Praetorian Secure


Glossary of Information Assurance (IA) Certification and Accreditation terms used on this site

accreditation boundary

(IA) Identifies the information resources covered by an accreditation decision, as distinguished from separately accredited information resources that are interconnected or with which information is exchanged via messaging. (Synonymous with Security Perimeter)

(IC) For the purposes of identifying the Protection Level for confidentiality of a system to be accredited, the system has a conceptual boundary that extends to all intended users of the system, both directly and indirectly connected, who receive output from the system. (DCID 6/3, 5 Jun 99)

accreditation decision

A formal statement by a designated accrediting authority (DAA) regarding acceptance of the risk associated with operating a DoD information system (IS) and expressed as an authorization to operate (ATO), interim ATO (IATO), interim authorization to test (IATT), or denial of ATO (DATO). The accreditation decision may be issued in hard copy with a traditional signature or issued electronically signed with a DoD public key infrastructure (PKI)-certified digital signature.

adequate security

Security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. This includes assuring that information systems operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls. (OMB Circular A-130)

application

Software program that performs a specific function directly for a user and can be executed without access to system control, monitoring, or administrative privileges. Examples include office automation, electronic mail, web services, and major functional or mission software programs.

artifacts

System policies, documentation, plans, test procedures, test results, and other evidence that express or enforce the information assurance (IA) posture of the DoD IS, make up the certification and accreditation (C&A) information, and provide evidence of compliance with the assigned IA controls.

assigned IA controls

The set of IA controls that a given DoD IS must address to achieve an adequate IA posture. Consist of baseline IA controls plus any augmenting IA controls.

augmenting IA controls

IA controls that augment baseline IA controls to address special security needs or unique requirements (e.g., cross security domain solutions, health information portability, privacy, etc.) of the IS(s) to which they apply. Augmenting IA controls may originate from a mission area (MA), a DoD Component, a Community of Interest (COI), or a local system. Augmenting IA controls must neither contradict nor negate DoD baseline IA controls and must not degrade interoperability across the DoD Enterprise.

Authorization Termination Date (ATD)

The date assigned by the DAA that indicates when an ATO, IATO, or IATT expires.

Acronym: ATD

Authorization to Operate (ATO)

Authorization granted by a DAA for a DoD IS to process, store, or transmit information. An ATO indicates a DoD IS has adequately implemented all assigned IA controls to the point where residual risk is acceptable to the DAA. ATOs may be issued for up to 3 years.

Acronym: ATO

authorized user

Any appropriately cleared individual with a requirement to access a DoD information system in order to perform or assist in a lawful and authorized governmental function.

Automated Information System (AIS) Application

For DoD information assurance purposes, an AIS application is the product or deliverable of an acquisition program, such as those described in DoD Directive 5000.1. (reference (u)). An AIS application performs clearly defined functions for which there are readily identifiable security considerations and needs that are addressed as part of the acquisition. An AIS application may be a single software application (e.g., Integrated Consumable Items Support (ICIS)); multiple software applications that are related to a single mission (e.g., payroll or personnel); or a combination of software and hardware performing a specific support function across a range of missions (e.g., Global Command and Control System (GCCS), Defense Messaging System (DMS)).

baseline IA controls

The minimum set of IA controls that must be addressed to achieve adequate security. Baseline IA controls are prescribed by DoDI 8500.2 (Reference (d)) based on mission assurance category (MAC) and confidentiality level (CL).

basic robustness

Security services and mechanisms that equate to best commercial practices.

CAT I severity category

Assigned to findings that allow primary security protections to be bypassed, allowing immediate access by unauthorized personnel or unauthorized assumption of super-user privileges. An ATO will not be granted while CAT I weaknesses are present.

CAT II severity category

Assigned to findings that have a potential to lead to unauthorized system access or activity. CAT II findings that have been satisfactorily mitigated will not prevent an ATO from being granted.
