NATIONAL MANAGER
NATIONAL SECURITY TELECOMMUNICATIONS AND INFORMATION SYSTEMS SECURITY (NSTISS)
5 June 1992

FOREWORD

1. National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4009, "National Information Systems Security (INFOSEC) Glossary," provides standard definitions for many of the specialized terms relating to the disciplines of communications security (COMSEC) and automated information systems security (AISS), sometimes referred to as computer security (COMPUSEC). In general, communications and data management terms that do not relate closely to telecommunications and automated information systems security are outside the scope of this document and are not included.

2. The definitions contained in this glossary are prescriptive for all elements of the U.S. Government and for its contractors with respect to national security systems.

3. This document is divided into three sections: Section I contains terms and definitions, Section II is a list of commonly used abbreviations and acronym expansions, and Section III contains applicable references. In the definitions section, explanatory information is presented in notes following the definitions with which they are associated. Such notes are not part of the definitions to which they relate.

4. This document supersedes NCSC-9, "National Communications Security (COMSEC) Glossary," dated 1 September 1982.

5. Representatives of the National Security Telecommunications and Information Systems Security Committee may obtain additional copies of this instruction from:

  Executive Secretariat
  National Security Telecommunications and Information Systems Security Committee (NSTISSC)
  National Security Agency
  Fort George G. Meade, MD 20755-6000

6. U.S. Government contractors are to contact their appropriate government agency or Contracting Officer Representative regarding distribution of this document.

7. Readers are encouraged to review this glossary and suggest additions, deletions, or changes at any time. Recommendations for revising the document may be sent to the Executive Secretariat at the above address, via the appropriate NSTISSC representative.

J. M. McConnell
Vice Admiral, U.S. Navy

NSTISSI No. 4009

SECTION I
TERMS AND DEFINITIONS

A

access
  (COMSEC) Capability and opportunity to gain knowledge of or to alter information or material.
  (AIS) Ability and means to communicate with (i.e., input to or receive output from), or otherwise make use of any information, resource, or component in an AIS.
  NOTE: An individual does not have "access" if the proper authority or a physical, technical, or procedural measure prevents them from obtaining knowledge or having an opportunity to alter information, material, resources, or components.

access control
  Process of limiting access to the resources of an AIS only to authorized users, programs, processes, or other systems.

access control list
  Mechanism implementing discretionary access control in an AIS that identifies the users who may access an object and the type of access to the object that a user is permitted.

access control mechanism
  Security safeguards designed to detect and prevent unauthorized access, and to permit authorized access in an AIS.

access level
  Hierarchical portion of the security level used to identify the sensitivity of AIS data and the clearance or authorization of users.
  NOTE: Access level, in conjunction with the non-hierarchical categories, forms the sensitivity label of an object. See category.

access list
  (COMSEC) Roster of persons authorized admittance to a controlled area.
  (AIS) Compilation of users, programs, and/or processes and the access levels and types to which each is authorized.

access period
  Segment of time, generally expressed in days or weeks, during which access rights prevail.
access port
  Logical or physical identifier a computer uses to distinguish different terminal input/output data streams, or the physical connection for attaching an external device.

access type
  Privilege to perform an action on a program or file.
  NOTE: Read, write, execute, append, modify, delete, and create are examples of access types.

accessible space
  Area within which the user is aware of all persons entering and leaving, which denies the opportunity for concealed TEMPEST surveillance, and which delineates the closest point of potential TEMPEST intercept from a vehicle.

accountability
  (COMSEC) Principle that an individual is responsible for safeguarding and controlling COMSEC equipment, keying material, and information entrusted to his/her care and is answerable to proper authority for the loss or misuse of that equipment or information.
  (AIS) Property that allows auditing of activities on an AIS to be traced to persons who may then be held responsible for their actions.

accounting legend code
  Numeric code used to indicate the minimum accounting controls required for items of accountable COMSEC material within the COMSEC Material Control System.
  NOTE: National-level accounting legend codes are:
    ALC-1 - continuously accountable by serial number.
    ALC-2 - continuously accountable by quantity.
    ALC-4 - report of initial receipt required. After acknowledging receipt, users may control in accordance with Service, department, or agency directives.

accounting number
  Number assigned to an item of COMSEC material to facilitate its control.

accreditation
  Formal declaration by a designated approving authority that an AIS is approved to operate in a particular security mode using a prescribed set of safeguards.

accreditation authority
  Synonymous with designated approving authority.

add-on security
  Incorporation of new hardware, software, or firmware safeguards in an operational AIS.
adversary
  Person or organization that must be denied access to critical information.

alternate COMSEC custodian
  Person designated by proper authority to perform the duties of the COMSEC custodian during the temporary absence of the COMSEC custodian.

anti-jam
  Measures to ensure that intended transmitted information can be received despite deliberate jamming attempts.

anti-spoof
  Measures to prevent an opponent's participation in a telecommunications network or operation/control of a cryptographic or COMSEC system.

assembly
  Group of parts, elements, subassemblies, or circuits that are removable items of COMSEC equipment.

assurance
  Measure of confidence that the security features and architecture of an AIS accurately mediate and enforce the security policy.

attack
  Act of trying to defeat AIS safeguards.

audit
  Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.

audit trail
  Chronological record of system activities to enable the reconstruction and examination of the sequence of events and/or changes in an event.
  NOTE: Audit trail may apply to information in an AIS, to message routing in a communications system, or to the transfer of COMSEC material.

authenticate
  Verify the identity of a user, user device, or other entity, or the integrity of data stored, transmitted, or otherwise exposed to unauthorized modification in an automated information system, or establish the validity of a transmitted message.

authentication
  Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's eligibility to receive specific categories of information.

authentication system
  Cryptosystem or process used for authentication.
authenticator
  Means used to confirm the identity or eligibility of a station, originator, or individual.

authorization
  Access rights granted to a user, program, or process.

authorized vendor
  Manufacturer of existing COMSEC equipment who is authorized to produce quantities in excess of contractual requirements for direct sale to eligible buyers.

Authorized Vendor Program
  Program in which a vendor, producing a COMSEC product under contract to the National Security Agency, is authorized to produce that product in numbers exceeding the contracted requirements for direct marketing and sale to eligible buyers.
  NOTE: Eligible buyers are typically U.S. Government organizations or U.S. Government contractors. Products approved for marketing and sale through the Authorized Vendor Program are placed on the Endorsed Cryptographic Products List.

auto-manual system
  Programmable, hand-held crypto-equipment used to perform encoding and decoding functions.

automated information systems
  Any equipment or interconnected system or subsystems of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data and includes computer software, firmware, and hardware.
  NOTE: Included are computers, word processing systems, networks, or other electronic information handling systems, and associated equipment.

automated information systems security
  Synonymous with computer security.

automated security monitoring
  Use of automated procedures to ensure security controls for an AIS are not circumvented.

automatic remote rekeying
  Procedure to rekey a distant crypto-equipment electronically without specific actions by the receiving terminal operator.

availability of data
  Data that is in the place, at the time, and in the form needed by the user.

B

backdoor
  Synonymous with trap door.
Bell-La Padula security model
  Formal-state transition model of a computer security policy that describes a formal set of access controls based on information sensitivity and subject authorizations. (See star (*) property and simple security property.)

benign
  Condition of cryptographic data such that it cannot be compromised by human access to the data.
  NOTE: The term benign may be used to modify a variety of COMSEC-related terms (e.g., key, data, storage, fill, and key distribution techniques).

benign environment
  Nonhostile environment that may be protected from external hostile elements by physical, personnel, and procedural security countermeasures.

beyond A1
  Level of trust employed by the DoD Trusted Computer System Evaluation Criteria that was beyond the state-of-the-art technology at the time the criteria was developed.
  NOTE: As defined in the "Orange Book," beyond A1 includes all the A1-level features, plus others not required at the A1 level.

binding
  Process of associating a specific communications terminal with a specific cryptographic key, or associating two related elements of information.

bit error rate
  Ratio between the number of bits incorrectly received and the total number of bits transmitted in a telecommunications system.

BLACK
  Designation applied to telecommunications and automated information systems, and to associated areas, circuits, components, and equipment, in which only unclassified signals are processed.
  NOTE: Encrypted signals are unclassified.

BLACK key
  Encrypted key. (See RED key.)

brevity list
  List containing words and phrases used to shorten messages.

browsing
  Act of searching through AIS storage to locate or acquire information, without necessarily knowing the existence or format of the information being sought.

bulk encryption
  Simultaneous encryption of all channels of a multichannel telecommunications trunk.

C

call back
  Procedure for identifying a remote AIS terminal, whereby the host system disconnects the caller and then dials the authorized telephone number of the remote terminal to re-establish the connection.

call sign cipher
  Cryptosystem used to encipher/decipher call signs, address groups, and address indicating groups.

canister
  Type of protective package used to contain and dispense key in punched or printed tape form.

capability
  Unforgeable ticket that provides incontestable proof that the presenter is authorized access to the object named in the ticket.

capability-based system
  AIS in which access to protected objects is granted if the subject possesses a capability for the object.

category
  Restrictive label that has been applied to both classified and unclassified data, thereby increasing the requirement for protection of, and restricting the access to, the data.
  NOTE: Examples include sensitive compartmented information, proprietary information, and North Atlantic Treaty Organization information. Individuals are granted access to special category information only after being granted formal access authorization.

CCI assembly
  Device embodying a cryptographic logic or other COMSEC design that the National Security Agency has approved as a controlled cryptographic item and performs the entire COMSEC function, but is dependent upon the host equipment to operate.

CCI component
  Device embodying a cryptographic logic or other COMSEC design, which the National Security Agency has approved as a controlled cryptographic item, that does not perform the entire COMSEC function and is dependent upon the host equipment or assembly to complete and operate the COMSEC function.

CCI equipment
  Telecommunications or information handling equipment that embodies a controlled cryptographic item component or controlled cryptographic item assembly and performs the entire COMSEC function without dependence on a host equipment to operate.
central office of record
  Office of a federal department or agency that keeps records of accountable COMSEC material held by elements subject to its oversight.

certificate of action statement
  Statement attached to a COMSEC audit report by which a COMSEC custodian certifies that all actions have been completed.

certification
  Comprehensive evaluation of the technical and nontechnical security features of an AIS and other safeguards, made in support of the accreditation process, to establish the extent to which a particular design and implementation meets a set of specified security requirements.

certified TEMPEST technical authority
  U.S. Government or U.S. Government contractor employee designated to review the TEMPEST countermeasures programs of a federal department or agency.

challenge and reply authentication
  Prearranged procedure in which one communicator requests authentication of another and the latter establishes his/her validity with a correct reply.

checksum
  Value computed, via some parity or hashing algorithm, on information requiring protection against error or manipulation.
  NOTE: Checksums are stored or transmitted with data and are intended to detect data integrity problems.

check word
  Cipher text generated by a cryptographic logic to detect failures in the cryptography.

cipher
  Cryptographic system in which units of plain text are substituted according to a predetermined key.

cipher text
  Enciphered information.

cipher text auto-key
  Cryptographic logic which uses previous cipher text to generate a key stream.

ciphony
  Process of enciphering audio information, resulting in encrypted speech.

classified information
  National security information that has been classified pursuant to Executive Order 12356.

clearing
  Removal of data from an AIS, its storage devices, and other peripheral devices with storage capacity, in such a way that the data may not be reconstructed using normal system capabilities (i.e., through the keyboard).
  NOTE: An AIS need not be disconnected from any external network before clearing takes place. Clearing enables a product to be reused within, but not outside of, a secure facility. It does not produce a declassified product by itself, but may be the first step in the declassification process. See purge.

closed security environment
  Environment that provides sufficient assurance that applications and equipment are protected against the introduction of malicious logic prior to or during the operation of a system.
  NOTE: Closed security is predicated upon a system's developers, operators, and maintenance personnel having sufficient clearances, authorization, and configuration control.

code
  System of communication in which arbitrary groups of letters, numbers, or symbols represent units of plain text of varying length.
  NOTE: Codes may or may not provide security. Common uses include:
    (a) converting information into a form suitable for communications or encryption,
    (b) reducing the length of time required to transmit information,
    (c) describing the instructions which control the operation of a computer, and
    (d) converting plain text to meaningless combinations of letters or numbers and vice versa.

code book
  Book or other document containing plain text and code equivalents in a systematic arrangement, or a technique of machine encryption using a word substitution technique.

code group
  Group of letters, numbers, or both in a code system used to represent a plain text word, phrase, or sentence.

code vocabulary
  Set of plain text words, numerals, phrases, or sentences for which code equivalents are assigned in a code system.

cold start
  Procedure for initially keying crypto-equipment.

command authority
  Individual responsible for the appointment of user representatives for a department, agency, or organization and their key ordering privileges.
Commercial COMSEC Endorsement Program
  Relationship between the National Security Agency and industry, in which the National Security Agency provides the COMSEC expertise (i.e., standards, algorithms, evaluations, and guidance) and industry provides design, development, and production capabilities to produce a type 1 or type 2 product.
  NOTE: Products developed under the Commercial COMSEC Endorsement Program may include modules, subsystems, equipment, systems, and ancillary devices.

common fill device
  One of a family of devices developed to read-in, transfer, or store key.
  NOTE: KYK-13 Electronic Transfer Device, KYX-15 Net Control Device, and KOI-18 General Purpose Tape Reader are examples of common fill devices.

communications cover
  Concealing or altering of characteristic communications patterns to hide information that could be of value to an adversary.

communications deception
  Deliberate transmission, retransmission, or alteration of communications to mislead an adversary's interpretation of the communications. (See imitative communications deception and manipulative communications deception.)

communications profile
  Analytic model of communications associated with an organization or activity.
  NOTE: The model is prepared from a systematic examination of communications content and patterns, the functions they reflect, and the communications security measures applied.

communications security
  Measures and controls taken to deny unauthorized persons information derived from telecommunications and ensure the authenticity of such telecommunications.
  NOTE: Communications security includes cryptosecurity, transmission security, emission security, and physical security of COMSEC material.

compartmented mode
  AIS security mode of operation wherein each user with direct or indirect access to the system, its peripherals, remote terminals, or remote hosts has all of the following:
    a. Valid security clearance for the most restricted information processed in the system.
    b. Formal access approval and signed non-disclosure agreements for that information to which a user is to have access.
    c. Valid need-to-know for information to which a user is to have access.

compromise
  Disclosure of information or data to unauthorized persons, or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object may have occurred.

compromising emanations
  Unintentional signals that, if intercepted and analyzed, would disclose the information transmitted, received, handled, or otherwise processed by telecommunications or automated information systems equipment. (See TEMPEST.)

computer abuse
  Intentional or reckless misuse, alteration, disruption, or destruction of data processing resources.

computer cryptography
  Use of a crypto-algorithm program stored in software or firmware, by a general purpose computer, to authenticate or encrypt/decrypt data for storage or transmission.

computer security
  Measures and controls that ensure confidentiality, integrity, and availability of the information processed and stored by a computer.

computer security incident
  Any event in which a computer system is attacked, intruded into, or threatened with an attack or intrusion.

computer security subsystem
  Device designed to provide limited computer security features in a larger system environment.

Computer Security Technical Vulnerability Reporting Program
  Program that focuses on technical vulnerabilities in commercially available hardware, firmware and software products acquired by DoD.
  NOTE: The Computer Security Technical Vulnerability Reporting Program provides for reporting, cataloging, and discrete dissemination of technical vulnerability and corrective-measure information on a need-to-know basis.

COMSEC account
  Administrative entity, identified by an account number, used to maintain accountability, custody and control of COMSEC material.

COMSEC account audit
  Examination of the holdings, records, and procedures of a COMSEC account to ensure that all accountable COMSEC material is properly handled and safeguarded.

COMSEC aid
  COMSEC material, other than an equipment or device, that assists in securing telecommunications and which is required in the production, operation, or maintenance of COMSEC systems and their components.
  NOTE: COMSEC keying material, callsign/frequency systems, and supporting documentation, such as operating and maintenance manuals, are examples of COMSEC aids.

COMSEC boundary
  Definable perimeter within a telecommunications equipment or system within which all hardware, firmware, and software components that perform critical COMSEC functions are located.
  NOTE: Key generation and key handling and storage are critical COMSEC functions.

COMSEC chip set
  Collection of National Security Agency approved microchips furnished to a manufacturer to secure or protect telecommunications equipment. (See secure communications and protected communications.)

COMSEC control program
  Set of instructions or routines for a computer that controls or affects the externally performed functions of key generation, key distribution, message encryption/decryption, or authentication.

COMSEC custodian
  Person designated by proper authority to be responsible for the receipt, transfer, accounting, safeguarding and destruction of COMSEC material assigned to a COMSEC account.
  NOTE: The term COMSEC manager is replacing the term COMSEC custodian. These terms are not synonymous, since the responsibilities of the COMSEC manager extend beyond the functions required for effective operation of a COMSEC account.

COMSEC end item
  Equipment or combination of components ready for its intended use in a COMSEC application.
COMSEC equipment
  Equipment designed to provide security to telecommunications by converting information to a form unintelligible to an unauthorized interceptor and, subsequently, by reconverting such information to its original form for authorized recipients; also, equipment designed specifically to aid in, or as an essential element of, the conversion process.
  NOTE: COMSEC equipment includes crypto-equipment, crypto-ancillary equipment, cryptoproduction equipment, and authentication equipment.

COMSEC facility
  Space employed primarily for the purpose of generating, storing, repairing, or using COMSEC material.

COMSEC incident
  Occurrence that potentially jeopardizes the security of COMSEC material or the secure electrical transmission of national security information.

COMSEC insecurity
  COMSEC incident that has been investigated, evaluated, and determined to jeopardize the security of COMSEC material or the secure transmission of information.

COMSEC manager
  Person who manages the COMSEC resources of a command or activity. (See the note following the definition for COMSEC custodian.)

COMSEC material
  Item designed to secure or authenticate telecommunications.
  NOTE: COMSEC material includes, but is not limited to, key, equipment, devices, documents, firmware or software that embodies or describes cryptographic logic, and other items that perform COMSEC functions.

COMSEC Material Control System
  Logistics and accounting system through which COMSEC material marked "CRYPTO" is distributed, controlled, and safeguarded.
  NOTE: Included are the COMSEC central offices of record, cryptologistic depots, and COMSEC accounts. COMSEC material other than key may be handled through the COMSEC Material Control System.

COMSEC modification
  Electrical, mechanical, or software change to a National Security Agency approved COMSEC end item.
  NOTE: Categories of COMSEC modifications are: mandatory, optional, special mission mandatory, special mission optional, human safety mandatory, and repair actions.

COMSEC module
  Removable component that performs COMSEC functions in a telecommunications equipment or system.

COMSEC monitoring
  Act of listening to, copying, or recording transmissions of one's own official telecommunications to provide material for analysis, so that the degree of security being provided to those transmissions may be determined.

COMSEC profile
  Statement of the COMSEC measures and materials used to protect a given operation, system, or organization.

COMSEC survey
  Organized collection of COMSEC and communications data relative to a given operation, system, or organization.

COMSEC system data
  Information required by a COMSEC equipment or system to enable it to properly handle and control key.

COMSEC training
  Teaching of hands-on skills relating to COMSEC accounting, the use of COMSEC aids, or the installation, use, maintenance, and repair of COMSEC equipment.

confidentiality
  Assurance that information is not disclosed to unauthorized entities or processes.

configuration control
  Process of controlling modifications to a telecommunications or automated information system's hardware, firmware, software, and documentation to ensure the system is protected against improper modifications prior to, during, and after system implementation.

configuration management
  Management of security features and assurances through control of changes made to hardware, software, firmware, documentation, test, test fixtures and test documentation of an automated information system, throughout the development and operational life of the system.

confinement property
  Synonymous with star (*) property.

contingency key
  Key held for use under specific operational conditions or in support of specific contingency plans.
contingency plan
  Plan maintained for emergency response, backup operations, and post-disaster recovery for an AIS, as a part of its security program, that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation.

controlled access protection
  Log-in procedures, audit of security-relevant events, and resource isolation as prescribed for class C2 in the Orange Book.

controlled cryptographic item
  Secure telecommunications or information handling equipment, or associated cryptographic component, that is unclassified but governed by a special set of control requirements.
  NOTE: Such items are marked "CONTROLLED CRYPTOGRAPHIC ITEM" or, where space is limited, "CCI."

controlled sharing
  Condition which exists when access control is applied to all users and components of an AIS.

controlled space
  Three-dimensional space surrounding telecommunications and automated information systems equipment, within which unauthorized persons are denied unrestricted access and are either escorted by authorized persons or are under continuous physical or electronic surveillance.

controlling authority
  Official responsible for directing the operation of a cryptonet and for managing the operational use and control of keying material assigned to the cryptonet.

cooperative key generation
  Electronically exchanging functions of locally generated, random components, from which both terminals of a secure circuit construct traffic encryption key or key encryption key for use on that circuit.

cooperative remote rekeying
  Synonymous with manual remote rekeying.

cost-benefit analysis
  Assessment of the costs of providing protection or security to a telecommunications or AIS versus the risk and cost associated with asset loss or damage.

countermeasure
  Action, device, procedure, technique, or other measure that reduces the vulnerability of an AIS.
covert channel
  Unintended and/or unauthorized communications path that can be used to transfer information in a manner that violates an AIS security policy. (See overt channel and exploitable channel.)

covert storage channel
  Covert channel that involves the direct or indirect writing to a storage location by one process and the direct or indirect reading of the storage location by another process.
  NOTE: Covert storage channels typically involve a finite resource (e.g., sectors on a disk) that is shared by two subjects at different security levels.

covert timing channel
  Covert channel in which one process signals information to another process by modulating its own use of system resources (e.g., central processing unit time) in such a way that this manipulation affects the real response time observed by the second process.

credentials
  Information passed from one entity to another, that is used to establish the sending entity's access rights.

cryptanalysis
  Operations performed in converting encrypted messages to plain text without initial knowledge of the crypto-algorithm and/or key employed in the encryption.

CRYPTO
  Marking or designator identifying COMSEC keying material used to secure or authenticate telecommunications carrying classified or sensitive U.S. Government or U.S. Government-derived information.
  NOTE: When written in all upper case letters, CRYPTO has the meaning stated above. When written in lower case as a prefix, crypto and crypt are abbreviations for cryptographic.

crypto-alarm
  Circuit or device which detects failures or aberrations in the logic or operation of crypto-equipment.
  NOTE: Crypto-alarm may inhibit transmission or may provide a visible and/or audible alarm.

crypto-algorithm
  Well-defined procedure or sequence of rules or steps used to produce cipher text from plain text and vice versa.
crypto-ancillary equipment
  Equipment designed specifically to facilitate efficient or reliable operation of crypto-equipment, but that does not perform cryptographic functions.

crypto-equipment
  Equipment that embodies a cryptographic logic.

cryptographic
  Pertaining to, or concerned with, cryptography.

cryptographic component
  Hardware or firmware embodiment of the cryptographic logic.
  NOTE: Cryptographic component may be a modular assembly, a printed wiring assembly, a microcircuit, or a combination of these items.

cryptographic initialization
  Function used to set the state of a cryptographic logic prior to key generation, encryption, or other operating mode.

cryptographic logic
  Well-defined procedure or sequence of rules or steps used to produce cipher text from plain text, and vice versa, or to produce a key stream, plus delays, alarms, and checks which are essential to effective performance of the cryptographic process. (See crypto-algorithm.)

cryptographic randomization
  Function which randomly determines the transmit state of a cryptographic logic.

cryptography
  Principles, means, and methods for rendering plain information unintelligible and for restoring encrypted information to intelligible form.

crypto-ignition key
  Device or electronic key used to unlock the secure mode of crypto-equipment.

cryptonet
  Stations that hold a specific key for use.
  NOTE: Activities that hold key for other than use, such as cryptologistic depots, are not cryptonet members for that key. Controlling authorities are de facto members of the cryptonets they control.

cryptoperiod
  Time span during which each key setting remains in effect.

cryptosecurity
  Component of communications security that results from the provision of technically sound cryptosystems and their proper use.

cryptosynchronization
  Process by which a receiving decrypting cryptographic logic attains the same internal state as the transmitting encrypting logic.
cryptosystem: Associated COMSEC items interacting to provide a single means of encryption or decryption.
cryptosystem assessment: Process of establishing the exploitability of a cryptosystem, normally by reviewing transmitted traffic protected or secured by the system under study.
cryptosystem evaluation: Process of determining vulnerabilities of a cryptosystem.
cryptosystem review: Examination of a cryptosystem by the controlling authority to ensure its adequacy of design and content, continued need, and proper distribution.
cryptosystem survey: Management technique in which actual holders of a cryptosystem express opinions on the system's suitability and provide usage information for technical evaluations.

D

data encryption standard: Cryptographic algorithm, designed for the protection of unclassified data and published by the National Institute of Standards and Technology in Federal Information Processing Standard Publication 46.
data flow control: Synonymous with information flow control.
data integrity: Condition that exists when data is unchanged from its source and has not been accidentally or maliciously modified, altered, or destroyed.
data origin authentication: Corroboration that the source of data is as claimed.
data security: Protection of data from unauthorized (accidental or intentional) modification, destruction, or disclosure.
decertification: Revocation of the certification of an AIS item or equipment for cause.
decipher: Convert enciphered text to the equivalent plain text by means of a cipher system.
decode: Convert encoded text to its equivalent plain text by means of a code.
decrypt: Generic term encompassing decode and decipher.
dedicated mode: AIS security mode of operation wherein each user, with direct or indirect access to the system, its peripherals, remote terminals, or remote hosts, has all of the following: a. Valid security clearance for all information within the system. b.
Formal access approval and signed non-disclosure agreements for all the information stored and/or processed (including all compartments, subcompartments, and/or special access programs). c. Valid need-to-know for all information contained within the AIS. NOTE: When in the dedicated security mode, a system is specifically and exclusively dedicated to and controlled for the processing of one particular type or classification of information, either for full-time operation or for a specified period of time.
default classification: Temporary classification reflecting the highest classification being processed in an AIS. NOTE: Default classification is included in the caution statement affixed to the object.
degauss: Destroy information contained in magnetic media by subjecting that media to high-intensity alternating magnetic fields, following which the magnetic fields slowly decrease.
delegated development program: Information systems security program in which the Director, National Security Agency, delegates the development and/or production of the entire telecommunications product, including the information systems security portion, to a lead department or agency.
denial of service: Result of any action or series of actions that prevents any part of a telecommunications or AIS from functioning.
descriptive top-level specification: Top-level specification that is written in a natural language (e.g., English), an informal design notation, or a combination of the two. NOTE: A descriptive top-level specification, required for a class B2 and B3 AIS, completely and accurately describes a trusted computing base. See formal top-level specification.
designated approving authority: Official with the authority to formally assume responsibility for operating an AIS or network at an acceptable level of risk.
design controlled spare part: Part or subassembly for a COMSEC equipment or device with a National Security Agency controlled design.
dial back: Synonymous with call back.
digital signature: Synonymous with electronic signature.
direct shipment: Shipment of COMSEC material directly from the National Security Agency to user COMSEC accounts.
discretionary access control: Means of restricting access to objects based on the identity and need-to-know of users and/or groups to which the object belongs. NOTE: Controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (directly or indirectly) to any other subject. See mandatory access control.
DoD Trusted Computer System Evaluation Criteria: Document containing basic requirements and evaluation classes for assessing degrees of effectiveness of hardware and software security controls built into AIS. NOTE: This document, DoD 5200.28-STD, is frequently referred to as the Orange Book.
domain: Unique context (e.g., access control parameters) in which a program is operating; in effect, the set of objects that a subject has the ability to access.
dominate: Term used to compare AIS security levels. NOTE: Security level S1 is said to dominate security level S2 if the hierarchical classification of S1 is greater than, or equal to, that of S2 and the non-hierarchical categories of S1 include all those of S2 as a subset.
drop accountability: Procedure under which a COMSEC account custodian initially receipts for COMSEC material, and then provides no further accounting for it to its central office of record. NOTE: Local accountability of the COMSEC material may continue to be required. See also accounting legend code, ALC-3 and ALC-4.
dummy group: Textual group having the appearance of a valid code or cipher group which has no plain text significance.

E

electronically generated key: Key produced only in non-physical form. NOTE: Electronically generated key stored magnetically (e.g., on a floppy disc) is not considered hard copy key.
electronic signature: Process that operates on a message to assure message source authenticity and integrity, and source non-repudiation.
electronic security: Protection resulting from all measures designed to deny unauthorized persons information of value which might be derived from the interception and analysis of non-communications electromagnetic radiations, such as radar.
element: Removable item of COMSEC equipment, assembly, or subassembly which normally consists of a single piece or group of replaceable parts.
embedded computer: Computer system that is an integral part of a larger system or subsystem that performs or controls a function, either in whole or in part.
embedded cryptography: Cryptography which is engineered into an equipment or system the basic function of which is not cryptographic. NOTE: Components comprising the cryptographic module are inside the equipment or system and share host device power and housing. The cryptographic function may be dispersed or identifiable as a separate module within the host.
embedded cryptographic system: Cryptosystem that performs or controls a function, either in whole or in part, as an integral element of a larger system or subsystem.
emission security: Protection resulting from all measures taken to deny unauthorized persons information of value which might be derived from intercept and analysis of compromising emanations from crypto-equipment, AIS, and telecommunications systems.
encipher: Convert plain text to equivalent cipher text by means of a cipher.
encode: Convert plain text to equivalent cipher text by means of a code.
encrypt: Generic term encompassing encipher and encode.
end-item accounting: Accounting for all the accountable components of a COMSEC equipment configuration by a single short title.
endorsed DES equipment: Unclassified equipment that embodies unclassified data encryption standard cryptographic logic and has been endorsed by the National Security Agency for the protection of national security information.
endorsed for unclassified cryptographic item: Unclassified cryptographic equipment that embodies a U.S. Government classified cryptographic logic and is endorsed by the National Security Agency for the protection of national security information. (See type 2 product.)
endorsement: National Security Agency approval of a commercially-developed telecommunications or automated information systems protection equipment or system for safeguarding national security information.
end-to-end encryption: Encryption of information at its origin, and decryption at its intended destination, without any intermediate decryption.
end-to-end security: Safeguarding information in a secure telecommunications system by cryptographic or protected distribution system means from point of origin to point of destination.
entrapment: Deliberate planting of apparent flaws in an AIS for the purpose of detecting attempted penetrations.
environment: Procedures, conditions, and objects that affect the development, operation, and maintenance of an AIS.
erasure: Process intended to render stored data irretrievable by normal means.
executive state: One of several states in which an AIS may operate, and the only one in which certain privileged instructions may be executed. NOTE: Such privileged instructions cannot be executed when the system is operating in other (e.g., user) states.
exercise key: Key intended to safeguard transmissions associated with exercises.
exploitable channel: Covert channel that is intended to violate the security policy governing an AIS and is usable or detectable by subjects external to the trusted computing base. (See covert channel.)
exploratory development model: Assembly of preliminary circuits or parts in line with commercial practice to investigate, test, or evaluate the soundness of a concept, device, circuit, equipment, or system in a "breadboard" or rough experimental form, without regard to eventual overall physical form or layout.
extraction resistance: Capability of a crypto-equipment or a secure telecommunications system or equipment to resist efforts to extract key.

F

fail safe: Pertaining to the automatic protection of programs and/or processing systems to maintain safety when a hardware or software failure is detected in a system.
fail soft: Pertaining to the selective termination of affected nonessential processing when a hardware or software failure is determined to be imminent in an AIS.
failure access: Unauthorized and usually inadvertent access to data resulting from a hardware or software failure in an AIS.
failure control: Methodology used to detect and provide fail safe or fail soft recovery from hardware and software failures in an AIS.
fetch protection: AIS-provided restriction to prevent a program from accessing data in another user's segment of storage.
fielded equipment: COMSEC end-item shipped to the user subsequent to first article testing on the initial production contract.
file protection: Aggregate of all processes and procedures established in an AIS designed to inhibit unauthorized access, contamination, elimination, modification, or destruction of a file or any of its contents.
file security: Means by which access to computer files is limited to authorized users only.
fill device: COMSEC item used to transfer or store key in electronic form or to insert key into a crypto-equipment.
FIREFLY: Key management protocol based on public key cryptography.
fixed COMSEC facility: COMSEC facility that is located in an immobile structure or aboard a ship.
flaw: Error of commission, omission, or oversight in an AIS that may allow protection mechanisms to be bypassed.
flaw hypothesis methodology: System analysis and penetration technique in which the specification and documentation for an AIS are analyzed and then flaws in the system are hypothesized. NOTE: The list of hypothesized flaws is prioritized on the basis of the estimated probability that a flaw exists and, assuming a flaw does exist, on the ease of exploiting it, and on the extent of control or compromise it would provide. The prioritized list is used to perform penetration testing of a system.
formal access approval: Documented approval by a data owner to allow access to a particular category of information.
formal proof: Complete and convincing mathematical argument, presenting the full logical justification for each proof step, for the truth of a theorem or set of theorems. NOTE: In computer security, these formal proofs provide A1, and beyond A1, assurance under the DoD Trusted Computer System Evaluation Criteria.
formal security policy model: Mathematically precise statement of a security policy. NOTE: Such a model must define a secure state, an initial state, and how the model represents changes in state. The model must be shown to be secure by proving that the initial state is secure and that all possible subsequent states remain secure.
formal top-level specification: Top-level specification that is written in a formal mathematical language to allow theorems, showing the correspondence of the system specification to its formal requirements, to be hypothesized and formally proven. NOTE: A formal top-level specification, required for a class A1 AIS, completely and accurately describes the trusted computing base. See descriptive top-level specification.
formal verification: Process of using formal proofs to demonstrate the consistency between the formal specification of a system and the formal security policy model (design verification) or between the formal specification and its high-level program implementation (implementation verification).
frequency hopping: Repeated switching of frequencies during radio transmission according to a specified algorithm, to minimize unauthorized interception or jamming of telecommunications.
front-end security filter: Security filter, which could be implemented in hardware or software, that is logically separated from the remainder of an AIS to protect the integrity of the system.
full maintenance: Complete diagnostic repair, modification, and overhaul of information systems security equipment, including repair of defective assemblies by piece part replacement. (See limited maintenance.)
functional testing: Segment of security testing in which advertised security mechanisms of an AIS are tested under operational conditions.

G

granularity: Relative fineness or coarseness to which an access control mechanism can be adjusted. NOTE: Protection at the file level is considered coarse granularity, whereas protection at the field level is considered to be a finer granularity.
guard: Processor that provides a filter between two disparate systems operating at different security levels or between a user terminal and a data base to remove data for which the user is not authorized access.

H

handshaking procedures: Dialogue between two entities (e.g., a user and a computer, a computer and another computer, or a program and another program) for the purpose of identifying and authenticating these entities to one another.
hard copy key: Physical keying material, such as printed key lists, punched or printed key tapes, or programmable, read-only memories.
hardwired key: Key that is permanently installed.
hashing: Iterative process that computes a value (referred to as a hashword) from a particular data unit in a manner that, when the hashword is protected, manipulation of the data is detectable.
hashword: Synonymous with checksum.
high risk environment: Specific location or geographic area where there are insufficient friendly security forces to ensure the safeguarding of information systems security equipment.
hostile cognizant agent: Person, authorized access to national security information, who intentionally makes that information available to an intelligence service or other group the goals of which are inimical to the interests of the United States Government or its allies.
host to front-end protocol: Set of conventions governing the format and control of data that is passed from a host to a front-end machine.

I

identification: Process that enables recognition of an entity by an AIS. NOTE: This is generally accomplished by the use of unique machine-readable user names.
imitative communications deception: Introduction of deceptive messages or signals into an adversary's telecommunications signals. See communications deception and manipulative communications deception.
impersonation: Synonymous with spoofing.
implant: Electronic device or component modification to electronic equipment that is designed to gain unauthorized interception of information-bearing energy via technical means.
inadvertent disclosure: Accidental exposure of information to a person not authorized access.
incomplete parameter checking: AIS design flaw that results when all parameters have not been fully anticipated for accuracy and consistency, thus making the system vulnerable to penetration.
individual accountability: Ability to associate positively the identity of a user with the time, method, and degree of access to an AIS.
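The incomplete parameter checking entry above describes a flaw class rather than a mechanism, so an added example (not from NSTISSI 4009) of the flaw beside its fix is the most useful thing to put here. The buffer, record layout and the "secret" placed after the records are constructed for the illustration, and both reader functions are hypothetical. The flawed reader checks each parameter against one bad case only; the hardened reader checks sign, range and the combination of the two parameters.

```python
from typing import Callable, Dict, Union

# Constructed sample: two 8-byte records, followed by material that the
# record-reading interface must never hand back to a caller.
BUFFER = b"rec-0001" + b"rec-0002" + b"SECRET-KEY-MATERIAL"
RECORD_SIZE = 8
RECORD_AREA = 16        # bytes 0..15 hold records; anything past that is off limits


def read_record_incomplete(buf: bytes, offset: int, length: int) -> bytes:
    """Flawed reader: each parameter gets *a* check, but not against every way
    it can be wrong. A negative offset passes `offset < RECORD_AREA` and makes
    Python slice from the end of the buffer; a window that starts inside the
    record area but ends past it is never checked; a negative length passes
    `length <= RECORD_SIZE` and returns almost the whole buffer."""
    if offset >= RECORD_AREA or length > RECORD_SIZE:
        raise ValueError("out of range")
    return buf[offset:offset + length]


def read_record_complete(buf: bytes, offset: int, length: int) -> bytes:
    """Hardened reader: every parameter is checked for range and sign, and the
    window formed by the two together must lie wholly inside the record area."""
    if not 0 <= offset < RECORD_AREA:
        raise ValueError("offset out of range")
    if not 0 <= length <= RECORD_SIZE:
        raise ValueError("length out of range")
    if offset + length > RECORD_AREA:
        raise ValueError("window crosses the record boundary")
    return buf[offset:offset + length]


def probe(reader: Callable[[bytes, int, int], bytes]) -> Dict[str, Union[bytes, str]]:
    """Exercise a reader with one legitimate and three hostile parameter sets."""
    cases = {
        "valid": (8, 8),            # second record
        "negative_offset": (-19, 8),
        "straddle": (15, 8),        # starts in the record area, ends in the secret
        "negative_length": (0, -1),
    }
    results: Dict[str, Union[bytes, str]] = {}
    for name, (offset, length) in cases.items():
        try:
            results[name] = reader(BUFFER, offset, length)
        except ValueError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(probe(read_record_incomplete))   # three of four calls leak past the records
    print(probe(read_record_complete))     # only the valid call returns data
```

The point generalizes beyond Python slicing: in C the same incomplete checks become an out-of-bounds read or write, and in any language the fix is the same, enumerate every way each parameter and each combination of parameters can be wrong rather than checking the one case the designer had in mind.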
information flow control: Procedure to ensure that information transfers within an AIS are not made from a higher security level object to an object of a lower security level.
information label: Piece of information that accurately and completely represents the sensitivity of the data in a subject or object. NOTE: An information label consists of a security label as well as other required security markings (e.g., codewords, dissemination control markings, and handling caveats), to be used for data information security labeling purposes.
information system: Any telecommunications and/or computer related equipment or interconnected system or subsystems of equipment that is used in the acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of voice and/or data, and includes software, firmware, and hardware.
information systems security (INFOSEC): The protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.
information system security officer: Person responsible to the designated approving authority who ensures that security of an information system is implemented through its design, development, operation, maintenance, and secure disposal stages.
information systems security product: Item (chip, module, assembly, or equipment), technique, or service that performs or relates to information systems security.
initialize: Setting the state of a cryptographic logic prior to key generation, encryption, or other operating mode.
integrity check value: Checksum that is capable of detecting malicious modification of an AIS.
interim approval: Temporary authorization granted by a designated approving authority for an AIS to process classified information and information governed by 10 U.S.C. Section 2315 or 44 U.S.C. 3502(2) in its operational environment based on preliminary results of a security evaluation of the system.
internet private line interface: Network cryptographic unit that provides secure connections, singularly or in simultaneous multiple connections, between a host and a predetermined set of corresponding hosts.
internet protocol: Standard protocol for transmission of data from source to destinations in packet-switched communications networks and interconnected systems of such networks.

K

key: Information (usually a sequence of random or pseudorandom binary digits) used initially to set up and periodically change the operations performed in crypto-equipment for the purpose of encrypting or decrypting electronic signals, for determining electronic counter-countermeasures patterns (e.g., frequency hopping or spread spectrum), or for producing other key. NOTE: "Key" has replaced the terms "variable," "key(ing) variable," and "cryptovariable."
key-auto-key: Cryptographic logic which uses previous key to produce key.
key card: Paper card, containing a pattern of punched holes, which establishes the key for a specific cryptonet at a specific time.
key encryption key: Key that encrypts or decrypts other key for transmission or storage.
key list: Printed series of key settings for a specific cryptonet. NOTE: Key lists may be produced in list, pad, or printed tape format.
key management: Process by which key is generated, stored, protected, transferred, loaded, used, and destroyed.
key production key: Key that is used to initialize a keystream generator for the production of other electronically generated key.
key stream: Sequence of symbols (or their electrical or mechanical equivalents) produced in a machine or auto-manual cryptosystem to combine with plain text to produce cipher text, control transmission security processes, or produce key.
key tag: Identification information associated with certain types of electronic key.
key tape: Punched or magnetic tape containing key. NOTE: Printed key in tape form is referred to as a key list.
key updating: Irreversible cryptographic process for modifying key automatically or manually.
keying material: Key, code, or authentication information in physical or magnetic form.

L

least privilege: Principle that requires that each subject be granted the most restrictive set of privileges needed for the performance of authorized tasks. NOTE: Application of this principle limits the damage that can result from accident, error, or unauthorized use of an AIS.
limited access: Synonymous with access control.
limited maintenance: COMSEC maintenance restricted to fault isolation, removal, and replacement of plug-in assemblies. NOTE: Soldering or unsoldering usually is prohibited in limited maintenance. See full maintenance.
line conduction: Unintentional signals or noise induced or conducted on a telecommunications or automated information system signal, power, control, indicator, or other external interface line.
link encryption: Encryption of data in individual links of a telecommunications system.
list-oriented: Computer protection in which each protected object has a list of all subjects authorized to access it. (See also ticket-oriented.)
lock and key protection system: Protection system that involves matching a key or password with a specific access requirement.
logic bomb: Resident computer program that triggers an unauthorized act when particular states of an AIS are realized.
logical completeness measure: Means for assessing the effectiveness and degree to which a set of security and access control mechanisms meets the requirements of security specifications.
long title: Descriptive title of a COMSEC item.
low probability of detection: Result of measures used to hide or disguise intentional electromagnetic transmissions.
low probability of intercept: Result of measures to prevent the intercept of intentional electromagnetic transmissions.

M

machine cryptosystem: Cryptosystem in which cryptographic processes are performed by crypto-equipment.
magnetic remanence: Magnetic representation of residual information that remains on a magnetic medium after the medium has been erased or overwritten. NOTE: Magnetic remanence refers to data remaining on magnetic storage media after removal of the power or after degaussing.
maintenance hook: Special instructions in software to allow easy maintenance and additional feature development. NOTE: Maintenance hooks are not clearly defined during access for design specification. Since maintenance hooks frequently allow entry into the code at unusual points or without the usual checks, they are a serious security risk if they are not removed prior to live implementation. Maintenance hooks are special types of trap doors.
maintenance key: Key intended only for off-the-air in-shop use.
malicious logic: Hardware, software, or firmware that is intentionally included in an AIS for an unauthorized purpose. NOTE: Trojan horse is a form of malicious logic.
mandatory access control: Means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity. (See discretionary access control.)
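The entries for dominate, information flow control, formal security policy model and mandatory access control describe one mechanism from four angles; the following added example (not part of NSTISSI 4009) puts them together in code. A security level is a hierarchical classification plus a set of non-hierarchical categories, and dominates() is the glossary's definition. The reference-monitor rule is: read requires the subject's clearance to dominate the object's label, write requires the object's label to dominate the subject's clearance (that is what keeps information from flowing from a higher-level object to a lower-level one through a subject). Finally, explore() does what the formal security policy model note asks for, on a system small enough to enumerate: it starts from a secure initial state, applies every grant and release transition, and confirms every reachable state is still secure. The clearances, labels, the "NATO" category and all function names are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, Tuple

# Hierarchical part of a security level; a higher number dominates a lower one.
HIERARCHY = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class SecurityLevel:
    classification: str                          # hierarchical component
    categories: FrozenSet[str] = frozenset()     # non-hierarchical component

    def dominates(self, other: "SecurityLevel") -> bool:
        """S1 dominates S2 iff its classification is >= S2's and its categories
        include all of S2's categories (the glossary's definition of dominate)."""
        return (HIERARCHY[self.classification] >= HIERARCHY[other.classification]
                and other.categories <= self.categories)


Levels = Dict[str, SecurityLevel]
Access = Tuple[str, str, str]       # (subject, object, "read" | "write")


def decide(subjects: Levels, objects: Levels, s: str, o: str, mode: str) -> bool:
    """Mandatory access control decision taken by the reference monitor.
    read:  the subject's clearance must dominate the object's label.
    write: the object's label must dominate the subject's clearance, so a
           subject can never move what it read at a high level into a lower
           level object (information flow control)."""
    if mode == "read":
        return subjects[s].dominates(objects[o])
    if mode == "write":
        return objects[o].dominates(subjects[s])
    raise ValueError(mode)


def is_secure(subjects: Levels, objects: Levels, access: FrozenSet[Access]) -> bool:
    """The 'secure state' predicate: every currently granted access obeys decide()."""
    return all(decide(subjects, objects, s, o, mode) for s, o, mode in access)


def explore(subjects: Levels, objects: Levels) -> Tuple[int, bool]:
    """Enumerate every state reachable from the empty initial state through grant
    and release transitions and report (number of states, all secure?). This is
    the proof obligation of a formal security policy model (initial state secure,
    every transition preserves security) discharged by exhaustive search on a
    system small enough to enumerate, rather than by a formal proof."""
    requests = list(product(subjects, objects, ("read", "write")))
    start: FrozenSet[Access] = frozenset()
    seen = {start}
    queue = deque([start])
    all_secure = is_secure(subjects, objects, start)
    while queue:
        access = queue.popleft()
        for s, o, mode in requests:
            if (s, o, mode) in access:
                nxt = access - {(s, o, mode)}         # release transition
            elif decide(subjects, objects, s, o, mode):
                nxt = access | {(s, o, mode)}         # grant transition
            else:
                continue                              # denied: state unchanged
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
                all_secure = all_secure and is_secure(subjects, objects, nxt)
    return len(seen), all_secure


# Constructed example population (clearances, labels and category are made up).
SUBJECTS: Levels = {"alice": SecurityLevel("TOP SECRET", frozenset({"NATO"})),
                    "bob": SecurityLevel("SECRET")}
OBJECTS: Levels = {"plan": SecurityLevel("SECRET"),
                   "nato_plan": SecurityLevel("TOP SECRET", frozenset({"NATO"})),
                   "bulletin": SecurityLevel("UNCLASSIFIED")}

if __name__ == "__main__":
    print(decide(SUBJECTS, OBJECTS, "bob", "nato_plan", "read"))    # False: no clearance
    print(decide(SUBJECTS, OBJECTS, "alice", "bulletin", "write"))  # False: write down
    print(decide(SUBJECTS, OBJECTS, "bob", "nato_plan", "write"))   # True: writing up is allowed
    print(explore(SUBJECTS, OBJECTS))                               # (256, True)
```

Note what the exhaustive check does and does not establish: it shows the transition rules preserve the secure-state predicate for this population, which is the design-verification half of the glossary's formal verification entry; it says nothing about covert channels, which move information without any granted access and are outside what this model represents.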
mandatory modification: Change to a COMSEC end item that the National Security Agency requires to be completed and reported by a specified date. NOTE: This type of modification should not be confused with modifications that are optional to the National Security Agency, but have been adjudged mandatory by a given department or agency. The latter modification may have an installation deadline established and controlled solely by the user's headquarters.
manipulative communications deception: Alteration or simulation of friendly telecommunications for the purpose of deception. NOTE: Manipulative communications deception may involve establishment of bogus communications structures, transmission of deception messages, and expansion or creation of communications schedules on existing structures to display an artificial volume of messages. See communications deception and imitative communications deception.
manual cryptosystem: Cryptosystem in which the cryptographic processes are performed manually without the use of crypto-equipment or auto-manual devices.
manual remote rekeying: Procedure by which a distant crypto-equipment is rekeyed electrically, with specific actions required by the receiving terminal operator.
masquerading: Synonymous with spoofing.
master crypto-ignition key: Crypto-ignition key that is able to initialize crypto-ignition key, when interacting with its associated crypto-equipment.
material symbol: Communications circuit identifier used for key card resupply purposes.
memory bounds: Limits in the range of storage addresses for a protected region in the memory of an AIS.
message authentication code: Data element associated with an authenticated message which allows a receiver to verify the integrity of the message.
message externals: Non-textual (outside the message text) characteristics of transmitted messages.
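The hashing entry says manipulation is detectable only "when the hashword is protected", and the integrity check value and message authentication code entries are the two names this glossary gives to a protected hashword. The added example below (not from NSTISSI 4009) shows the difference in practice: an unkeyed checksum catches an accidental bit flip but is recomputed trivially by an adversary who alters the data, while a keyed value stops the forgery because the adversary lacks the key. HMAC-SHA256 is used as the keyed function; the glossary names no algorithm, so that choice, the shared key, the sample message and the function names are all assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Dict


def checksum(data: bytes) -> str:
    """Unkeyed hashword. Detects accidental corruption, but anyone able to
    alter the data can recompute it, so it proves nothing against an adversary."""
    return hashlib.sha256(data).hexdigest()


def integrity_check_value(key: bytes, data: bytes) -> str:
    """Keyed hashword, HMAC-SHA256. The key is what 'protects' the hashword:
    without it, a modified message cannot be given a matching value."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def protect_unkeyed(data: bytes) -> Dict[str, object]:
    return {"data": data, "tag": checksum(data)}


def verify_unkeyed(record: Dict[str, object]) -> bool:
    return hmac.compare_digest(checksum(record["data"]), record["tag"])


def protect_keyed(key: bytes, data: bytes) -> Dict[str, object]:
    return {"data": data, "tag": integrity_check_value(key, data)}


def verify_keyed(key: bytes, record: Dict[str, object]) -> bool:
    # compare_digest runs in constant time, so the check itself does not leak
    # how many leading characters of a guessed tag were right.
    return hmac.compare_digest(integrity_check_value(key, record["data"]), record["tag"])


def adversary_rewrite(record: Dict[str, object], new_data: bytes) -> Dict[str, object]:
    """Attacker who can alter data in transit but holds no key: substitutes the
    data and recomputes the only function available to it, the public hash."""
    return {"data": new_data, "tag": checksum(new_data)}


def bit_flip(record: Dict[str, object]) -> Dict[str, object]:
    """Accidental corruption: one bit of the data changes, tag left as it was."""
    data = bytearray(record["data"])
    data[0] ^= 0x01
    return {"data": bytes(data), "tag": record["tag"]}


def demo(key: bytes) -> Dict[str, bool]:
    original = b"TRANSFER 100 TO ACCT 42"       # constructed message
    forged = b"TRANSFER 100 TO ACCT 99"
    return {
        "checksum_detects_corruption": not verify_unkeyed(bit_flip(protect_unkeyed(original))),
        "checksum_accepts_forgery": verify_unkeyed(adversary_rewrite(protect_unkeyed(original), forged)),
        "icv_accepts_genuine": verify_keyed(key, protect_keyed(key, original)),
        "icv_detects_corruption": not verify_keyed(key, bit_flip(protect_keyed(key, original))),
        "icv_accepts_forgery": verify_keyed(key, adversary_rewrite(protect_keyed(key, original), forged)),
    }


if __name__ == "__main__":
    # Key shared by sender and receiver; assumed delivered out of band.
    print(demo(os.urandom(32)))
```

A message authentication code proves integrity and origin to a party that holds the same key; it does not give the non-repudiation the electronic signature entry asks for, because either key holder could have produced it.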
message indicator: Sequence of bits transmitted over a telecommunications system for the purpose of crypto-equipment synchronization. NOTE: Some off-line cryptosystems, such as the KL-51 and one-time pad systems, employ message indicators to establish decryption starting points.
mimicking: Synonymous with spoofing.
mobile COMSEC facility: COMSEC facility that can be readily moved from one location to another.
mode of operation: Description of the conditions under which an AIS operates, based on the sensitivity of data processed and the clearance levels and authorizations of the users. NOTE: Five modes of operation are authorized for an AIS processing information and for networks transmitting information. See compartmented mode, dedicated mode, multilevel mode, partitioned security mode, and system-high mode.
multilevel device: Device that is trusted to properly maintain and separate data of different security levels.
multilevel mode: AIS security mode of operation wherein all the following statements are satisfied concerning the users who have direct or indirect access to the system, its peripherals, remote terminals, or remote hosts: a. Some users do not have a valid security clearance for all the information processed in the AIS. b. All users have the proper security clearance and appropriate formal access approval for that information to which they have access. c. All users have a valid need-to-know only for information to which they have access.
multilevel security: Concept of processing information with different classifications and categories that simultaneously permits access by users with different security clearances, but prevents users from obtaining access to information for which they lack authorization.
mutual suspicion: Condition in which two entities need to rely upon each other to perform a service, yet neither entity trusts the other to properly protect shared data.
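The message indicator entry above, together with the earlier entries for key updating, key-auto-key, key stream and cryptosynchronization, describe the pieces of a link whose key moves forward one-way. The added example below (not from NSTISSI 4009, and not a description of any fielded equipment) wires them together: each end holds a traffic key and a count of updates; key updating derives the next key from the previous one with a one-way function, so an old key cannot be recovered from a new one; the sender transmits its update count in the clear as the message indicator; the receiver uses it to synchronize by advancing its own state, and refuses anything from a state it has already passed, since that key no longer exists anywhere. HMAC-SHA256 as the update function and as the key stream generator, the fill key, and all class and method names are assumptions of this example.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed fill key, loaded into both ends by a fill device out of band.
FILL_KEY = bytes(range(32))


class CryptoLogic:
    """One end of a link: the current traffic key plus a count of updates applied."""

    def __init__(self, fill_key: bytes) -> None:
        self.key = fill_key
        self.counter = 0

    def update(self) -> None:
        """Key updating: k[i+1] = HMAC-SHA256(k[i], "update" || i). One-way, so a
        party holding k[i+1] cannot recover k[i] or anything protected under it."""
        label = b"update" + self.counter.to_bytes(4, "big")
        self.key = hmac.new(self.key, label, hashlib.sha256).digest()
        self.counter += 1

    def keystream(self, length: int) -> bytes:
        """Key stream from the current key, HMAC in counter mode as the PRF."""
        out = bytearray()
        block = 0
        while len(out) < length:
            out += hmac.new(self.key, b"ks" + block.to_bytes(4, "big"), hashlib.sha256).digest()
            block += 1
        return bytes(out[:length])

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Return (message indicator, cipher text). The indicator is the sender's
        update count, sent in the clear; every message then consumes one update so
        the same key stream is never produced twice."""
        indicator = self.counter
        cipher = bytes(p ^ k for p, k in zip(plaintext, self.keystream(len(plaintext))))
        self.update()
        return indicator, cipher

    def decrypt(self, indicator: int, cipher: bytes) -> bytes:
        """Cryptosynchronization: bring this logic to the state the indicator names,
        then decrypt. Forward moves are cheap; backward moves are impossible, so a
        late or replayed message from an earlier state is refused rather than
        decrypted with a key this end no longer holds."""
        if indicator < self.counter:
            raise ValueError("indicator %d is behind current state %d" % (indicator, self.counter))
        while self.counter < indicator:
            self.update()
        plain = bytes(c ^ k for c, k in zip(cipher, self.keystream(len(cipher))))
        self.update()
        return plain


def exchange() -> Dict[str, object]:
    """Sender emits three messages; the receiver sees only the second and third,
    then an attacker replays the first. Returns what the receiver recovered."""
    sender, receiver = CryptoLogic(FILL_KEY), CryptoLogic(FILL_KEY)
    m1 = sender.encrypt(b"first, lost in transit")
    m2 = sender.encrypt(b"second")
    m3 = sender.encrypt(b"third")
    got2 = receiver.decrypt(*m2)        # receiver advances from state 0 to state 1
    got3 = receiver.decrypt(*m3)
    try:
        receiver.decrypt(*m1)           # state 0 is gone: the update was irreversible
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {"second": got2, "third": got3, "replay_rejected": replay_rejected,
            "receiver_state": receiver.counter}


if __name__ == "__main__":
    print(exchange())
```

The cost of irreversibility is visible in the exchange: a message that arrives after the receiver has moved past its state can never be read. Real systems bound that loss by advancing on a schedule (the cryptoperiod) rather than per message, and by holding the indicator to a window; the one-way property itself is what limits what a captured current key exposes.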
N

national security information: Information that has been determined, pursuant to Executive Order 12356 or any predecessor order, to require protection against unauthorized disclosure, and that is so designated.
national security systems: Telecommunications and automated information systems operated by the U.S. Government, its contractors, or its agents, that contain classified information or, as set forth in 10 U.S.C. Section 2315, that involve intelligence activities, involve cryptologic activities related to national security, involve command and control of military forces, involve equipment that is an integral part of a weapon or weapon system, or involve equipment that is critical to the direct fulfillment of military or intelligence missions.
need-to-know: Access to, or knowledge or possession of, specific information required to carry out official duties.
net control station: Terminal in a secure telecommunications net responsible for distributing key in electronic form to the members of the net.
network front end: Device that implements the needed security-related protocols to allow a computer system to be attached to a network.
network reference monitor: Access control concept that refers to an abstract machine that mediates all access to objects within a network by subjects within the network. See reference monitor.
network security: Protection of networks and their services from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side-effects. NOTE: Network security includes providing for data integrity.
network security officer: Individual formally appointed by a designated approving authority to ensure that the provisions of all applicable directives are implemented throughout the life cycle of an automated information system network. See information system security officer.
network system: System that is implemented with a collection of interconnected network components. NOTE: A network system is based on a coherent security architecture and design.
network trusted computing base: Totality of protection mechanisms within a network system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy. See trusted computing base.
no-lone zone: Area, room, or space which, when manned, must be occupied by two or more appropriately cleared individuals who remain within sight of each other. (See two person integrity.)
noncooperative remote rekeying: Synonymous with automatic remote rekeying.
non-repudiation: Method by which the sender of data is provided with proof of delivery and the recipient is assured of the sender's identity, so that neither can later deny having processed the data.
non-secret encryption: Synonymous with public key cryptography.
null: Dummy letter, letter symbol, or code group inserted in an encrypted message to delay or prevent its decryption or to complete encrypted groups for transmission or transmission security purposes.

O

object: Passive entity that contains or receives information. NOTE: Access to an object implies access to the information it contains. Examples of objects are: records, blocks, pages, segments, files, directories, directory trees and programs, as well as bits, bytes, words, fields, processors, video displays, keyboards, clocks, printers, and network nodes.
object reuse: Reassignment of a storage medium (e.g., page frame, disk sector, magnetic tape) that contained one or more objects, after ensuring that no residual data remained on the storage medium.
off-line cryptosystem: Cryptosystem in which encryption and decryption are performed independently of the transmission and reception functions.
one-part code
Code in which plain text elements and their accompanying code groups are arranged in alphabetical, numerical, or other systematic order, so that one listing serves for both encoding and decoding. NOTE: One-part codes are normally small codes that are used to pass small volumes of low-sensitivity information.

one-time cryptosystem
Cryptosystem employing key which is used only once.

one-time pad
Manual one-time cryptosystem produced in pad form.

one-time tape
Punched paper tape used to provide key streams on a one-time basis in certain machine cryptosystems.

on-line cryptosystem
Cryptosystem in which encryption and decryption are performed in association with the transmitting and receiving functions.

open security environment
Environment that does not provide sufficient assurance that applications and equipment are protected against the introduction of malicious logic prior to or during the operation of a system.

open storage
Storage of classified information within an accredited facility, but not in General Services Administration approved secure containers, while the facility is unoccupied by authorized personnel.

operational data security
Protection of data from either accidental or unauthorized intentional modification, destruction, or disclosure during input, processing, or output operations.

operational key
Key intended for use on-the-air for protection of operational information or for the production or secure electrical transmission of key streams.

operational waiver
Authority for continued use of unmodified COMSEC end-items, pending the completion of a mandatory modification.

operations code
Code composed largely of words and phrases which are suitable for general communications use.

operations security
Process denying to potential adversaries information about capabilities and/or intentions by identifying, controlling and protecting generally unclassified evidence of the planning and execution of sensitive activities.
optional modification
National Security Agency approved modification that is not required for universal implementation by all holders of a COMSEC end-item. NOTE: This class of modification requires all of the engineering/doctrinal control of mandatory modification, but is usually not related to security, safety, TEMPEST, or reliability.

Orange Book
Synonymous with DoD Trusted Computer System Evaluation Criteria.

organizational maintenance
Limited maintenance performed by a user organization.

overt channel
Communications path within a computer system or network that is designed for the authorized transfer of data. (See covert channel.)

over-the-air key distribution
Providing electronic key via over-the-air rekeying, over-the-air key transfer, or cooperative key generation.

over-the-air key transfer
Electronically distributing key without changing traffic encryption key used on the secured communications path over which the transfer is accomplished.

over-the-air rekeying
Changing traffic encryption key or transmission security key in remote crypto-equipment by sending new key directly to the remote crypto-equipment over the communications path it secures.

overwrite procedure
Process which removes or destroys data recorded on an AIS storage medium by writing patterns of data over, or on top of, the data stored on the medium.

P

parity
Set of bits used to determine whether a block of data (key or data stored in computers) has been intentionally or unintentionally altered.

partitioned security mode
AIS security mode of operation wherein all personnel have the clearance, but not necessarily formal access approval and need-to-know, for all information handled by an AIS. NOTE: This security mode encompasses the compartmented mode and applies to non-intelligence DoD organizations and DoD contractors.
passphrase
Sequence of characters, longer than the acceptable length of a password, that is transformed by a password system into a virtual password of acceptable length.

password
Protected/private character string used to authenticate an identity or to authorize access to data.

penetration
Unauthorized act of bypassing the security mechanisms of a cryptographic system or AIS.

penetration testing
Security testing in which evaluators attempt to circumvent the security features of an AIS based on their understanding of the system design and implementation.

per-call key
Unique traffic encryption key generated automatically by certain secure telecommunications systems to secure single voice or data transmissions. (See cooperative key generation.)

periods processing
Processing of various levels of classified and unclassified information at distinctly different times. NOTE: Under periods processing, the system must be purged of all information from one processing period before transitioning to the next when there are different users with differing authorizations.

permuter
Device used in a crypto-equipment to change the order in which the contents of a shift register are used in various nonlinear combining circuits.

plain text
Unencrypted information.

positive control material
Generic term referring to a sealed authenticator system, permissive action link, coded switch system, positive enable system, or nuclear command and control documents, material or devices.

preproduction model
Version of a crypto-equipment that employs standard parts and is in final mechanical and electrical form suitable for complete evaluation of form, design, and performance. NOTE: Preproduction models are often referred to as E-model equipment.

print suppression
Eliminating the display of characters in order to preserve their secrecy. NOTE: An example of print suppression is not displaying the characters of a password as it is keyed at the input terminal.
privacy system
Commercial encryption system that affords telecommunications limited protection to deter a casual listener, but cannot withstand a technically competent cryptanalytic attack.

production model
Crypto-equipment in its final mechanical and electrical form of production design made by use of production tools, jigs, fixtures, and methods using standard parts.

profile
Detailed security description of the physical structure, equipment component, location, relationships, and general operating environment of an AIS.

proprietary information
Material and information relating to or associated with a company's products, business or activities, including but not limited to: financial information; data or statements; trade secrets; product research and development; existing and future product designs and performance specifications; marketing plans or techniques; schematics; client lists; computer programs; processes; and know-how that have been clearly identified and properly marked as proprietary information, trade secrets or company confidential information. NOTE: Trade secrets constitute the whole or any portion or phase of any technical information, design process, procedure, formula or improvement that is not generally available to the public, that a company considers company confidential and that could give or gives an advantage over competitors who do not know or use the trade secret.

protected communications
Telecommunications deriving their protection through use of type 2 products or data encryption standard equipment. (See secure communications.)

protected distribution system
Wireline or fiber-optic telecommunications system that includes terminals and adequate acoustic, electrical, electromagnetic, and physical safeguards to permit its use for the unencrypted transmission of classified information.

protection equipment
Type 2 product or data encryption standard equipment that the National Security Agency has endorsed to meet applicable standards for the protection of telecommunications or automated information systems containing national security information.

protection philosophy
Informal description of the overall design of an AIS that delineates each of the protection mechanisms employed. NOTE: Combination, appropriate to the evaluation class, of formal and informal techniques used to show the mechanisms are adequate to enforce the security policy.

protection ring
One of a hierarchy of privileged modes of an AIS that gives certain access rights to user programs and processes authorized to operate in a given mode.

protective packaging
Packaging techniques for COMSEC material which discourage penetration, reveal that a penetration has occurred or was attempted, or inhibit viewing or copying of keying material prior to the time it is exposed for use.

protective technologies
Special tamper-evident features and materials employed for the purpose of detecting tampering and deterring attempts to compromise, modify, penetrate, extract, or substitute information processing equipment and keying material.

protective technology/package incident
Any penetration of information system security protective technology or packaging, such as a crack, cut, or tear.

protocol
Set of rules and formats, semantic and syntactic, that permits entities to exchange information.

public cryptography
Body of cryptographic and related knowledge, study, techniques, and applications that is, or is intended to be, in the public domain.

public key cryptography
Type of cryptography in which the encryption process is publicly available and unprotected, but in which a part of the decryption key is protected so that only a party with knowledge of both parts of the decryption process can decrypt the cipher text.
NOTE: Commonly called non-secret encryption in professional cryptologic circles. FIREFLY is an application of public key cryptography.

purge
Removal of data from an AIS, its storage devices, or other peripheral devices with storage capacity in such a way that the data may not be reconstructed. NOTE: An AIS must be disconnected from any external network before a purge. See clearing.

Q

QUADRANT
Short name referring to technology which provides tamper-resistant protection to crypto-equipment.

R

randomizer
Analog or digital source of unpredictable, unbiased, and usually independent bits. NOTE: Randomizers can be used for several different functions, including key generation or to provide a starting state for a key generator.

read
Fundamental operation in an AIS that results only in the flow of information from an object to a subject. (See access type.)

read access
Permission to read information in an AIS.

real-time reaction
Immediate response to a penetration attempt that is detected and diagnosed in time to prevent access.

recovery procedures
Actions necessary to restore data files of an AIS and computational capability after a system failure.

RED
Designation applied to telecommunications and automated information systems, plus associated areas, circuits, components, and equipment which, when classified plain text signals are being processed therein, require protection during electrical transmission.

RED/BLACK concept
Separation of electrical and electronic circuits, components, equipment, and systems that handle classified plain text (RED) information, in electrical signal form, from those which handle unclassified (BLACK) information in the same form.

RED key
Unencrypted key. (See BLACK key.)

RED signal
Telecommunications or automated information systems signal that would divulge classified information if recovered and analyzed.
NOTE: RED signals may be plain text, key, subkey, initial fill, control, or traffic flow related information.

reference monitor
Access control concept that refers to an abstract machine that mediates all accesses to objects by subjects.

reference validation mechanism
Portion of a trusted computing base, the normal function of which is to control access between subjects and objects, and the correct operation of which is essential to the protection of data in the system. NOTE: This is the implementation of the reference monitor.

release prefix
Prefix appended to the short title of United States produced keying material to indicate its foreign releasability. NOTE: "A" designates material that is releasable to specific allied nations and "US" designates material intended exclusively for United States use.

remanence
Residual information that remains on storage media after erasure. (See magnetic remanence.)

remote rekeying
Procedure by which a distant crypto-equipment is rekeyed electrically. (See automatic remote rekeying and manual remote rekeying.)

repair action
National Security Agency approved change to a COMSEC end item that does not affect the original characteristics of the end item and is provided for optional application by holders. NOTE: Repair actions are limited to minor electrical and/or mechanical improvements to enhance operation, maintenance, or reliability. They do not require an identification label, marking, or control, but must be fully documented by changes to the maintenance manual.

reserve keying material
Key held to satisfy unplanned needs. (See contingency key.)

residual risk
Portion of risk that remains after security measures have been applied.

residue
Data left in storage after automated information processing operations are complete, but before degaussing or overwriting has taken place.

resource encapsulation
Method by which the reference monitor mediates accesses to an AIS resource.
NOTE: Resource is protected and not directly accessible by a subject. Satisfies requirement for accurate auditing of resource usage.

risk analysis
Synonymous with risk assessment.

risk assessment
Process of analyzing threats to and vulnerabilities of an information system, and the potential impact that the loss of information or capabilities of a system would have on national security, and using the analysis as a basis for identifying appropriate and cost-effective measures.

risk index
Difference between the minimum clearance or authorization of AIS users and the maximum sensitivity (e.g., classification and categories) of data processed by the system.

risk management
Process concerned with the identification, measurement, control, and minimization of security risks in information systems.

S

safeguarding statement
Statement affixed to a computer output or printout that states the highest classification being processed at the time the product was produced, and requires control of the product, at that level, until determination of the true classification by an authorized person.

sample key
Key intended for off-the-air demonstration use only.

sanitize
To remove or edit classified or sensitive data so that what remains is of a lower classification or sensitivity than the original data.

scavenging
Searching through object residue to acquire data.

scratch pad store
Momentary key storage in crypto-equipment.

secure communications
Telecommunications deriving security through use of type 1 products and/or protected distribution systems.

secure operating system
Resident software that controls hardware and other software functions in an AIS to provide a level of protection or security appropriate to the classification, sensitivity, and/or criticality of the data and resources it manages.

secure state
Condition in which no subject can access any object in an unauthorized manner.

secure subsystem
Subsystem that contains its own implementation of the reference monitor concept for those resources it controls. NOTE: Secure subsystem must depend on other controls and the base operating system for the control of subjects and the more primitive system objects.

security fault analysis
Assessment, usually performed on information system hardware, to determine the security properties of a device when a hardware fault is encountered.

security filter
AIS trusted subsystem that enforces security policy on the data that passes through it.

security flaw
Error of commission or omission in an AIS that may allow protection mechanisms to be bypassed.

security inspection
Examination of an AIS to determine compliance with security policy, procedures, and practices.

security kernel
Hardware, firmware, and software elements of a trusted computing base that implement the reference monitor concept. NOTE: Security kernel must mediate all accesses, be protected from modification, and be verifiable as correct.

security label
Piece of information that represents the sensitivity of a subject or object, such as its hierarchical classification (CONFIDENTIAL, SECRET, TOP SECRET) together with any applicable non-hierarchical security categories (e.g., sensitive compartmented information, critical nuclear weapon design information). (See information label and sensitivity label.)

security perimeter
Boundary where security controls are in effect to protect AIS assets.

security range
Highest and lowest security levels that are permitted in or on an AIS, system component, subsystem, or network.

security requirements
Types and levels of protection necessary for equipment, data, information, applications and facilities to meet security policy.

security requirements baseline
Description of the minimum requirements necessary for an AIS to maintain an acceptable level of security.
security safeguards
Protective measures and controls that are prescribed to meet the security requirements specified for an AIS. NOTE: Safeguards may include security features, as well as management constraints, personnel security, and security of physical structures, areas, and devices. See accreditation.

security specification
Detailed description of the safeguards required to protect an AIS.

security test and evaluation
Examination and analysis of the safeguards required to protect an AIS, as they have been applied in an operational environment, to determine the security posture of that system.

security testing
Process to determine that an AIS protects data and maintains functionality as intended. NOTE: Security testing may reveal vulnerabilities beyond the scope of the AIS design.

seed key
Initial key used to start an updating or key generation process.

self-authentication
Implicit authentication, to a predetermined level, of all transmissions on a secure communications system.

sensitive information
Information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act), but that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense or foreign policy. NOTE: Systems that are not national security systems, but contain sensitive information are to be protected in accordance with the requirements of the Computer Security Act of 1987 (P.L. 100-235).

sensitivity label
Piece of information that represents elements of the security label(s) of a subject and an object. NOTE: Sensitivity labels are used by the trusted computing base as the basis for mandatory access control decisions.
shielded enclosure
Room or container designed to attenuate electromagnetic radiation.

short title
Identifying combination of letters and numbers assigned to certain COMSEC materials to facilitate handling, accounting, and control. NOTE: NAG-16C/TSEC is an example of a short title.

signals security
Generic term encompassing communications security and electronic security.

simple security property
Bell-La Padula security model rule allowing a subject read access to an object only if the security level of the subject dominates the security level of the object.

single-level device
AIS device that is not trusted to properly maintain and separate data to different security levels.

single point keying
Means of distributing key to multiple, local crypto-equipment or devices from a single fill point.

software system test and evaluation process
Process that plans, develops, and documents the quantitative demonstration of the fulfillment of all baseline functional performance, operational, and interface requirements.

special mission modification
Modification that applies only to a specific mission, purpose, operational, or environmental need. NOTE: Special mission modifications may be either optional or mandatory.

speech privacy
Techniques that use fixed sequence permutations or voice/speech inversion to render speech unintelligible to the casual listener.

spelling table
Synonymous with syllabary.

split knowledge
Separation of data or information into two or more parts, each part constantly kept under control of separate authorized individuals or teams, so that no one individual or team will know the whole data.

spoofing
(COMSEC) Interception, alteration, and retransmission of a cipher signal or data in such a way as to mislead the recipient. (AIS) Attempt to gain access to an AIS by posing as an authorized user.

spread spectrum
Telecommunications techniques in which a signal is transmitted in a bandwidth considerably greater than the frequency content of the original information. NOTE: Frequency hopping, direct sequence spreading, time scrambling, and combinations of these techniques are forms of spread spectrum.

star (*) property
Bell-La Padula security model rule allowing a subject write access to an object only if the security level of the object dominates the security level of the subject.

start-up KEK
Key encryption key held in common by a group of potential communicating entities and used to establish ad hoc tactical nets.

state variable
Variable that represents either the state of an AIS or the state of some system resource.

storage object
Object that supports both read and write accesses to an AIS.

subassembly
Major subdivision of a cryptographic assembly which consists of a package of parts, elements, and circuits that performs a specific function.

subject
Active entity in an AIS, generally in the form of a person, process, or device that causes information to flow among objects or changes the system state.

subject security level
Sensitivity label(s) of the objects to which the subject has both read and write access. NOTE: Security level of a subject must always be dominated by the clearance level of the user with which the subject is associated.

superencryption
Process of encrypting encrypted information. NOTE: Occurs when a message, encrypted off-line, is transmitted over a secured, on-line circuit, or when information encrypted by the originator is multiplexed onto a communications trunk, which is then bulk encrypted.

supersession
Scheduled or unscheduled replacement of a COMSEC aid with a different edition.

supervisor state
Synonymous with executive state.
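The simple security property and the star (*) property above, together with the security label and subject security level entries, describe how a reference monitor decides read and write requests under the Bell-La Padula model. The following worked example is added by the editor and is not part of NSTISSI 4009; it encodes a label as a hierarchical classification plus a set of non-hierarchical categories, defines "dominates" as the glossary does (classification at least as high, and every category of the other label present), and applies the two rules to a constructed set of requests. The classification ordering, category names, function names and sample requests are this example's own assumptions.

```python
"""Bell-La Padula read/write mediation over sensitivity labels (added example).

A label is a hierarchical classification plus a set of non-hierarchical
categories.  The ordering of classifications, the category names and the
sample requests below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Hierarchical classifications, lowest to highest (assumed ordering).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Sensitivity label: hierarchical level plus non-hierarchical categories."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A label dominates another when its classification is at least as
        # high AND it carries every category the other label carries.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def simple_security_property(subject: Label, obj: Label) -> bool:
    """Read allowed only if the subject's level dominates the object's."""
    return subject.dominates(obj)


def star_property(subject: Label, obj: Label) -> bool:
    """Write allowed only if the object's level dominates the subject's."""
    return obj.dominates(subject)


def mediate(subject: Label, obj: Label, access: str) -> bool:
    """Reference-monitor style check: every read or write passes through here."""
    if access == "read":
        return simple_security_property(subject, obj)
    if access == "write":
        return star_property(subject, obj)
    raise ValueError(f"unknown access type: {access}")


def demo() -> List[Tuple[str, str, str, bool]]:
    """Run a constructed set of requests for one subject and return the decisions.

    Each result is (access, object level, sorted object categories, allowed).
    """
    subject = Label("SECRET", frozenset({"NUCLEAR"}))
    requests = [
        ("read", Label("CONFIDENTIAL")),                              # read down: allow
        ("read", Label("SECRET", frozenset({"NUCLEAR", "CRYPTO"}))),  # missing category: deny
        ("read", Label("TOP SECRET", frozenset({"NUCLEAR"}))),        # read up: deny
        ("write", Label("TOP SECRET", frozenset({"NUCLEAR"}))),       # write up: allow
        ("write", Label("CONFIDENTIAL")),                             # write down: deny
        ("write", Label("SECRET", frozenset({"CRYPTO"}))),            # incomparable: deny
    ]
    results = []
    for access, obj in requests:
        decision = mediate(subject, obj, access)
        results.append((access, obj.level, ",".join(sorted(obj.categories)), decision))
    return results


if __name__ == "__main__":
    for access, level, cats, ok in demo():
        label = level + (" {" + cats + "}" if cats else "")
        print(f"{access:5s} {label:28s} -> {'ALLOW' if ok else 'DENY'}")
```

Two labels at the same classification but with different categories are incomparable: neither dominates the other, so the subject can neither read nor write the object. The write-down denial (SECRET subject, CONFIDENTIAL object) is what the star property exists to enforce; the read-up denial comes from the simple security property. In a real system the denials would also feed the audit trail that the threat monitoring entry describes.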
suppression measure
Action, procedure, modification, or device that reduces the level of, or inhibits the generation of, compromising emanations in a telecommunications or automated information system.

syllabary
List of individual letters, combination of letters, or syllables, with their equivalent code groups, used for spelling out words or proper names not present in the vocabulary of a code. NOTE: A syllabary may also be known as a spelling table.

synchronous crypto-operation
Method of on-line crypto-operation in which crypto-equipment and associated terminals have timing systems to keep them in step.

system development methodologies
Methodologies developed through software engineering to manage the complexity of system development. NOTE: Development methodologies include software engineering aids and high-level design analysis tools.

system high
Highest security level supported by an AIS.

system high mode
AIS security mode of operation wherein each user, with direct or indirect access to the AIS, its peripherals, remote terminals, or remote hosts, has all of the following:
a. Valid security clearance for all information within an AIS.
b. Formal access approval and signed non-disclosure agreements for all the information stored and/or processed (including all compartments, subcompartments and/or special access programs).
c. Valid need-to-know for some of the information contained within the AIS.

system indicator
Symbol or group of symbols in an off-line encrypted message that identifies the specific cryptosystem or key used in the encryption.

system integrity
Quality of an AIS when it performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.

system low
Lowest security level supported by an AIS.
system security
Measure of security provided by a system, as determined by evaluation of the totality of all system elements and COMSEC measures that support telecommunications and AIS protection.

system security engineering
The efforts that help achieve maximum security and survivability of a system during its life cycle and interfacing with other program elements to ensure security functions are effectively integrated into the total system engineering effort.

system security evaluation
Determination of the risk associated with the use of a given system, considering its vulnerabilities and perceived security threat.

system security management plan
A formal document that fully describes the planned security tasks required to meet system security requirements.

system security officer
Synonymous with information system security officer.

T

tampering
Unauthorized modification that alters the proper functioning of a cryptographic or AIS security equipment or system in a manner that degrades the security or functionality it provides.

tape mixer
Teletypewriter security equipment that encrypts plain text and decrypts cipher text by combining them with a key stream from a one-time tape.

technical attack
Attack that can be perpetrated by circumventing or nullifying hardware or software protection mechanisms, rather than by subverting system personnel or other users.

technical penetration
Deliberate penetration of a security area by technical means to gain unauthorized interception of information-bearing energy.

technical security hazard
Condition that could permit the technical penetration of an area through equipment that by reason of its normal design, installation, operation, maintenance, or damaged condition, allows the unauthorized transmission of classified information.
technical security material
Equipment, components, devices, and associated documentation or other media that pertains to cryptography or the securing of telecommunications and automated information systems.

telecommunications
Preparation, transmission, communication, or related processing of information (writing, images, sounds or other data) by electrical, electromagnetic, electromechanical, electro-optical or electronic means.

telecommunications and automated information systems security
Protection afforded to telecommunications and automated information systems, in order to prevent exploitation through interception, unauthorized electronic access, or related technical intelligence threats and to ensure authenticity. NOTE: Such protection results from the application of security measures (including cryptosecurity, transmission security, emission security, and computer security) to systems that generate, store, process, transfer, or communicate information of use to an adversary, and also includes the physical protection of technical security material and technical security information.

telecommunications security
Synonymous with communications security.

TEMPEST
Short name referring to investigation, study, and control of compromising emanations from telecommunications and automated information systems equipment. (See compromising emanations.)

TEMPEST test
Laboratory or on-site test to determine the nature of compromising emanations associated with a telecommunications or automated information system.

TEMPEST zone
Defined area within a facility where equipment with appropriate TEMPEST characteristics (TEMPEST zone assignment) may be operated without emanating electromagnetic radiation beyond the controlled space boundary of the facility. NOTE: Facility TEMPEST zones are determined by measuring electromagnetic attenuation provided by a building's properties and the free space loss to the controlled space boundary. Equipment TEMPEST zone assignments are based on the

terminal identification
Means used to uniquely identify a terminal to an AIS.

test key
Key intended for on-the-air testing of COMSEC equipment or systems.

threat
Capabilities, intentions, and attack methods of adversaries to exploit, or any circumstance or event with the potential to cause harm to, information or an information system.

threat analysis
Process of studying information to identify the nature of and elements comprising a threat.

threat assessment
Process of formally evaluating the degree of threat to an information system and describing the nature of the threat.

threat monitoring
Analysis, assessment, and review of AIS audit trails and other data collected for the purpose of searching out system events that may constitute violations or attempted violations of data or system security.

ticket-oriented
Computer protection system in which each subject maintains a list of unforgeable bit patterns called tickets, one for each object that a subject is authorized to access. (See list-oriented.)

time bomb
Logic bomb for which the logic trigger is time.

time compliance date
Date by which a mandatory modification to a COMSEC end item must be incorporated if the item is to remain approved for operational use.

time-dependent password
Password that is valid only at a certain time of day or during a specified interval of time.

traditional COMSEC program
COMSEC program in which the National Security Agency acts as the central procurement agency for the development and, in some cases, the production of COMSEC items. NOTE: This includes the Authorized Vendor Program and user partnerships. Modifications to the COMSEC end items used in products developed and/or produced under these programs must be approved by the National Security Agency.

traffic analysis
Study of communications characteristics external to the text.
traffic encryption key
Key used to encrypt plain text or to superencrypt previously encrypted text and/or to decrypt cipher text.

traffic-flow security
Measure used to conceal the presence of valid messages in an on-line cryptosystem or secure communications system. NOTE: Encryption of sending and receiving addresses and causing the circuit to appear busy at all times by sending dummy traffic are two methods of traffic-flow security. A more common method is to send a continuous encrypted signal, irrespective of whether traffic is being transmitted.

traffic padding
Generation of spurious communications or data units to disguise the amount of real data units being sent.

training key
Cryptographic key intended for on-the-air or off-the-air training.

tranquility
Property whereby the security level of an object cannot change while the object is being processed by an AIS.

transmission security
Component of communications security that results from the application of measures designed to protect transmissions from interception and exploitation by means other than cryptanalysis.

transmission security key
Key that is used in the control of transmission security processes, such as frequency hopping and spread spectrum.

trap door
Hidden software or hardware mechanism that can be triggered to permit protection mechanisms in an AIS to be circumvented. NOTE: A trap door is usually activated in some innocent-appearing manner; e.g., a special random key sequence at a terminal. Software developers often write trap doors in their code that enable them to reenter the system to perform certain functions.

Trojan horse
Computer program containing an apparent or actual useful function that contains additional (hidden) functions that allow unauthorized collection, falsification or destruction of data.
trusted computer AIS that employs sufficient system hardware and software assurance measures to allow simultaneous processing of a range of classified or sensitive information. 77 NSTISSI No. 4009 trusted computing Totality of protection mechanisms base within a computer system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy. NOTE: The ability of a trusted computing base to enforce correctly a unified security policy depends on the correctness of the mechanisms within the trusted computing base, the protection of those mechanisms to ensure their correctness, and the correct input of parameters related to the security policy. trusted distribution Method for distributing trusted computing base hardware, software, and firmware components, both originals and updates, that provides protection of the trusted computing base from modification during distribution, and for the detection of any changes. trusted identification An identification method used in forwarding AIS networks whereby the sending host can verify that an authorized user is attempting a connection to another host. NOTE: The sending host transmits the required user authentication information to the receiving host. The receiving host can then verify that the user is validated for access to the system. This operation may be transparent to the user. trusted path Mechanism by which a person using a terminal can communicate directly with the trusted computing base. NOTE: Trusted path can only be activated by the person or the trusted computing base and cannot be imitated by untrusted software. 78 NSTISSI No. 4009 trusted process Process that has privileges to circumvent the system security policy and has been tested and verified to operate only as intended. trusted software Software portion of a trusted computing base. TSEC nomenclature System for identifying the type and purpose of certain items of COMSEC material. 
NOTE: TSEC is derived from telecommunications security. two-part code Code consisting of an encoding section, in which the vocabulary items (with their associated code groups) are arranged in alphabetical or other systematic order, and a decoding section, in which the code groups (with their associated meanings) are arranged in a separate alphabetical or numeric order. two-person control Continuous surveillance and control of positive control material at all times by a minimum of two authorized individuals, each capable of detecting incorrect and unauthorized procedures with respect to the task being performed, and each familiar with established security and safety requirements. 79 NSTISSI No. 4009 two-person integrity System of storage and handling designed to prohibit individual access to certain COMSEC keying material, by requiring the presence of at least two authorized persons, each capable of detecting incorrect or unauthorized security procedures with respect to the task being performed. NOTE: Two-person integrity procedures differ from no-lone zone procedures in that, under two-person integrity controls, two authorized persons must directly participate in the handling and safeguarding of the keying material (as in accessing storage containers, transportation, keying/rekeying operations, and destruction). No-lone zone controls are less restrictive in that the two authorized persons need only to be physically present in the common area where the material is located. Two- person control refers to nuclear command and control COMSEC material while two- person integrity refers only to COMSEC keying material. type 1 product Classified or controlled cryptographic item endorsed by the National Security Agency for securing classified and sensitive U.S. Government information, when appropriately keyed. NOTE: The term refers only to products, and not to information, key, services, or controls. Type 1 products contain classified National Security Agency algorithms. 
They are available to U.S. Government users, their contractors, and federally sponsored non-U.S. Government activities subject to export restrictions in accordance with International Traffic in Arms Regulation. 80 NSTISSI No. 4009 type 2 product Unclassified cryptographic equipment, assembly, or component, endorsed by the National Security Agency, for use in telecommunications and automated information systems for the protection of national security information. NOTE: The term refers only to products, and not to information, key, services, or controls. Type 2 products may not be used for classified information, but contain classified National Security Agency algorithms that distinguish them from products containing the unclassified data encryption standard algorithm. Type 2 products are available to U.S. Government departments and agencies and sponsored elements of state and local governments, sponsored U.S. Government contractors, and sponsored private sector entities. Type 2 products are subject to export restrictions in accordance with the International Traffic in Arms Regulation. type 3 algorithm Cryptographic algorithm that has been registered by the National Institute of Standards and Technology and has been published as a Federal Information Processing Standard for use in protecting unclassified sensitive information or commercial information. type 4 algorithm Unclassified cryptographic algorithm that has been registered by the National Institute of Standards and Technology, but is not a Federal Information Processing Standard. 81 NSTISSI No. 4009 U unauthorized The revelation of information to disclosure individuals not authorized to receive it. unclassified Information that has not been determined, pursuant to E.O. 12356 or any predecessor order, to require protection against unauthorized disclosure and that is not designated as classified. untrusted process Process that has not been tested and verified for adherence to the security policy. 
NOTE: Untrusted process may include incorrect or malicious code that attempts to circumvent the security mechanisms. updating Automatic or manual cryptographic process that irreversibly modifies the state of a COMSEC key, equipment, device, or system. user Person or process accessing an AIS by direct connections (e.g., via terminals) or indirect connections. NOTE: "Indirect connection" relates to persons who prepare input data or receive output that is not reviewed for content or classification by a responsible individual. user ID Unique symbol or character string that is used by an AIS to uniquely identify a specific user. User Partnership Partnership between the National Security Program Agency and a U.S. Government department or agency to facilitate the development of secure information processing and communications equipment incorporating National Security Agency approved cryptographic security. 82 NSTISSI No. 4009 user profile Patterns of a user's activity on an AIS that can be used to detect changes in normal routines. user representative Person authorized by an organization to order COMSEC keying material and to interface with the keying system to provide information to key users, ensuring that the correct type of key is ordered. U.S.-controlled facility Base or building, access to which is physically controlled by U.S. persons who are authorized U.S. Government or U.S. Government contractor employees. U.S.-controlled space Room or floor within a facility that is not a U.S.-controlled facility, access to which is physically controlled by U.S. persons who are authorized U.S. Government or U.S. Government contractor employees. NOTE: Keys or combinations to locks controlling entrance to U.S.-controlled spaces must be under the exclusive control of U.S. persons who are U.S. Government or U.S. Government contractor employees. U.S. person United States citizen or resident alien. 83 NSTISSI No. 
4009 V validation Process of applying specialized security test and evaluation procedures, tools, and equipment needed to establish acceptance for joint usage of an AIS by one or more departments or agencies and their contractors. NOTE: This action will include, as necessary, final development, evaluation, and testing, preparatory to acceptance by senior security test and evaluation staff specialists. variant One of two or more code symbols which have the same plain text equivalent. verification The process of comparing two levels of an AIS specification for proper correspondence (e.g., security policy model with top-level specification, top-level specification with source code, or source code with object code). NOTE: This process may or may not be automated. verified design Computer protection class in which formal security verification methods are used to assure that the AIS mandatory and discretionary security controls can effectively protect classified and sensitive information stored in, or processed by; the system. NOTE: Class A1 system is verified design. virtual password AIS password computed from a passphrase that meets the requirements of password storage (e.g., 64 bits). 84 NSTISSI No. 4009 virus Self replicating, malicious program segment that attaches itself to an application program or other executable system component and leaves no external signs of its presence. vulnerability Weakness in an information system, or cryptographic system, or components (e.g., system security procedures, hardware design, internal controls) that could be exploited. vulnerability analysis Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation. 85 NSTISSI No. 
4009 W work factor Estimate of the effort or time needed by a potential perpetrator, with specified expertise and resources, to overcome a protective measure. NOTE: In cryptography, a work factor is the number of computer binary operations needed to guarantee that a particular key will not be recovered through cryptanalysis. worm Independent program that replicates from machine to machine across network connections often clogging networks and computer systems as it spreads. write Fundamental operation in an AIS that results only in the flow of information from a subject to an object. (See access type.) write access Permission to write to an object in an AIS. Z zeroize Remove or eliminate the key from a crypto-equipment or fill device. 86 NSTISSI No. 4009 SECTION II COMMONLY USED ABBREVIATIONS AND ACRONYMS ACL access control list ADM advanced development model ADP automated data processing AE application entity AIG address indicator group AIRK area interswitch rekeying key AIS automated information system AISS automated information systems security AJ anti-jamming AK automatic remote rekeying AKDC automatic key distribution center AKD/RCU automatic key distribution/rekeying control unit AKM automated key management center ALC accounting legend code AMS l. auto-manual system 2. autonomous message switch ANDVT advanced narrowband digital voice terminal ANSI American National Standards Institute AOSS automated office support systems APC adaptive predictive coding APU auxiliary power unit 87 NSTISSI No. 4009 ARPANET Advanced Research Projects Agency Network ASCII American standard code for information interchange ASPJ advanced self-protection jammer ASU approval for service use AUTODIN Automatic Digital Network AV auxiliary vector AVP Authorized Vendor Program C3 command, control, and communications C3I command, control, communications and intelligence C4 command, control, communications and computers CA l. controlling authority 2. cryptanalysis 3. COMSEC account 4. 
command authority CCEP Commercial COMSEC Endorsement Program CCI controlled cryptographic item CCO circuit control officer CDS cryptographic device services CEOI communications electronics operation instruction CEPR compromising emanation performance requirement CERT computer emergency response team 88 NSTISSI No. 4009 CFD common fill device CIAC computer incident assessment capability CIK crypto-ignition key CIP crypto-ignition plug CIRK common interswitch rekeying key CK compartment key CKG cooperative key generation CLMD COMSEC local management device CMCS COMSEC material control system CNCS cryptonet control station CNK cryptonet key COMPUSEC computer security COMSEC communications security COR central office of record CPS COMSEC parent switch CPU central processing unit CRP COMSEC resources program (Budget) Crypt/Crypto cryptographic-related CSE communications security element CSS l. COMSEC subordinate switch 2. Constant Surveillance Service (Courier) 3. Continuous Signature Service (Courier) 4. coded switch system CSSO contractor special security officer 89 NSTISSI No. 4009 CSTVRP Computer Security Technical Vulnerability Reporting Program CTAK cipher text auto-key CTTA certified TEMPEST technical authority CUP COMSEC Utility Program DAA designated approving authority DAC discretionary access control DAMA demand assigned multiple access DCS l. Defense Communications System 2. Defense Courier Service DCSP design controlled spare part(s) DDN Defense Data Network DDS dual driver service (courier) DES data encryption standard DIB directory information base DoD TCSEC Department of Defense Trusted Computer System Evaluation Criteria DLED dedicated loop encryption device DMA direct memory access DPL Degausser Products List (a section in the Information Systems Security Products and Services Catalogue) DSN Defense Switched Network DSVT digital subscriber voice terminal DTLS descriptive top-level specification 90 NSTISSI No. 
4009 DTD Data Transfer Device DTS Diplomatic Telecommunications Service DUA directory user agent EAM emergency action message ECCM electronic counter-countermeasures ECM electronic countermeasures ECPL Endorsed Cryptographic Products List (a section in the Information Systems Security Products and Services Catalogue) EDAC error detection and correction EDESPL Endorsed Data Encryption Standard Products List EDM engineering development model EFD electronic fill device EFTO encrypt for transmission only EGADS Electronic Generation, Accounting, and Distribution System EKMS Electronic Key Management System ELINT electronic intelligence ELSEC electronic security E Model engineering development model EMSEC emission security EPL Evaluated Products List (a section in the Information Systems Security Products and Services Catalogue) ERTZ equipment radiation TEMPEST zone ETL Endorsed Tools List 91 NSTISSI No. 4009 ETPL Endorsed TEMPEST Products List item EUCI endorsed for unclassified cryptographic information EV enforcement vector FDIU fill device interface unit FIPS Federal Information Processing Standards FOCI foreign owned, controlled or influenced FOUO for official use only FSRS functional security requirements specification FSTS Federal Secure Telephone Service FTS Federal Telecommunications System FTAM file transfer access management FTLS formal top-level specification GPS Global Positioning System GTS Global Telecommunications Service GWEN Ground Wave Emergency Network HDM Hierarchical development methodology HMS human safety mandatory modification HUS hardened unique storage HUSK hardened unique storage key IBAC identity based access control ICU interface control unit IDS intrusion detection system IEMATS Improved Emergency Message Automatic Transmission System 92 NSTISSI No. 
4009 IFF identification, friend or foe IFFN identification, friend, foe, or neutral IIRK interarea interswitch rekeying key ILS integrated logistics support INFOSEC information systems security IP internet protocol IPM interpersonal messaging IPSO internet protocol security option IR information ratio IRK interswitch rekeying key IS information system ISDN Integrated Services Digital Network ISO International Standards Organization ISS information systems security ISSO information systems security officer ITAR International Traffic in Arms Regulation JTIDS Joint Tactical Information Distribution System KAK key-auto-key KEK key encryption key KMASE key management application service element KMC key management center KMID key management identification number KMODC key material ordering and distribution center 93 NSTISSI No. 4009 KMP key management protocol KMPDU key management protocol data unit KMS key management system KMSA key management system agent KMUA key management user agent KP key processor KPK key production key KVG key variable generator LAN local area network KG key generator LEAD low-cost encryption/authentication device LKG loop key generator LMD local management device LME layer management entry LMI layer management interface LOCK logical co-processing kernel LPC linear predictive coding LPD low probability of detection LPI low probability of intercept LRIP limited rate initial preproduction LSI large scale integration MAC l. mandatory access control 2. message authentication code MAN mandatory modification 94 NSTISSI No. 
4009 MATSYM material symbol MCCB modification/configuration control board MDC manipulation detection code MEECN Minimum Essential Emergency Communications Network MEP management engineering plan MER minimum essential requirements MHS message handling system MI message indicator MIB management information base MIJI meaconing, intrusion, jamming and interference MINTERM miniature terminal MIPR military interdepartmental purchase request MLS multi level security MOA memorandum of agreement MOU memorandum of understanding MRK manual remote rekeying MRT miniature receiver terminal MSE mobile subscriber equipment NACAM National COMSEC Advisory Memorandum NACSEM National COMSEC Emanations Memorandum NACSI National COMSEC Instruction NACSIM National COMSEC Information Memorandum NAK negative acknowledge 95 NSTISSI No. 4009 NATO North Atlantic Treaty Organization NCCD nuclear command and control document NCS l. National Communications System 2. National Cryptologic School 3. net control station NCSC National Computer Security Center NETS Nationwide Emergency Telecommunications Service NISAC National Industrial Security Advisory Committee NIST National Institute of Standards and Technology NLZ no-lone zone NSAD network security architecture and design NSD National Security Directive NSDD National Security Decision Directive NSEP National Security Emergency Preparedness NSO network security officer NSTAC National Security Telecommunications Advisory Committee NSTISSAM National Security Telecommunications and Information Systems Security Advisory/Information Memorandum NSTISSC National Security Telecommunications and Information Systems Security Committee NSTISSD National Security Telecommunications and Information Systems Security Directive NSTISSI National Security Telecommunications and Information Systems Security Instruction 96 NSTISSI No. 
4009 NSTISSP National Security Telecommunications and Information Systems Security Policy NTCB network trusted computing base NTIA National Telecommunications and Information Administration NTISSAM National Telecommunications and Information Systems Security Advisory/Information Memorandum NTISSD National Telecommunications and Information Systems Security Directive NTISSI National Telecommunications and Information Systems Security Instruction NTISSP National Telecommunications and Information Systems Security Policy OADR originating agency's determination required OPCODE operations code OPSEC operations security OPT optional modification OTAD over-the-air key distribution OTAR over-the-air rekeying OTAT over-the-air key transfer OTP one-time pad OTT one-time tape PAA peer access approval PAE peer access enforcement PAL permissive action link 97 NSTISSI No. 4009 PC personal computer PCZ protected communications zone PDR preliminary design review PDS protected distribution system PDU protocol data unit PES positive enable system PKA public key algorithm PKC public key cryptography PKSD programmable key storage device P model preproduction model PLSDU physical layer service data unit PNEK post-nuclear event key PPL Preferred Products List (a section in the Information Systems Security Products and Services Catalogue.) PRBAC partition rule base access control PROM programmable read-only memory PROPIN proprietary information PSDU physical layer service data unit PSL Protected Services List PTT push-to-talk PWA printed wiring assembly PWDS protected wireline distribution system RAC repair action RACE rapid automatic cryptographic equipment RAM random access memory 98 NSTISSI No. 4009 ROM read-only memory RQT reliability qualification tests SAMS semiautomatic message switch SAO special access office SAP l. system acquisition plan 2. 
special access program SARK SAVILLE advanced remote keying SCI sensitive compartmented information SCIF sensitive compartmented information facility SDNRIU secure digital net radio interface unit SDNS Secure Data Network System SDR system design review SFA security fault analysis SI special intelligence SIGSEC signals security SISS Subcommittee on Information Systems Security of the NSTISSC SMM special mission mandatory modification SMO special mission optional modification SMU secure mobile unit SPK single point key(ing) SPS scratch pad store SRR security requirements review SSO special security officer 99 NSTISSI No. 4009 ST&E security test and evaluation STS Subcommittee on Telecommunications Security of the NSTISSC STU secure telephone unit TA traffic analysis TACTED tactical trunk encryption device TACTERM tactical terminal TAG TEMPEST Advisory Group TAISS telecommunications and automated information systems security TCB trusted computing base TCD time compliance data TCSEC DoD Trusted Computer System Evaluation Criteria TD transfer device TED trunk encryption device TEK traffic encryption key TEP TEMPEST Endorsement Program TFM trusted facility manual TFS traffic flow security TLS top-level specification TNI trusted network interpretation TNIEG trusted network interpretation environment guideline TPC two-person control TPI two-person integrity 100 NSTISSI No. 
4009 TRANSEC transmission security TRB technical review board TRI-TAC Tri-service Tactical Communications System TSCM technical surveillance countermeasures TSEC telecommunications security TSK transmission security key UA user agent UIRK unique interswitch rekeying key UIS user interface system UPP User Partnership Program USDE undesired signal data emanations V model advanced development model VST VINSON subscriber terminal VTT VINSON trunk terminal WAN wide area network WWMCCS Worldwide Military Command and Control System XDM/x Model experimental development model exploratory development model 101 NSTISSI No. 4009 SECTION III REFERENCES A. National Security Directive 42, dated 5 July 1990. B. Executive Order 12356, National Security Information, dated 6 April 1982. C. Executive Order 12333, United States Intelligence Activities, dated 4 December 1981. D. Public Law 100-235, Computer Security Act of 1987, dated 8 January 1988. E. 10 United States Code Section 2315, The Warner Amendment, dated 1 December 1981. F. 44 United States Code Section 3502(2), Public Law 96-511, Paperwork Reduction Act of 1980, dated Il December 1980. 102