIR 8011 Vol. 1 | ||
Web Proxy | |} | ||
See Glossary: Proxy | |||
Whitelist | == W == | ||
An approved list or register of entities that are provided a particular privilege, service, mobility, access or recognition. | {|class="wikitable" style="width: 85%;" | ||
! style="width: 15%"| Term | |||
! style="width: 65%"| Description | |||
! style="width: 20%"| Source | |||
|- | |||
|Web Proxy | |||
|See Glossary: Proxy | |||
| | |||
|- | |||
|Whitelist | |||
|An approved list or register of entities that are provided a particular privilege, service, mobility, access or recognition. | |||
An implementation of a default deny-all or allow-by-exception policy across an enterprise environment, and a clear, concise, timely process for adding exceptions when required for mission accomplishments. | An implementation of a default deny-all or allow-by-exception policy across an enterprise environment, and a clear, concise, timely process for adding exceptions when required for mission accomplishments. | ||
| | | | ||
* CNSSI 1011 | * CNSSI 1011 | ||
|} | |} |
Latest revision as of 23:31, 30 November 2022
Source of Reference: official CMMC Glossary from Department of Defense Chief Information Officer (DoD CIO).
For inquiries and reporting errors on this wiki, please contact us. Thank you.
A
Term | Description | Source |
---|---|---|
Access | Ability to make use of any information system (IS) resource. |
|
Access Authority | An entity responsible for monitoring and granting access privileges for other authorized entities. |
|
Access Control (AC) | The process of granting or denying specific requests to:
|
|
Access Control Policy (Access Management Policy) | The set of rules that define conditions under which an access may take place. |
|
Access Profile | Association of a user with a list of protected objects user may access. |
|
Accountability | The security goal that generates requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. |
|
Activity / Activities | Set of actions that are accomplished within a practice in order to make it successful. Multiple activities can make up a practice. Practices may have only one activity or a set of activities. |
|
Administrative Safeguards | Administrative actions and policies and procedures to manage selection, development, implementation, and maintenance of security measures to protect any electronic information that is by definition “protected information” (e.g., protected health information) and to manage conduct of covered entity’s workforce in relation to protection of that information. |
|
Advanced Persistent Threat (APT) | An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception).The se objectives typically include establishing and extending footholds within information technology infrastructure of targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry outThe se objectives in future. advanced persistent threat:
|
|
Adversary | Individual, group, organization, or government that conducts or has intent to conduct detrimental activities. |
|
Adversarial Assessment | Assesses ability of an organization equipped with a system to support its mission while withstanding cyber threat activity representative of an actual adversary. |
|
Air Gap | An interface between two systems that:
|
|
Alert | An internal or external notification that a specific action has been identified within an organization’s information systems. |
|
Anti-Malware Tools | Tools that help identify, prevent execution, and reverse engineer malware. |
|
Anti-Spyware Software | A program that specializes in detecting both malware and non-malware forms of spyware. |
|
Anti-Tamper | Systems engineering activities intended to deter and/or delay exploitation of technologies in a system in order to impede countermeasure development, unintended technology transfer, or alteration of a system. |
|
Anti-Virus Software | A program that monitors a computer or network to identify all major types of malware and prevent or contain malware incidents. |
|
Assessment | The testing or evaluation of security controls to determine extent to which controls are implemented correctly, operating as intended, and producing desired outcome with respect to meeting security requirements for an information system or organization. |
|
Assessment | Assessment is term used by CMMC for activity performed by C3PAO to evaluate CMMC level of a DIB contractor. Self-assessment is term used by CMMC for activity performed by a DIB contractor to evaluateThe ir own CMMC level. |
|
Asset (Organizational Asset) | Anything that has value to an organization, including, but not limited to, another organization, person, computing device, information technology (IT) system, IT network, IT circuit, software (both an installed instance and a physical instance), virtual computing platform (common in cloud and virtualized computing), and related hardware (e.g., locks, cabinets, keyboards). |
|
Asset Custodian (Custodian) | A person or group responsible for day-to-day management, operation, and security of an asset. |
|
Asset Management (AM) | Management of organizational assets. This may include inventory, configuration, destruction, disposal, and updates to organizational assets. |
|
Asset Owner (Information Asset Owner) | A person or organizational unit (internal or external to organization) with primary responsibility for viability, productivity, security, and resilience of an organizational asset. For example, accounts payable department is owner of vendor database. |
|
Asset Types | The following asset types should be included when classifying assets:
|
|
Attack Surface | The set of points on boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from. |
|
Attribute-Based Access Control (ABAC) | Access control based on attributes associated with and about subjects, objects, targets, initiators, resources, or environment. An access control rule set defines combination of attributes under which an access may take place.
See Glossary: Identity, Credential, and Access Management (ICAM) |
|
Availability | * Ensuring timely and reliable access to and use of information.
|
|
Audit | Independent review and examination of records and activities to assess adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures. |
|
Audit Log | A chronological record of system activities.Includes records of system accesses and operations performed in a given period. |
|
Audit Record | An individual entry in an audit log related to an audited event. |
|
Authentication | A security measure designed to protect a communications system against acceptance of fraudulent transmission or simulation by establishing validity of a transmission, message, originator, or a means of verifying an individual's eligibility to receive specific categories of information. |
|
Au nticator | Something that claimant possesses and controls (typically a cryptographic module or password) that is used to au nticate claimant’s identity. This was previously referred to as a token. |
|
Authoritative Source (Trusted Source) | An entity that has access to, or verified copies of, accurate information from an issuing source such that a Credential Service Provider (CSP) can confirm validity of identity evidence supplied by an applicant during identity proofing.An issuing source may also be an authoritative source. Often, authoritative sources are determined by a policy decision of agency or CSP before the y can be used in identity proofing validation phase. |
|
Authorization | The right or a permission that is granted to a system entity (user, program, or process) to access a system resource. |
|
Awareness | A learning process that sets stage for training by changing individual and organizational attitudes to realize importance of security and adverse consequences of its failure. |
|
Awareness and Training Program | Explains proper rules of behavior for use of agency information systems and information.The program communicates information technology (IT) security policies and procedures that need to be followed. (i.e., NSTISSD 501, NIST SP 800-50). |
|
B
Term | Description | Source |
---|---|---|
Backup | A copy of files and programs made to facilitate recovery, if necessary. |
|
Baseline | Hardware, software, databases, and relevant documentation for an information system at a given point in time. |
|
Baseline Configuration | A set of specifications for a system, or Configuration Item (CI) within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. baseline configuration is used as a basis for future builds, releases, and/or changes. |
|
Baseline Security | The minimum security controls required for safeguarding an IT system based on its identified needs for confidentiality, integrity, and/or availability protection. |
|
Baselining | Monitoring resources to determine typical utilization patterns so that significant deviations can be detected. |
|
Blacklist | A list of discrete entities, such as IP addresses, host names, applications, software libraries, and so forth that have been previously determined to be associated with malicious activity thus requiring access or execution restrictions. |
|
Blacklisting Software | A list of applications (software) and software libraries that are forbidden to execute on an organizational asset. |
|
Blue Team |
|
|
Breach | An incident where an adversary has gained access to internal network of an organization or an organizationally owned asset in a manner that breaks organizational policy for accessing cyber assets and results in loss of information, data, or asset. A breach usually consists of loss of an asset due to gained access. |
|
C
Term | Description | Source |
---|---|---|
Change Control (Change Management) | The process of regulating and approving changes to hardware, firmware, software, and documentation throughout development and operational life cycle of an information system. |
|
Change Management | See Glossary: Change Control | |
Cipher |
|
|
Ciphertext | A term that describes data in its encrypted form. |
|
CMMC Assessment Scope | Includes all assets in contractor’s environment that will be assessed. |
|
CMMC Asset Categories | CMMC defined five asset categories for scoping activities: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Asset. Asset categories determine: assessment, segmentation, documentation, and management of assets. |
|
Compliance | Conformity in fulfilling official requirements. |
|
Component | A discrete identifiable information technology asset that represents a building block of a system and may include hardware, software, and firmware. |
|
Confidentiality | Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information. |
|
Configuration Item (CI) | An aggregation of system components that is designated for configuration management and treated as a single entity in configuration management process. |
|
Configuration Management (CM) | A collection of activities focused on establishing and maintaining integrity of information technology products and systems, through control of processes for initializing, changing, and monitoring configurations of those products and systems throughout system development life cycle. |
|
Consequence | Effect (change or non-change), usually associated with an event or condition or with system and usually allowed, facilitated, caused, prevented, changed, or contributed to by event, condition, or system. |
|
Container (Information Asset Container) | A physical or logical location where assets are stored, transported, and processed.A container can encompass technical containers (servers, network segments, personal computers), physical containers (paper, file rooms, storage spaces, or other media such as CDs, disks, and flash drives), and people (including people who might have detailed knowledge about information asset). |
|
Context Aware | The ability of a system or a system component to ga r information about its environment at any given time and adapt behaviors accordingly. Contextual or context-aware computing uses software and hardware to automatically collect and analyze data to guide responses. |
|
Continuity of Operations | An organization’s ability to sustain assets and services in response to a disruptive event. It is typically used interchangeably with service continuity or continuity of service. |
|
Consequence | Effect (change or non-change), usually associated with an event or condition or with system and usually allowed, facilitated, caused, prevented, changed, or contributed to by event, condition, or system. |
|
Continuous | Continuing without stopping; ongoing. |
|
Continuous Monitoring | Maintaining ongoing awareness to support organizational risk decisions.Maintaining ongoingThe awarenessThe ofThe informationThe security,The vulnerabilities,The andThe threatsThe toThe support organizational risk management decisions. |
|
Contractor Risk Managed Assets | Contractor Risk Managed Assets are capable of, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place. |
|
Control | The methods, policies, and procedures—manual or automated—used by an organization to safeguard and protect assets, promote efficiency, or adhere to standards. A measure that is modifying risk.
Note: controls include any process, policy, device, practice, or other actions which modify risk. |
|
Controlled Unclassified Information (CUI) | Information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or Atomic Energy Act of 1954, as amended. |
|
Covered Defense Information (CDI) | A term used to identify information that requires protection under DFARS Clause 252.204-7012. Unclassified controlled technical information (CTI) or other information, as described in CUI Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government wide policies and is:
|
|
Cryptographic Hashing Function | The process of using a ma matical algorithm against data to produce a numeric value that is representative of that data. |
|
CUI Assets | Assets that process, store, or transmit CUI. |
|
Custodian | See Glossary: Asset Custodian | |
Cybersecurity | Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained rein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation. |
|
D
Term | Description | Source |
---|---|---|
Defense Industrial Base (DIB) | The worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements. |
|
Dependency | When an entity has access to, control of, ownership in, possession of, responsibility for, or other defined obligations related to one or more assets or services of organization. |
|
Demilitarized Zone (DMZ) | A perimeter network segment that is logically between internal and external networks. Its purpose is to enforce internal network’s Information Assurance (IA) policy for external information exchange and to provide external, untrusted sources with restricted access to releasable information while shielding internal networks from outside attacks. |
|
Domain | Grouping of like practices based on 14 control families set forth in NIST SP 800-171. |
|
E
Term | Description | Source |
---|---|---|
Encryption | The process of changing plaintext into cipher text. |
|
Encryption Policies | Policies that manage use, storage, disposal, and protection of cryptographic keys used to protect organization data and communications. |
|
Endorse | Declare one's public approval or support of. |
|
Enterprise | An organization with a defined mission/goal and a defined boundary, using information systems to execute that mission, and with responsibility for managing its own risks and performance. An enterprise may consist of all or some of following business aspects: acquisition, program management, financial management (e.g., budgets), human resources, security, and information systems, information and mission management. |
|
Enterprise Architecture | The description of an enterprise’s entire set of information systems: howThe y are configured, howThe y are integrated, howThe y interface to external environment at enterprise’s boundary, howThe y are operated to support enterprise mission, and howThe y contribute to enterprise’s overall security posture. |
|
Environment | See Glossary: Environment of Operations | |
Environment of Operations | The physical and logical surroundings in which an information system processes, stores, and transmits information. |
|
Establish and Maintain | Whenever “establish and maintain” (or “established and maintained”) is used as a phrase, it refers not only to development and maintenance of object of practice (such as a policy) but to documentation of object and observable usage of object. For example, “Formal agreements with external entities are established and maintained” means that not only are agreements formulated, butThe y also are documented, have assigned ownership, and are maintained relative to corrective actions, changes in requirements, or improvements. |
|
Event | Any observable occurrence in a system and/or network.Events sometimes provide indication that an incident is occurring.
See Glossary: Incident |
|
Event Correlation | Finding relationships between two or more events. |
|
Exercise | A simulation of an emergency designed to validate viability of one or more aspects of an information technology plan. |
|
F
Term | Description | Source |
---|---|---|
Facility | Physical means or equipment for facilitating performance of an action, e.g., buildings, instruments, tools. |
|
Federal Contract Information (FCI) | Federal contract information means information, not intended for public release, that is provided by or generated for Government under a contract to develop or deliver a product or service to Government, but not including information provided by Government to public (such as on public websites) or simple transactional information, such as necessary to process payments. |
|
Federated Trust | Trust established within a federation or organization, enabling each of mutually trusting realms to share and use trust information (e.g., credentials) obtained from any of other mutually trusting realms.This trust can be established across computer systems and networks architectures. |
|
Federation | A collection of realms (domains) that have established trust amongThe mselves. level of trust may vary, but typically includes au ntication and may include authorization. |
|
Firewall | A device or program that controls flow of network traffic between networks or hosts that employ differing security postures. |
|
Flash Drive | A removable storage device that utilizes USB port of a system for data transfer. |
|
G
Term | Description | Source |
---|---|---|
Government Property | All property owned or leased by Government. Government property includes both Government-furnished and Contractor-acquired property. Government property includes material, equipment, special tooling, special test equipment, and real property. Government property does not include intellectual property or software. |
|
H
Term | Description | Source |
---|---|---|
High-Value Asset (HVA) | Asset, organization information system, information, and data for which an unauthorized access, use, disclosure, disruption, modification, or destruction could cause a significant impact to organization’s interests, relations, economy, or to employee or stockholder confidence, civil liberties, or health and safety of organization’s people. An HVA may contain sensitive controls, instructions, data used in critical organization operations, or unique collections of data (by size or content), or support an organization’s mission essential functions, making it of specific value to criminal, politically motivated, or state sponsored actors for either direct exploitation or to cause a loss of confidence in organization. |
|
High-Value Service | Service on which success of organization’s mission depends. |
|
I
Term | Description | Source |
---|---|---|
Identification | The process of discovering true identity (i.e., origin, initial history) of a person or item from entire collection of similar persons or items. |
|
Identity | The set of attribute values (i.e., characteristics) by which an entity is recognizable and that, within scope of an identity manager’s responsibility, is sufficient to distinguish that entity from any other entity.
Note: This also encompasses non-person entities (NPEs). |
|
Identity-Based Access Control (IBAC) | Access control based on identity of user (typically relayed as a characteristic of process acting on behalf of that user) where access authorizations to specific objects are assigned based on user identity. |
|
Identity, Credential, and Access Management (ICAM) | Programs, processes, technologies, and personnel used to create trusted digital identity representations of individuals and non-person entities (NPEs), bind those identities to credentials that may serve as a proxy for individual or NPE in access transactions, and leverage credentials to provide authorized access to an organization‘s resources.
See Glossary: Attribute-Based Access Control (ABAC) |
|
Identity Management System | Identity management system comprised of one or more systems or applications that manages identity verification, validation, and issuance process. |
|
Incident | An occurrence that actually or potentially jeopardizes confidentiality, integrity, or availability of a system or information system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. |
|
Incident Handling (Incident Response) | The actions organization takes to prevent or contain impact of an incident to organization while it is occurring or shortly after it has occurred. |
|
Incident Response (IR) | See Glossary: Incident Handling | |
Incident Stakeholder | A person or organization with a vested interest in management of an incident throughout its life cycle. |
|
Industrial Control System (ICS) | General term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCSs), and other control system configurations such as programmable logic controllers (PLCs) found in industrial sectors and critical infrastructures.An industrial control system consists of combinations of control components (e.g., electrical, mechanical, hydraulic, pneumatic) that act toge r to achieve an industrial objective (e.g., manufacturing, transportation of matter or energy). |
|
Industrial Internet of Things (IIoT) | See Glossary: Internet of Things (IoT) | |
Information Asset Container | See Glossary: Container | |
Information Asset Owner | See Glossary: Asset Owner | |
Information Flow | The flow of information or connectivity from one location to another. This can be related to data as well as connectivity from one system to another, or from one security domain to ano r. authorization granting permission for information flow comes from a control authority granting permission to an entity, asset, role, or group. |
|
Information System (IS) | A discrete set of information resources organized for The collection, processing, maintenance, use, sharing, dissemination, or disposition of information. |
|
Information System Component | A discrete, identifiable information technology asset (e.g., hardware, software, firmware) that represents a building block of an information system, excluding separately authorized systems to which information system is connected. Information system components include commercial information technology products. |
|
Insider | Any person with authorized access to any organization or United States Government resource to include personnel, facilities, information, equipment, networks, or systems. |
|
Insider Threat | The threat that an insider will use her/his authorized access, wittingly or unwittingly, to do harm to security of organization or United States. This threat can include damage to United States through espionage, terrorism, unauthorized disclosure, or through loss or degradation of departmental resources or capabilities. |
|
Insider Threat Program | A coordinated collection of capabilities authorized by Department/Agency (D/A) that is organized to deter, detect, and mitigate unauthorized disclosure of sensitive information. |
|
Integrity | The security objective that generates requirement for protection against ei r intentional or accidental attempts to violate data integrity (The property that data has not been altered in an unauthorized manner) or system integrity (The quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation). |
|
Internet of Things (IoT) | Interconnected devices having physical or virtual representation in digital world, sensing/actuation capability, and programmability features.The y are uniquely identifiable and may include smart electric grids, lighting, heating, air conditioning, and fire and smoke detectors. |
|
Inventory | The physical or virtual verification of presence of each organizational asset. |
|
L
Term | Description | Source |
---|---|---|
Least Privilege | A security principle that restricts access privileges of authorized personnel (e.g., program execution privileges, file modification privileges) to minimum necessary to performThe ir jobs. |
|
Life Cycle | Evolution of a system, product, service, project, or other human-made entity from conception through retirement. |
|
M
Term | Description | Source |
---|---|---|
Maintenance | Any act that ei r prevents failure or malfunction of equipment or restores its operating capability. |
|
Malicious Code | Software or firmware intended to perform an unauthorized process that will have adverse impact on confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code. |
|
Malware | Software or firmware intended to perform an unauthorized process that will have adverse impact on confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code (malware). |
|
Maturity Model | A maturity model is a set of characteristics, attributes, or indicators that represent progression in a particular domain. A maturity model allows an organization or industry to have its practices, processes, and methods evaluated against a clear set of requirements (such as activities or processes) that define specific maturity levels. At any given maturity level, an organization is expected to exhibit capabilities of that level. A tool that helps assess current effectiveness of an organization, and supports determining what capabilitiesThe y need in order to obtain next level of maturity in order to continue progression up levels of model. |
|
Media | Physical devices or writing surfaces including but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, printouts (but not including display media) onto which information is recorded, stored, or printed within an information system. |
|
Media Sanitization | The actions taken to render data written on media unrecoverable by both ordinary and extraordinary means. |
|
Mobile Code | Software programs or parts of programs obtained from remote systems, transmitted across a network, and executed on a local system without explicit installation or execution by recipient.
Note: Some examples of software technologies that provide mechanisms for production and use of mobile code include Java, JavaScript, ActiveX, VBScript, etc. |
|
Mobile Device | A portable computing device that:
Mobile devices may also include voice communication capabilities, on-board sensors that allow device to capture (e.g., photograph, video, record, or determine location) information, and/or built-in features for synchronizing local data with remote locations.Examples include smart phones, tablets, and e-readers. Note: If device only has storage capability and is not capable of processing or transmitting/receiving information,The n it is considered a portable storage device, not a mobile device. See Glossary: Portable Storage Device Note: Laptops are excluded from scope of this definition (see NIST SP 800-124). |
|
Monitor | The act of continually checking, supervising, critically observing, or determining status in order to identify change from performance level required or expected at an organizationally defined frequency and rate. |
|
Multifactor Authentication (MFA) | An authentication system or an authenticator that requires more than one authentication factor for successful authentication. Multifactor authentication can be performed using a single authenticator that provides more than one factor or by a combination of authenticators that provide different factors.
The three authentication factors are something you know, something you have, and something you are. See Glossary: Authenticator |
|
O
Term | Description | Source |
---|---|---|
Ongoing Basis | Actions occurring, indefinitely. Actions that do not stop unless a stop action is purposely put in place. |
|
Operational Resilience | The ability of systems to resist, absorb, and recover from or adapt to an adverse occurrence during operation that may cause harm, destruction, or loss of ability to perform mission- related functions. |
|
Operational Technology (OT) | Hardware and software that detects or causes a change through direct monitoring and/or control of physical devices, processes and events in enterprise. |
|
Organization | An entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency, or, as appropriate, any of its operational elements).
See Glossary: Enterprise |
|
Organization Seeking Certification (OSC) | The entity that is going through CMMC assessment process to receive a level of certification for a given environment. |
|
Organizational Asset | See Glossary: Asset |
|
Organizational System(s) | The term organizational system is used in many of CUI security requirements in NIST Special Publication 800-171.This term has a specific meaning regarding scope of applicability for CUI security requirements. requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components. appropriate scoping for security requirements is an important factor in determining protection-related investment decisions and managing security risk for nonfederal organizations that have responsibility of safeguarding CUI. |
|
Organizationally Defined | As determined by contractor being assessed. This can be applied to a frequency or rate at which something occurs within a given time period, or it could be associated with describing configuration of a contractor’s solution. |
|
Out-of-Scope Asset | Out-of-Scope Assets cannot process, store, or transmit CUI becauseThe y are physically or logically separated from CUI Assets or are inherently unable to do so. |
|
P
Term | Description | Source |
---|---|---|
Patch | An update to an operating system, application, or other software issued specifically to correct particular problems with software. |
|
Penetration Testing (Pentesting) | Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability. |
|
Periodically | Occurring at regular intervals. As used in many practices within CMMC, interval length is organizationally defined to provided contractor flexibility, with an interval length of no more than one year. |
|
Personally Identifiable Information (PII) | Information that can be used to distinguish or trace an individual’s identity, ei r alone or when combined with other information that is linked or linkable to a specific individual. |
|
Plan | An artifact or collection of artifacts that provides oversight for implementing defined CMMC policies. A plan should include a mission and/or vision statement, strategic goals/objectives, relevant standards and procedures, and people, funding, and tool resources needed to implement defined CMMC policies. |
|
Policy | An artifact or collection of artifacts that establishes governance over implementation of CMMC practices and activities. policy should include stated purpose, defined scope, roles and responsibilities of activities covered by policy, and any included regulatory guidelines. policy should establish or direct establishment of procedures to carry out and meet intent of policy and should be endorsed by senior management to show its support of policy. |
|
Portable Storage Device | A system component that can be inserted into and removed from a system, and that is used to store data or information (e.g., text, video, audio, and/or image data). Such components are typically implemented on magnetic, optical, or solid-state devices (e.g., floppy disks, compact/digital video disks, flash/thumb drives, external hard disk drives, and flash memory cards/drives that contain nonvolatile memory). |
|
Practice | An activity or set of activities that are performed to meet defined CMMC objectives. |
|
Privilege | A right granted to an individual, a program, or a process. |
|
Privileged Account | A user, system, or network account authorized (and,The refore, trusted) to perform security- relevant functions that ordinary accounts are not authorized to perform. |
|
Privileged User | A user who is authorized (and,The refore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform. |
|
Procedure | The documented details for how an activity is implemented to achieve a desired outcome.A procedure should provide enough detail for a trained individual to perform activity. |
|
Process | A procedural activity that is performed to implement a defined objective. |
|
Proxy (Web Proxy) | An application that “breaks” connection between client and server. proxy accepts certain types of traffic entering or leaving a network and processes it and forwards it.
Note: This effectively closes straight path between internal and external networks making it more difficult for an attacker to obtain internal addresses and other details of organization’s internal network. Proxy servers are available for common Internet services; for example, a hypertext transfer protocol (HTTP/HTTPS) proxy used for Web access. |
|
R
Term | Description | Source |
---|---|---|
Real Time, Real-Time (modifier) | Pertaining to performance of a computation during actual time that related physical process transpires so that results of computation can be used to guide physical process. |
|
Recovery | Actions necessary to restore data files of an information system and computational capability after a system failure. |
|
Red Team | A group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. Red Team’s objective is to improve enterprise Information Assurance by demonstrating impacts of successful attacks and by demonstrating what works for defenders (i.e., Blue Team) in an operational environment. |
|
Red Teaming | The act(s) performed by a “red team” in order to identify weaknesses, vulnerabilities, procedural shortcomings, and misconfigurations within an organization’s cyber environment. Red Teaming includes creation of a “Rules of Engagement” document by which red team honors over course of their actions. It is expected that Red Team will produce a final report at end of event period. |
|
Regularly | On a regular basis: at regular intervals. |
|
Remote Access | Access to an organizational system by a user (or a process acting on behalf of a user) communicating through an external network (e.g., Internet). |
|
Removable Media | Portable data storage medium that can be added to or removed from a computing device or network.
Note: Examples include, but are not limited to: optical discs (CD, DVD, Blu-ray); external/removable hard drives; external/removable Solid-State Disk (SSD) drives; magnetic/optical tapes; flash memory devices (USB, eSATA, Flash Drive, Thumb Drive); flash memory cards (Secure Digital, CompactFlash, Memory Stick, MMC, xD); and other external/removable disks (floppy, Zip, Jaz, Bernoulli, UMD). See Glossary: Portable Storage Device |
|
Reporting [forensics] | The final phase of computer and network forensic process, which involves reporting results of analysis; this may include describing actions used, explaining how tools and procedures were selected, determining what other actions need to be performed (e.g., forensic examination of additional data sources, securing identified vulnerabilities, improving existing security controls), and providing recommendations for improvement to policies, guidelines, procedures, tools, and other aspects of The forensic process.The formality of reporting step varies greatly depending on situation. |
|
Residual Risk | Portion of risk remaining after security measures have been applied. |
|
Resilience | The ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents. |
|
Restricted Information Systems | Systems (and associated IT components comprising system) that are configured based on government requirements (i.e., connected to something that was required to support a functional requirement) and are used to support a contract (e.g., fielded systems, obsolete systems, and product deliverable replicas). |
|
Risk | A measure of extent to which an entity is threatened by a potential circumstance or event, and typically a function of:
System-related security risks are those risks that arise from loss of confidentiality, integrity, or availability of information or systems. Such risks reflect potential adverse impacts to organizational operations, organizational assets, individuals, other organizations, and Nation. |
|
Risk Analysis | The process of identifying risks to system security and determining likelihood of occurrence, resulting impact, and additional safeguards that mitigate this impact.Part of risk management and synonymous with risk assessment. |
|
Risk Assessment |
|
|
Risk Management (RM) | The program and supporting processes to manage information security risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and Nation, and includes:
|
|
Risk Mitigation | Prioritizing, evaluating, and implementing The appropriate risk-reducing controls/ countermeasures recommended from risk management process. |
|
Risk Mitigation Plan | A strategy for mitigating risk that seeks to minimize risk to an acceptable level. |
|
Risk Tolerance | The level of risk an entity is willing to assume in order to achieve a potential desired result. |
|
Root-Cause Analysis | An approach for determining underlying causes of events or problems as a means of addressing symptoms of such events asThe y manifest in organizational disruptions. |
|
Root Directory | The top-level directory in a folder hierarchy. |
|
S
Term | Description | Source |
---|---|---|
Safeguards | The protective measures prescribed to meet security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. Synonymous with security controls and countermeasures. |
|
Sandboxing | A restricted, controlled execution environment that prevents potentially malicious software, such as mobile code, from accessing any system resources except those for which software is authorized. |
|
Scanning | Sending packets or requests to another system to gain knowledge about asset, processes, services, and operations. |
|
Security Assessment | See Glossary: Security Control Assessment | |
Security Control Assessment (Security Assessment, Security Practice Assessment) | The testing or evaluation of security controls to determine extent to which controls are implemented correctly, operating as intended, and producing desired outcome with respect to meeting security requirements for a system or organization. |
|
Security Domain | An environment or context that includes a set of system resources and a set of system entities that have right to access resources as defined by a common security policy, security model, or security architecture. |
|
Security Operations Center (SOC) | A centralized function within an organization utilizing people, processes, and technologies to continuously monitor and improve an organization's security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents. |
|
Security Policy | Security policies define objectives and constraints for security program. Policies are created at several levels, ranging from organization or corporate policy to specific operational constraints (e.g., remote access). In general, policies provide answers to questions “what” and “why” without dealing with “how.” Policies are normally stated in terms that are technology-independent. |
|
Security Protection Assets | Security provide security functions or capabilities within contractor’s CMMC Assessment Scope. |
|
Security Practice Assessment | See Glossary: Security Control Assessment | |
Sensitive Information | Information where loss, misuse, or unauthorized access or modification could adversely affect national interest or conduct of federal programs, or privacy to which individuals are entitled under 5 U.S.C. Section 552a (The Privacy Act). |
|
Separation of Duties | Refers to principle that no user should be given enough privileges to misuse system onThe ir own. For example, person authorizing a paycheck should not also be one who can prepareThe m.Separation of duties can be enforced ei r statically (by defining conflicting roles, i.e., roles which cannot be executed by same user) or dynamically (by enforcing control at access time). |
|
Service Continuity Plan | A service-specific plan for sustaining services and associated assets under degraded conditions. |
|
SHA-256 | A Secure Hash Algorithm (SHA) that produces a condensed representation of electronic data, or message digest, 256 bits in length. |
|
Situational Awareness (SA) | Within a volume of time and space, perception of an enterprise’s security posture and its threat environment; comprehension/meaning of both taken toge r (risk); and projection ofThe ir status into near future. |
|
Specialized Asset | The following are considered specialized assets for CMMC: Government Property, Internet of Things (IoT) or Industrial Internet of Things (IIoT), Operational Technology (OT), and Restricted Information Systems. |
|
Split Tunneling | The process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network. This method of network access enables a user to access remote devices (e.g., a networked printer) at same time as accessing uncontrolled networks. |
|
Spyware | Software that is secretly or surreptitiously installed into an information system to ga r information on individuals or organizations withoutThe ir knowledge; a type of malicious code. |
|
Standards | A document, established by consensus and approved by a recognized body, that provides for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at achievement of optimum degree of order in a given context.
Note: Standards should be based on consolidated results of science, technology and experience, and aimed at promotion of optimum community benefits. |
|
Standard Process | An operational definition of basic process that guides establishment of a common process in an organization. A standard process describes fundamental process elements that are expected to be incorporated into any defined process. It also describes relationships (e.g., ordering, interfaces) amongThe se process elements.
See Glossary: Defined Process |
|
Subnetwork | A subordinate part of an organization’s enterprise network. |
|
Supply Chain | A system of organizations, people, activities, information, and resources, possibly international in scope, that provides products or services to consumers. |
|
Supply Chain Attack | Attacks that allow adversary to utilize implants or other vulnerabilities inserted prior to installation in order to infiltrate data, or manipulate information technology hardware, software, operating systems, peripherals (information technology products) or services at any point during life cycle. |
|
Supply Chain Risk Management (SCRM) | A systematic process for managing supply chain risk by identifying susceptibilities, vulnerabilities, and threats throughout supply chain and developing mitigation strategies to combat those threats whe r presented by supplier, supplied product and its subcomponents, or supply chain (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal). |
|
Sustain | Maintain a desired operational state. |
|
System Assets | Any software, hardware (IT, OT, IoT), data, administrative, physical, communications, or personnel resource within an information system. |
|
System Boundary | The scope of system and environment being assessed. All components of an information system to be authorized for operation by an authorizing official and excludes separately authorized systems, to which information system is connected. System Boundary is equivalent to defined CMMC Assessment Scope.
See Glossary: CMMC Assessment Scope |
|
System Integrity | The quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of system, whe r intentional or accidental. |
|
System Interconnection | A system interconnection is defined as direct connection of two or more IT systems for purpose of sharing data and other information resources. |
|
System Security Plan (SSP) | The formal document prepared by information system owner (or common security controlsThe ownerThe forThe inheritedThe controls)The thatThe providesThe anThe overviewThe ofThe security requirements for system and describes security controls in place or planned for meeting those requirements. plan can also contain as supporting appendices or as references, other key security-related documents such as a risk assessment, privacy impact assessment, system interconnection agreements, contingency plan, security configurations, configuration management plan, and incident response plan. |
|
T
Term | Description | Source |
---|---|---|
Tampering | An intentional but unauthorized act resulting in modification of a system, components of systems, its intended behavior, or data. |
|
Test Equipment | Hardware and/or associated IT components used in testing of products, system components, and contract deliverables (e.g., oscilloscopes, spectrum analyzers, power meters, and special test equipment). |
|
Threat | Any circumstance or event with potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. |
|
Threat Actor | An individual or a group posing a threat. |
|
Threat Intelligence | Threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide necessary context for decision-making processes. |
|
Threat Monitoring | Analysis, assessment, and review of audit trails and other information collected for purpose of searching out system events that may constitute violations of system security. |
|
Trigger | A set of logic statements to be applied to a data stream that produces an event when an anomalous incident or behavior occurs. |
|
Trojan Horse | A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes program. |
|
Tunneling | Technology enabling one network to send its data via another network’s connections.Tunneling works by encapsulating a network protocol within packets carried by second network. |
|
U
Term | Description | Source |
---|---|---|
Unauthorized Access | Any access that violates stated security policy. |
|
User | Individual, or (system) process acting on behalf of an individual, authorized to access a system. |
|
V
Term | Description | Source |
---|---|---|
Virus | A computer program that can copy itself and infect a computer without permission or knowledge of user. A virus might corrupt or delete data on a computer, use e-mail programs to spread itself to other computers, or even erase everything on a hard disk.
See Glossary: Malicious Code |
|
Vulnerability | Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. |
|
Vulnerability Assessment | Systematic examination of an information system or product to determine adequacy of security measures, identify security deficiencies, provide data from which to predict effectiveness of proposed security measures, and confirm adequacy of such measures after implementation. |
|
Vulnerability Management | An Information Security Continuous Monitoring (ISCM) capability that identifies vulnerabilities [Common Vulnerabilities and Exposures (CVEs)] on devices that are likely to be used by attackers to compromise a device and use it as a platform from which to extend compromise to network. |
|
W
Term | Description | Source |
---|---|---|
Web Proxy | See Glossary: Proxy | |
Whitelist | An approved list or register of entities that are provided a particular privilege, service, mobility, access or recognition.
An implementation of a default deny-all or allow-by-exception policy across an enterprise environment, and a clear, concise, timely process for adding exceptions when required for mission accomplishments. |
|