148 This publication is available free of charge from: https://doi.org/10.6028/NIST.HB.162

External System Service Provider - A provider of external system services to an organization through a variety of consumer-producer relationships including but not limited to: joint ventures; business partnerships; outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements); licensing agreements; and/or supply chain exchanges.

External Network - A network not controlled by the organization.

Federal Information System - An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.

FIPS-validated cryptography - A cryptographic module validated by the Cryptographic Module Validation Program (CMVP) to meet requirements specified in FIPS Publication 140-2 (as amended). As a prerequisite to CMVP validation, the cryptographic module is required to employ a cryptographic algorithm implementation that has successfully passed validation testing by the Cryptographic Algorithm Validation Program (CAVP).

Firewall - A gateway that limits access between networks in accordance with local security policy.

Firmware - Computer programs and data stored in hardware, typically in read-only memory (ROM) or programmable read-only memory (PROM), such that the programs and data cannot be dynamically written or modified during execution of the programs.

Gateway - An intermediate system (interface, relay) that attaches to two (or more) computer networks that have similar functions but dissimilar implementations and that enables either one-way or two-way communication between the networks.

Hacker - A person who circumvents security and breaks into a network, computer, file, etc., usually with malicious intent.

Hardware - The physical components of a system.

Identifier - Unique data used to represent a person's identity and associated attributes. A name or a card number are examples of identifiers. A unique label used by a system to indicate a specific entity, object, or group.

Impact - The effect on organizational operations, organizational assets, individuals, other organizations, or the Nation (including the national security interests of the United States) of a loss of confidentiality, integrity, or availability of information or a system.

Impact Value - The assessed potential impact resulting from a compromise of the confidentiality of information (e.g., CUI) expressed as a value of low, moderate, or high.

Incident - An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of a system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

Industrial Control System (ICS) - A general term that encompasses several types of control systems and associated instrumentation used in industrial production technology, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other smaller control system configurations such as programmable logic controllers (PLC) often found in the industrial sectors and critical infrastructures.

Information - 1) Facts and ideas, which can be represented (encoded) as various forms of data. 2) Knowledge, e.g., data, instructions, in any medium or form that can be communicated between system entities.

Information Assurance - Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.

Information Flow Control - Procedure to ensure that information transfers within a system are not made in violation of the security policy.

Information Resources - Information and related resources, such as personnel, equipment, funds, and information technology.

Information Security - The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to provide confidentiality, integrity, and availability.

Information Security Policy - Aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information.

Information Security Risk - The risk to company operations (including mission, functions, image, reputation), company assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or a system.

Information System - A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Note: Information systems also include specialized systems such as industrial/process controls systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems.

Information Technology - (A) With respect to an executive agency means any equipment or interconnected system or subsystem of equipment, used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency, if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency that requires the use 1) of that equipment or 2) of that equipment to a significant extent in the performance of a service or the furnishing of a product; (B) Includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services), and related resources; but (C) does not include any equipment acquired by a federal contractor incidental to a federal contract.

Insider Threat - The threat that an insider will use her/his authorized access, wittingly or unwittingly, to do harm to the security of the United States. This threat can include damage to the United States through espionage, terrorism, unauthorized disclosure, or through the loss or degradation of departmental resources or capabilities.

Integrity - Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

Internal Network - A network where establishment, maintenance, and provisioning of security controls are under the direct control of organizational employees or contractors; or the cryptographic encapsulation or similar security technology implemented between organization-controlled endpoints provides the same effect (with regard to confidentiality and integrity). An internal network is typically organization-owned, yet may be organization-controlled while not being organization-owned.

Intrusion Detection System (IDS) - Software that automates the intrusion detection process.

Key - A parameter used in conjunction with a cryptographic algorithm that determines its operation. Examples applicable to this Standard include: 1) the computation of a digital signature from data, and 2) the verification of a digital signature.

Key Management - The activities involving the handling of cryptographic keys and other related security parameters (e.g., initialization vectors) during the entire lifecycle of the keys, including their generation, storage, establishment, entry and output, use, and destruction.

Keystroke Monitoring - The process used to view or record both the keystrokes entered by a computer user and the computer's response during an interactive session. Keystroke monitoring is usually considered a special case of audit trails.

Least Privilege - The principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.

Link Encryption - Encryption of information between nodes of a communications system.

Local Access - Access to an organizational system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.

Logic Bomb - A piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met.

Malicious Code - Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of a system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code.

Malware - See Malicious Code.

Media - Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, and printouts (but not including display media) onto which information is recorded, stored, or printed within a system.

Mobile Code - Software programs or parts of programs obtained from remote systems, transmitted across a network, and executed on a local system without explicit installation or execution by the recipient.

Mobile Device - A portable computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); possesses local, non-removable/removable data storage; and includes a self-contained power source. Mobile devices may also include voice communication capabilities, onboard sensors that allow the devices to capture information, or built-in features that synchronize local data with remote locations. Examples include smartphones, tablets, and E-readers.

Multifactor Authentication - Authentication using two or more different factors to achieve authentication. Factors include something you know (e.g., PIN, password); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric).

Network - A system implemented with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices.

Network Access - Access to a system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, internet).

Node - In data communication, a physical network node may either be a data communication equipment (DCE) such as a modem, hub, bridge or switch; or a data terminal equipment (DTE) such as a digital telephone handset, a printer or a computer, workstation, or a server.

Nonce - A time-varying value that has at most a negligible chance of repeating, for example, a random value that is generated anew for each use, a timestamp, a sequence number, or some combination of these.

Nonfederal Organization - An entity that owns, operates, or maintains a nonfederal information system.

Nonfederal System - A system that does not meet the criteria for a federal system.

Nonlocal Maintenance - Maintenance activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network.

Password - A string of characters (letters, numbers, and other symbols) used to authenticate an identity or to verify access authorization.

Penetration Performance Testing - A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of a system.

Phishing - A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person.

Portable Storage Device - A system component that can be inserted into and removed from a system, and that is used to store data or information (e.g., text, video, audio, and/or image data). Such components are typically implemented on magnetic, optical, or solid state devices (e.g., floppy disks, compact/digital video disks, flash/thumb drives, external hard disk drives, and flash memory cards/drives that contain nonvolatile memory).

Potential Impact - The loss of confidentiality, integrity, or availability could be expected to have: 1) a limited adverse effect (FIPS Publication 199 low); 2) a serious adverse effect (FIPS Publication 199 moderate); or 3) a severe or catastrophic adverse effect (FIPS Publication 199 high) on organizational operations, organizational assets, or individuals.

Private Key - A cryptographic key, used with a public key cryptographic algorithm, that is uniquely associated with an entity and is not made public.

Privilege - A right granted to an individual, a program, or a process.

Privileged Account - A system account with authorizations of a privileged user.

Privileged User - A user that is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.

Public Key - A cryptographic key used with a public key cryptographic algorithm that is uniquely associated with an entity and that may be made public.

Public Key Cryptography - Encryption system that uses a public-private key pair for encryption and/or digital signature.

Public Key Infrastructure (PKI) - A framework that is established to issue, maintain, and revoke public key certificates.

Ransomware - Ransomware is a type of malware that blocks access to a device or data until a ransom is paid.

Reciprocity - Mutual agreement among participating enterprises to accept each other's security assessments to reuse information system resources and/or to accept each other's assessed security posture to share information.

Records - The recordings (automated and/or manual) of evidence of activities performed or results achieved (e.g., forms, reports, test results), which serve as a basis for verifying that the organization and the system are performing as intended. Also, used to refer to units of related data fields (i.e., groups of data fields that can be accessed by a program and that contain the complete set of information on particular items).

Remote Access - Access to an organizational system by a user (or a process acting on behalf of a user) communicating through an external network (e.g., the internet).

Remote Maintenance - Maintenance activities conducted by individuals communicating through an external network (e.g., the internet).

Replay Resistance - Protection against the capture of transmitted authentication or access control information and its subsequent retransmission with the intent of producing an unauthorized effect or gaining unauthorized access.

Risk - A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: 1) the adverse impacts that would arise if the circumstance or event occurs and 2) the likelihood of occurrence. Note: System-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or systems and reflect the potential adverse impacts to company operations (including mission, functions, image, or reputation), company assets, individuals, other organizations, and the Nation. Adverse impacts to the Nation include, for example, compromises to systems that support critical infrastructure applications or are paramount to government continuity of operations as defined by the Department of Homeland Security.

Risk Assessment - The process of identifying risks to company operations (including mission, functions, image, and reputation), company assets, individuals, other organizations, and the Nation, resulting from the operation of a system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with Risk Analysis.

Risk Management - The program and supporting processes to manage information security risk to company operations (including mission, functions, image, reputation), company assets, individuals, other organizations, and the Nation, and includes: 1) establishing the context for risk-related activities, 2) assessing risk, 3) responding to risk once determined, and 4) monitoring risk over time.

Risk Management Framework (RMF) - A structured approach used to oversee and manage risk for an enterprise.

Role - A job function or employment position to which people or other system entities may be assigned in a system.

Safeguards - Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for a system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. Synonymous with security controls and countermeasures.

Sanitization - Actions taken to render data written on media unrecoverable by both ordinary and, for some forms of sanitization, extraordinary means. Process to remove information from media such that data recovery is not possible. It includes removing all classified labels, markings, and activity logs.

Secret Key - A cryptographic key, used with a secret key cryptographic algorithm, that is uniquely associated with one or more entities and should not be made public.

Security - A condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the enterprise's risk management approach.

Security Control Assessment - The testing and/or evaluation of the management, operational, and technical security controls in a system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Security Controls - The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for a system to protect the confidentiality, integrity, and availability of the system and its information.

Security Engineering - An interdisciplinary approach and means to enable the realization of secure systems. It focuses on defining customer needs, security protection requirements, and required functionality early in the systems development life cycle, documenting requirements, and then proceeding with design, synthesis, and system validation while considering the complete problem.

Security Functionality - The security-related features, functions, mechanisms, services, procedures, and architectures implemented within organizational systems or the environments in which those systems operate.

Security Functions - The hardware, software, or firmware of the system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based.

Security Label - The means used to associate a set of security attributes with a specific information object as part of the data structure for that object.

Security Relevance - Functions or mechanisms that are relied upon, directly or indirectly, to enforce a security policy that governs confidentiality, integrity, and availability protections.

Sensitivity - A measure of the importance assigned to information by its owner for the purpose of denoting its need for protection.

Signature - A recognizable, distinguishing pattern associated with an attack, such as a binary string in a virus or a particular set of keystrokes used to gain unauthorized access to a system.

SMiShing (SMS phishing) - A security attack in which the user is tricked into downloading a Trojan horse, virus, or other malware onto his cellular phone or other mobile device.

Spam - Electronic junk mail or the abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages.

Split Tunneling - The process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network. This method of network access enables a user to access remote devices (e.g., a networked printer) at the same time as accessing uncontrolled networks.

Spyware - Software that is secretly or surreptitiously installed into a system to gather information on individuals or organizations without their knowledge; a type of malicious code.

Supplemental Guidance - Statements used to provide additional explanatory information for security controls or security control enhancements.

System - Any organized assembly of resources and procedures united and regulated by interaction or interdependence to accomplish a set of specific functions. Note: Systems also include specialized systems such as industrial/process controls systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems.

System Component - A discrete, identifiable information technology asset (hardware, software, firmware) that represents a building block of a system. System components include commercial information technology products.

System Integrity - The quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental.
System Security Plan - Formal document that provides an overview of the security requirements for the system and describes the security controls in place or planned for meeting those requirements.

Tailoring - The process by which a security control baseline is modified based on: 1) the application of scoping guidance, 2) the specification of compensating security controls, if needed, and 3) the specification of organization-defined parameters in the security controls via explicit assignment and selection statements.