Glossary
Section I
Abbreviations
- AA
- Administrative Assistant
- ADP
- automatic data processing
- AIS
- automated information system(s)
- AISSAP
- Automated Information System Security Assessment Program
- AISSP
- Army Information Systems Security Program
- AMC
- Army Materiel Command
- ASA(RDA)
- Assistant Secretary of the Army for Research, Development and Acquisition
- AUTODIN
- Automatic Digital Network
- BAS
- battlefield automation systems
- CCI
- controlled cryptographic item
- CG
- Commanding General
- COMPUSEC
- computer security
- COMSEC
- communications security
- Counter-SIGINT
- Counter-Signals Intelligence
- CS (1,2,3)
- Classified Sensitive (1,2,3)
- CSC
- Computer Security Center
- CSTVRP
- Computer Security Technical Vulnerability Reporting Program
- CTTA
- Certified TEMPEST Technical Authority
- DA
- Department of the Army
- DAA
- Designated Accreditation Authority
- DCA
- Defense Communications Agency
- DCID
- Director, Central Intelligence Directive
- DCSINT
- Deputy Chief of Staff for Intelligence
- DCSLOG
- Deputy Chief of Staff for Logistics
- DCSOPS
- Deputy Chief of Staff for Operations and Plans
- DDN
- Defense Data Network
- DES
- Data Encryption Standard
- DIA
- Defense Intelligence Agency
- DIAM
- Defense Intelligence Agency Manual
- DISC4
- Director of Information Systems for Command, Control, Communications, and Computers
- DOD
- Department of Defense
- ELSEC
- electronic security
- EPL
- Evaluated Products List
- EUCI
- Endorsed for Unclassified Cryptographic Item
- FCD
- ferrous conduit distribution
- FIPS
- Federal Information Processing Standards
- FOUO
- for official use only
- FSP
- facility security profile
- FTA/RA
- Facility TEMPEST Assessment/Risk Analysis
- HOIS
- Hostile Intelligence Service
- HQDA
- Headquarters, Department of the Army
- IAA
- Interconnected accredited AIS
- IMA
- Information mission area
- INSCOM
- United States Army Intelligence and Security Command
- IRC
- Intrusion-resistant cable
- ISS
- Information Systems Security
- ISSM
- Information Systems Security Manager
- ISSO
- Information Systems Security Officer
- ISSPM
- Information Systems Security Program Manager
- JCS
- Joint Chiefs of Staff
- LAA
- limited access authorization
- LN
- Local National
- MACOM
- major Army Command
- MJCS
- Memorandum, Joint Chiefs of Staff
- NATO
- North Atlantic Treaty Organization
- NCSC
- National Computer Security Center
- NISAC
- National Information Security Assessment Center
- NIST
- National Institute of Standards and Technology
- NSA
- National Security Agency
- NSO
- network security officer
- NTISSC
- National Telecommunications and Information Systems Security Committee
- OPSEC
- operations security
- PDS
- protected distribution system
- PEO
- program executive officer
- PM
- program manager/project manager/product manager
- RDTE
- research, development, test and evaluation
- SAP
- special access program
- SCI
- sensitive compartmented information
- SCIF
- sensitive compartmented information facility
- SF
- standard form
- SIOP-ESI
- Single Integrated Operational Plan-Extremely Sensitive Information
- SOP
- standing operating procedure
- SSO
- special security officer
- STS
- single trusted system
- TAIS
- telecommunications and automated information systems
- TASO
- terminal area security officer
- TCO
- TEMPEST control officer
- TDY
- Temporary Duty
- TRADOC
- U.S. Army Training and Doctrine Command
- TS
- Top Secret
- US (1,2)
- Unclassified Sensitive (1,2)
- USAISC
- Information Systems Command
- USAISEC
- U.S. Army Information Systems Engineering Command
- WNINTEL
- Warning Notice-Intelligence Sources or Methods Involved
- WWMCCS
- Worldwide Military Command and Control System
Section II
Terms
Access
For an AIS, a specific type of interaction between a subject and object that
causes information to flow from one to the other. In COMSEC, the capability
and opportunity to gain detailed knowledge or to alter information or material.
Access control
The process of limiting access to the resources of an automated information
system only to authorized programs, processes, or other systems (in a network).
Accountability
For an AIS, the property that enables activities on an automated information
system to be traced to individuals who may then be held responsible for
their actions. In COMSEC, the principle that an individual is responsible
for the safety and security of COMSEC equipment, keying material, and
information entrusted to his or her care, and is answerable to proper
authority for the loss or misuse of that equipment or information.
Accreditation
A formal declaration by the DAA that the AIS is approved to operate in a
particular security mode using a prescribed set of safeguards. Accreditation
is the official management authorization by a designated accreditation
authority for operation of an automated information system in a particular
security mode, using a prescribed set of safeguards based on the
certification process, as well as other management considerations. The
accreditation statement affixes security responsibility with the DAA and
shows that due care has been taken for security.
Accreditation authority
See Designated Accreditation Authority (DAA).
AIS security incident
An occurrence involving classified or unclassified-sensitive information
being processed by an AIS where there may be a deviation from the
requirements of the governing security regulations, or a compromise or
unauthorized disclosure of the information occurred or was possible.
Approval to operate
A term which is synonymous with accreditation.
Audit
The independent review and examination of a system's records and activities
to test for adequacy of the system's controls, to ensure compliance with
established policy and operational procedures, or to recommend any needed
changes in controls, policy, or procedures.
Audit trail
A chronological record of system activities sufficient to enable the
reconstruction, reviewing, and examination of the sequence of environments
and activities surrounding or leading to an operation, procedure, or event
in a transaction from inception to final results.
Authenticate
To verify the identity of a user, device, or other entity in a computer
system, or to verify the integrity of data that have been stored,
transmitted, or otherwise exposed to possible unauthorized modification.
Authentication
A security measure designed to protect a communications system against
acceptance of fraudulent transmissions or simulation by establishing the
validity of a transmission, message, or originator, or a means of verifying
an individual's eligibility to receive specific categories of information.
Automanual system
Programmable, hand-held cryptographic equipment used to perform encoding and
decoding functions.
Automated information systems
Any assembly of computer hardware, software, or firmware configured to
collect, create, communicate, compute, disseminate, process, store, or
control data or information in an electronic form. AIS include stand-alone
computers, small computers, word processors, multi-user computers,
terminals, and networks.
Automated information systems security
Measures and controls that protect an automated information system against
denial of service and unauthorized (accidental or intentional) disclosure,
modification, or destruction of automated information systems and data.
Availability
The state when data are in the place needed by the user, at the time user
needs them, and in the form needed by the user.
Category
A restrictive label that has been applied to classified or unclassified data
to increase the protection of the data by further restricting access to it.
Individuals are granted access to special category information only after
being granted formal access authorization.
Central computer facility
One or more computers with their peripheral and storage units, central
processing units, and communications equipment in a single controlled area.
Central computer facilities are those areas where computers, other than
personal computers, are housed to provide necessary environmental, physical,
or other controls.
Certification
The comprehensive evaluation of the technical and nontechnical security
features of an automated information system, and other safeguards made in
support of the accreditation process, that establish the extent to which a
particular design and implementation meet a specified set of security
requirements.
Classified defense information
Official information regarding the national security that has been
designated "top secret," "secret," or "confidential" according to Executive
Order 12356.
Clearing (magnetic media)
A procedure used to erase or overwrite classified or unclassified-sensitive
information stored on magnetic medium. Clearing allows reuse of the medium
at the same classification level, but does not produce declassified medium.
Commercial COMSEC Endorsement Program (CCEP)
A program in which cryptographic subsystems and telecommunications equipment
using embedded cryptography are developed, produced, and marketed under
formal agreements between individual commercial vendors and the National
Security Agency.
Communications deception
Deliberate transmission, retransmission, or alteration of communications to
mislead an adversary in interpretation of the communications.
Communications security (COMSEC)
Measures taken to deny unauthorized persons information derived from
telecommunications of the U.S. Government concerning national security, and
to ensure the authenticity of such telecommunications.
Compromising emanations
Unintentional intelligence-bearing signals that, if intercepted and
analyzed, disclose the information transmission received, handled, or
otherwise processed by any information processing equipment.
Computer
A machine capable of accepting data, performing calculations on, or
otherwise manipulating that data, storing it, and producing new data.
Computer facility
Physical resources that include structures or parts of structures that
support or house computer resources. The physical area where the equipment is located.
Computer security
See automated information systems security.
Confidentiality
The concept of protecting data from unauthorized disclosure.
Configuration control
The process of controlling modifications to a system's hardware, firmware,
software, and documentation that provides sufficient assurance that the
system is protected against the introduction of improper modifications
before, during, and after system implementation.
Controlled access protection
Access control through log-in procedures, audit of security-relevant events,
and resource isolation. Controlled access protection is normally associated
with class C2 systems.
Controlled cryptographic item
An unclassified but controlled secure telecommunications or automated
information-handling equipment and associated cryptographic assembly,
component, or other hardware or firmware item that performs a critical
COMSEC or COMSEC-ancillary function.
Cryptoequipment
Equipment that embodies a cryptographic logic.
Cryptographic
Pertaining to, or concerned with, cryptography.
Cryptography
The principles, means, and methods for rendering plain information
unintelligible and for restoring such information to intelligible form.
Cryptology
The science and activities which deal with hidden, disguised, or encrypted
communications.
Cryptosystem
The associated items of COMSEC material used as a unit to provide a single
means of encryption or decryption.
Data security
The protection of data from unauthorized (accidental or intentional)
modification, destruction, or disclosure.
Declassification (of magnetic storage media)
An administrative procedure resulting in a determination that classified
information formerly stored on a magnetic medium has been removed or
overwritten sufficiently to permit reuse in an unclassified environment.
Dedicated security mode
A mode of operation wherein all users of the AIS possess the required
personnel security clearance or authorization, formal access approval (if
required), and need-to-know for all data processed by the AIS. Processing
in this mode may be full-time or for specific periods of time.
Degauss
To reduce magnetic flux density to zero by applying a reverse magnetizing
field.
Denial of service
Action or actions which prevent any part of a TAIS from functioning
according to its intended purpose.
Designated accreditation authority
A senior management official who has the authority and responsibility to
decide to accept or reject the security safeguards prescribed for an
automated information system, and who may be responsible for issuing an
accreditation statement or certificate that records the decision to accept
those safeguards for his or her department, agency, or Service.
DOD trusted computer system evaluation criteria
A uniform set of basic requirements and evaluation classes for assessing the
effectiveness of hardware and software security controls built into
automated information systems (developed by the National Computer Security
Center and published as DOD 5200.28-STD).
Electronic security
The protection afforded by all measures designed to deny unauthorized
persons information of value that might be derived from the interception and
analysis of noncommunications electromagnetic radiations, such as radar.
Embedded cryptography
Cryptography incorporated within an equipment or system whose basic function
is not cryptographic.
Embedded system
A system that performs or controls a function, either in whole or in part,
as an integral element of a larger system or subsystem.
Emission security
The protection resulting from all measures taken to deny unauthorized
persons information of value that might be derived from intercept and
analysis of compromising emanations from cryptoequipment, automated
information systems, and telecommunications systems.
Evaluated Products List
A list of equipment, hardware, software, and firmware that has been
evaluated against, and found to be in technical compliance at a particular
level of trust, with the DOD Trusted Computer System Evaluation Criteria by
the National Computer Security Center.
Firmware
Software permanently stored in a hardware device that allows reading and
executing the software, but not writing or modifying it.
Foreign national employees
Non-U.S. citizens who normally reside in the country where employed, though
they may not be citizens of that country, and who are employed by the U.S.
Government and the Department of the Army.
Formal access approval
Documented approval to allow access to a particular category of information.
Information systems security
A composite of means to protect telecommunications systems and automated
information systems, and the information they process.
Integrity
The degree of protection for data from intentional or unintentional
alteration or misuse.
Key
Information (usually a sequence of random binary digits) used initially to
set up (and periodically to change) the operations performed in a
cryptoequipment for encrypting or decrypting electronic signals, for
determining electronic countermeasure patterns (frequency hopping or spread
spectrum), or for producing other keys.
Key management
The process by which a key is generated, stored, protected, transferred,
loaded, used, and destroyed.
Machine cryptosystem
A cryptosystem in which the cryptographic processes are performed by
cryptoequipment.
Mainframe
A computer system characterized by dedicated operators (beyond the system
users); high capacity, distinct storage devices; special environmental
considerations; and an identifiable computer room or complex.
Malicious software
Software that is intentionally introduced in a system to cause harm.
Manual cryptosystem
A cryptosystem in which the cryptographic processes are performed manually
without the use of cryptoequipment or auto-manual devices.
Multilevel security mode
A mode of operation wherein not all users of the AIS possess the required
personnel security clearance for all data being processed by the AIS.
Need-to-know
The necessity for access to, knowledge of, or possession of specific
information required to carry out official duties.
Network
Communications medium and all components attached to that medium whose
function is the transfer of information. Components may include AIS, packet
switches, telecommunications controllers, key distribution centers, and
technical control devices.
Noncommunications emitter
Any device which radiates electromagnetic energy for purposes other than
communicating (for example, radars, navigational aids, and laser range
finders). A noncommunication emitter may include features normally
associated with computers, in which case it must also meet the requirements
for an AIS.
Partitioned security mode
A mode of operation wherein all users of the AIS possess the required
personnel security clearance or authorization, but not necessarily formal
access approval and need-to-know for all information handled by the AIS. For
systems processing CS1 data, this mode is equivalent to the compartmented
mode defined in DCID 1/16.
Password
A protected or private string of characters used to authenticate an
identity.
Periods processing
The processing in an automated information system of various levels of
sensitive information at distinctly different times, with the system being
properly declassified between periods.
Protected distribution system (PDS)
A wireline or fiber-optics system which includes adequate acoustic,
electrical, electromagnetic, and physical safeguards to permit its use for
the unencrypted transmission of classified information.
Purging (magnetic media)
A procedure used to totally and unequivocally erase or overwrite all
information stored on magnetic media. Purging is one prerequisite to
declassification of magnetic media.
Remote terminal
A terminal which is not in the immediate vicinity of the AIS it accesses.
Risk
The probability that a particular threat will exploit a particular
vulnerability of an automated information system or telecommunications
system.
Risk assessment
The process of identifying security risks based on an analysis of threats
to and vulnerabilities of systems, determining the magnitude of those
risks, and incorporating measures needed to safeguard against them.
Risk management
The application of managerial techniques concerned with the identification,
measurement, control, and minimization of uncertain events.
Small computer
A small general-purpose computer designed to support a single user at a time.
Disk drives, printers, and other equipment associated with the small
computer are considered part of the small computer.
Stand-alone computer
An automated information system that is physically and electrically isolated
from all other automated information systems.
Systems high security mode
A mode of operation wherein all users of the AIS possess the required
personnel security clearance or authorization, but not necessarily a
need-to-know, for all data handled by the AIS. If the AIS processes formal
categories of information, all users must have formal access approval.
Technical vulnerability
A hardware, firmware, communication, or software weakness which leaves a
computer processing system open for potential exploitation or damage, either
externally or internally, resulting in risk for the owner, user, or manager
of the system.
Telecommunications
The preparation, transmission, communication, or related processing of
information (writing, images, sounds, or other data) by electrical,
electromagnetic, electro-mechanical, electro-optical, or electronic means.
Telecommunications and automated information systems
This term in this regulation indicates that a statement applies to both AIS
and telecommunications systems.
Telecommunications system
Any system which transmits, receives, or otherwise communicates information
by electrical, electromagnetic, electro-mechanical, or electro-optical
means. A telecommunications system may include features normally associated
with computers, in which case it must also meet the requirements for an AIS.
TEMPEST
The investigation, study, and control of compromising emanations from
electrical and electronic equipment. TEMPEST is often used as a synonym for
compromising emanations, as in "TEMPEST test" or "TEMPEST inspection."
Terminal
Any device which is used to access an AIS, including "dumb" terminals, which
only function to access another AIS, as well as personal computers or other
sophisticated AIS which may access other AIS as one of their functions.
Threat
Any capability, circumstance, or event with the potential to cause harm to
a TAIS in the form of destruction, unauthorized disclosure, modification of
data, or denial of service.
Threat agent
A means or method used to exploit a vulnerability in a system, operation,
or facility.
Transmission security
The component of COMSEC that consists of all measures designed to protect
transmissions from interception and exploitation by means other than
cryptanalysis.
Unclassified-sensitive information
Any unclassified information, the loss, misuse, or unauthorized access to
or modification of which could adversely affect the national interest or the
conduct of Federal programs, or the privacy to which individuals are
entitled under the Privacy Act.
Users
Persons or processes accessing an automated information system either by
direct connections (that is, via terminals) or indirect connections (that
is, preparing input or receiving output from the system without a review for
classification or content by a responsible individual). Also, an individual
who is required to use COMSEC material in the performance of his or her
duties and who is responsible for safeguarding that COMSEC material.
Vulnerability
A weakness in a TAIS or cryptographic system (or system security procedures,
hardware design, internal controls, and so forth) that could be exploited
to gain unauthorized access to classified or sensitive information, impact
system availability, or affect data integrity.