AA Accreditation Authority ACAS Assured Compliance Assessment Solution Access Opportunity to make use of an information system (IS) resource. CNSS Instruction No. 4009 Access Control Limiting access to information system resources only to authorized users, programs, processes, or other systems. CNSS Instruction No. 4009 Access Control List (ACL) Mechanism implementing discretionary and/or mandatory access control between subjects and objects. CNSS Instruction No. 4009 Access Control Mechanism Security safeguard designed to detect and deny unauthorized access and permit authorized access in an IS. CNSS Instruction No. 4009 Access Level Hierarchical portion of the security level used to identify the sensitivity of IS data and the clearance or authorization of users. Access level, in conjunction with the non-hierarchical categories, forms the sensitivity label of an object. See category. CNSS Instruction No. 4009 Access List (IS) Compilation of users, programs, or processes and the access levels and types to which each is authorized. (COMSEC)-Roster of persons authorized admittance to a controlled area. CNSS Instruction No. 4009 Access Profile Associates each user with a list of protected objects the user may access. CNSS Instruction No. 4009 Access Type Privilege to perform action on an object. Read, write, execute, append, modify, delete, and create are examples of access types. CNSS Instruction No. 4009 Accountability (IS) Process of tracing IS activities to a responsible source. (COMSEC) Principle that an individual is entrusted to safeguard and control equipment, keying material, and information and is answerable to proper authority for the loss or misuse of that equipment or information. CNSS Instruction No. 4009 Accounting Legend Code (ALC) Numeric code used to indicate the minimum accounting controls required for items of accountable COMSEC material within the COMSEC Material Control System. CNSS Instruction No. 4009 Accounting Number Number assigned to an item of COMSEC material to facilitate its control. CNSS Instruction No. 4009 Accreditation Formal declaration by a Designated Accrediting Authority (DAA) that an IS is approved to operate at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards. CNSS Instruction No. 4009 Accreditation Boundary 1. (IA)Identifies the information resources covered by an accreditation decision, as distinguished from separately accredited information resources that are interconnected or with which information is exchanged via messaging. (Synonymous with Security Perimeter.) 2. (IC) For the purposes of identifying the Protection Level for confidentiality of a system to be accredited, the system has a conceptual boundary that extends to all intended users of the system, both directly and indirectly connected, who receive output from the system. CNSS Instruction No. 4009 Accreditation Package Product comprised of a System Security Plan (SSP) and a report documenting the basis for the accreditation decision. CNSS Instruction No. 4009 Accrediting Authority Synonymous with Designated Accrediting Authority (DAA). CNSS Instruction No. 4009 ACL Access Control List CNSS Instruction No. 4009 ACO (C.F.D) Access Control Officer CNSS Instruction No. 4009 Add-on-Security Incorporation of new hardware, software, or firmware safeguards in an operational IS. CNSS Instruction No. 4009 Adequate Security Security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. This includes assuring that information systems operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls. CNSS Instruction No. 4009 Advanced Encryption Standard (AES) FIPS approved cryptographic algorithm that is a symmetric block cypher using cryptographic key sizes of 128, 192, and 256 bits to encrypt and decrypt data in blocks of 128 bits. CNSS Instruction No. 4009 Advisory Notification of significant new trends or developments regarding the threat to the IS of an organization. This notification may include analytical insights into trends, intentions, technologies, or tactics of an adversary targeting ISs. CNSS Instruction No. 4009 AES Advanced Encryption Standard CNSS Instruction No. 4009 AIG Address Indicator Group CNSS Instruction No. 4009 AIN Advanced Intelligence Network CNSS Instruction No. 4009 AK Automatic Remote Rekeying CNSS Instruction No. 4009 AKD/RCU Automatic Key Distribution/Rekeying Control Unit CNSS Instruction No. 4009 ALC Accounting Legend Code CNSS Instruction No. 4009 Alert Notification of a specific attack directed at the IS of an organization. CNSS Instruction No. 4009 Alternate COMSEC Custodian Individual designated by proper authority to perform the duties of the COMSEC custodian during the temporary absence of the COMSEC custodian. CNSS Instruction No. 4009 Alternative Work Site Government-wide, national program allowing Federal employees to work at home or at geographically convenient satellite offices for part of the work week. CNSS Instruction No. 4009 AMS 1. Auto-Manual System 2. Autonomous Message Switch CNSS Instruction No. 4009 ANDVT Advanced Narrowband Digital Voice Terminal CNSS Instruction No. 4009 ANSI American National Standards Institute CNSS Instruction No. 4009 Anti-jam Measures ensuring that transmitted information can be received despite deliberate jamming attempts. CNSS Instruction No. 4009 Anti-spoof Measures taken to prevent the unauthorized use of legitimate Identification & Authentication (I&A) data, however it was obtained, to mimic a subject different from the attacker. AO Authorizing Official APC Adaptive Predictive Coding CNSS Instruction No. 4009 Application Software program that performs a specific function directly for a user and can be executed without access to system control, monitoring, or administrative privileges. CNSS Instruction No. 4009 APU Auxiliary Power Unit CNSS Instruction No. 4009 ASCII American Standard Code for Information Interchange CNSS Instruction No. 4009 Assurance Measure of confidence that the security features, practices, procedures, and architecture of an IS accurately mediates and enforces the security policy. CNSS Instruction No. 4009 Assured Software Software that has been designed, developed, analyzed and tested using processes, tools, and techniques that establish a level of confidence in its trustworthiness appropriate for its intended use. CNSS Instruction No. 4009 ASU Approval for Service Use CNSS Instruction No. 4009 AS&W Attack Sensing and Warning CNSS Instruction No. 4009 ATM Asynchronous Transfer Mode CNSS Instruction No. 4009 Attack Attempt to gain unauthorized access to an IS's services, resources, or information, or the attempt to compromise an IS's integrity, availability, or confidentiality. CNSS Instruction No. 4009 Attack Sensing and Warning (AS&W) Detection, correlation, identification, and characterization of intentional unauthorized activity with notification to decision makers so that an appropriate response can be developed. CNSS Instruction No. 4009 Audit Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures. CNSS Instruction No. 4009 Audit Trail Chronological record of system activities to enable the reconstruction and examination of the sequence of events and/or changes in an event. CNSS Instruction No. 4009 Authenticate To verify the identity of a user, user device, or other entity, or the integrity of data stored, transmitted, or otherwise exposed to unauthorized modification in an IS, or to establish the validity of a transmission. CNSS Instruction No. 4009 Authentication The process of verifying the identity or other attributes claimed by or assumed of an entity (user, process, or device), or to verify the source and integrity of data. NIST SP 800-53: Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. CNSS Instruction No. 4009 Authentication System Cryptosystem or process used for authentication. CNSS Instruction No. 4009 Authenticator Means used to confirm the identity of a station, originator, or individual. CNSS Instruction No. 4009 Authorization Access privileges granted to a user, program, or process. CNSS Instruction No. 4009 Authorized Vendor Manufacturer of INFOSEC equipment authorized to produce quantities in excess of contractual requirements for direct sale to eligible buyers. Eligible buyers are typically U.S. Government organizations or U.S. Government contractors. CNSS Instruction No. 4009 Authorized Vendor Program (AVP) Program in which a vendor, producing an INFOSEC product under contract to NSA, is authorized to produce that product in numbers exceeding the contracted requirements for direct marketing and sale to eligible buyers. Eligible buyers are typically U.S. Government organizations or U.S. Government contractors. Products approved for marketing and sale through the AVP are placed on the Endorsed Cryptographic Products List (ECPL). CNSS Instruction No. 4009 AUTODIN Automatic Digital Network CNSS Instruction No. 4009 Automated Security Monitoring Use of automated procedures to ensure security controls are not circumvented or the use of these tools to track actions taken by subjects suspected of misusing the IS. CNSS Instruction No. 4009 Automatic Remote Rekeying Procedure to rekey distant crypto-equipment electronically without specific actions by the receiving terminal operator. CNSS Instruction No. 4009 Availability Timely, reliable access to data and information services for authorized users. CNSS Instruction No. 4009 AVP Authorized Vendor Program CNSS Instruction No. 4009

Back Door Hidden software or hardware mechanism used to circumvent security controls. Synonymous with trap door. CNSS Instruction No. 4009 Backup Copy of files and programs made to facilitate recovery, if necessary. CNSS Instruction No. 4009 Banner Display on an IS that sets parameters for system or data use. CNSS Instruction No. 4009 BCP Business Continuity Plan Benign Condition of cryptographic data that cannot be compromised by human access. CNSS Instruction No. 4009 Benign Environment Nonhostile environment that may be protected from external hostile elements by physical, personnel, and procedural security countermeasures. CNSS Instruction No. 4009 Binding Process of associating a specific communications terminal with a specific cryptographic key or associating two related elements of information. CNSS Instruction No. 4009 Biometrics Automated methods of authenticating or verifying an individual based upon a physical or behavioral characteristic. CNSS Instruction No. 4009 Bit Error Rate Ratio between the number of bits incorrectly received and the total number of bits transmitted in a telecommunications system. CNSS Instruction No. 4009 BLACK Designation applied to information systems, and to associated areas, circuits, components, and equipment, in which national security information is not processed. CNSS Instruction No. 4009 Boundary Software, hardware, or physical barrier that limits access to a system or part of a system. CNSS Instruction No. 4009 Brevity List List containing words and phrases used to shorten messages. CNSS Instruction No. 4009 Browsing Act of searching through IS storage to locate or acquire information, without necessarily knowing the existence or format of information being sought. CNSS Instruction No. 4009 Bulk Encryption Simultaneous encryption of all channels of a multichannel telecommunications link. CNSS Instruction No. 4009

C2 1. Command and Control 2. Controlled Access Protection (C.F.D.) CNSS Instruction No. 4009 C3 Command, Control, and Communications CNSS Instruction No. 4009 C3I Command, Control, Communications and Intelligence CNSS Instruction No. 4009 C4 Command, Control, Communications and Computers CNSS Instruction No. 4009 CA 1. Controlling Authority 2. Cryptanalysis 3. COMSEC Account 4. Command Authority 5. Certification Authority CNSS Instruction No. 4009 Certification and Accreditation CNSS Instruction No. 4009 Call Back Procedure for identifying and authenticating a remote IS terminal, whereby the host system disconnects the terminal and re-establishes contact. Synonymous with dial back. CNSS Instruction No. 4009 Canister Type of protective package used to contain and dispense key in punched or printed tape form. CNSS Instruction No. 4009 Cascading Downward flow of information through a range of security levels greater than the accreditation range of a system network or component. CNSS Instruction No. 4009 Category Restrictive label applied to classified or unclassified information to limit access. CNSS Instruction No. 4009 CAW Certificate Authority Workstation CNSS Instruction No. 4009 CC Common Criteria CNSS Instruction No. 4009 CCEP Commercial COMSEC Endorsement Program CNSS Instruction No. 4009 CCI Controlled Cryptographic Item CNSS Instruction No. 4009 CCI Assembly Device embodying a cryptographic logic or other COMSEC design that NSA has approved as a Controlled Cryptographic Item (CCI). It performs the entire COMSEC function, but depends upon the host equipment to operate. CNSS Instruction No. 4009 CCI Component Part of a Controlled Cryptographic Item (CCI) that does not perform the entire COMSEC function but depends upon the host equipment, or assembly, to complete and operate the COMSEC function. CNSS Instruction No. 4009 CCI Equipment Telecommunications or information handling equipment that embodies a Controlled Cryptographic Item (CCI component or CCI assembly and performs the entire COMSEC function without dependence on host equipment to operate. CNSS Instruction No. 4009 CCO Circuit Control Officer CNSS Instruction No. 4009 CD Cyberspace Defense Central Office of Record (COR) Office of a federal department or agency that keeps records of accountable COMSEC material held by elements subject to its oversight. CNSS Instruction No. 4009 CEOI Communications Electronics Operating Instruction CNSS Instruction No. 4009 CEPR Compromising Emanation Performance Requirement CNSS Instruction No. 4009 CER 1. Cryptographic Equipment Room 2. Communication Equipment Room CNSS Instruction No. 4009 CERT Computer Emergency Response Team CNSS Instruction No. 4009 Certificate Digitally signed document that binds a public key with an identity. The certificate contains, at a minimum, the identity of the issuing Certification Authority, the user identification information, and the user's public key. CNSS Instruction No. 4009 Certificate Management Process whereby certificates (as defined above) are generated, stored, protected, transferred, loaded, used, and destroyed. CNSS Instruction No. 4009 Certificate Revocation List List of invalid certificates (as defined above) that have been revoked by the issuer. CNSS Instruction No. 4009 Certification Comprehensive evaluation of the technical and nontechnical security safeguards of an IS to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements. CNSS Instruction No. 4009 Certification Authority (C&A) Official responsible for performing the comprehensive evaluation of the security features of an information system and determining the degree to which it meets its security requirements.(PKI)Trusted entity authorized to create, sign, and issue public key certificates. By digitally signing each certificate issued, the user's identity is certified, and the association of the certified identity with a public key is validated. CNSS Instruction No. 4009 Certification Authority Workstation Commercial-off-the-shelf (COTS) workstation with a trusted operating system and special purpose application software that is used to issue certificates. CNSS Instruction No. 4009 Certification Package Product of the certification effort documenting the detailed results of the certification activities. CNSS Instruction No. 4009 Certification Test and Evaluation (CT&E) Software and hardware security tests conducted during development of an IS. CNSS Instruction No. 4009 Certified TEMPEST Technical Authority (CTTA) An experienced, technically qualified U.S. Government employee who has met established certification requirements in accordance with CNSS (NSTISSC)-approved criteria and has been appointed by a U.S. Government Department or Agency to fulfill CTTA responsibilities. CNSS Instruction No. 4009 Certifier Individual responsible for making a technical judgment of the system's compliance with stated requirements, identifying and assessing the risks associated with operating the system, coordinating the certification activities, and consolidating the final certification and accreditation packages. CNSS Instruction No. 4009 CFD Common Fill Device CNSS Instruction No. 4009 Challenge and Reply Authentication Prearranged procedure in which a subject requests authentication of another and the latter establishes validity with a correct reply. CNSS Instruction No. 4009 Checksum Value computed on data to detect error or manipulation during transmission. See hash total. CNSS Instruction No. 4009 Check Word Cipher text generated by cryptographic logic to detect failures in cryptography. CNSS Instruction No. 4009 CIAC Computer Incident Assessment Capability CNSS Instruction No. 4009 CIK Crypto-Ignition Key CNSS Instruction No. 4009 CIO Chief Information Officer Cipher Any cryptographic system in which arbitrary symbols or groups of symbols, represent units of plain text, or in which units of plain text are rearranged, or both. CNSS Instruction No. 4009 Cipher Text Enciphered information. CNSS Instruction No. 4009 Cipher Text Auto-Key (CTAK) Cryptographic logic that uses previous cipher text to generate a key stream. CNSS Instruction No. 4009 Ciphony Process of enciphering audio information, resulting in encrypted speech. CNSS Instruction No. 4009 CIRT Computer Security Incident Response Team CNSS Instruction No. 4009 CKG Cooperative Key Generation CNSS Instruction No. 4009 Classified Information Information that has been determined pursuant to Executive Order 12958 or any predecessor Order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status. CNSS Instruction No. 4009 Classified Information Spillage Security incident that occurs whenever classified data is spilled either onto an unclassified IS or to an IS with a lower level of classification. CNSS Instruction No. 4009 Clearance Formal security determination by an authorized adjudicative office that an individual is authorized access, on a need to know basis, to a specific level of collateral classified information (TOP SECRET, SECRET, CONFIDENTIAL). CNSS Instruction No. 4009 Clearing Removal of data from an IS, its storage devices, and other peripheral devices with storage capacity, in such a way that the data may not be reconstructed using common system capabilities (i.e., keyboard strokes); however, the data may be reconstructed using laboratory methods. Cleared media may be reused at the same classification level or at a higher level. Overwriting is one method of clearing. CNSS Instruction No. 4009 Client Individual or process acting on behalf of an individual who makes requests of a guard or dedicated server. The client's requests to the guard or dedicated server can involve data transfer to, from, or through the guard or dedicated server. CNSS Instruction No. 4009 Closed Security Environment Environment providing sufficient assurance that applications and equipment are protected against the introduction of malicious logic during an IS life cycle. Closed security is based upon a system's developers operators, and maintenance personnel having sufficient clearances, authorization, and configuration control. CNSS Instruction No. 4009 CM configuration management CMCS COMSEC Material Control System CNSS Instruction No. 4009 CNA Computer Network Attack CNSS Instruction No. 4009 CND Computer Network Defense CNSS Instruction No. 4009 CNSS Committee on National Security Systems CNSS Instruction No. 4009 COA course of action Code (COMSEC) System of communication in which arbitrary groups of letters, numbers, or symbols represent units of plain text of varying length. CNSS Instruction No. 4009 Code Book Document containing plain text and code equivalents in a systematic arrangement, or a technique of machine encryption using a word substitution technique. CNSS Instruction No. 4009 Code Group Group of letters, numbers, or both in a code system used to represent a plain text word, phrase, or sentence. CNSS Instruction No. 4009 Code Vocabulary Set of plain text words, numerals, phrases, or sentences for which code equivalents are assigned in a code system. CNSS Instruction No. 4009 COI community of interest Cold Start Procedure for initially keying crypto-equipment. CNSS Instruction No. 4009 Collaborative Computing Applications and technology (e.g., whiteboarding, group conferencing) that allow two or more individuals to share information real time in an inter- or intra-enterprise environment. CNSS Instruction No. 4009 Command Authority Individual responsible for the appointment of user representatives for a department, agency, or organization and their key ordering privileges. CNSS Instruction No. 4009 Commercial COMSEC Endorsement Program (CCEP) Relationship between NSA and industry in which NSA provides the COMSEC expertise (i.e., standards, algorithms, evaluations, and guidance) and industry provides design, development, and production capabilities to produce a type 1 or type 2 product. Products developed under the CCEP may include modules, subsystems, equipment, systems, and ancillary devices. CNSS Instruction No. 4009 Common Criteria Provides a comprehensive, rigorous method for specifying security function and assurance requirements for products and systems. (International Standard ISO/IEC 5408, Common Criteria for Information Technology Security Evaluation [ITSEC]) CNSS Instruction No. 4009 Common Fill Device One of a family of devices developed to read-in, transfer, or store key. CNSS Instruction No. 4009 Communications Cover Concealing or altering of characteristic communications patterns to hide information that could be of value to an adversary. CNSS Instruction No. 4009 Communications Deception Deliberate transmission, retransmission, or alteration of communications to mislead an adversary's interpretation of the communications. See imitative communications deception and manipulative communications deception. CNSS Instruction No. 4009 Communications Profile Analytic model of communications associated with an organization or activity. The model is prepared from a systematic examination of communications content and patterns, the functions they reflect, and the communications security measures applied. CNSS Instruction No. 4009 Communications Security (COMSEC) Measures and controls taken to deny unauthorized individuals information derived from telecommunications and to ensure the authenticity of such telecommunications. Communications security includes cryptosecurity, transmission security, emission security, and physical security of COMSEC material. CNSS Instruction No. 4009 Community Risk Probability that a particular vulnerability will be exploited within an interacting population and adversely impact some members of that population. CNSS Instruction No. 4009 Compartmentalization A nonhierarchical grouping of sensitive information used to control access to data more finely than with hierarchical security classification alone. CNSS Instruction No. 4009 Compartmented Mode INFOSEC mode of operation wherein each user with direct or indirect access to a system, its peripherals, remote terminals, or remote hosts has all of the following: a. Valid security clearance for the most restricted information processed in the system\s b. Formal access approval and signed non-disclosure agreements for that information to which a user is to have access\s and c. Valid need-to-know for information to which a user is to have access. CNSS Instruction No. 4009 Compromise Type of incident where information is disclosed to unauthorized individuals or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object may have occurred. CNSS Instruction No. 4009 Compromising Emanations Unintentional signals that, if intercepted and analyzed, would disclose the information transmitted, received, handled, or otherwise processed by information systems equipment. See TEMPEST. CNSS Instruction No. 4009 COMPUSEC Computer Security CNSS Instruction No. 4009 Computer Abuse Intentional or reckless misuse, alteration, disruption, or destruction of information processing resources. CNSS Instruction No. 4009 Computer Cryptography Use of a crypto-algorithm program by a computer to authenticate or encrypt/decrypt information. CNSS Instruction No. 4009 Computer Security Measures and controls that ensure confidentiality, integrity, and availability of IS assets including hardware, software, firmware, and information being processed, stored, and communicated. CNSS Instruction No. 4009 Computer Security Incident See incident. CNSS Instruction No. 4009 Computer Security Subsystem Hardware/software designed to provide computer security features in a larger system environment. CNSS Instruction No. 4009 Computing Environment Workstation or server (host) and its operating system, peripherals, and applications. CNSS Instruction No. 4009 COMSEC Communications Security CNSS Instruction No. 4009 COMSEC Account Administrative entity, identified by an account number, used to maintain accountability, custody, and control of COMSEC material. CNSS Instruction No. 4009 COMSEC Account Audit Examination of the holdings, records, and procedures of a COMSEC account ensuring all accountable COMSEC material is properly handled and safeguarded. CNSS Instruction No. 4009 COMSEC Aid COMSEC material that assists in securing telecommunications and is required in the production, operation, or maintenance of COMSEC systems and their components. COMSEC keying material, callsign/frequency systems, and supporting documentation, such as operating and maintenance manuals, are examples of COMSEC aids. CNSS Instruction No. 4009 COMSEC Assembly Group of parts, elements, subassemblies, or circuits that are removable items of COMSEC equipment. CNSS Instruction No. 4009 COMSEC Boundary Definable perimeter encompassing all hardware, firmware, and software components performing critical COMSEC functions, such as key generation and key handling and storage. CNSS Instruction No. 4009 COMSEC Chip Set Collection of NSA approved microchips. CNSS Instruction No. 4009 COMSEC Control Program Computer instructions or routines controlling or affecting the externally performed functions of key generation, key distribution, message encryption/decryption, or authentication. CNSS Instruction No. 4009 COMSEC Custodian Person designated by proper authority to be responsible for the receipt, transfer, accounting safeguarding, and destruction of COMSEC material assigned to a COMSEC account. CNSS Instruction No. 4009 COMSEC Demilitarization Process of preparing COMSEC equipment for disposal by extracting all CCI, classified, or CRYPTO marked components for their secure destruction, as well as defacing and disposing of the remaining equipment hulk. CNSS Instruction No. 4009 COMSEC Element Removable item of COMSEC equipment, assembly, or subassembly; normally consisting of a single piece or group of replaceable parts. CNSS Instruction No. 4009 COMSEC End-Item Equipment or combination of components ready for use in a COMSEC application. CNSS Instruction No. 4009 COMSEC Equipment Equipment designed to provide security to telecommunications by converting information to a form unintelligible to an unauthorized interceptor and, subsequently, by reconverting such information to its original form for authorized recipients\s also, equipment designed specifically to aid in, or as an essential element of, the conversion process. COMSEC equipment includes crypto-equipment, crypto-ancillary equipment, cryptoproduction equipment, and authentication equipment. CNSS Instruction No. 4009 COMSEC Facility Authorized and approved space used for generating, storing, repairing, or using COMSEC material. CNSS Instruction No. 4009 COMSEC Incident See incident. CNSS Instruction No. 4009 COMSEC Insecurity COMSEC incident that has been investigated, evaluated, and determined to jeopardize the security of COMSEC material or the secure transmission of information. CNSS Instruction No. 4009 COMSEC Manager Person who manages the COMSEC resources of an organization. CNSS Instruction No. 4009 COMSEC Material Item designed to secure or authenticate telecommunications. COMSEC material includes, but is not limited to key, equipment, devices, documents, firmware, or software that embodies or describes cryptographic logic and other items that perform COMSEC functions. CNSS Instruction No. 4009 COMSEC Material Control System (CMCS) Logistics and accounting system through which COMSEC material marked "CRYPTO" is distributed, controlled, and safeguarded. Included are the COMSEC central offices of record, cryptologistic depots, and COMSEC accounts. COMSEC material other than key may be handled through the COMSEC Material Control System. CNSS Instruction No. 4009 COMSEC Modification See information systems security equipment modification. CNSS Instruction No. 4009 COMSEC Module Removable component that performs COMSEC functions in a telecommunications equipment or system. CNSS Instruction No. 4009 COMSEC Monitoring Act of listening to, copying, or recording transmissions of one's own official telecommunications to analyze the degree of security. CNSS Instruction No. 4009 COMSEC Profile Statement of COMSEC measures and materials used to protect a given operation, system, or organization. CNSS Instruction No. 4009 COMSEC Survey Organized collection of COMSEC and communications information relative to a given operation, system, or organization. CNSS Instruction No. 4009 COMSEC System Data Information required by a COMSEC equipment or system to enable it to properly handle and control key. CNSS Instruction No. 4009 COMSEC Training Teaching of skills relating to COMSEC accounting, use of COMSEC aids, or installation, use, maintenance, and repair of COMSEC equipment. CNSS Instruction No. 4009 Concept of Operations (CONOP) Document detailing the method, act, process, or effect of using an IS. CNSS Instruction No. 4009 Confidentiality Assurance that information is not disclosed to unauthorized persons, processes, or devices. CNSS Instruction No. 4009 Configuration Control Process of controlling modifications to hardware, firmware, software, and documentation to ensure the IS is protected against improper modifications prior to, during, and after system implementation. CNSS Instruction No. 4009 Configuration Management Management of security features and assurances through control of changes made to hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the life cycle of an IS. CNSS Instruction No. 4009 Confinement Channel See covert channel. CNSS Instruction No. 4009 CONOP Concept of Operations CNSS Instruction No. 4009 Contamination Type of incident involving the introduction of data of one security classification or security category into data of a lower security classification or different security category. CNSS Instruction No. 4009 Contingency Key Key held for use under specific operational conditions or in support of specific contingency plans. CNSS Instruction No. 4009 Contingency Plan Plan maintained for emergency response, backup operations, and post-disaster recovery for an IS, to ensure the availability of critical resources and to facilitate the continuity of operations in an emergency situation. CNSS Instruction No. 4009 Continuity of Operations Plan (COOP) Plan for continuing an organization's (usually a headquarters element) essential functions at an alternate site and performing those functions for the duration of an event with little or no loss of continuity before returning to normal operations. CNSS Instruction No. 4009 Controlled Access Area Physical area, (e.g., building, room, etc.) to which only authorized personnel are granted unrestricted access. All other personnel are either escorted by authorized personnel or are under continuous surveillance. CNSS Instruction No. 4009 Controlled Access Protection Minimum set of security functionality that enforces access control on individual users and makes them accountable for their actions through login procedures, auditing of security-related events, and resource isolation. CNSS Instruction No. 4009 Controlled Interface Mechanism that facilitates the adjudication of different interconnected system security policies (e.g., controlling the flow of information into or out of an interconnected system). CNSS Instruction No. 4009 Controlled Cryptographic Item (CCI) Secure telecommunications or information handling equipment, or associated cryptographic component, that is unclassified but governed by a special set of control requirements. Such items are marked "CONTROLLED CRYPTOGRAPHIC ITEM" or, where space is limited, "CCI. CNSS Instruction No. 4009 Controlled Space Three-dimensional space surrounding IS equipment, within which unauthorized persons are denied unrestricted access and are either escorted by authorized persons or are under continuous physical or electronic surveillance. CNSS Instruction No. 4009 Controlling Authority Official responsible for directing the operation of a cryptonet and for managing the operational use and control of keying material assigned to the cryptonet. CNSS Instruction No. 4009 COOP Continuity of Operations Plan Cooperative Key Generation Electronically exchanging functions of locally generated, random components, from which both terminals of a secure circuit construct traffic encryption key or key encryption key for use on that circuit. CNSS Instruction No. 4009 Cooperative Remote Rekeying Synonymous with manual remote rekeying. CNSS Instruction No. 4009 COP common operational picture COR 1. Central Office of Record (COMSEC) 2. Contracting Officer Representative CNSS Instruction No. 4009 Correctness Proof A mathematical proof of consistency between a specification and its implementation. CNSS Instruction No. 4009 COTS Commercial-off-the-shelf CNSS Instruction No. 4009 Countermeasure Action, device, procedure, technique, or other measure that reduces the vulnerability of an IS. CNSS Instruction No. 4009 Covert Channel Unintended and/or unauthorized communications path that can be used to transfer information in a manner that violates an IS security policy. See overt channel and exploitable channel. CNSS Instruction No. 4009 Covert Channel Analysis Determination of the extent to which the security policy model and subsequent lower-level program descriptions may allow unauthorized access to information. CNSS Instruction No. 4009 Covert Storage Channel Covert channel involving the direct or indirect writing to a storage location by one process and the direct or indirect reading of the storage location by another process. Covert storage channels typically involve a finite resource (e.g., sectors on a disk) that is shared by two subjects at different security levels. CNSS Instruction No. 4009 Covert Timing Channel Covert channel in which one process signals information to another process by modulating its own use of system resources (e.g., central processing unit time) in such a way that this manipulation affects the real response time observed by the second process. CNSS Instruction No. 4009 CPS COMSEC Parent Switch CNSS Instruction No. 4009 CPU Central Processing Unit CNSS Instruction No. 4009 Credentials Information, passed from one entity to another, used to establish the sending entity's access rights. CNSS Instruction No. 4009 Critical Infrastructures Systems and assets, whether the physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national public health or safety, or any combination of those matters. CNSS Instruction No. 4009 CRL Certificate Revocation List CNSS Instruction No. 4009 Cross Domain Solution Information assurance solution that provides the ability to access of transfer information between two or more security domains. CNSS Instruction No. 4009 Cryptanalysis Operations performed in converting encrypted messages to plain text without initial knowledge of the crypto-algorithm and/or key employed in the encryption. CNSS Instruction No. 4009 CRYPTO Marking or designator identifying COMSEC keying material used to secure or authenticate telecommunications carrying classified or sensitive U.S. Government or U.S. Government-derived information. CNSS Instruction No. 4009 Crypto-Alarm Circuit or device that detects failures or aberrations in the logic or operation of crypto-equipment. Crypto-alarm may inhibit transmission or may provide a visible and/or audible alarm. CNSS Instruction No. 4009 Crypto-Algorithm Well-defined procedure or sequence of rules or steps, or a series of mathematical equations used to describe cryptographic processes such as encryption/decryption, key generation, authentication, signatures, etc. CNSS Instruction No. 4009 Crypto-Ancillary Equipment Equipment designed specifically to facilitate efficient or reliable operation of crypto-equipment, without performing cryptographic functions itself. CNSS Instruction No. 4009 Crypto-Equipment Equipment that embodies a cryptographic logic. CNSS Instruction No. 4009 Cryptographic Pertaining to, or concerned with, cryptography. CNSS Instruction No. 4009 Cryptographic Component Hardware or firmware embodiment of the cryptographic logic. A cryptographic component may be a modular assembly, a printed wiring assembly, a microcircuit, or a combination of these items. CNSS Instruction No. 4009 Cryptographic Equipment Room Controlled-access room in which cryptosystems are located. CNSS Instruction No. 4009 Cryptographic Initialization Function used to set the state of a cryptographic logic prior to key generation, encryption, or other operating mode. CNSS Instruction No. 4009 Cryptographic Logic The embodiment of one (or more) crypto-algorithm(s) along with alarms, checks, and other processes essential to effective and secure performance of the cryptographic process(es). CNSS Instruction No. 4009 Cryptographic Randomization Function that randomly determines the transmit state of a cryptographic logic. CNSS Instruction No. 4009 Cryptography Art or science concerning the principles, means, and methods for rendering plain information unintelligible and for restoring encrypted information to intelligible form. CNSS Instruction No. 4009 Crypto-Ignition Key (CIK) Device or electronic key used to unlock the secure mode of crypto-equipment. CNSS Instruction No. 4009 Cryptology Field encompassing both cryptography and cryptanalysis. CNSS Instruction No. 4009 Cryptonet Stations holding a common key. CNSS Instruction No. 4009 Cryptoperiod Time span during which each key setting remains in effect. CNSS Instruction No. 4009 Cryptosecurity Component of COMSEC resulting from the provision of technically sound cryptosystems and their proper use. CNSS Instruction No. 4009 Cryptosynchronization Process by which a receiving decrypting cryptographic logic attains the same internal state as the transmitting encrypting logic. CNSS Instruction No. 4009 Cryptosystem Associated INFOSEC items interacting to provide a single means of encryption or decryption. CNSS Instruction No. 4009 Cryptosystem Analysis Process of establishing the exploitability of a cryptosystem, normally by reviewing transmitted traffic protected or secured by the system under study. CNSS Instruction No. 4009 Cryptosystem Evaluation Process of determining vulnerabilities of a cryptosystem. CNSS Instruction No. 4009 Cryptosystem Review Examination of a cryptosystem by the controlling authority ensuring its adequacy of design and content, continued need, and proper distribution. CNSS Instruction No. 4009 Cryptosystem Survey Management technique in which actual holders of a cryptosystem express opinions on the system's suitability and provide usage information for technical evaluations. CNSS Instruction No. 4009 CSE Communications Security Element CNSS Instruction No. 4009 CSP Cybersecurity Service Provider CSS 1. COMSEC Subordinate Switch 2. Constant Surveillance Service (Courier) 3. Continuous Signature Service (Courier) 4. Coded Switch System CNSS Instruction No. 4009 CSSO Contractor Special Security Officer CNSS Instruction No. 4009 CSTVRP Computer Security Technical Vulnerability Report Program CNSS Instruction No. 4009 CTAK Cipher Text Auto-Key CNSS Instruction No. 4009 Certification Test and Evaluation CNSS Instruction No. 4009 CTTA Certified TEMPEST Technical Authority CNSS Instruction No. 4009 CUI Controlled Unclassified Information CUP COMSEC Utility Program CNSS Instruction No. 4009 Cybersecurity The ability to protect or defend the use of cyberspace from cyber attacks. CNSS Instruction No. 4009 Cyberspace Defense Actions taken to defend against unauthorized activity within computer networks. Cyberspace defense includes protection, monitoring, detection and analysis, response and sustainment services. Cyclic Redundancy Check Error checking mechanism that checks data integrity by computing a polynomial algorithm based checksum. CNSS Instruction No. 4009

DAA Designated Accrediting Authority DAA Designated Approving Authority DAC Discretionary Access Control CNSS Instruction No. 4009 DAMA Demand Assigned Multiple Access CNSS Instruction No. 4009 Data Aggregation Compilation of unclassified individual data systems and data elements that could result in the totality of the information being classified or of beneficial use to an adversary. CNSS Instruction No. 4009 Data Encryption Standard (DES) Cryptographic algorithm, designed for the protection of unclassified data and published by the National Institute of Standards and Technology (NIST) in Federal Information Processing Standard (FIPS) Publication 46. CNSS Instruction No. 4009 Data Flow Control Synonymous with information flow control. CNSS Instruction No. 4009 Data Integrity Condition that exists when data is unchanged from its source and has not been accidentally or maliciously modified, altered, or destroyed. CNSS Instruction No. 4009 Data Origin Authentication Corroborating the source of data is as claimed. CNSS Instruction No. 4009 Data Security The protection of data from unauthorized (accidental or intentional) modification, destruction, or disclosure. CNSS Instruction No. 4009 Data Transfer Device (DTD) Fill device designed to securely store, transport, and transfer electronically both COMSEC and TRANSEC key, designed to be backward compatible with the previous generation of COMSEC common fill devices, and programmable to support modern mission systems. CNSS Instruction No. 4009 DCID Director Central Intelligence Directive CNSS Instruction No. 4009 DCIO Defense Criminal Investigative Office DCS 1. Defense Communications System 2. Defense Courier Service CNSS Instruction No. 4009 DDS Dual Driver Service (Courier) CNSS Instruction No. 4009 Decertification Revocation of the certification of an IS item or equipment for cause. CNSS Instruction No. 4009 Decipher Convert enciphered text to plain text by means of a cryptographic system. CNSS Instruction No. 4009 Decode Convert encoded text to plain text by means of a code. CNSS Instruction No. 4009 Decrypt Generic term encompassing decode and decipher. CNSS Instruction No. 4009 Dedicated Mode IS security mode of operation wherein each user, with direct or indirect access to the system, its peripherals, remote terminals, or remote hosts, has all of the following: a. valid security clearance for all information within the system\s b. formal access approval and signed nondisclosure agreements for all the information stored and/or processed (including all compartments, subcompartments, and/or special access programs)\s and c. valid need-to-know for all information contained within the IS. When in the dedicated security mode, a system is specifically and exclusively dedicated to and controlled for the processing of one particular type or classification of information, either for full-time operation or for a specified period of time. CNSS Instruction No. 4009 Default Classification Temporary classification reflecting the highest classification being processed in an IS. Default classification is included in the caution statement affixed to an object. CNSS Instruction No. 4009 Defense-in-depth IA strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of networks. Synonymous with security-in-depth. CNSS Instruction No. 4009 Degaussing Procedure that reduces the magnetic flux to virtual zero by applying a reverse magnetizing field. Also called demagnetizing. CNSS Instruction No. 4009 Delegated Development Program INFOSEC program in which the Director, National Security Agency, delegates, on a case by case basis, the development and/or production of an entire telecommunications product, including the INFOSEC portion, to a lead department or agency. CNSS Instruction No. 4009 Denial of Service Any action or series of actions that prevents any part of an IS from functioning. CNSS Instruction No. 4009 Department of Defense information networks (DoDIN) The globally interconnected, end-to-end set of information capabilities, and associated processes for collecting, processing, storing, disseminating, and managing information on-demand to warfighters, policy makers, and support personnel, including owned and leased communications and computing systems and services, software (including applications), data, and security. Joint Publication 1-02 DES Data Encryption Standard CNSS Instruction No. 4009 Descriptive Top-Level Specification Top-level specification written in a natural language (e.g., English), and informal design notation, or a combination of the two. Descriptive top-level specification, required for a class B2 and B3 (as defined in the Orange Book, Department of Defense Trusted Computer System Evaluation Criteria, DoD 5200.28-STD) information system, completely and accurately describes a trusted computing base. See formal top-level specification. CNSS Instruction No. 4009 Designated Approval Authority Official with the authority to formally assume responsibility for operating a system at an acceptable level of risk. This term is synonymous with authorizing official, designated accrediting authority, and delegated accrediting authority. CNSS Instruction No. 4009 DIA Defense Intelligence Agency Dial Back Synonymous with call back. CNSS Instruction No. 4009 Digital Signature Cryptographic process used to assure message originator authenticity, integrity, and nonrepudiation. CNSS Instruction No. 4009 Digital Signature Algorithm Procedure that appends data to, or performs a cryptographic transformation of, a data unit. The appended data or cryptographic transformation allows reception of the data unit and protects against forgery, e.g., by the recipient. CNSS Instruction No. 4009 Direct Shipment Shipment of COMSEC material directly from NSA to user COMSEC accounts. CNSS Instruction No. 4009 DISA Defense Information Systems Agency Disaster Recovery Plan Provides for the continuity of system operations after a disaster. CNSS Instruction No. 4009 Discretionary Access Control (DAC) Means of restricting access to objects based on the identity and need-to-know of users and/or groups to which the object belongs. Controls are discretionary in the sense that a subject with the certain access permission is capable of passing that permission (directly or indirectly) to any other subject. See mandatory access control. CNSS Instruction No. 4009 DISN Defense Information System Network CNSS Instruction No. 4009 Distinguished Name Globally unique identifier representing an individual's identity. CNSS Instruction No. 4009 DITSCAP DoD Information Technology Security Certification and Accreditation Process CNSS Instruction No. 4009 DLED Dedicated Loop Encryption Device CNSS Instruction No. 4009 DMA Direct Memory Access CNSS Instruction No. 4009 DMS Direct Memory System CNSS Instruction No. 4009 DMZ (Demilitarized Zone) Perimeter network segment that is logically between internal and external networks. Its purpose is to enforce the internal network's IA policy for external information exchange and to provide external, untrusted sources with restricted access to releasable information while shielding the internal networks from outside attacks. A DMZ is also called a "screened subnet. CNSS Instruction No. 4009 DNI Director of National Intelligence CNSS Instruction No. 4009 DoD Department of Defense DoDIN Department of Defense information networks Joint Publication 1-02 Domain System or group of systems operating under a common security policy. CNSS Instruction No. 4009 DPL Degausser Products List (a section in the INFOSEC Products and Services Catalogue) CNSS Instruction No. 4009 Drop Accountability Procedure under which a COMSEC account custodian initially receipts a COMSEC material and then provides no further accounting for it to its central office of record. Local accountability of the COMSEC material may continue to be required. See accounting legend code. CNSS Instruction No. 4009 DRP Disaster Recovery Plan DSA Digital Signature Algorithm CNSS Instruction No. 4009 DSN Defense Switched Network CNSS Instruction No. 4009 DSVT Digital Subscriber Voice Terminal CNSS Instruction No. 4009 DTD Data Transfer Device CNSS Instruction No. 4009 DTLS Descriptive Top-Level Specification CNSS Instruction No. 4009 DTS Diplomatic Telecommunications Service CNSS Instruction No. 4009 DUA Directory User Agent CNSS Instruction No. 4009

EAM Emergency Action Message CNSS Instruction No. 4009 ECCM Electronic Counter-Countermeasures CNSS Instruction No. 4009 ECM Electronic Countermeasures CNSS Instruction No. 4009 ECPL Endorsed Cyptographic Products List (a section in the Information Systems Security Products and Services Catalogue) CNSS Instruction No. 4009 EDAC Error Detection and Correction CNSS Instruction No. 4009 EFD Electronic Fill Device CNSS Instruction No. 4009 EFTO Encrypt For Transmission Only CNSS Instruction No. 4009 EKMS Electronic Key Management System CNSS Instruction No. 4009 Electronic Generated Key Key generated in a COMSEC device by introducing (either mechanically or electronically) a seed key into the device and then using the seed, together with a software algorithm stored in the device, to produce the desired key. CNSS Instruction No. 4009 Electronic Key Management System (EKMS) Interoperable collection of systems being developed by services and agencies of the U.S. Government to automate the planning, ordering, generating, distributing, storing, filling, using, and destroying of electronic key and management of other types of COMSEC material. CNSS Instruction No. 4009 Electronic Messaging Services Services providing interpersonal messaging capability\s meeting specific functional, management, and technical requirements\s and yielding a business-quality electronic mail service suitable for the conduct of official government business. CNSS Instruction No. 4009 Electronic Security (ELSEC) Protection resulting from measures designed to deny unauthorized persons information derived from the interception and analysis of noncommunications electromagnetic radiations. CNSS Instruction No. 4009 Electronic Signature See digital signature. CNSS Instruction No. 4009 Element Removable item of COMSEC equipment, assembly, or subassembly\s normally consisting of a single piece or group of replaceable parts. CNSS Instruction No. 4009 ELINT Electronic Intelligence CNSS Instruction No. 4009 Embedded Computer Computer system that is an integral part of a larger system. CNSS Instruction No. 4009 Embedded Cryptographic System Cryptosystem performing or controlling a function as an integral element of a larger system or subsystem. CNSS Instruction No. 4009 Embedded Cryptography Cryptography engineered into an equipment or system whose basic function is not cryptographic. CNSS Instruction No. 4009 Emissions Security (EMSEC) Protection resulting from measures taken to deny unauthorized persons information derived from intercept and analysis of compromising emanations from crypto-equipment or an IS. CNSS Instruction No. 4009 E Model Engineering Development Model CNSS Instruction No. 4009 Encipher Convert plain text to cipher text by means of a cryptographic system. CNSS Instruction No. 4009 Enclave Collection of computing environments connected by one or more internal networks under the control of a single authority and security policy, including personnel and physical security. CNSS Instruction No. 4009 Enclave Boundary Point at which an enclave's internal network service layer connects to an external network's service layer, i.e., to another enclave or to a Wide Area Network (WAN). CNSS Instruction No. 4009 Encode Convert plain text to cipher text by means of a code. CNSS Instruction No. 4009 Encrypt Generic term encompassing encipher and encode. CNSS Instruction No. 4009 Encryption Algorithm Set of mathematically expressed rules for rendering data unintelligible by executing a series of conversions controlled by a key. CNSS Instruction No. 4009 End-Item Accounting Accounting for all the accountable components of a COMSEC equipment configuration by a single short title. CNSS Instruction No. 4009 Endorsed for Unclassified Cryptographic Item Unclassified cryptographic equipment that embodies a U.S. Government classified cryptographic logic and is endorsed by NSA for the protection of national security information. See type 2 product. CNSS Instruction No. 4009 Endorsement NSA approval of a commercially developed product for safeguarding national security information. CNSS Instruction No. 4009 End-to-End Encryption Encryption of information at its origin and decryption at its intended destination without intermediate decryption. CNSS Instruction No. 4009 End-to-End Security Safeguarding information in an IS from point of origin to point of destination. CNSS Instruction No. 4009 Entrapment Deliberate planting of apparent flaws in an IS for the purpose of detecting attempted penetrations. CNSS Instruction No. 4009 Environment Aggregate of external procedures, conditions, and objects affecting the development, operation, and maintenance of an IS. CNSS Instruction No. 4009 EPL Evaluated Products List (a section in the INFOSEC Products and Services Catalogue) CNSS Instruction No. 4009 Erasure Process intended to render magnetically stored information irretrievable by normal means. CNSS Instruction No. 4009 ERTZ Equipment Radiation TEMPEST Zone CNSS Instruction No. 4009 ETA Education, Training, and Awareness ETPL Endorsed TEMPEST Products List CNSS Instruction No. 4009 Evaluation Assurance Level (EAL) Set of assurance requirements that represent a point on the Common Criteria predefined assurance scale. CNSS Instruction No. 4009 Event Occurrence, not yet assessed, that may affect the performance of an IS. CNSS Instruction No. 4009 Executive State One of several states in which an IS may operate, and the only one in which certain privileged instructions may be executed. Such privileged instructions cannot be executed when the system is operating in other (e.g., user) states. Synonymous with supervisor state. CNSS Instruction No. 4009 Exercise Key Key used exclusively to safeguard communications transmitted over-the-air during military or organized civil training exercises. CNSS Instruction No. 4009 Exploitable Channel Channel that allows the violation of the security policy governing an IS and is usable or detectable by subjects external to the trusted computing base. See covert channel. CNSS Instruction No. 4009 Extraction Resistance Capability of crypto-equipment or secure telecommunications equipment to resist efforts to extract key. CNSS Instruction No. 4009 Extranet Extension to the intranet allowing selected outside users access to portions of an organization's intranet. CNSS Instruction No. 4009

Fail Safe Automatic protection of programs and/or processing systems when hardware or software failure is detected. CNSS Instruction No. 4009 Fail Soft Selective termination of affected nonessential processing when hardware or software failure is determined to be imminent. CNSS Instruction No. 4009 Failure Access Unauthorized access to data resulting from hardware or software failure. CNSS Instruction No. 4009 Failure Control Methodology used to detect imminent hardware or software failure and provide fail safe or fail soft recovery. CNSS Instruction No. 4009 FDIU Fill Device Interface Unit CNSS Instruction No. 4009 File Protection Aggregate of processes and procedures designed to inhibit unauthorized access, contamination, elimination, modification, or destruction of a file or any of its contents. CNSS Instruction No. 4009 File Security Means by which access to computer files is limited to authorized users only. CNSS Instruction No. 4009 Fill Device COMSEC item used to transfer or store key in electronic form or to insert key into a crypto-equipment. CNSS Instruction No. 4009 FIPS Federal Information Processing Standard CNSS Instruction No. 4009 FIREFLY Key management protocol based on public key cryptography. CNSS Instruction No. 4009 Firewall System designed to defend against unauthorized access to or from a private network. CNSS Instruction No. 4009 Firmware Program recorded in permanent or semipermanent computer memory. CNSS Instruction No. 4009 Fixed COMSEC Facility COMSEC facility located in an immobile structure or aboard a ship. CNSS Instruction No. 4009 Flaw Error of commission, omission, or oversight in an IS that may allow protection mechanisms to be bypassed. CNSS Instruction No. 4009 Flaw Hypothesis Methodology System analysis and penetration technique in which the specification and documentation for an IS are analyzed to produce a list of hypothetical flaws. The list is prioritized on the basis of the estimated probability that a flaw exists on the ease of exploiting it, and on the extent of control or compromise it would provide. The prioritized list is used to perform penetration testing of a system. CNSS Instruction No. 4009 Flooding Type of incident involving insertion of a large volume of data resulting in denial of service. CNSS Instruction No. 4009 FOCI Foreign Owned, Controlled or Influenced CNSS Instruction No. 4009 Formal Access Approval Process for authorizing access to classified or sensitive information with specified access requirements, such as Sensitive Compartmented Information (SCI) or Privacy Data, based on the specified access requirements and a determination of the individual's security eligibility and need-to-know. CNSS Instruction No. 4009 Formal Development Methodology Software development strategy that proves security design specifications. CNSS Instruction No. 4009 Formal Method Mathematical argument which verifies that the system satisfies a mathematically described security policy. CNSS Instruction No. 4009 Formal Proof Complete and convincing mathematical argument presenting the full logical justification for each proof step and for the truth of a theorem or set of theorems. CNSS Instruction No. 4009 Formal Security Policy Model Mathematically precise statement of a security policy. CNSS Instruction No. 4009 Formal Top-Level Specification Top-level specification written in a formal mathematical language to allow theorems, showing the correspondence of the system specification to its formal requirements, to be hypothesized and formally proven. CNSS Instruction No. 4009 Formal Verification Process of using format proofs to demonstrate the consistency between formal specification of a system and formal security policy model (design verification) or between formal specification and its high-level program implementation (implementation verification). CNSS Instruction No. 4009 FOUO For Official Use Only CNSS Instruction No. 4009 Frequency Hopping Repeated switching of frequencies during radio transmission according to a specified algorithm, to minimize unauthorized interception or jamming of telecommunications. CNSS Instruction No. 4009 Front-End Security Filter Security filter logically separated from the remainder of an IS to protect system integrity. Synonymous with firewall. CNSS Instruction No. 4009 FSRS Functional Security Requirements Specification CNSS Instruction No. 4009 FSTS Federal Secure Telephone Service CNSS Instruction No. 4009 FTAM File Transfer Access Management CNSS Instruction No. 4009 FTLS Formal Top-Level Specification CNSS Instruction No. 4009 Full Maintenance Complete diagnostic repair, modification, and overhaul of INFOSEC equipment, including repair of defective assemblies by piece part replacement. Also known as depot maintenance. See limited maintenance. CNSS Instruction No. 4009 Functional Proponent See network sponsor. CNSS Instruction No. 4009 Functional Testing Segment of security testing in which advertised security mechanisms of an IS are tested under operational conditions. CNSS Instruction No. 4009

Gateway Interface providing a compatibility between networks by converting transmission speeds, protocols, codes, or security measures. CNSS Instruction No. 4009 GCCS Global Command and Control System CNSS Instruction No. 4009 GENSER general service GETS Government Emergency Telecommunications Service CNSS Instruction No. 4009 Global Information Grid The globally interconnected, end-to-end set of information capabilities, associated processes, and personnel for collecting, processing, storing, disseminating, and managing information on demand to war fighters, policy makers, and support personnel. CNSS Instruction No. 4009 Global Information Infrastructure Worldwide interconnections of the information systems of all countries, international and multinational organizations, and international commercial communications. CNSS Instruction No. 4009 GOTS Government-Off-The-Shelf CNSS Instruction No. 4009 GPS Global Positioning System CNSS Instruction No. 4009 GTS Global Telecommunications Service CNSS Instruction No. 4009 Guard Mechanism limiting the exchange of information between systems. CNSS Instruction No. 4009 GWEN Ground Wave Emergency Network CNSS Instruction No. 4009 Gypsy Verification Environment Integrated set of software tools for specifying, coding, and verifying programs written in the Gypsy language. CNSS Instruction No. 4009

Hacker Unauthorized user who attempts or gains access to an IS. CNSS Instruction No. 4009 Handshaking Procedures Dialogue between two IS's for synchronizing, identifying, and authenticating themselves to one another. CNSS Instruction No. 4009 Hard Copy Key Physical keying material, such as printed key lists, punched or printed key tapes, or programmable, read-only memories (PROM). CNSS Instruction No. 4009 Hardwired Key Permanently installed key. CNSS Instruction No. 4009 Hash Total Value computed on data to detect error or manipulation. See checksum. CNSS Instruction No. 4009 Hashing Computation of a hash total. CNSS Instruction No. 4009 Hashword Memory address containing hash total. CNSS Instruction No. 4009 HBSS host-based security system HIDS host-based intrusion detection system High Assurance Guard Device comprised of both hardware and software that is designed to enforce security rules during the transmission of X.400 message and X.500 directory traffic between enclaves of different classification levels (e.g., UNCLASSIFIED and SECRET). CNSS Instruction No. 4009

IA Information Assurance CNSS Instruction No. 4009 I&A Identification and Authentication CNSS Instruction No. 4009 IA Architecture Framework that assigns and portrays IA roles and behavior among all IT assets, and prescribes rules for interaction and interconnection. CNSS Instruction No. 4009 IA-Enabled Information Technology Product Product or technology whose primary role is not security, but which provides security services as an associated feature of its intended operating capabilities. Examples include such products as security-enabled web browsers, screening routers, trusted operating systems, and security-enabled messaging systems. CNSS Instruction No. 4009 IAM information assurance manager IATO Interim Approval to Operate CNSS Instruction No. 4009 IAVA information assurance vulnerability alert IAVB information assurance vulnerability bulletin IAVM information assurance vulnerability management IBAC Identity based Access Control CNSS Instruction No. 4009 IC Intelligence Community CNSS Instruction No. 4009 ICU Interface Control Unit CNSS Instruction No. 4009 Identification Process that an IS uses to recognize an entity. CNSS Instruction No. 4009 Identity Token Smart card, metal key, or other physical object used to authenticate identity. CNSS Instruction No. 4009 Identity Validation Tests enabling an IS to authenticate users or resources. CNSS Instruction No. 4009 IDM/CS Information Dissemination Management/Content Staging IDS Intrusion Detection System CNSS Instruction No. 4009 IEMATS Improved Emergency Message Automatic Transmission System CNSS Instruction No. 4009 IFF Identification, Friend or Foe CNSS Instruction No. 4009 IFFN Identification, Friend, Foe, or Neutral CNSS Instruction No. 4009 ILS Integrated Logistics Support CNSS Instruction No. 4009 Imitative Communications Deception Introduction of deceptive messages or signals into an adversary's telecommunications signals. See communications deception and manipulative communications deception. CNSS Instruction No. 4009 Impersonating Form of spoofing. CNSS Instruction No. 4009 Implant Electronic device or electronic equipment modification designed to gain unauthorized interception of information-bearing emanations. CNSS Instruction No. 4009 Inadvertent Disclosure Accidental exposure of information to a person not authorized access. CNSS Instruction No. 4009 Incident (IS) Assessed occurrence having actual or potentially adverse effects on an IS. (COMSEC) Occurrence that potentially jeopardizes the security of COMSEC material or the secure electronic transmission of national security information. CNSS Instruction No. 4009 Incomplete Parameter Checking System flaw that exists when the operating system does not check all parameters fully for accuracy and consistency, thus making the system vulnerable to penetration. CNSS Instruction No. 4009 Indicator Recognized action, specific, generalized, or theoretical, that an adversary might be expected to take in preparation for an attack. CNSS Instruction No. 4009 Individual Accountability Ability to associate positively the identity of a user with the time, method and degree of access to an IS. CNSS Instruction No. 4009 INFOCON Information Operation Condition Informal Security Policy Natural language description, possibly supplemented by mathematical arguments, demonstrating the correspondence of the functional specification to the high level design. CNSS Instruction No. 4009 Information Assurance (IA) Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. CNSS Instruction No. 4009 Information Assurance Manager (IAM) See information systems security manager. CNSS Instruction No. 4009 Information Assurance Officer (IAO) See information systems security officer. CNSS Instruction No. 4009 Information Assurance Product Product or technology whose primary purpose is to provide security services (e.g., confidentiality, authentication, integrity, access control, non-repudiation of data) correct known vulnerabilities; and/or provide layered defense against various categories of non-authorized or malicious penetrations of information systems or networks. Examples include such products as data/network encryptors, firewalls, and intrusion detection devices. CNSS Instruction No. 4009 Information Environment Aggregate of individuals, organizations, or systems that collect, process or disseminate information, also included is the information itself. CNSS Instruction No. 4009 Information Flow Control Procedure to ensure that information transfers within an IS are not made from a higher security level object to an object of a lower security level. CNSS Instruction No. 4009 Information Operations Actions taken to affect adversary information and ISs while defending one's own information and ISs. CNSS Instruction No. 4009 Information Owner Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal. CNSS Instruction No. 4009 Information Security Policy Aggregate of directives, regulations, rules, and practices that prescribe how an organization manages, protects, and distributes information. CNSS Instruction No. 4009 Information System (IS) Set of information resources organized for the collection, storage, processing, maintenance, use, sharing, dissemination, disposition, display, or transmission of information. CNSS Instruction No. 4009 Information Systems Security (INFOSEC) Protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats. CNSS Instruction No. 4009 Information Systems Security Engineering (ISSE) Process that captures and refines information protection requirements and ensures their integration into IT acquisition processes through purposeful security design or configuration. CNSS Instruction No. 4009 Information Systems Security Equipment Modification Modification of any fielded hardware, firmware, software, or portion thereof, under NSA configuration control. There are three classes of modifications: Mandatory (to include human safety)\s optional/special mission modifications\s and repair actions. These classes apply to elements, subassemblies, equipment, systems, and software packages performing functions such as key generation, key distribution, message encryption, decryption, authentication, or those mechanisms necessary to satisfy security policy, labeling, identification, or accountability. CNSS Instruction No. 4009 Information Systems Security Manager (ISSM) Individual responsible for a program, organization, system, or enclave's information assurance program. CNSS Instruction No. 4009 Information Systems Security Officer (ISSO) Individual responsible to the ISSM for ensuring the appropriate operational IA posture is maintained for a system, program, or enclave. CNSS Instruction No. 4009 Information Systems Security Product Item (chip, module, assembly, or equipment), technique, or service that performs or relates to information systems security. CNSS Instruction No. 4009 INFOSEC Information Systems Security CNSS Instruction No. 4009 Initialize Setting the state of a cryptographic logic prior to key generation, encryption, or other operating mode. CNSS Instruction No. 4009 Inspectable Space Three dimensional space surrounding equipment that process classified and/or sensitive information within which TEMPEST exploitation is not considered practical or where legal authority to identify and/or remove a potential TEMPEST exploitation exists. Synonymous with zone of control. CNSS Instruction No. 4009 Integrity The property whereby an entity has not been modified in an unauthorized manner. NIST SP 800-53: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. CNSS Instruction No. 4009 Integrity Check Value Checksum capable of detecting modification of an IS. CNSS Instruction No. 4009 Interconnection Security Agreement Written management authorization to interconnect information systems based upon acceptance of risk and implementation of established controls. CNSS Instruction No. 4009 Inter-domain Connections Connections between domains of different classifications for the purpose of transferring data through controlled interfaces. CNSS Instruction No. 4009 Interface Common boundary between independent systems or modules where interactions take place. CNSS Instruction No. 4009 Interface Control Document Technical document describing interface controls and identifying the authorities and responsibilities for ensuring the operation of such controls. This document is baselined during the preliminary design review and is maintained throughout the IS lifecycle. CNSS Instruction No. 4009 Interim Approval to Operation (IATO) Temporary authorization granted by a DAA for an IS to process information based on preliminary results of a security evaluation of the system. CNSS Instruction No. 4009 Interim Approval to Test (IATT) Temporary authorization to test an information system in a specified operational information environment within the timeframe and under the conditions and constraints enumerated in the written authorization. IS to process information based on preliminary results of a security evaluation of the system. CNSS Instruction No. 4009 Internal Security Controls Hardware, firmware, or software features within an IS that restrict access to resources only to authorized subjects. CNSS Instruction No. 4009 Internet Protocol (IP) Standard protocol for transmission of data from source to destinations in packet-switched communications network and interconnected systems of such networks. CNSS Instruction No. 4009 Internetwork Private Line Interface Network cryptographic unit that provides secure connections, singularly or in simultaneous multiple connections, between a host and a predetermined set of corresponding hosts. CNSS Instruction No. 4009 IO Information Operations CNSS Instruction No. 4009 IP Internet Protocol CNSS Instruction No. 4009 IPM Interpersonal Messaging CNSS Instruction No. 4009 IPS Intrusion Protection System IPSO Internet Protocol Security Option CNSS Instruction No. 4009 IS Information System CNSS Instruction No. 4009 ISDN Integrated Services Digital Network CNSS Instruction No. 4009 ISO International Standards Organization CNSS Instruction No. 4009 ISS Information Systems Security CNSS Instruction No. 4009 ISSE Information System Security Engineer CNSS Instruction No. 4009 ISSM Information System Security Manager CNSS Instruction No. 4009 ISSO Information System Security Officer CNSS Instruction No. 4009 IT Information Technology CNSS Instruction No. 4009 ITAR International Traffic in Arms Regulation CNSS Instruction No. 4009 ITSEC Information Technology Security Evaluation Criteria CNSS Instruction No. 4009 I&W Indications and Warnings

JIE Joint Information Environment Charter for the Joint Information Environment Management Construct JIMS Joint Incident Management System Joint Information Environment (JIE) A secure joint information environment comprised of shared information technology (IT) infrastructure, enterprise services, and a single security architecture to achieve full spectrum superiority, improve mission effectiveness, increase security and realize IT efficiencies. Charter for the Joint Information Environment Management Construct JWICS Joint Worldwide Intelligence Communications System

KAK Key-Auto-Key CNSS Instruction No. 4009 KEK Key Encryption Key CNSS Instruction No. 4009 Key Usually a sequence of random or pseudorandom bits used initially to set up and periodically change the operations performed in crypto-equipment for the purpose of encrypting or decrypting electronic signals, or for determining electronic counter-countermeasures patterns, or for producing other key. CNSS Instruction No. 4009 Key-Auto-Key Cryptographic logic using previous key to produce key. CNSS Instruction No. 4009 Key Distribution Center (KDC) COMSEC facility generating and distributing key in electrical form. CNSS Instruction No. 4009 Key-Encryption-Key (KEK) Key that encrypts or decrypts other key for transmission or storage. CNSS Instruction No. 4009 Key Exchange Process of exchanging public keys (and other information) in order to establish secure communications. CNSS Instruction No. 4009 Key List Printed series of key settings for a specific cryptonet. Key lists may be produced in list, pad, or printed tape format. CNSS Instruction No. 4009 Key Management Infrastructure (KMI) Framework and services that provide the generation, production, storage, protection, distribution, control, tracking, and destruction for all cryptographic key material, symmetric keys as well as public keys and public key certificates. CNSS Instruction No. 4009 Key Pair Public Key and its corresponding private key as used in public key cryptography. CNSS Instruction No. 4009 Key Production Key (KPK) Key used to initialize a keystream generator for the production of other electronically generated key. CNSS Instruction No. 4009 Key Recovery Mechanisms and processes that allow authorized parties to retrieve the cryptographic key used for data confidentially. CNSS Instruction No. 4009 Key Stream Sequence of symbols (or their electrical or mechanical equivalents) produced in a machine or auto-manual cryptosystem to combine with plain text to produce cipher text, control transmission security processes, or produce key. CNSS Instruction No. 4009 Key Tag Identification information associated with certain types of electronic key. CNSS Instruction No. 4009 Key Tape Punched or magnetic tape containing key. Printed key in tape form is referred to as a key list. CNSS Instruction No. 4009 Key Updating Irreversible cryptographic process for modifying key. CNSS Instruction No. 4009 Keying Material Key code or authentication information in physical or magnetic form. CNSS Instruction No. 4009 KG Key Generator CNSS Instruction No. 4009 KMC Key Management Center CNSS Instruction No. 4009 KMI Key Management Infrastructure CNSS Instruction No. 4009 KMID Key Management Identification Number CNSS Instruction No. 4009 KMODC Key Management Ordering and Distribution Center CNSS Instruction No. 4009 KMP Key Management Protocol CNSS Instruction No. 4009 KMS Key Management System CNSS Instruction No. 4009 KP Key Processor CNSS Instruction No. 4009 KPK Key Production Key CNSS Instruction No. 4009 KSD Key Storage Device CNSS Instruction No. 4009

Label See security label. CNSS Instruction No. 4009 Labeled Security Protections Elementary-level mandatory access control protection features and intermediate-level discretionary access control features in a TCB that uses sensitivity labels to make access control decisions. CNSS Instruction No. 4009 Laboratory Attack Use of sophisticated signal recovery equipment in a laboratory environment to recover information from data storage media. CNSS Instruction No. 4009 LEAD Low-Cost Encryption/Authentication Device CNSS Instruction No. 4009 Least Privilege Principle requiring that each subject be granted the most restrictive set of privileges needed for the performance of authorized tasks. Application of this principle limits the damage that can result from accident, error, or unauthorized use of an IS. CNSS Instruction No. 4009 LE/CI Law Enforcement/Counterintelligence Level of Concern Rating assigned to an IS indicating the extent to which protection measures, techniques, and procedures must be applied. High, Medium, and Basic are identified levels of concern. A separate Level-of-Concern is assigned to each IS for confidentiality, integrity, and availability. CNSS Instruction No. 4009 Level of Protection Extent to which protective measures, techniques, and procedures must be applied to ISs and networks based on risk, threat, vulnerability, system interconnectivity considerations, and information assurance needs. Levels of protection are 1. Basic - IS and networks requiring implementation of standard minimum security countermeasures. 2. Medium - IS and networks requiring layering of additional safeguards above the standard minimum security countermeasures. 3. High - IS and networks requiring the most stringent protection and rigorous security countermeasures. CNSS Instruction No. 4009 Limited Maintenance COMSEC maintenance restricted to fault isolation, removal, and replacement of plug-in assemblies. Soldering or unsoldering usually is prohibited in limited maintenance. See full maintenance. CNSS Instruction No. 4009 Line Conditioning Elimination of unintentional signals or noise induced or conducted on a telecommunications or information system signal, power, control, indicator, or other external interface line. CNSS Instruction No. 4009 Line Conduction Unintentional signals or noise induced or conducted on a telecommunications or information system signal, power, control, indicator, or other external interface line. CNSS Instruction No. 4009 Link Encryption Encryption of information between nodes of a communications system. CNSS Instruction No. 4009 List-Oriented IS protection in which each protected object has a list of all subjects authorized to access it. See also ticket-oriented. CNSS Instruction No. 4009 LMD Local Management Device CNSS Instruction No. 4009 LMD/KP Local Management Device/Key Processor CNSS Instruction No. 4009 Local Authority Organization responsible for generating and signing user certificates. CNSS Instruction No. 4009 Local Management Device/Key Processor (LMD/KP) EKMS platform providing automated management of COMSEC material and generating key for designated users. CNSS Instruction No. 4009 LOCK Logical Co-Processing Kernel CNSS Instruction No. 4009 Lock and Key Protection System Protection system that involves matching a key or password with a specific access requirement. CNSS Instruction No. 4009 Logic Bomb Resident computer program triggering an unauthorized act when particular states of an IS are realized. CNSS Instruction No. 4009 Logical Completeness Measure Means for assessing the effectiveness and degree to which a set of security and access control mechanisms meets security specifications. CNSS Instruction No. 4009 Long Title Descriptive title of a COMSEC item. CNSS Instruction No. 4009 Low Probability of Detection Result of measures used to hide or disguise intentional electromagnetic transmissions. CNSS Instruction No. 4009 Low Probability of Intercept Result of measures to prevent the intercept of intentional electromagnetic transmissions. CNSS Instruction No. 4009 LPC Linear Predictive Coding CNSS Instruction No. 4009 LPD Low Probability of Detection CNSS Instruction No. 4009 LPI Low Probability of Intercept CNSS Instruction No. 4009 LRIP Limited Rate Initial Preproduction CNSS Instruction No. 4009 LSI Large Scale Integration CNSS Instruction No. 4009

MAC 1. Mandatory Access Control 2. Message Authentication Code CNSS Instruction No. 4009 Magnetic Remanence Magnetic representation of residual information remaining on a magnetic medium after the medium has been cleared. See clearing. CNSS Instruction No. 4009 Maintenance Hook Special instructions (trapdoors) in software allowing easy maintenance and additional features development. Since maintenance hooks frequently allow entry into the code without the usual checks, they are a serious security risk if they are not removed prior to live implementation. CNSS Instruction No. 4009 Maintenance Key Key intended only for in-shop use. CNSS Instruction No. 4009 Malicious Applets Small application programs automatically downloaded and executed that perform an unauthorized function on an IS. CNSS Instruction No. 4009 Malicious Code Software or firmware capable of performing an unauthorized function on an IS. CNSS Instruction No. 4009 Malicious Logic Hardware, software, or firmware capable of performing an unauthorized function on an IS. MAN 1. Mandatory Modification 2. Metropolitan Area Network CNSS Instruction No. 4009 Mandatory Access Control (MAC) Means of restricting access to objects based on the sensitivity of the information contained in the objects and the formal authorization (i.e., clearance, formal access approvals, and need-to-know) or subjects to access information of such sensitivity. See discretionary access control. CNSS Instruction No. 4009 Mandatory Modification Change to a COMSEC end-item that NSA requires to be completed and reported by a specified date. See optional modification. CNSS Instruction No. 4009 Manipulative Communications Deception Alteration or simulation of friendly telecommunications for the purpose of deception. See communications deception and imitative communications deception. CNSS Instruction No. 4009 Manual Cryptosystem Cryptosystem in which the cryptographic processes are performed without the use of crypto-equipment or auto-manual devices. CNSS Instruction No. 4009 Manual Remote Rekeying Procedure by which a distant crypto-equipment is rekeyed electrically, with specific actions required by the receiving terminal operator. Synonymous with cooperative remote rekeying. Also see automatic remote keying. CNSS Instruction No. 4009 Masquerading Form of spoofing. CNSS Instruction No. 4009 Master Crypto-Ignition key Key device with electronic logic and circuits providing the capability for adding more operational CIKs to a keyset. CNSS Instruction No. 4009 Memory Scavenging The collection of residual information from data storage. CNSS Instruction No. 4009 MER Minimum Essential Requirements CNSS Instruction No. 4009 Message Authentication Code Data associated with an authenticated message allowing a receiver to verify the integrity of the message. CNSS Instruction No. 4009 Message Externals Information outside of the message text, such as the header, trailer, etc. CNSS Instruction No. 4009 Message Indicator Sequence of bits transmitted over a communications system for synchronizing crypto-equipment. Some off-line cryptosystems, such as the KL-51 and one-time pad systems, employ message indicators to establish decryption starting points. CNSS Instruction No. 4009 MHS Message Handling System CNSS Instruction No. 4009 MI Message Indicator CNSS Instruction No. 4009 MIB Management Information Base CNSS Instruction No. 4009 Mimicking Form of spoofing. CNSS Instruction No. 4009 MINTERM Miniature Terminal CNSS Instruction No. 4009 MISSI Multilevel Information Systems Security Initiative CNSS Instruction No. 4009 MLS Multilevel Security CNSS Instruction No. 4009 MOA Memorandum of Agreement Mobile Code Software modules obtained from remote systems, transferred across a network, and then downloaded and executed on local systems without explicit installation or execution by the recipient. CNSS Instruction No. 4009 Mode of Operation Description of the conditions under which an IS operates based on the sensitivity of information processed and the clearance levels, format access approvals, and need-to-know of its users. Four modes of operation are authorized for processing or transmitting information\s dedicated mode, system-high mode, compartmented/partitioned mode, and multilevel mode. CNSS Instruction No. 4009 MSE Mobile Subscriber Equipment CNSS Instruction No. 4009 Multilevel Device Equipment trusted to properly maintain and separate data of different security categories. CNSS Instruction No. 4009 Multilevel Mode INFOSEC mode of operation wherein all the following statements are satisfied concerning the users who have direct or indirect access to the system, its peripherals, remote terminals, or remote hosts\s a. some users do not have a valid security clearance for all the information processed in the IS\s b. all users have the proper security clearance and appropriate formal access approval for that information to which they have access\s and c. all users have a valid need-to-know only for information to which they have access. CNSS Instruction No. 4009 Multilevel Security (MLS) Concept of processing information with different classifications and categories that simultaneously permits access by users with different security clearances and denies access to users who lack authorization.(See cross domain solution.) CNSS Instruction No. 4009 Multi-Security Level (MSL) Capability to process information of different security classifications or categories by using periods processing or peripheral sharing. CNSS Instruction No. 4009 Mutual Suspicion Condition in which two IS's need to rely upon each other to perform a service, yet neither trusts the other to properly protect shared data. CNSS Instruction No. 4009

NACAM National COMSEC Advisory Memorandum CNSS Instruction No. 4009 NACSI National COMSEC Instruction CNSS Instruction No. 4009 NACSIM National COMSEC Information Memorandum CNSS Instruction No. 4009 NAK Negative Acknowledge CNSS Instruction No. 4009 National Information Assurance Partnership (NIAP) Joint initiative between NSA and NIST responsible for security testing needs of both IT consumers and producers and promoting the development of technically sound security requirements for IT products and systems and appropriate measures for evaluating those products and services. CNSS Instruction No. 4009 National Information Infrastructure (NII) Nationwide interconnection of communications networks, computers, databases, and consumer electronics that make vast amounts of information available to users. It includes both public and private networks, the Internet, the public switched network, and cable, wireless, and satellite communications. CNSS Instruction No. 4009 National Security Information Information that has been determined pursuant to Executive Order 12958 (as amended) or any predecessor order to require protection against unauthorized disclosure. CNSS Instruction No. 4009 National Security System Any information system (including any telecommunications system) used or operated by an agency or by a contractor of any agency, or other organization on behalf of an agency, the function, operation, or use of which I. involves intelligence activities, II. Involves cryptologic activities related to national security, III. involves command and control of military forces, IV. Involves equipment that is an integral part of a weapon or weapon system, or V. subject to subparagraph (B), is critical to the direct fulfillment of military or intelligence missions; or is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. (B). Does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications). (Title 44 U.S. Code Section 3542, Federal Information Security Management Act of 2002.) CNSS Instruction No. 4009 NCCD Nuclear Command and Control Document CNSS Instruction No. 4009 NCOW net-centric operations and warfare NCS 1. National Communications System 2. National Cryptologic School 3. Net Control Station CNSS Instruction No. 4009 NCSC National Computer Security Center CNSS Instruction No. 4009 Need-to-know The necessity for access to, or knowledge or possession of, specific information required to carry out official duties. CNSS Instruction No. 4009 Need to Know Determination Decision made by an authorized holder of official information that a prospective recipient requires access to specific official information to carry out official duties. CNSS Instruction No. 4009 NetOps Network Operations Network IS implemented with a collection of interconnected network nodes. CNSS Instruction No. 4009 Network Front-End Device implementing protocols that allow attachment of a computer system to a network. CNSS Instruction No. 4009 Network Reference Monitor See reference monitor. CNSS Instruction No. 4009 Network Security See information systems security. CNSS Instruction No. 4009 Network Security Officer See Information System Security Officer. CNSS Instruction No. 4009 Network Sponsor Individual or organization responsible for stating the security policy enforced by the network, designing the network security architecture to properly enforce that policy, and ensuring the network is implemented in such a way that the policy is enforced. CNSS Instruction No. 4009 Network System System implemented with a collection of interconnected components. A network system is based on a coherent security architecture and design. CNSS Instruction No. 4009 Network Weaving Penetration technique in which different communication networks are linked to access an IS to avoid detection and trace-back. CNSS Instruction No. 4009 NII Networks and Information Integration NIPC National Infrastructure Protection Center NIPRNET Nonsecure Internet Protocol Router Network NISAC National Industrial Security Advisory Committee CNSS Instruction No. 4009 NIST National Institute of Standards and Technology CNSS Instruction No. 4009 NLZ No-lone zone CNSS Instruction No. 4009 No-Lone Zone Area, room, or space that, when staffed, must be occupied by two or more appropriately cleared individuals who remain within sight of each other. See-two-person integrity. CNSS Instruction No. 4009 Nonrepudiation Assurance the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the data. CNSS Instruction No. 4009 NSA National Security Agency CNSS Instruction No. 4009 NSD National Security Directive CNSS Instruction No. 4009 NSDD National Security Decision Directive CNSS Instruction No. 4009 NSEP National Security Emergency Preparedness CNSS Instruction No. 4009 NSI National Security Information CNSS Instruction No. 4009 NSTAC National Security Telecommunications Advisory Committee CNSS Instruction No. 4009 NSTISSAM National Security Telecommunications and Information Systems Security Advisory/Information Memorandum CNSS Instruction No. 4009 NSTISSC National Security Telecommunications and Information Systems Security Committee CNSS Instruction No. 4009 NSTISSD National Security Telecommunications and Information Systems Security Directive CNSS Instruction No. 4009 NSTISSI National Security Telecommunications And Information Systems Security Instruction CNSS Instruction No. 4009 NSTISSP National Security Telecommunications and Information Systems Security Policy CNSS Instruction No. 4009 NTIA National Telecommunications and Information Administration CNSS Instruction No. 4009 NTISSAM National Telecommunications and Information Systems Security Advisory/Information Memorandum CNSS Instruction No. 4009 NTISSD National Security Telecommunications and Information Systems Security Directive CNSS Instruction No. 4009 NTISSI National Security Telecommunications and Information Systems Security Instruction CNSS Instruction No. 4009 NTISSP National Telecommunications and Information Systems Security Policy CNSS Instruction No. 4009 Null Dummy letter, letter symbol, or code group inserted into an encrypted message to delay or prevent its decryption or to complete encrypted groups for transmission or transmission security purposes. CNSS Instruction No. 4009

OADR Originating Agency's Determination Required CNSS Instruction No. 4009 OASD Office of the Assistant Secretary of Defense Object Passive entity containing or receiving information. Access to an object implies access to the information it contains. CNSS Instruction No. 4009 Object Reuse Reassignment and re-use of a storage medium containing one or more objects after ensuring no residual data remains on the storage medium. CNSS Instruction No. 4009 Official Information All information in the custody and control of a U.S. Government department or agency that was acquired by U.S. Government employees as a part of their official duties or because of their official status and has not been cleared for public release. CNSS Instruction No. 4009 Off-Line Cryptosystem Cryptosystem in which encryption and decryption are performed independently of the transmission and reception functions. CNSS Instruction No. 4009 One-Part Code Code in which plain text elements and their accompanying code groups are arranged in alphabetical, numerical, or other systematic order, so one listing serves for both encoding and decoding. One-part codes are normally small codes used to pass small volumes of low-sensitivity information. CNSS Instruction No. 4009 One-Time Cryptosystem Cryptosystem employing key used only once. CNSS Instruction No. 4009 One-Time Pad Manual one-time cryptosystem produced in pad form. CNSS Instruction No. 4009 One-Time Tape Punched paper tape used to provide key streams on a one-time basis in certain machine cryptosystems. CNSS Instruction No. 4009 On-Line Cryptosystem Cryptosystem in which encryption and decryption are performed in association with the transmitting and receiving functions. CNSS Instruction No. 4009 OPCODE Operations Code CNSS Instruction No. 4009 Open Storage Storage of classified information within an accredited facility, but not in General Services Administration approved secure containers, while the facility is unoccupied by authorized personnel. CNSS Instruction No. 4009 Operational Key Key intended for use over-the-air for protection of operational information or for the production or secure electrical transmission of key streams. CNSS Instruction No. 4009 Operational Vulnerability Information Information that describes the presence of a vulnerability within a specific operational setting or network. CNSS Instruction No. 4009 Operational Waiver Authority for continued use of unmodified COMSEC end-items pending the completion of a mandatory modification. CNSS Instruction No. 4009 Operations Code Code composed largely of words and phrases suitable for general communications use. CNSS Instruction No. 4009 Operations Security (OPSEC) Systematic and proven process by which potential adversaries can be denied information about capabilities and intentions by identifying, controlling, and protecting generally unclassified evidence of the planning and execution of sensitive activities. The process involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and application of appropriate countermeasures. CNSS Instruction No. 4009 OPSEC Operations Security CNSS Instruction No. 4009 Optional Modification NSA-approved modification not required for universal implementation by all holders of a COMSEC end-item. This class of modification requires all of the engineering/doctrinal control of mandatory modification but is usually not related to security, safety, TEMPEST, or reliability. See mandatory modification. CNSS Instruction No. 4009 ORA Organizational Registration Authority CNSS Instruction No. 4009 Organizational Maintenance Limited maintenance performed by a user organization. CNSS Instruction No. 4009 Organizational Registration Authority (ORA) Entity within the PKI that authenticates the identity and the organizational affiliation of the users. CNSS Instruction No. 4009 OTAD Over-the-Air Key Distribution CNSS Instruction No. 4009 OTAR Over-the-Air Rekeying CNSS Instruction No. 4009 OTAT Over-the-Air Transfer CNSS Instruction No. 4009 OTP One-Time Pad CNSS Instruction No. 4009 OTT One-Time Tape CNSS Instruction No. 4009 Over-The-Air Key Distribution Providing electronic key via over-the-air rekeying, over-the-air key transfer, or cooperative key generation. CNSS Instruction No. 4009 Over-The-Air Key Transfer Electronically distributing key without changing traffic encryption key used on the secured communications path over which the transfer is accomplished. CNSS Instruction No. 4009 Over-The-Air Rekeying (OTAR) Changing traffic encryption key or transmission security key in remote crypto-equipment by sending new key directly to the remote crypto-equipment over the communications path it secures. CNSS Instruction No. 4009 Overt Channel Communications path within a computer system or network designed for the authorized transfer of data. See covert channel. CNSS Instruction No. 4009 Overwrite Procedure Process of writing patterns of data on top of the data stored on a magnetic medium. CNSS Instruction No. 4009

PAA Policy Approving Authority CNSS Instruction No. 4009 PAL Permissive Action Link CNSS Instruction No. 4009 Parity Bit(s) used to determine whether a block of data has been altered. CNSS Instruction No. 4009 Partitioned Security Mode IS security mode of operation wherein all personnel have the clearance, but not necessarily formal access approval and need-to-know, for all information handled by an IS. CNSS Instruction No. 4009 Password Protected/private alphanumeric string used to authenticate an identity or to authorize access to data. CNSS Instruction No. 4009 PC Personal Computer CNSS Instruction No. 4009 PCA Policy Certification Authority CNSS Instruction No. 4009 PCIPB President's Critical Infrastructure Protection Board CNSS Instruction No. 4009 PCMCIA Personal Computer Memory Card International Association CNSS Instruction No. 4009 PDA Portablie Digital Assistant CNSS Instruction No. 4009 PDR Preliminary Design Review CNSS Instruction No. 4009 PDS 1. Protected Distribution Systems 2. Practices Dangerous to Security CNSS Instruction No. 4009 PED Portable Electronic Device CNSS Instruction No. 4009 Penetration See intrusion. CNSS Instruction No. 4009 Penetration Testing Security testing in which evaluators attempt to circumvent the security features of a system based on their understanding of the system design and implementation. CNSS Instruction No. 4009 Per-Call Key Unique traffic encryption key generated automatically by certain secure telecommunications systems to secure single voice or data transmissions. See cooperative key generation. CNSS Instruction No. 4009 Periods Processing Processing of various levels of classified and unclassified information at distinctly different times. Under the concept of periods processing, the system must be purged of all information from one processing period before transitioning to the next. CNSS Instruction No. 4009 Perimeter Encompasses all those components of the system that are to be accredited by the DAA, and excludes separately accredited systems to which the system is connected. CNSS Instruction No. 4009 Permuter Device used in crypto-equipment to change the order in which the contents of a shift register are used in various nonlinear combining circuits. CNSS Instruction No. 4009 PES Positive Enable System CNSS Instruction No. 4009 PII Personally Identifiable Information CNSS Instruction No. 4009 PIR Priority intelligence requirements PKC Public Key Cryptography CNSS Instruction No. 4009 PKI Public Key Infrastructure CNSS Instruction No. 4009 PKSD Programmable Key Storage Device CNSS Instruction No. 4009 Plain Text Unencrypted information. CNSS Instruction No. 4009 PM program manager P Model Preproduction Model CNSS Instruction No. 4009 PNEK Post-Nuclear Event Key CNSS Instruction No. 4009 POA&M plan of action and milestones Policy Approving Authority (PAA) First Level of the PKI Certification Management Authority that approves the security policy of each PCA. CNSS Instruction No. 4009 Policy Certification Authority (PCA) Second level of the PKI Certification Management Authority that formulates the security policy under which it and its subordinate CAs will issue public key certificates. CNSS Instruction No. 4009 Positive Control Material Generic term referring to a sealed authenticator system, permissive action link, coded switch system, positive enable system, or nuclear command and control documents, material, or devices. CNSS Instruction No. 4009 PPL Preferred Products List (a section in the INFOSEC Products and Services Catalogue) CNSS Instruction No. 4009 PRBAC Partition Rule Base Access Control CNSS Instruction No. 4009 Preproduction Model Version of INFOSEC equipment employing standard parts and suitable for complete evaluation of form, design, and performance. Preproduction models are often referred to as beta models. CNSS Instruction No. 4009 Principal Accrediting authority (PAA) Senior official with authority and responsibility for all intelligence systems within an agency. CNSS Instruction No. 4009 Print Suppression Eliminating the display of characters in order to preserve their secrecy. CNSS Instruction No. 4009 Privacy System Commercial encryption system that affords telecommunications limited protection to deter a casual listener, but cannot withstand a technically competent cryptanalytic attack. CNSS Instruction No. 4009 Privileged User Individual who has access to system control, monitoring, or administration functions (e.g., system administrator, system ISSO, maintainers, system programmers, etc.) CNSS Instruction No. 4009 Probe Type of incident involving an attempt to gather information about an IS for the apparent purpose of circumventing its security controls. CNSS Instruction No. 4009 Production Model INFOSEC equipment in its final mechanical and electrical form. CNSS Instruction No. 4009 PROPIN Proprietary Information CNSS Instruction No. 4009 Proprietary Information Material and information relating to or associated with a company's products, business or activities, including but not limited to: financial information\s data or statements\s trade secrets\s product research and development\s existing and future product designs and performance specification\s marketing plans or techniques\s schematics\s client lists, computer programs, processes and know-how that have been clearly identified and properly marked by the company as proprietary information, trade secrets or company confidential information. The information must have been developed by the company and not be available to the government or to the public without restriction from another source. CNSS Instruction No. 4009 Protected Distribution Systems (PDS) Wire line or fiber optic distribution system used to transmit unencrypted classified national security information through an area of lesser classification or control. CNSS Instruction No. 4009 Protection Philosophy Informal description of the overall design of an IS delineating each of the protection mechanisms employed. Combination of formal and informal techniques, appropriate to the evaluation class, used to show the mechanisms are adequate to enforce the security policy. CNSS Instruction No. 4009 Protection Profile Common Criteria specification that represents an implementation-independent set of security requirements for a category of Target of Evaluations(TOE)that meets specific consumer needs. CNSS Instruction No. 4009 Protection Ring One of a hierarchy of privileged modes of an IS that gives certain access rights to user programs and processes that are authorized to operate in a given mode. CNSS Instruction No. 4009 Protective Packaging Packaging techniques for COMSEC material that discourage penetration, reveal a penetration has occurred or was attempted, or inhibit viewing or copying of keying material prior to the time it is exposed for use. CNSS Instruction No. 4009 Protective Technologies Special tamper-evident features and materials employed for the purpose of detecting tampering and deterring attempts to compromise, modify, penetrate, extract, or substitute information processing equipment and keying material. CNSS Instruction No. 4009 Protocol Set of rules and formats, semantic and syntactic, permitting ISs to exchange information. CNSS Instruction No. 4009 Proxy Software agent that performs a function or operation on behalf of another application or system while hiding the details involved. CNSS Instruction No. 4009 Public Domain Software Software not protected by copyright laws of any nation that may be freely used without permission of, or payment to, the creator, and that carries no warranties from, or liabilities to the creator. CNSS Instruction No. 4009 Public Key Certificate Contains the name of a user, the public key component of the user, and the name of the issuer who vouches that the public key component is bound to the named user. CNSS Instruction No. 4009 Public Key Cryptography (PKC) Encryption system using a linked pair of keys. What one pair of keys encrypts, the other pair decrypts. CNSS Instruction No. 4009 Public Key Infrastructure (PKI) Framework established to issue, maintain, and revoke public key certificates accommodating a variety of security technologies, including the use of software. CNSS Instruction No. 4009 Purging Rendering stored information unrecoverable. See sanitize. CNSS Instruction No. 4009 PWDS Protected Wireline Distribution System CNSS Instruction No. 4009 PWS Performance Work Statement

QUADRANT Short name referring to technology that provides tamper-resistant protection to crypto-equipment. CNSS Instruction No. 4009

RAMP Rating Maintenance Program CNSS Instruction No. 4009 Randomizer Analog or digital source of unpredictable, unbiased, and usually independent bits. Randomizers can be used for several different functions, including key generation or to provide a starting state for a key generator. CNSS Instruction No. 4009 Read Fundamental operation in an IS that results only in the flow of information from an object to a subject. CNSS Instruction No. 4009 Read Access Permission to read information in an IS. CNSS Instruction No. 4009 Real Time Reaction Immediate response to a penetration attempt that is detected and diagnosed in time to prevent access. CNSS Instruction No. 4009 Recovery Procedures Actions necessary to restore data files of an IS and computational capability after a system failure. CNSS Instruction No. 4009 RED Designation applied to information systems, and associated areas, circuits, components, and equipment in which national security information is being processed. CNSS Instruction No. 4009 RED/BLACK Concept Separation of electrical and electronic circuits, components, equipment, and systems that handle national security information (RED), in electrical form, from those that handle non-national security information (BLACK) in the same form. CNSS Instruction No. 4009 Red Team Interdisciplinary group of individuals authorized to conduct an independent and focused threat-based effort as a simulated adversary to expose and exploit system vulnerabilities for the purpose of improving the security posture of information systems. CNSS Instruction No. 4009 RED Signal Any electronic emission (e.g., plain text, key, key stream, subkey stream, initial fill, or control signal) that would divulge national security information if recovered. CNSS Instruction No. 4009 Reference Monitor Concept of an abstract machine that enforces Target of Evaluation (TOE) access control policies. CNSS Instruction No. 4009 Release Prefix Prefix appended to the short title of U.S.-produced keying material to indicate its foreign releasability. "A" designates material that is releasable to specific allied nations and "U.S." designates material intended exclusively for U.S. use. CNSS Instruction No. 4009 Remanence Residual information remaining on storage media after clearing. See magnetic remanence and clearing. CNSS Instruction No. 4009 Remote Access Access for authorized users external to an enclave established through a controlled access point at the enclave boundary. CNSS Instruction No. 4009 Remote Rekeying Procedure by which a distant crypto-equipment is rekeyed electrically. See automatic remote rekeying and manual remote rekeying. CNSS Instruction No. 4009 Repair Action NSA-approved change to a COMSEC end-item that does not affect the original characteristics of the end-item and is provided for optional application by holders. Repair actions are limited to minor electrical and/or mechanical improvements to enhance operation, maintenance, or reliability. They do not require an identification label marking, or control but must be fully documented by changes to the maintenance manual. CNSS Instruction No. 4009 Reserve Keying Material Key held to satisfy unplanned needs. See contingency key. CNSS Instruction No. 4009 Residual Risk Portion of risk remaining after security measures have been applied. CNSS Instruction No. 4009 Residue Data left in storage after information processing operations are complete, but before degaussing or overwriting has taken place. CNSS Instruction No. 4009 Resource Encapsulation Method by which the reference monitor mediates accesses to an IS resource. Resource is protected and not directly accessible by a subject. Satisfies requirement for accurate auditing of resource usage. CNSS Instruction No. 4009 Risk Possibility that a particular threat will adversely impact an IS by exploiting a particular vulnerability. CNSS Instruction No. 4009 Risk Analysis Examination of information to identify the risk to an IS. CNSS Instruction No. 4009 Risk Assessment Process of analyzing threats to and vulnerabilities of an IS, and the potential impact resulting from the loss of information or capabilities of a system. This analysis is used as a basis for identifying appropriate and cost-effective security countermeasures. CNSS Instruction No. 4009 Risk Index Difference between the minimum clearance or authorization of IS users and the maximum sensitivity (e.g., classification and categories) of data processed by the system. CNSS Instruction No. 4009 Risk Management Process of managing risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system. It includes risk assessment; cost-benefit analysis; the selection, implementation, and assessment of security controls; and the formal authorization to operate the system. The process considers effectiveness, efficiency, and constraints due to laws, directives, policies, or regulations. NIST Special Pub 800-53. CNSS Instruction No. 4009 R&T research & technology

SA System Administrator CNSS Instruction No. 4009 SABI Secret and Below Interoperability CNSS Instruction No. 4009 Safeguard 1. Protection included to counteract a known or expected condition. 2. Incorporated countermeasure or set of countermeasures within a base release. CNSS Instruction No. 4009 Safeguarding Statement Statement affixed to a computer output or printout that states the highest classification being processed at the time the product was produced and requires control of the product, at that level, until determination of the true classification by an authorized person. Synonymous with banner. CNSS Instruction No. 4009 Sanitize Process to remove information from media such that data recovery is not possible. It includes removing all classified labels markings, and activity logs. See purging. CNSS Instruction No. 4009 SAO Special Access Office CNSS Instruction No. 4009 SAP 1. System Acquisition Plan 2. Special Access Program CNSS Instruction No. 4009 SARK SAVILLE Advanced Remote Keying CNSS Instruction No. 4009 SBU Sensitive But Unclassified CNSS Instruction No. 4009 SCADA supervisory control and data acquisition Scavenging Searching through object residue to acquire data. CNSS Instruction No. 4009 SCCVI Secure Configuration and Compliance Validation Initiative SCI Sensitive Compartmented Information CNSS Instruction No. 4009 SCIF Sensitive Compartmented Information Facility CNSS Instruction No. 4009 SDNS Secure Data Network System CNSS Instruction No. 4009 SDR System Design Review CNSS Instruction No. 4009 Secure Communications Telecommunications deriving security through use of type 1 products and/or PDSs. CNSS Instruction No. 4009 Secure Hash Standard Specification for a secure hash algorithm that can generate a condensed message representation called a message digest. CNSS Instruction No. 4009 Secure State Condition in which no subject can access any object in an unauthorized manner. CNSS Instruction No. 4009 Secure Subsystem Subsystem containing its own implementation of the reference monitor concept for those resources it controls. Secure subsystem must depend on other controls and the base operating system for the control of subjects and the more primitive system objects. CNSS Instruction No. 4009 Security Controls Management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. NIST Special Pub 800-53. CNSS Instruction No. 4009 Security Features Users Guide (SFUG) Guide or manual explaining how the security mechanisms in a specific system work. CNSS Instruction No. 4009 Security Filter IS trusted subsystem that enforces security policy on the data passing through it. CNSS Instruction No. 4009 Security in Depth Synonymous with defense in depth. CNSS Instruction No. 4009 Security Inspection Examination of an IS to determine compliance with security policy, procedures, and practices. CNSS Instruction No. 4009 Security Kernel Hardware, firmware, and software elements of a trusted computing base implementing the reference monitor concept. Security kernel must mediate all accesses, be protected from modification, and be verifiable as correct. CNSS Instruction No. 4009 Security Label Information representing the sensitivity of a subject or object, such as UNCLASSIFIED or its hierarchical classification (CONFIDENTIAL, SECRET, TOP SECRET) together with any applicable nonhierarchical security categories (e.g., sensitive compartmented information, critical nuclear weapon design information). CNSS Instruction No. 4009 Security Net Control Station Management system overseeing and controlling implementation of network security policy. CNSS Instruction No. 4009 Security Perimeter Boundary where security controls are in effect to protect assets. CNSS Instruction No. 4009 Security Range Highest and lowest security levels that are permitted in or on an IS, system component, subsystem, or network. CNSS Instruction No. 4009 Security Requirements Types and levels of protection necessary for equipment, data, information, applications, and facilities to meet IS security policy. CNSS Instruction No. 4009 Security Requirements Baseline Description of the minimum requirements necessary for an IS to maintain an acceptable level of security. CNSS Instruction No. 4009 Security Safeguard Protective measures and controls prescribed to meet the security requirements specified for an IS. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. See accreditation. CNSS Instruction No. 4009 Security Specification Detailed description of the safeguards required to protect an IS. CNSS Instruction No. 4009 Security Target Common Criteria specification that represents a set of security requirements to be used as the basis of an evaluation of an identified Target of Evaluation (TOE). CNSS Instruction No. 4009 Security Test and Evaluation (ST&E) Examination and analysis of the safeguards required to protect an IS, as they have been applied in an operational environment, to determine the security posture of that system. CNSS Instruction No. 4009 Security Testing Process to determine that an IS protects data and maintains functionality as intended. CNSS Instruction No. 4009 Seed Key Initial key used to start an updating or key generation process. CNSS Instruction No. 4009 Sensitive Compartmented Information (SCI) Classified information concerning or derived from intelligence sources, methods, or analytical processes, which is required to be handled within formal access control systems established by the Director of Central Intelligence. CNSS Instruction No. 4009 Sensitive Compartmented Information Facility (SCIF) Accredited area, room, or group of rooms, buildings, or installation where SCI may be stored, used, discussed, and/or processed. CNSS Instruction No. 4009 Sensitive Information Information, the loss, misuse, or unauthorized access to modification of which would adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act), but that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of the national defense or foreign policy. (Systems that are not national security systems, but contain sensitive information are to be protected in accordance with the requirements of the Computer Security Act of 1987 (P.L. 100-235).) CNSS Instruction No. 4009 Sensitivity Label Information representing elements of the security label(s) of a subject and an object. Sensitivity labels are used by the trusted computing base (TCB) as the basis for mandatory access control decisions. CNSS Instruction No. 4009 SFA Security Fault Analysis CNSS Instruction No. 4009 SFUG Security Features Users Guide CNSS Instruction No. 4009 SHA Secure Hash Algorithm CNSS Instruction No. 4009 Shielded Enclosure Room or container designed to attenuate electromagnetic radiation, acoustic signals, or emanations. CNSS Instruction No. 4009 Short Title Identifying combination of letters and numbers assigned to certain COMSEC materials to facilitate handling, accounting, and controlling. CNSS Instruction No. 4009 SI Special Intelligence CNSS Instruction No. 4009 Simple Security Property Bell-La Padula security model rule allowing a subject read access to an object, only if the security level of the subject dominates the security level of the object. CNSS Instruction No. 4009 Single Point Keying Means of distributing key to multiple, local crypto-equipment or devices from a single fill point. CNSS Instruction No. 4009 SIPRNET SECRET Internet Protocol Router Network SISS Subcommittee on Information Systems Security CNSS Instruction No. 4009 SLA service level agreement SMU Secure Mobile Unit CNSS Instruction No. 4009 Sniffer Software tool that audits and identifies network traffic packets. CNSS Instruction No. 4009 SOP standard operating procedures Software Assurance Level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at anytime during its lifecycle, and that the software functions in the intended manner. CNSS Instruction No. 4009 Software System Test and Evaluation Process Process that plans, develops, and documents the quantitative demonstration of the fulfillment of all baseline functional performance, operational, and interface requirements. CNSS Instruction No. 4009 Special Access Program (SAP) Sensitive program, approved in writing by a head of agency with original top secret classification authority, that imposes need-to-know and access controls beyond those normally provided for access to Confidential, Secret, or Top Secret information. The level of controls is based on the criticality of the program and the assessed hostile intelligence threat. The program may be an acquisition program, an intelligence program, or an operations and support program. Joint Pub 1-02, 12 Apr 2001. CNSS Instruction No. 4009 Special Access Program Facility (SAPF) Facility formally accredited by an appropriate agency in accordance with DCID 6/9 in which SAP information may be processed. CNSS Instruction No. 4009 Spillage See classified information spillage.. CNSS Instruction No. 4009 SPK Single Point Key(ing) CNSS Instruction No. 4009 Split Knowledge Separation of data or information into two or more parts, each part constantly kept under control of separate authorized individuals or teams so that no one individual or team will know the whole data. CNSS Instruction No. 4009 Spoofing CNSS Instruction No. 4009 Spread Spectrum Telecommunications techniques in which a signal is transmitted in a bandwidth considerably greater than the frequency content of the original information. Frequency hopping, direct sequence spreading, time scrambling, and combinations of these techniques are forms of spread spectrum. CNSS Instruction No. 4009 SRR Security Requirements Review CNSS Instruction No. 4009 SSO Staff Security Officer CNSS Instruction No. 4009 SSP System Security Plan CNSS Instruction No. 4009 Security Test and Evaluation CNSS Instruction No. 4009 State Variable Variable representing either the state of an IS or the state of some system resource. CNSS Instruction No. 4009 Storage Object Object supporting both read and write accesses to an IS. CNSS Instruction No. 4009 Strong Authentication Layered authentication approach relying on two or more authenticators to establish the identity of an originator or receiver of information. CNSS Instruction No. 4009 STE Secure Terminal Equipment CNSS Instruction No. 4009 STS Subcommittee on Telecommunications Security CNSS Instruction No. 4009 STU Secure Telephone Unit CNSS Instruction No. 4009 Subassembly Major subdivision of an assembly consisting of a package of parts, elements, and circuits that perform a specific function. CNSS Instruction No. 4009 Subject Generally an individual, process, or device causing information to flow among objects or change to the system state. CNSS Instruction No. 4009 Subject Security Level Sensitivity label(s) of the objects to which the subject has both read and write access. Security level of a subject must always be dominated by the clearance level of the user associated with the subject. CNSS Instruction No. 4009 Superencryption Process of encrypting encrypted information. Occurs when a message, encrypted off-line, is transmitted over a secured, on-line circuit, or when information encrypted by the originator is multiplexed onto a communications trunk, which is then bulk encrypted. CNSS Instruction No. 4009 Supersession Scheduled or unscheduled replacement of a COMSEC aid with a different edition. CNSS Instruction No. 4009 Supervisor State Synonymous with executive state of an operating system. CNSS Instruction No. 4009 Suppression Measure Action, procedure, modification, or device that reduces the level of, or inhibits the generation of, compromising emanations in an IS. CNSS Instruction No. 4009 Surrogate Access See discretionary access control. CNSS Instruction No. 4009 Syllabary List of individual letters, combination of letters, or syllables, with their equivalent code groups, used for spelling out words or proper names not present in the vocabulary of a code. A syllabary may also be a spelling table. CNSS Instruction No. 4009 Symmetric Key Encryption methodology in which the encryptor and decryptor use the same key, which must be kept secret. CNSS Instruction No. 4009 Synchronous Crypto-Operation Method of on-line crypto-operation in which crypto-equipment and associated terminals have timing systems to keep them in step. CNSS Instruction No. 4009 System Administrator (SA) Individual responsible for the installation and maintenance of the nonsecurity aspects of an information system, providing effective IS utilization, adequate security parameters, and sound implementation of established IA policy and procedures. CNSS Instruction No. 4009 System Assets Any software, hardware, data, administrative, physical, communications, or personnel resource within an IS. CNSS Instruction No. 4009 System Development Methodologies Methodologies developed through software engineering to manage the complexity of system development. Development methodologies include software engineering aids and high-level design analysis tools. CNSS Instruction No. 4009 System High Highest security level supported by an IS. CNSS Instruction No. 4009 System High Mode IS security mode of operation wherein each user, with direct or indirect access to the IS, its peripherals, remote terminals, or remote hosts, has all of the following, a. valid security clearance for all information within an IS, b. formal access approval and signed nondisclosure agreements for all the information stored and/or processed (including all compartments, subcompartments and/or special access programs), and c. valid need-to-know for some of the information contained within the IS. CNSS Instruction No. 4009 System Indicator Symbol or group of symbols in an off-line encrypted message identifying the specific cryptosystem or key used in the encryption. CNSS Instruction No. 4009 System Integrity Attribute of an IS when it performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system. CNSS Instruction No. 4009 System Low Lowest security level supported by an IS. CNSS Instruction No. 4009 System Profile Detailed security description of the physical structure, equipment component, location, relationship, and general operating environment of an IS. CNSS Instruction No. 4009 System Security See information systems security. CNSS Instruction No. 4009 System Security Engineering See information systems security engineering. CNSS Instruction No. 4009 System Security Officer See information system security officer. CNSS Instruction No. 4009 System Security Plan Formal document fully describing the planned security tasks required to meet system security requirements. CNSS Instruction No. 4009

TA technical advisory TA Traffic Analysis CNSS Instruction No. 4009 TACTERM Tactical Terminal CNSS Instruction No. 4009 TAG TEMPEST Advisory Group CNSS Instruction No. 4009 Tampering Unauthorized modification altering the proper functioning of INFOSEC equipment. CNSS Instruction No. 4009 Target of Evaluation (TOE) IT product or system and its associated administrator and user guidance documentation that is the subject of an evaluation. CNSS Instruction No. 4009 TCB Trusted Computing Base CNSS Instruction No. 4009 TCP/IP Transmission Control Protocol/Internet Protocol CNSS Instruction No. 4009 TED Trunk Encryption Device CNSS Instruction No. 4009 TEK Traffic Encryption Key CNSS Instruction No. 4009 TEP TEMPEST Endorsement Program CNSS Instruction No. 4009 Technical Controls Security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system. (NIST Special Pub 800-53. CNSS Instruction No. 4009 Technical Vulnerability Information Detailed description of a vulnerability to include the implementable steps (such as code) necessary to exploit that vulnerability. CNSS Instruction No. 4009 Telecommunications Preparation, transmission, communication, or related processing of information (writing, images, sounds or other data) by electrical, electromagnetic, electromechanical, electro-optical or electronic means. CNSS Instruction No. 4009 Telecommunications Security (TSEC) See information systems security. CNSS Instruction No. 4009 TEMPEST Short name referring to investigation, study, and control of compromising emanations from IS equipment. CNSS Instruction No. 4009 TEMPEST Test Laboratory or on-site test to determine the nature of compromising emanations associated with an IS. CNSS Instruction No. 4009 TEMPEST Zone Designed area within a facility where equipment with appropriate TEMPEST characteristics (TEMPEST zone assignment) may be operated. CNSS Instruction No. 4009 Test Key Key intended for testing of COMSEC equipment or systems. CNSS Instruction No. 4009 TFM Trusted Facility Manual CNSS Instruction No. 4009 TFS Traffic Flow Security CNSS Instruction No. 4009 Threat Any circumstance or event with the potential to adversely impact an IS through unauthorized access, destruction, disclosure, modification of data, and/or denial of service. CNSS Instruction No. 4009 Threat Analysis Examination of information to identify the elements comprising a threat. CNSS Instruction No. 4009 Threat Assessment Formal description and evaluation of threat to an IS. CNSS Instruction No. 4009 Threat Monitoring Analysis, assessment, and review of audit trails and other information collected for the purpose of searching out system events that may constitute violations of system security. CNSS Instruction No. 4009 Ticket-Oriented IS protection system in which each subject maintains a list of unforgeable bit patterns called tickets, one for each object a subject is authorized to access. See list-oriented. CNSS Instruction No. 4009 Time Bomb Resident computer program that triggers an unauthorized act at a predefined time. CNSS Instruction No. 4009 Time-Compliance Date Date by which a mandatory modification to a COMSEC end-item must be incorporated if the item is to remain approved for operational use. CNSS Instruction No. 4009 Time-Dependent Password Password that is valid only at a certain time of day or during a specified interval of time. CNSS Instruction No. 4009 TLS Top-Level Specification CNSS Instruction No. 4009 TOE Target of Evaluation CNSS Instruction No. 4009 TOE Security Functions (TSF) Set consisting of all hardware, software, and firmware of the TOE that must be relied upon for the correct enforcement of the TSP. CNSS Instruction No. 4009 TOE Security Policy (TSP) Set of rules that regulate how assets are managed, protected, and distributed within the TOE. CNSS Instruction No. 4009 TPC Two-Person Control CNSS Instruction No. 4009 TPEP Trusted Products Evaluation Program CNSS Instruction No. 4009 TPI Two-Person Integrity CNSS Instruction No. 4009 Traditional INFOSEC Program Program in which NSA acts as the central procurement agency for the development and, in some cases, the production of INFOSEC items. This includes the Authorized Vendor Program. Modification to the INFOSEC end-items used in products developed and/or produced under these programs must be approved by NSA. CNSS Instruction No. 4009 Traffic Analysis (TA) Study of communications patterns. CNSS Instruction No. 4009 Traffic Encryption Key (TEK) Key used to encrypt plain text or to superencrypt previously encrypted text and/or to decrypt cipher text. CNSS Instruction No. 4009 Traffic-Flow Security (TFS) Measure used to conceal the presence of valid messages in an on-line cryptosystem or secure communications system. CNSS Instruction No. 4009 Traffic Padding Generation of spurious communications or data units to disguise the amount of real data units being sent. CNSS Instruction No. 4009 Tranquility Property whereby the security level of an object cannot change while the object is being processed by an IS. CNSS Instruction No. 4009 TRANSEC Transmission Security CNSS Instruction No. 4009 Transmission Security (TRANSEC) Component of communications security that results from the application of measures designed to protect transmissions from interception and exploitation by means other than cryptanalysis. CNSS Instruction No. 4009 Trap-door Hidden software or hardware mechanism used to circumvent security controls. Synonymous with Back Door. CNSS Instruction No. 4009 Triple DES Product cipher that, like DES, operates on 64-bit data blocks. There are several forms, each of which uses the DES cipher 3 times. Some forms use two 56-bit keys, some use three. See NIST FIPS 46-3 and CNSSAM IA/02-04. CNSS Instruction No. 4009 TRB Technical Review Board CNSS Instruction No. 4009 TRI-TAC Tri-Service Tactical Communications System CNSS Instruction No. 4009 Trojan Horse Program containing hidden code that allows the unauthorized collection, falsification, or destruction of information. See malicious code. CNSS Instruction No. 4009 Trusted Channel Means by which a TOE Security Function (TSF) and a remote trusted IT product can communicate with necessary confidence to support the TOE Security Policy (TSP). CNSS Instruction No. 4009 Trusted Computer System IS employing sufficient hardware and software assurance measures to allow simultaneous processing of a range of classified or sensitive information. CNSS Instruction No. 4009 Trusted Computing Base (TCB) Totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination responsible for enforcing a security policy. CNSS Instruction No. 4009 Trusted Distribution Method for distributing trusted computing base (TCB) hardware, software, and firmware components that protects the TCB from modification during distribution. CNSS Instruction No. 4009 Trusted Foundry Facility where both classified and unclassified parts can be produced with an extra level of assurance that the parts have not been tampered. CNSS Instruction No. 4009 Trusted Facility Manual Document containing the operational requirements\s security environment\s hardware and software configurations and interfaces\s and all security procedures, measures, and contingency plans. CNSS Instruction No. 4009 Trusted Identification Forwarding Identification method used in IS networks whereby the sending host can verify an authorized user on its system is attempting a connection to another host. The sending host transmits the required user authentication information to the receiving host. CNSS Instruction No. 4009 Trusted Path Means by which a user and a TOE Security Function (TSF) can communicate with necessary confidence to support the TOE Security Policy (TSP). CNSS Instruction No. 4009 Trusted Process Process that has privileges to circumvent the system security policy and has been tested and verified to operate only as intended. CNSS Instruction No. 4009 Trusted Recovery Ability to ensure recovery without compromise after a system failure. CNSS Instruction No. 4009 Trusted Software Software portion of a trusted computing base (TCB). CNSS Instruction No. 4009 TSABI Top Secret and Below Interoperability CNSS Instruction No. 4009 TSCM Technical Surveillance Countermeasures CNSS Instruction No. 4009 TSEC Telecommunications Security CNSS Instruction No. 4009 TSEC Nomenclature System for identifying the type and purpose of certain items of COMSEC material. CNSS Instruction No. 4009 TTAP Trust Technology Assessment Program CNSS Instruction No. 4009 TTPs tactics, techniques, and procedures Tunneling Technology enabling one network to send its data via another network's connections. Tunneling works by encapsulating a network protocol within packets carried by the second network. CNSS Instruction No. 4009 Two-Part Code Code consisting of an encoding section, in which the vocabulary items (with their associated code groups) are arranged in alphabetical or other systematic order, and a decoding section, in which the code groups (with their associated meanings) are arranged in a separate alphabetical or numeric order. CNSS Instruction No. 4009 Two-Person Control Continuous surveillance and control of positive control material at all times by a minimum of two authorized individuals, each capable of detecting incorrect and unauthorized procedures with respect to the task being performed, and each familiar with established security and safety requirements. CNSS Instruction No. 4009 Two-Person Integrity (TPI) System of storage and handling designed to prohibit individual access to certain COMSEC keying material by requiring the presence of at least two authorized persons, each capable of detecting incorrect or unauthorized security procedures with respect to the task being performed. See no-lone zone. CNSS Instruction No. 4009 Type Certification The certification acceptance of replica information systems based on the comprehensive evaluation of the technical and non-technical security features of an IS and other safeguards, made as part of and in support of the accreditation process, to establish the extent to which a particular design and implementation meet a specified set of security requirements. CNSS Instruction No. 4009 Type 1 Key Generated and distributed under the auspices of NSA for use in a cryptographic device for the protection of classified and sensitive national security information. CNSS Instruction No. 4009 Type 1 Product Cryptographic equipment, assembly, or component classified or certified by NSA for encrypting and decrypting classified and sensitive national security information when appropriately keyed. Developed using established NSA business processes and containing NSA approved algorithms. Used to protect systems requiring the most stringent protection mechanisms. CNSS Instruction No. 4009 Type 2 Key Generated and distributed under the auspices of NSA for use in a cryptographic device for the protection of unclassified national security information. CNSS Instruction No. 4009 Type 2 Product Cryptographic equipment, assembly, or component classified or certified by NSA for encrypting and decrypting sensitive national security information when appropriately keyed. Developed using established NSA business processes and containing NSA approved algorithms. Used to protect systems requiring protection mechanisms exceeding best commercial practices including systems used for the protection of unclassified national security information. CNSS Instruction No. 4009 Type 3 Key Used in a cryptographic device for the protection of unclassified sensitive information, even if used in a Type 1 or Type 2 product. CNSS Instruction No. 4009 Type 3 Product Unclassified cryptographic equipment, assembly, or component used, when appropriately keyed, for encrypting or decrypting unclassified sensitive U.S. Government or commercial information, and to protect systems requiring protection mechanisms consistent with standard commercial practices. Developed using established commercial standards and containing NIST approved cryptographic algorithms/modules or successfully evaluated by the National Information Assurance Partnership (NIAP). CNSS Instruction No. 4009 Type 4 Key Used by a cryptographic device in support of its Type 4 functionality, i.e., any provision of key that lacks U.S. Government endorsement or oversight. CNSS Instruction No. 4009 Type 4 Product Unevaluated commercial cryptographic equipment, assemblies, or components that neither NSA nor NIST certify for any Government usage. These products are typically delivered as part of commercial offerings and are commensurate with the vendor's commercial practices. These products may contain either vendor proprietary algorithms, algorithms registered by NIST, or algorithms registered by NIST and published in a FIPS. CNSS Instruction No. 4009

UA User Agent CNSS Instruction No. 4009 UDOP user-developed operational picture UIS User Interface System CNSS Instruction No. 4009 Unauthorized Disclosure Type of event involving exposure of information to individuals not authorized to receive it. CNSS Instruction No. 4009 Unclassified Information that has not been determined pursuant to Executive Order 12958 or any predecessor order to require protection against unauthorized disclosure and that is not designated as classified. CNSS Instruction No. 4009 Untrusted Process Process that has been evaluated or examined for adherence to the security policy. It may include incorrect or malicious code that attempts to circumvent the security mechanisms. CNSS Instruction No. 4009 Updating Automatic or manual cryptographic process that irreversibly modifies the state of a COMSEC key, equipment, device or system. CNSS Instruction No. 4009 UPP User Partnership Program CNSS Instruction No. 4009 User Person or process authorized to access an IS. (PKI) Individual defined, registered, and bound to a public key structure by a certification authority (CA). CNSS Instruction No. 4009 User ID Unique symbol or character string used by an IS to identify a specific user. CNSS Instruction No. 4009 User Partnership Program (UPP) Partnership between the NSA and a U.S. Government agency to facilitate development of secure IS equipment incorporating NSA approved cryptography. The result of this program is the authorization of the product or system to safeguard national security information in the user's specific application. CNSS Instruction No. 4009 User Representative Individual authorized by an organization to order COMSEC keying material and interface with the keying system\s providing information to key users and ensure the correct type of key is ordered. CNSS Instruction No. 4009 U.S.-Controlled Facility Base or building to which access is physically controlled by U.S. persons who are authorized U.S. Government or U.S. Government contractor employees. CNSS Instruction No. 4009 U.S.-Controlled Space Room or floor within a facility that is not a U.S.-controlled facility, access to which is physically controlled by U.S. individuals who are authorized U.S. Government or U.S. Government contractor employees. Keys or combinations to locks controlling entrance to U.S.-Controlled spaces must be under the exclusive control of U.S. persons who are U.S. Government or U.S. Government contractor employees. CNSS Instruction No. 4009 USCYBERCOM United States Cyber Command USSTRATCOM United States Strategic Command U.S. Person United States citizen or a permanent resident alien, an unincorporated association substantially composed of United States citizens or permanent resident aliens, or a corporation incorporated in the United States, except for a corporation directed and controlled by a foreign government or governments. CNSS Instruction No. 4009

VA vulnerability assessment Validated Products List List of validated products that have been successfully evaluated under the National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS). CNSS Instruction No. 4009 Validation Process of applying specialized security test and evaluation procedures, tools, and equipment needed to establish acceptance for joint usage of an IS by one or more departments or agencies and their contractors. CNSS Instruction No. 4009 Variant One of two or more code symbols having the same plain text equivalent. CNSS Instruction No. 4009 Verification Process of comparing two levels of an IS specification for proper correspondence (e.g., security policy model with top-level specification, top-level specification with source code, or source code with object code). CNSS Instruction No. 4009 Virtual Private Network (VPN) Protected IS link utilizing tunneling, security controls (see information assurance), and end-point address translation giving the user the impression of a dedicated line CNSS Instruction No. 4009 Virus Self replicating, malicious program segment that attaches itself to an application program or other executable system component and leaves no obvious signs of its presence. CNSS Instruction No. 4009 VMS Vulnerability Management System VoIP Voice over Internet Protocol VPN Virtual Private Network CNSS Instruction No. 4009 Vulnerability Weakness in an IS, system security procedures, internal controls, or implementation that could be exploited. CNSS Instruction No. 4009 Vulnerability Analysis Examination of information to identify the elements comprising a vulnerability. CNSS Instruction No. 4009 Vulnerability Assessment Formal description and evaluation of vulnerabilities of an IS. CNSS Instruction No. 4009

Web Risk Assessment Process for ensuring websites are in compliance with applicable policies. CNSS Instruction No. 4009 Wireless Technology Permits the active or passive transfer of information between separated points without physical connection. Active information transfer may entail a transmit and/or receive emanation of energy, whereas passive information transfer entails a receive-only capability. Currently wireless technologies use IR, acoustic, RF, and optical but, as technology evolves, wireless could include other methods of transmission. CNSS Instruction No. 4009 Work Factor Estimate of the effort or time needed by a potential perpetrator, with specified expertise and resources, to overcome a protective measure. CNSS Instruction No. 4009 Worm See malicious code. CNSS Instruction No. 4009 Write Fundamental operation in an IS that results only in the flow of information from a subject to an object. See access type. CNSS Instruction No. 4009 Write Access Permission to write to an object in an IS. CNSS Instruction No. 4009

XDM/X Model Experimental Development Model/Exploratory Development Model. CNSS Instruction No. 4009

Zero Fill To fill unused storage locations in an IS with the representation of the character denoting "0. CNSS Instruction No. 4009 Zeroize To remove or eliminate the key from a crypto-equipment or fill device. CNSS Instruction No. 4009 Zone of Control Synonymous with inspectable space. CNSS Instruction No. 4009