E2. ENCLOSURE 2
used in this Instruction are selected from the NSTISSI 4009 (reference (k))
definitions when possible. Where new terms are used, the revised or new
definitions will be submitted as changes to reference (k).
Property that allows auditing of IT system activities to be traced to persons
or processes that may then be held responsible for their actions.
Accountability includes authenticity and non-repudiation.
Formal declaration by the DAA that an IT system is approved to operate in a
particular security mode using a prescribed set of safeguards at an acceptable
level of risk.
The configuration of any equipment or interconnected system or subsystems of
equipment that is used in the automatic acquisition, storage, manipulation,
management, movement, control, display, switching, interchange, transmission,
or reception of data or information; includes computers, ancillary equipment,
and services, including support services and related resources.
Organization. The Government organization that is responsible for
developing a system.
Measure of confidence that the security features, practices, procedures and
architecture of an IT system accurately mediates and enforces the security
The property that allows the ability to validate the claimed identity of a
Timely, reliable access to data and information services for authorized
Comprehensive evaluation of the technical and non-technical security features
of an IT system and other safeguards, made in support of the accreditation
process, to establish the extent that a particular design and implementation
meets a set of specified security requirements.
Authority (CA). The official responsible for performing the comprehensive
evaluation of the technical and non-technical security features of an IT
system and other safeguards, made in support of the accreditation process, to
establish the extent that a particular design and implementation meet a set of
specified security requirements.
Environment. The total environment in which an automated information
system, network, or a component operates. The environment includes physical,
administrative, and personnel procedures as well as communication and
networking relationships with other information systems.
Security (COMSEC). Measures and controls taken to deny unauthorized
persons information derived from telecommunications and ensure the
authenticity of such telecommunications. Communications security includes
cryptosecurity, transmission security, emission security, and physical
security of COMSEC material.
Confidentiality. Assurance that information is not disclosed to
unauthorized persons, processes, or devices.
Control. Process of controlling modifications to an IT system's hardware,
firmware, software, and documentation to ensure the system is protected
against improper modifications prior to, during, and after system
Management. Management of security features and assurances through control
of changes made to hardware, software, firmware, documentation, test, test
fixtures, and test documentation throughout the life-cycle of the IT.
Manager. The individual or organization responsible for Configuration
Control or Configuration Management.
Integrity. The attribute of data that is related to the preservation of
its meaning and completeness, the consistency of its representation(s), and
its correspondence to what it represents.
Information Infrastructure (DII). The DII is the seamless web of
communications networks, computers, software, databases, applications, data,
security services, and other capabilities that meets the information
processing and transport needs of DoD users in peace and in all crises,
conflict, humanitarian support, and wartime roles.
Approving Authority (DAA or Accreditor). Official with the authority to
formally assume the responsibility for operating a system or network at an
acceptable level of risk.
. The organization that develops
the information system.
E2.1.20. DoD Information
Technology Security Certification and Accreditation Process (DITSCAP). The
standard DoD process for identifying information security requirements,
providing security solutions, and managing information system security
E2.1.21. Emissions security
(EMSEC). Measures taken to deny unauthorized persons information derived
from intercept and analysis of compromising emanations from crypto-equipment
or an IT system.
Aggregate of external procedures, conditions, and objects affecting the
development, operation, and maintenance of an IT system.
Program Strategies. Generally
characterized by design, development, and deployment of a preliminary
capability that includes provisions for the evolutionary addition of future
functionality and changes, as requirements are further defined, DoD Directive
E2.1.24. Governing Security
Requisites. Those security requirements that must be addressed in all
systems. These requirements are set by policy, directive, or common practice
set; e.g., by E.O., OMB, the OSD, a Military Service or a DoD Agency. Those
requirements are typically high-level. While implementation will vary from
case to case, those requisites are fundamental and shall be addressed.
E2.1.25. Grand Design
Program Strategies. Characterized by
acquisition, development, and deployment of the total functional capability in
a single increment, reference (i).
Program Strategies. Characterized by
acquisition, development, and deployment of functionality through a number of
clearly defined system "increments" that stand on their own, reference (i).
Category. The term used to bound information and tie it to an information
Infrastructure-Centric. A security management approach that considers
information systems and their computing environment as a single entity.
Security Policy. The aggregate of public law, directives, regulations,
rules, and practices that regulate how an organization manages, protects, and distributes
information. For example, the information security policy for financial data
processed on DoD systems may be in U.S.C., E.O., DoD Directives, and local
regulations. The information security policy lists all the security
requirements applicable to specific information.
System. Any telecommunication or computer-related equipment or
interconnected system or subsystems of equipment that is used in the
acquisition, storage, manipulation, management, movement, control, display,
switching, interchange, transmission, or reception of voice and/or data, and
includes software, firmware, and hardware.
E2.1.31. Information System
Security Officer (ISSO). The person responsible to the DAA for ensuring
the security of an IT system is approved, operated, and maintained throughout
its life-cycle in accordance with the SSAA.
Technology (IT). The hardware, firmware, and software used as part of the
information system to perform DoD information functions. This definition
includes computers, telecommunications, automated information systems, and
automatic data processing equipment. IT includes any assembly of computer
hardware, software, and/or firmware configured to collect, create,
communicate, compute, disseminate, process, store, and/or control data or
Technology Security (ITSEC). Protection of information technology against
unauthorized access to or modification of information, whether in storage,
processing or transit, and against the denial of service to authorized users,
including those measures necessary to detect, document, and counter such
threats. Protection and maintenance of confidentiality, integrity,
availability, and accountability.
E2.1.34. Integrator. An
organization or individual that unites, combines, or otherwise incorporates
information system components with another system(s).
Quality of an IT system reflecting the logical correctness and reliability of
the operating system; the logical completeness of the hardware and software
implementing the protection mechanisms; and the consistency of the data
structures and occurrence of the stored data. It is composed of data integrity
and system integrity.
E2.1.36. Legacy Information
System. An operational information system that existed before the
implementation of the DITSCAP.
The organization or individual that maintains the information system.
Organization. The organization that keeps an IT system operating in
accordance with prescribed laws, policy, procedures and regulations. In the
case of a contractor maintained system, the maintenance organization is the
government organization responsible for, or sponsoring the operation of the IT
E2.1.39. Mission. The
assigned duties to be performed by a resource.
Item (NDI). Any item that is available in the commercial marketplace; any
previously developed item that is in use by a Department or Agency of the
United States, a State or local government, or a foreign government with which
the United States has a mutual defense cooperation agreement; any item
described above, that requires only minor modifications in order to meet the
requirements of the procuring Agency; or any item that is currently being
produced that does not meet the requirements of definitions above, solely
because the item is not yet in use or is not yet available in the commercial
E2.1.41. Other Program
Strategies. Strategies intended to
encompass variations and/or combinations of the grand design, incremental,
evolutionary, or other program strategies, DoD Directive 5000.1 (reference (i)).
Manager. The person ultimately responsible for the overall procurement,
development, integration, modification, or operation and maintenance of the IT
E2.1.43. Risk. A
combination of the likelihood that a threat will occur, the likelihood that a
threat occurrence will result in an adverse impact, and the severity of the
Assessment. Process of analyzing threats to, and vulnerabilities of, an IT
system, and the potential impact that the loss of information or capabilities
of a system would have on national security. The resulting analysis is used as
a basis for identifying appropriate and effective measures.
Management. Process concerned with the identification, measurement,
control, and minimization of security risks in IT systems to a level
commensurate with the value of the assets protected.
Measures and controls that ensure confidentiality, integrity, availability,
and accountability of the information processed and stored by a computer.
Inspection. Examination of an IT system to determine compliance with
security policy, procedures, and practices.
Process. The series of activities that monitor, evaluate, test, certify,
accredit, and maintain the system accreditation throughout the system
Requirements. Types and levels of protection necessary for equipment,
data, information, applications, and facilities to meet security policy.
Specification. Detailed description of the safeguards required to protect
an IT system.
E2.1.51. Security Test and
Evaluation (ST&E). Examination and analysis of the safeguards required
to protect an IT system, as they have been applied in an operational
environment, to determine the security posture of that system.
Information. Information, the loss,
misuse, or unauthorized access to or modification of which could adversely
affect the national interest or the conduct of federal programs, or the
privacy to which individuals are entitled under 5 U.S.C. Section 552a (reference (l)), but that has not been specifically authorized under criteria
established by an E.O. or an Act of Congress to be kept secret in the
interest of national defense or foreign policy.
E2.1.53. System. A set
of interrelated components consisting of mission, environment, and
architecture as a whole.
E2.1.54. System Entity.
A system subject (user or process) or object.
Integrity. Quality of an IT system to perform its intended function in an
unimpaired manner, free from deliberate or inadvertent unauthorized
manipulation of the system.
E2.1.56. System Security
Authorization Agreement (SSAA). A formal agreement among the DAA(s), the
CA, the IT system user representative, and the program manager. It is used
throughout the entire DITSCAP to guide actions, document decisions, specify
ITSEC requirements, document certification tailoring and level-of-effort,
identify potential solutions, and maintain operational systems security.
E2.1.57. TEMPEST. Short
name referring to investigation, study, and control of compromising emanations
from IT equipment.
E2.1.58. Threat. Any
circumstance or event with the potential to cause harm to an IT system in the
form of destruction, disclosure, adverse modification of data, and/or denial
Assessment. Formal description and evaluation of threat to an IT
E2.1.60. Trusted Computing
Base (TCB). Totality of protection mechanisms within a computer system,
including hardware, firmware, and software, the combination responsible for
enforcing a security policy.
E2.1.61. User. Person
or process authorized to access an IT system.
Representative. The individual or organization that represents the user or
user community in the definition of information system requirements.
E2.1.63. Utility. An
element of the DII providing information services to DoD users. Those services
include Defense Information Systems Agency Mega-Centers, information
processing, and wide-area network communications services.
Determination of the correct implementation in the completed IT system with
the security requirements and approach agreed on by the users, acquisition
authority, and the DAA.
The process of determining compliance of the evolving IT system specification,
design, or code with the security requirements and approach agreed on by the
users, acquisition authority, and the DAA.
Weakness in an information system, or cryptographic system, or components
(e.g., system security procedures, hardware design, internal controls) that
could be exploited.
Assessment. Systematic examination of an information system or product to
determine the adequacy of security measures, identify security deficiencies,
provide data from which to predict the effectiveness of proposed security
measures, and confirm the adequacy of such measures after