NSTISS NATIONAL MANAGER NATIONAL SECURITY 5 June 1992 TELECOMMUNICATIONS AND INFORMATION SYSTEMS SECURITY FOREWORD l. National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4009, "National Information Systems Security (INFOSEC) Glossary," provides standard definitions for many of the specialized terms relating to the disciplines of communications security (COMSEC) and automated information systems security (AISS), sometimes referred to as computer security (COMPUSEC). In general, communications and data management terms that do not relate closely to telecommunications and automated information systems security are outside the scope of this document and are not included. 2. The definitions contained in this glossary are prescriptive for all elements of the U.S. Government and for its contractors with respect to national security systems. 3. This document is divided into three sections: Section I contains terms and definitions, Section II is a list of commonly used abbreviations and acronym expansions, and Section III contains applicable references. In the definitions section, explanatory information is presented in notes following the definitions with which they are associated. Such notes are not part of the definitions to which they relate. 4. This document supersedes NCSC-9, "National Communications Security (COMSEC) Glossary," dated l September 1982. 5. Representatives of the National Security Telecommunications and Information Systems Security Committee may obtain additional copies of this instruction from: Executive Secretariat National Security Telecommunications and Information Systems Security Committee (NSTISSC) National Security Agency Fort George G. Meade, MD 20755-6000 6. U.S. Government contractors are to contact their appropriate government agency or Contracting Officer Representative regarding distribution of this document. 7. Readers are encuraged to review this glossary and suggest additions, deletions, or changes at any time. Recommendations for revising the document may be sent to the Executive Secretariat at the above address, via the appropriate NSTISSC representative. J. M. McConnell Vice Admiral, U.S. Navy NSTISSI No. 4009 SECTION I TERMS AND DEFINITIONS A access (COMSEC) Capability and opportunity to gain knowledge of or to alter information or material. (AIS) Ability and means to communicate with (i.e. input to or receive output from), or otherwise make use of any information, resource, or component in an AIS. NOTE: An individual does not have "access~ if the proper authority or a physical, technical, or procedural measure prevents them from obtaining knowledge or having an opportunity to alter information, material, resources, or components. access control Process of limiting access to the resources of an AIS only to authorized users, programs, processes, or other systems. access control list Mechanism implementing discretionary access control in an AIS that identifies the users who may access an object and the type of access to the object that a user is permitted. access control mechanism Security safeguards designed to detect and prevent unauthorized access, and to permit authorized access in an AIS. NSTISSI No. 4009 access level Hierarchical portion of the security level used to identify the sensitivity of AIS data and the clearance or authorization of users. NOTE: Access level, in conjunction with the non-hierarchical categories, forms the sensitivity label of an object. See category. access list (COMSEC) Roster of persons authorized admittance to a controlled area. (AIS) Compilation of users, programs, and/or processes and the access levels and types to which each is authorized. access period Segment of time, generally expressed in days or weeks, during which access rights prevail. access port Logical or physical identifier a computer uses to distinguish different terminal input/output data streams or the physical connection for attaching an external device. access type Privilege to perform an action on a program or file. NOTE: Read, write, execute, append, modify, delete, and create are examples of access types. accessible space Area within which the user is aware of all persons entering and leaving, which denies the opportunity for concealed TEMPEST surveillance, and which delineates the closest point of potential tempest intercept from a vehicle. accountability (COMSEC) Principle that an individual is responsible for safeguarding and controlling of COMSEC equipment, keying material, and information entrusted to his/her care and is answerable to proper authority for the loss or misuse of that equipment or information. 2 NSTISSI No. 4009 accountability (AIS) Property that allows auditing of activities on an AIS to be traced to persons who may then be held responsible for their actions. accounting legend Numeric code used to indicate the code minimum accounting controls required for items of accountable COMSEC material within the COMSEC Material Control System. NOTE: National-level accounting legend codes are: ALC-l - continuously accountable by serial number. ALC-2 - continuously accountable by quantity. ALC-4 - report of initial receipt required. After acknowledging receipt, users may control in accordance with Service, department, or agency directives. accounting number Number assigned to an item of COMSEC material to facilitate its control. accreditation Formal declaration by a designated approving authority that an AIS is approved to operate in a particular security mode using a prescribed set of safeguards. accreditation authority Synonymous with designated approving authority. add-on security Incorporation of new hardware, software, or firmware safeguards in an operational AIS. adversary Person or organization that must be denied access to critical information. 3 NSTISSI No. 4009 alternate COMSEC Person designated by proper authority to custodian perform the duties of the COMSEC custodian during the temporary absence of the COMSEC custodian. anti-jam Measures to ensure that intended transmitted information can be received despite deliberate jamming attempts. anti-spoof Measures to prevent an opponent's participation in a telecommunications network or operation/control of a cryptographic or COMSEC system. assembly Group of parts, elements, subassemblies, or circuits that are removable items of COMSEC equipment. assurance Measure of confidence that the security features and architecture of an AIS accurately mediate and enforce the security policy. attack Act of trying to defeat AIS safeguards. audit Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures. audit trail Chronological record of system activities to enable the reconstruction and examination of the sequence of events and/or changes in an event. NOTE: Audit trail may apple to information in an AIS, to message routing in a communications system, or to the transfer of COMSEC material. 4 NSTISSI No. 4009 authenticate Verify the identity of a user, user device, or other entity, or the integrity of data stored, transmitted, or otherwise exposed to unauthorized modification in an automated information system, or establish the validity of a transmitted message. authentication Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's eligibility to receive specific categories of information. authentication system Cryptosystem or process used for authentication. authenticator Means used to confirm the identity or eligibility of a station, originator, or individual. authorization Access rights granted to a user, program, or process. authorized vendor Manufacturer of existing COMSEC equipment who is authorized to produce quantities in excess of contractual requirements for direct sale to eligible buyers. Authorized Vendor Program in which a vendor, producing a Program COMSEC product under contract to the National Security Agency, is authorized to produce that product in numbers exceeding the contracted requirements for direct marketing and sale to eligible buyers. NOTE: Eligible buyers are typically U.S. Government organizations or U.S. Government contractors. Products approved for marketing and sale through the Authorized Vendor Program are placed on the Endorsed Cryptographic Products List. 5 NSTISSI No. 4009 auto-manual system Programmable, hand-held crypto-equipment used to perform encoding and decoding functions. automated information Any equipment or interconnected system systems or subsystems of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data and includes computer software, firmware, and hardware. NOTE: Included are computers, word processing systems, networks, or other electronic information handling systems, and associated equipment. automated information Synonymous with computer security. systems security automated security Use of automated procedures to ensure monitoring security controls for an AIS are not circumvented. automatic remote Procedure to rekey a distant crypto- rekeying equipment electronically without specific actions by the receiving terminal operator. availability of data Data that is in the place, at the time, and in the form needed by the user. 6 NSTISSI No. 4009 B backdoor Synonymous with trap door. Bell-La Padula Formal-state transition model of a security model computer security policy that describes a formal set of access controls based on information sensitivity and subject authorizations. (See star (*) property and simple security property.) benign Condition of cryptographic data such that it cannot be compromised by human access to the data. NOTE: The term benign may be used to modify a variety of COMSEC-related terms, (e.g., key, data, storage, fill, and key distribution techniques). benign environment Nonhostile environment that may be protected from external hostile elements by physical, personnel, and procedural security countermeasures. beyond Al Level of trust employed by the DoD Trusted Computer System Evaluation Criteria that was beyond the state-of- the-art technology at the time the criteria was developed. NOTE: As defined in the "Orange Book," beyond Al includes all the Al-level features, plus others not required at the Al level. binding Process of associating a specific communications terminal with a specific cryptographic key or associating two related elements of information. bit error rate Ratio between the number of bits incorrectly received and the total number of bits transmitted in a telecommunications system. 7 NSTISSI No. 4009 BLACK Designation applied to telecommunications and automated information systems, and to associated areas, circuits, components, and equipment, in which only unclassified signals are processed. NOTE: Encrypted signals are unclassified. BLACK key Encrypted key. (See RED key.) brevity list List containing words and phrases used to shorten messages. browsing Act of searching through AIS storage to locate or acquire information, without necessarily knowing the existence or format of information being sought. bulk encryption Simultaneous encryption of all channels of a multichannel telecommunications trunk. 8 NSTISSI No. 4009 C call back Procedure for identifying a remote AIS terminal, whereby the host system disconnects the caller and then dials the authorized telephone number of the remote terminal to re-establish the connection. call sign cipher Cryptosystem used to encipher/decipher call signs, address groups, and address indicating groups. canister Type of protective package used to contain and dispense key in punched or printed tape form. capability Unforgeable ticket that provides incontestable proof that the presenter is authorized access to the object named in the ticket. capability-based AIS in which access to protected objects system is granted if the subject possesses a capability for the object. category Restrictive label that has been applied to both classified and unclassified data, thereby increasing the requirement for protection of, and restricting the access to, the data. NOTE: Examples include sensitive compartmented information, proprietary information, and North Atlantic Treaty Organization information. Individuals are granted access to special category information only after being granted formal access authorization. CCI assembly Device embodying a cryptographic logic or other COMSEC design that the National Security Agency has approved as a controlled cryptographic item and performs the entire COMSEC function, but is dependent upon the host equipment to operate. 9 NSTISSI No. 4009 CCI component Device embodying a cryptographic logic or other COMSEC design, which the National Security Agency has approved as a controlled cryptographic item, that does not perform the entire COMSEC function and is dependent upon the host equipment or assembly to complete and operate the COMSEC function. CCI equipment Telecommunications or information handling equipment that embodies a controlled cryptographic item component or controlled cryptographic item assembly and performs the entire COMSEC function without dependence on a host equipment to operate. central office of Office of a federal department or agency record that keeps records of accountable COMSEC material held by elements subject to its oversight. certificate of action Statement attached to a COMSEC audit statement report by which a COMSEC custodian certifies that all actions have been completed. certification Comprehensive evaluation of the technical and nontechnical security features of an AIS and other safeguards, made in support of the accreditation process, to establish the extent to which a particular design and implementation meets a set of specified security requirements. certified TEMPEST U.S. Government or U.S. Government technical authority contractor employee designated to review the TEMPEST countermeasures programs of a federal department or agency. challenge and reply Prearranged procedure in which authentication one communicator requests authentication of another and the latter establishes his/her validity with a correct reply. 10 NSTISSI No. 4009 checksum Value computed, via some parity or hashing algorithm, on information requiring protection against error or manipulation. NOTE: Checksums are stored or transmitted with data and are intended to detect data integrity problems. check word Cipher text generated by a cryptographic logic to detect failures in the cryptography. cipher Cryptographic system in which units of plain text are substituted according to a predetermined key. cipher text Enciphered information. cipher text auto-key Cryptographic logic which uses previous cipher text to generate a key stream. ciphony Process of enciphering audio information, resulting in encrypted speech. classified information National security information that has been classified pursuant to Executive Order 12356. clearing Removal of data from an AIS, its storage devices, and other peripheral devices with storage capacity, in such a way that the data may not be reconstructed using normal system capabilities (i.e., through the keyboard). NOTE: An AIS need not be disconnected from any external network before clearing takes place. Clearing enables a product to be reused within, but not outside of, a secure facility. It does not produce a declassified product by itself, but may be the first step in the declassification process. See purge. Il NSTISSI No. 4009 closed security Environment that provides sufficient environment assurance that applications and equipment are protected against the introduction of malicious logic prior to or during the operation of a system. NOTE: Closed security is predicated upon a system's developers, operators, and maintenance personnel having sufficient clearances, authorization, and configuration control. code System of communication in which arbitrary groups of letters, numbers, or symbols represent units of plain text of varying length. NOTE: Codes may or may not provide security. Common uses include: (a) converting information into a form suitable for communications or encryption, (b) reducing the length of time required to transmit information, (c) describing the instructions which control the operation of a computer, and (d) converting plain text to meaningless combinations of letters or numbers and vice versa. code book Book or other document containing plain text and code equivalents in a systematic arrangement, or a technique of machine encryption using a word substitution technique. code group Group of letters, numbers, or both in a code system used to represent a plain text word, phrase, or sentence. code vocabulary Set of plain text words, numerals, phrases, or sentences for which code equivalents are assigned in a code system. cold start Procedure for initially keying crypto- equipment. 12 NSTISSI No. 4009 command authority Individual responsible for the appointment of user representatives for a department, agency, or organization and their key ordering privileges. Commercial COMSEC Relationship between the National Endorsement Program Security Agency and industry, in which the National Security Agency provides the COMSEC expertise (i.e., standards, algorithms, evaluations, and guidance) and industry provides design, development, and production capabilities to produce a type l or type 2 product. NOTE: Products developed under the Commercial COMSEC Endorsement Program may include modules, subsystems, equipment, systems, and ancillary devices. common fill device One of a family of devices developed to read-in, transfer, or store key. NOTE: KYK-l3 Electronic Transfer Device, KYX-l5 Net Control Device, and KOI-l8 General Purpose Tape Reader are examples of common fill devices. communications cover Concealing or altering of characteristic communications patterns to hide information that could be of value to an adversary. communications Deliberate transmission, retransmission, deception or alteration of communications to mislead an adversary's interpretation of the communications. (See imitative communications deception and manipulative communications deception.) 13 NSTISSI No. 4009 communications Analytic model of communications profile associated with an organization or activity. NOTE: The model is prepared from a systematic examination of communications content and patterns, the functions they reflect, and the communications security measures applied. communications Measures and controls taken to deny security unauthorized persons information derived from telecommunications and ensure the authenticity of such telecommunications. NOTE: Communications security includes cryptosecurity, transmission security, emission security, and physical security of COMSEC material. compartmented mode AIS security mode of operation wherein each user with direct or indirect access to the system, its peripherals, remote terminals, or remote hosts has all of the following: a. Valid security clearance for the most restricted information processed in the system. b. Formal access approval and signed non-disclosure agreements for that information to which a user is to have access. c. Valid need-to-know for information to which a user is to have access. 14 NSTISSI No. 4009 compromise Disclosure of information or data to unauthorized persons, or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object may have occurred. compromising Unintentional signals that, if emanations intercepted and analyzed, would disclose the information transmitted, received, handled, or otherwise processed by telecommunications or automated information systems equipment. (See TEMPEST.) computer abuse Intentional or reckless misuse, alteration, disruption, or destruction of data processing resources. computer Use of a crypto-algorithm program cryptography stored in software or firmware, by a general purpose computer to authenticate or encrypt/decrypt data for storage or transmission. computer security Measures and controls that ensure confidentiality, integrity, and availability of the information processed and stored by a computer. computer security Any event in which a computer system is incident attacked, intruded into, or threatened with an attack or intrusion. computer security Device designed to provide limited subsystem computer security features in a larger system environment. Computer Security Program that focuses on technical Technical vulnerabilities in commercially Vulnerability available hardware, firmware and Reporting Program software products acquired by DoD. NOTE: The Computer Security Technical Vulnerability Reporting Program provides for reporting, cataloging, and discrete dissemination of technical vulnerability and corrective-measure information on a need-to-know basis. 15 NSTISSI No. 4009 COMSEC account Administrative entity, identified by an account number, used to maintain accountability, custody and control of COMSEC material. COMSEC account audit Examination of the holdings, records, and procedures of a COMSEC account to ensure that all accountable COMSEC material is properly handled and safeguarded. COMSEC aid COMSEC material, other than an equipment or device, that assists in securing telecommunications and which is required in the production, operation, or maintenance of COMSEC systems and their components. NOTE: COMSEC keying material, callsign/ frequency systems, and supporting documentation, such as operating and maintenance manuals, are examples of COMSEC aids. COMSEC boundary Definable perimeter within a telecommunications equipment or system within which all hardware, firmware, and software components that perform critical COMSEC functions are located. NOTE: Key generation and key handling and storage are critical COMSEC functions. COMSEC chip set Collection of National Security Agency approved microchips furnished to a manufacturer to secure or protect telecommunications equipment. (See secure communications and protected communications.) 16 NSTISSI No. 4009 COMSEC control Set of instructions or routines for program a computer that controls or affects the externally performed functions of key generation, key distribution, message encryption/decryption, or authentication. COMSEC custodian Person designated by proper authority to be responsible for the receipt, transfer, accounting, safeguarding and destruction of COMSEC material assigned to a COMSEC account. NOTE: The term COMSEC manager is replacing the term COMSEC custodian. These terms are not synonymous, since the responsibilities of the COMSEC manager extend beyond the functions required for effective operation of a COMSEC account. COMSEC end item Equipment or combination of components ready for its intended use in a COMSEC application. COMSEC equipment Equipment designed to provide security to telecommunications by converting information to a form unintelligible to an unauthorized interceptor and, subsequently, by reconverting such information to its original form for authorized recipients; also, equipment designed specifically to aid in, or as an essential element of, the conversion process. NOTE: COMSEC equipment includes crypto- equipment, crypto-ancillary equipment, cryptoproduction equipment, and authentication equipment. COMSEC facility Space employed primarily for the purpose of generating, storing, repairing, or using COMSEC material. COMSEC incident Occurrence that potentially jeopardizes the security of COMSEC material or the secure electrical transmission of national security information. 17 NSTISSI No. 4009 COMSEC insecurity COMSEC incident that has been investigated, evaluated, and determined to jeopardize the security of COMSEC material or the secure transmission of information. COMSEC manager Person who manages the COMSEC resources of a command or activity. (See the note following the definition for COMSEC custodian.) COMSEC material Item designed to secure or authenticate telecommunications. NOTE: COMSEC material includes, but is not limited to, key, equipment, devices, documents, firmware or software that embodies or describes cryptographic logic and other items that perform COMSEC functions. COMSEC Material Logistics and accounting system Control System through which COMSEC material marked "CRYPTO" is distributed, controlled, and safeguarded. NOTE: Included are the COMSEC central offices of record, cryptologistic depots, and COMSEC accounts. COMSEC material other than key may be handled through the COMSEC Material Control System. COMSEC modification Electrical, mechanical, or software change to a National Security Agency approved COMSEC end item. NOTE: Categories of COMSEC modifications are: mandatory, optional, special mission mandatory, special mission optional, human safety mandatory, and repair actions. COMSEC module Removable component that performs COMSEC functions in a telecommunications equipment or system. 18 NSTISSI No. 4009 COMSEC monitoring Act of listening to, copying, or recording transmissions of one's own official telecommunications to provide material for analysis, so that the degree of security being provided to those transmissions may be determined. COMSEC profile Statement of the COMSEC measures and materials used to protect a given operation, system, or organization. COMSEC survey Organized collection of COMSEC and communications data relative to a given operation, system, or organization. COMSEC system data Information required by a COMSEC equipment or system to enable it to properly handle and control key. COMSEC training Teaching of hands-on skills relating to COMSEC accounting, the use of COMSEC aids, or the installation, use, maintenance, and repair of COMSEC equipment. confidentiality Assurance that information is not disclosed to unauthorized entities or processes. configuration control Process of controlling modifications to a telecommunications or automated information systems hardware, firmware, software, and documentation to ensure the system is protected against improper modifications prior to, during, and after system implementation. configuration management Management of security features and assurances through control of changes made to hardware, software, firmware, documentation, test, test fixtures and test documentation of an automated information system, throughout the development and operational life of a system. confinement property Synonymous with star (*) property. 19 NSTISSI No. 4009 contingency key Key held for use under specific operational conditions or in support of specific contingency plans. contingency plan Plan maintained for emergency response, backup operations, and post-disaster recovery for an AIS, as a part of its security program, that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation. controlled access Log-in procedures, audit of security protection relevant events, and resource isolation as prescribed for class C2 in the Orange Book. controlled Secure telecommunications or information cryptographic item handling equipment, or associated cryptographic component, that is unclassified but governed by a special set of control requirements. NOTE: Such items are marked "CONTROLLED CRYPT0GRAPHIC ITEM" or, where space is limited, "CCI." controlled sharing Condition which exists when access control is applied to all users and components of an AIS. controlled space Three-dimensional space surrounding telecommunications and automated information systems equipment, within which unauthorized persons are denied unrestricted access and are either escorted by authorized persons or are under continuous physical or electronic surveillance. controlling Official responsible for directing authority the operation of a cryptonet and for managing the operational use and control of keying material assigned to the cryptonet. 20 NSTISSI No. 4009 cooperative key Electronically exchanging functions of generation locally generated, random components, from which both terminals of a secure circuit construct traffic encryption key or key encryption key for use on that circuit. cooperative remote Synonymous with manual remote rekeying rekeying. cost-benefit analysis Assessment of the costs of providing protection or security to a telecommunications or AIS versus risk and cost associated with asset loss or damage. countermeasure Action, device, procedure, technique, or other measure that reduces the vulnerability of an AIS. covert channel Unintended and/or unauthorized communications path that can be used to transfer information in a manner that violates an AIS security policy. (See overt channel and exploitable channel.) covert storage Covert channel that involves the channel direct or indirect writing to a storage location by one process and the direct or indirect reading of the storage location by another process. NOTE: Covert storage channels typically involve a finite resource (e.g., sectors on a disk) that is shared by two subjects at different security levels. covert timing Covert channel in which one channel process signals information to another process by modulating its own use of system resources (e.g., central processing unit time) in such a way that this manipulation affects the real response time observed by the second process. 21 NSTISSI No. 4009 credentials Information passed from one entity to another, that is used to establish the sending entity's access rights. cryptanalysis Operations performed in converting encryped messages to plain text without initial knowledge of the crypto-algorithm and/or key employed in the encryption. CRYPTO Marking or designator identifying COMSEC keying material used to secure or authenticate telecommunication carrying classified or sensitive U.S. Government or U.S. Government-derived information. NOTE: When written in all upper case letters, CRYPTO has the meaning stated above. When written in lower case as a prefix, crypto and crypt are abreviations for cryptographic. crypto-alarm Circuit or device which detects failures or aberrations in the logic or operation of crypto-equipment. NOTE: Crypto-alarm may inhibit transmission or may provide a visible and/or audible alarm. crypto-algorithm well-defined procedure or sequence of rules or steps used to produce cipher text from plain text and vice versa. crypto-ancillary Equipment designed specifically to equipment facilitate efficient or reliable operation of crypto-equipment, but that does not perform cryptographic functions crypto-equipment Equipment that embodies a cryptographic logic. cryptographic Pertaining to, or concerned with, cryptography. 22 NSTISSI No. 4009 cryptographic Hardware or firmware embodiment of the component cryptographic logic. NOTE: Cryptographic component may be a modular assembly, a printed wiring assembly, a microcircuit, or a combination of these items. cryptographic Function used to set the state of initialization a cryptographic logic prior to key generation, encryption, or other operating mode. cryptographic logic Well-defined procedure or sequence of rules or steps used to produce cipher text from plain text, and vice versa, or to produce a key stream, plus delays, alarms, and checks which are essential to effective performance of the cryptographic process. (See crypto- algorithm.) cryptographic Function which randomly determines the randomization transmit state of a cryptographic logic. cryptography Principles, means, and methods for rendering plain information unintelligible and for restoring encrypted information to intelligible form. crypto-ignition key Device or electronic key used to unlock the secure mode of crypto-equipment. cryptonet Stations that hold a specific key for use. NOTE: Activities that hold key for other than use, such as cryptologistic depots, are not cryptonet members for that key. Controlling authorities are defacto members of the cryptonets they control. 23 NSTISSI No. 4009 cryptoperiod Time span during which each key setting remains in effect. cryptosecurity Component of communications security that results from the provision of technically sound cryptosystems and their proper use. cryptosynchronization Process by which a receiving decrypting cryptographic logic attains the same internal state as the transmitting encrypting logic. cryptosystem Associated COMSEC items interacting to provide a single means of encryption or decryption. cryptosystem Process of establishing the assessment exploitability of a cryptosystem, normally by reviewing transmitted traffic protected or secured by the system under study. cryptosystem Process of determining vulnerabilities evaluation of a cryptosystem. cryptosystem review Examination of a cryptosystem by the controlling authority to ensure its adequacy of design and content, continued need, and proper distribution. cryptosystem survey Management technique in which actual holders of a cryptosystem express opinions on the system's suitability and provide usage information for technical evaluations. 24 NSTISSI No. 4009 D data encryption Cryptographic algorithm, designed for standard the protection of unclassified data and published by the National Institute of Standards and Technology in Federal Information Processing Standard Publication 46. data flow control Synonymous with information flow control. data integrity Condition that exists when data is unchanged from its source and has not been accidentally or maliciously modified, altered, or destroyed. data origin Corroboration that the source of data is authentication as claimed. data security Protection of data from unauthorized (accidental or intentional) modification, destruction, or disclosure. decertification Revocation of the certification of an AIS item or equipment for cause. decipher Convert enciphered text to the equivalent plain text by means of a cipher system. decode Convert encoded text to its equivalent plain text by means of a code. decrypt Generic term encompassing decode and decipher. dedicated mode AIS security mode of operation wherein each user, with direct or indirect access to the system, its peripherals, remote terminals, or remote hosts, has all of the following: a. Valid security clearance for all information within the system. 25 NSTISSI No. 4009 b. Formal access approval and signed non-disclosure agreements for all the information stored and/or processed (including all compartments, subcompartments, and/or special access programs). c. Valid need-to-know for all information contained within the AIS. NOTE: When in the dedicated security mode, a system is specifically and exclusively dedicated to and controlled for the processing of one particular type or classification of information, either for full-time operation or for a specified period of time. default classification Temporary classification reflecting the highest classification being processed in an AIS. NOTE: Default classification is included in the caution statement affixed to the object. degauss Destroy information contained in magnetic media by subjecting that media to high- intensity alternating magnetic fields, following which the magnetic fields slowly decrease. delegated development Information systems security program program in which the Director, National Security Agency, delegates the development and/or production of the entire telecommunica- tions product, including the information systems security portion, to a lead department or agency. denial of service Result of any action or series of actions that prevents any part of a telecommunications or AIS from functioning. 26 NSTISSI No. 4009 descriptive top-level Top-level specification that is specification written in a natural language (e.g., English), an informal design notation, or a combination of the two. NOTE: Descriptive top-level specification, required for a class B2 and B3 AIS, completely and accurately describes a trusted computing base. See formal top-level specification. designated approving Official with the authority to formally authority assume responsibility for operating an AIS or network at an acceptable level of risk. design controlled Part or subassembly for a COMSEC spare part equipment or device with a National Security Agency controlled design. dial back Synonymous with call back. digital signature Synonymous with electronic signature. direct shipment Shipment of COMSEC material directly from the National Security Agency to user COMSEC accounts. discretionary access Means of restricting access to control objects based on the identity and need- to-know of users and/or groups to which the object belongs. NOTE: Controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (directly or indirectly) to any other subject. See mandatory access control. 27 NSTISSI No. 4009 DoD Trusted Computer Document containing basic requirements System Evaluation and evaluation classes for assessing Criteria degrees of effectiveness of hardware and software security controls built into AIS. NOTE: This document, DoD 5200.28 STD, is frequently referred to as the Orange Book. domain Unique context (e.g., access control parameters) in which a program is operating; in effect, the set of objects that a subject has the ability to access. dominate Term used to compare AIS security levels. NOTE: Security level S1 is said to dominate security level S2 if the hierarchical classification of S1 is greater than, or equal to, that of S2 and the non-hierarchical categories of S1 include all those of S2 as a subset. drop accountability Procedure under which a COMSEC account custodian initially receipts for COMSEC material, and then provides no further accounting for it to its central office of record. NOTE: Local accountability of the COMSEC material may continue to be required. See also accounting legend code, ALC-3 and ALC-4. dummy group Textual group having the appearance of a valid code or cipher group which has no plain text significance. 28 NSTISSI No. 4009 E electronically Key produced only in non-physical generated key form. NOTE: Electronically generated key stored magnetically (e.g., on a floppy disc) is not considered hard copy key. electronic signature Process that operates on a message to assure message source authenticity and integrity, and source non-repudiation. electronic security Protection resulting from all measures designed to deny unauthorized persons information of value which might be derived from the interception and analysis of non-communications electromagnetic radiations, such as radar. element Removable item of COMSEC equipment, assembly, or subassembly which normally consists of a single piece or group of replaceable parts. embedded computer Computer system that is an integral part of a larger system or subsystem that performs or controls a function, either in whole or in part. embedded cryptography Cryptography which is engineered into an equipment or system the basic function of which is not cryptographic. NOTE: Components comprising the cryptographic module are inside the equipment or system add share host device power and housing. The cryptographic function may be dispersed or identifiable as a separate module within the host. 29 NSTISSI No. 4009 embedded cryptographic Cryptosystem that performs or controls system a function, either in whole or in part, as an integral element of a larger system or subsystem. emission security Protection resulting from all measures taken to deny unauthorized persons information of value which might be derived from intercept and analysis of compromising emanations from crypto- equipment, AIS, and telecommunications systems. encipher Convert plain text to equivalent cipher text by means of a cipher. encode Convert plain text to equivalent cipher text by means of a code. encrypt Generic term encompassing encipher and encode. end-item accounting Accounting for all the accountable components of a COMSEC equipment configuration by a single short title. endorsed DES Unclassified equipment that embodies equipment unclassified data encryption standard cryptographic logic and has been endorsed by the National Security Agency for the protection of national security information. endorsed for unclassified Unclassified cryptographic equipment cryptographic item that embodies a U.S. Government classified cryptographic logic and is endorsed by the National Security Agency for the protection of national security information. (See type 2 product.) 30 NSTISSI No. 4009 endorsement National Security Agency approval of a commercially-developed telecommunications or automated information systems protection equipment or system for safeguarding national security information. end-to-end encryption Encryption of information at its origin, and decryption at its intended destination, without any intermediate decryption. end-to-end security Safeguarding information in a secure telecommunications system by cryptographic or protected distribution system means from point of origin to point of destination. entrapment Deliberate planting of apparent flaws in an AIS for the purpose of detecting attempted penetrations. environment Procedures, conditions, and objects that affect the development, operation, and maintenance of an AIS. erasure Process intended to render stored data irretrievable by normal means. executive state One of several states in which an AIS may operate, and the only one in which certain privileged instructions may be executed. NOTE: Such privileged instructions cannot be executed when the system is operating in other (e.g., user) states. exercise key Key intended to safeguard transmissions associated with exercises. exploitable channel Covert channel that is intended to violate the security policy governing an AIS and is useable or detectable by subjects external to the trusted computing base. (See covert channel.) 31 NSTISSI No. 4009 exploratory development Assembly of preliminary circuits or parts model in line with commercial practice to investigate, test, or evaluate the soundness of a concept, device, circuit, equipment, or system in a "breadboard" or rough experimental form, without regard to eventual overall physical form or layout. extraction resistance Capability of a crypto-equipment or a secure telecommunications system or equipment to resist efforts to extract key. 32 NSTISSI No. 4009 F fail safe Pertaining to the automatic protection of programs and/or processing systems to maintain safety when a hardware or software failure is detected in a system. fail soft Pertaining to the selective termination of affected nonessential processing when a hardware or software failure is determined to be imminent in an AIS. failure access Unauthorized and usually inadvertent access to data resulting from a hardware or software failure in an AIS. failure control Methodology used to detect and provide fail safe or fail soft recovery from hardware and software failures in an AIS. fetch protection AIS-provided restriction to prevent a program from accessing data in another user's segment of storage. fielded equipment COMSEC end-item shipped to the user subsequent to first article testing on the initial production contract. file protection Aggregate of all processes and procedures established in an AIS designed to inhibit unauthorized access, contamination, elimination, modification, or destruction of a file or any of its contents. file security Means by which access to computer files is limited to authorized users only. fill device COMSEC item used to transfer or store key in electronic form or to insert key into a crypto-equipment. FIREFLY Key management protocol based on public key cryptography. 33 NSTISSI No. 4009 fixed COMSEC facility COMSEC facility that is located in an immobile structure or aboard a ship. flaw Error of commission, omission, or oversight in an AIS that may allow protection mechanisms to be bypassed. flaw hypothesis System analysis and penetration methodology technique in which the specification and documentation for an AIS are analyzed and then flaws in the system are hypothesized. NOTE: List of hypothesized flaws is prioritized on the basis of the estimated probability that a flaw exists and, assuming a flaw does exist, on the ease of exploiting it, and on the extent of control or compromise it would provide. The prioritized list is used to perform penetration testing of a system. formal access Documented approval by a data approval owner to allow access to a particular category of information. formal proof Complete and convincing mathematical argument, presenting the full logical justification for each proof step, for the truth of a theorem or set of theorems. NOTE: In computer security, these formal proofs provide A1, and beyond A1 assurance under the DoD Trusted Computer System Evaluation Criteria. formal security policy Mathematically precise statement of a model security policy. NOTE: Such a model must define a secure state, an initial state, and how the model represents changes in state. The model must be shown to be secure by proving that the initial state is secure and that all possible subsequent states remain secure. 34 NSTISSI No. 4009 formal top-level Top-level specification that is written specification in a formal mathematical language to allow theorems, showing the correspon- dence of the system specification to its formal requirements, to be hypothesized and formally proven. NOTE: Formal top-level specification, required for a class A1 AIS, completely and accurately describes the trusted computing base. See descriptive top- level specification. formal verification Process of using formal proofs to demonstrate the consistency between formal specification of a system and formal security policy model (design verification) or between formal specification and its high-level program implementation (implementation verification). frequency hopping Repeated switching of frequencies during radio transmission according to a specified algorithm, to minimize unauthorized interception or jamming of telecommunications. front-end security Security filter, which could be filter implemented in hardware or software, that is logically separated from the remainder of an AIS to protect the integrity of the system. full maintenance Complete diagnostic repair, modification, and overhaul of information systems security equipment, including repair of defective assemblies by piece part replacement. (See limited maintenance.) functional testing Segment of security tasting in which advertised security mechanisms of an AIS are tested under operational conditions. 35 NSTISSI No. 4009 G granularity Relative fineness or coarseness to which an access control mechanism can be adjusted. NOTE: Protection at the file level is considered coarse granularity, whereas protection at the field level is considered to be a finer granularity. guard Processor that provides a filter between two disparate systems operating at different security levels or between a user terminal and a data base to remove data for which the user is not authorized access. 36 NSTISSI No. 4009 H handshaking procedures Dialogue between two entities (e.g., a user and a computer, a computer and another computer, or a program and another program) for the purpose of identifying and authenticating these entities to one another. hard copy key Physical keying material, such as printed key lists, punched or printed key tapes, or programmable, read-only memories. hardwired key Key that is permanently installed. hashing Iterative process that computes a value (referred to as a hashword) from a particular data unit in a manner that, when a hashword is protected, manipulation of the data is detectable. hashword Synonymous with checksum. high risk environment Specific location or geographic area where there are insufficient friendly security forces to ensure the safeguarding of information systems security equipment. hostile cognizant agent Person, authorized access to national security information, who intentionally makes that information available to an intelligence service or other group, the goals of which are inimical to the interests of the United States Government or its allies. host to front-end Set of conventions governing the protocol format and control of data that is passed from a host to a front-end machine. 37 NSTISSI No. 4009 I identification Process that enables recognition of an entity by an AIS. NOTE: This is generally accomplished by the use of unique machine-readable user names. imitative communications Introduction of deceptive messages or deception signals into an adversary's telecommunications signals. See communications deception and manipulative communications deception. impersonation Synonymous with spoofing. implant Electronic device or component modification to electronic equipment that is designed to gain unauthorized interception of information-bearing energy via technical means. inadvertent Accidental exposure of information disclosure to a person not authorized access. incomplete parameter AIS design flaw that results when checking all parameters have not been fully anticipated for accuracy and consistency, thus making the system vulnerable to penetration. individual accountability Ability to associate positively the identity of a user with the time, method, and degree of access to an AIS. information flow Procedure to ensure that information control transfers within an AIS are not made from a higher security level object to an object of a lower security level. 38 NSTISSI No. 4009 information label Piece of information that accurately and completely represents the sensitivity of the data in a subject or object. NOTE: Information label consists of a security label as well as other required security markings (e.g., codewords, dissemination control markings, and handling caveats), to be used for data information security labeling purposes. information system Any telecommunications and/or computer related equipment or interconnected system or subsystems of equipment that is used in the acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of voice and/or data, and includes software, firmware, and hardware. information systems The protection of information systems security (INFOSEC) against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats. information system Person responsible to the designated security officer approving authority who ensures that security of an information system is implemented through its design, development, operation, maintenance, and secure disposal stages. information systems Item (chip, module, assembly, or security product equipment), technique, or service that performs or relates to information systems security. initialize Setting the state of a cryptographic logic prior to key generation, encryption, or other operating mode. integrity check value Checksum that is capable of detecting malicious modification of an AIS. 39 NSTISSI No. 4009 interim approval Temporary authorization granted by a designated approving authority for an AIS to process classified information and information governed by 10 U.S.C. Section 2315 or 44 U.S.C. 3502(2) in its operational environment based on preliminary results of a security evaluation of the system. internet private line Network cryptographic unit that interface provides secure connections, singularly or in simultaneous multiple connections, between a host and a predetermined set of corresponding hosts. internet protocol Standard protocol for transmission of data from source to destinations in packet-switched communications networks and interconnected systems of such networks. 40 NSTISSI No. 4009 K key Information (usually a sequence of random or pseudorandom binary digits) used initially to set up and periodically change the operations performed in crypto-equipment for the purpose of encrypting or decrypting electronic signals, for determining electronic counter-countermeasures patterns (e.g., frequency hopping or spread spectrum), or for producing other key. NOTE: "Key" has replaced the terms "variable," "key(ing) variable," and "cryptovariable.' key-auto-key Cryptographic logic which uses previous key to produce key. key card Paper card, containing a pattern of punched holes, which establishes the key for a specific cryptonet at a specific time. key encryption key Key that encrypts or decrypts other key for transmission or storage. key list Printed series of key settings for a specific cryptonet. NOTE: Key lists may be produced in list, pad, or printed tape format. key management Process by which key is generated, stored, protected, transferred, loaded, used, and destroyed. key production key Key that is used to initialize a keystream generator for the production of other electronically generated key. 41 NSTISSI No. 4009 key stream Sequence of symbols (or their electrical or mechanical equivalents) produced in a machine or auto-manual cryptosystem to combine with plain text to produce cipher text, control transmission security processes, or produce key. key tag Identification information associated with certain types of electronic key. key tape Punched or magnetic tape containing key. NOTE: Printed key in tape form is referred to as a key list. key updating Irreversible cryptographic process for modifying key automatically or manually. keying material Key, code, or authentication information in physical or magnetic form. 42 NSTISSI No. 4009 L least privilege Principle that requires that each subject be granted the most restrictive set of privileges needed for the performance of authorized tasks. NOTE: Application of this principle limits the damage that can result from accident, error, or unauthorized use of an AIS. limited access Synonymous with access control. limited maintenance COMSEC maintenance restricted to fault isolation, removal, and replacement of plug-in assemblies. NOTE: Soldering or unsoldering usually is prohibited in limited maintenance. See full maintenance. line conduction Unintentional signals or noise induced or conducted on a telecommunications or automated information system signal, power, control, indicator, or other external interface line. link encryption Encryption of data in individual links of a telecommunications system. list-oriented Computer protection in which each protected object has a list of all subjects authorized to access it. (See also ticket-oriented.); lock and key Protection system that involves protection system matching a key or password with a specific access requirement. logic bomb Resident computer program that triggers an unauthorized act when particular states of an AIS are realized. 43 NSTISSI No. 4009 logical completeness Means for assessing the effectiveness measure and degree to which a set of security and access control mechanisms meets the requirements of security specifications. long title Descriptive title of a COMSEC item. low probability of Result of measures used to hide or detection disguise intentional electromagnetic transmissions. low probability of Result of measures to prevent the intercept intercept of intentional electromagnetic transmissions. 44 NSTISSI No. 4009 M machine cryptosystem Cryptosystem in which cryptographic processes are performed by crypto- equipment. magnetic remanence Magnetic representation of residual information that remains on a magnetic medium after the medium has been erased or overwritten. NOTE: Magnetic remanence refers to data remaining on magnetic storage media after removal of the power or after degaussing. maintenance hook Special instructions in software to allow easy maintenance and additional feature development. NOTE: Maintenance hooks are not clearly defined during access for design specification. Since maintenance hooks frequently allow entry into the code at unusual points or without the usual checks, they are a serious security risk if they are not removed prior to live implementation. Maintenance hooks are special types of trap doors. maintenance key Key intended only for off-the-air in-shop use. malicious logic Hardware, software, or firmware that is intentionally included in an AIS for an unauthorized purpose. NOTE: Trojan horse is a form of malicious logic. 45 NSTISSI No. 4009 mandatory access Means of restricting access to objects control based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity. (See discretionary access control.) mandatory Change to a COMSEC end item that the modification National Security Agency requires to be completed and reported by a specified date. NOTE: This type of modification should not be confused with modifications that are optional to the National Security Agency, but have been adjudged mandatory by a given department or agency. The latter modification may have an installation deadline established and controlled solely by the user's headquarters. manipulative Alteration or simulation of friendly communications telecommunications for the purpose deception of deception. NOTE: Manipulative communications deception may involve establishment of bogus communications structures, transmission of deception messages, and expansion or creation of communications schedules on existing structures to display an artificial volume of messages. See communications deception and imitative communications deception. manual cryptosystem Cryptosystem in which the cryptographic processes are performed manually without the use of crypto-equipment or auto- manual devices. manual remote Procedure by which a distant crypto- rekeying equipment is rekeyed electrically, with specific actions required by the receiving terminal operator. 46 NSTISSI No. 4009 masquerading Synonymous with spoofing. master crypto-ignition Crypto-ignition key that is able to key initialize crypto-ignition key, when interacting with its associated crypto- equipment. material symbol Communications circuit identifier used for key card resupply purposes. memory bounds Limits in the range of storage addresses for a protected region in the memory of an AIS. message authentication Data element associated with an code authenticated message which allows a receiver to verify the integrity of the message. message externals Non-textual (outside the message text) characteristics of transmitted messages. message indicator Sequence of bits transmitted over a telecommunications system for the purpose of crypto-equipment synchronization. NOTE: Some off-line cryptosystems, such as the KL-5l and one-time pad systems, employ message indicators to establish decryption starting points. mimicking Synonymous with spoof ing. mobile COMSEC facility COMSEC facility that can be readily moved from one location to another. mode of operation Description of the conditions under which an AIS operates, based on the sensitivity of data processed and the clearance levels and authorizations of the users. NOTE: Five modes of operation are authorized for an AIS processing information and for networks transmitting information. See compartmented mode, dedicated mode, multilevel mode, partitioned security mode, and system- high mode. 47 NSTISSI No. 4009 multilevel device Device that is trusted to properly maintain and separate data of different security levels. multilevel mode AIS security mode of operation wherein all the following statements are satisfied concerning the users who have direct or indirect access to the system, its peripherals, remote terminals, or remote hosts: a. Some users do not have a valid security clearance for all the information processed in the AIS. b. All users have the proper security clearance and appropriate formal access approval for that information to which they have access. c. All users have a valid need-to-know only for information to which they have access. multilevel security Concept of processing information with different classifications and categories that simultaneously permits access by users with different security clearances, but prevents users from obtaining access to information for which they lack authorization. mutual suspicion Condition in which two entities need to rely upon each other to perform a service, yet neither entity trusts the other to properly protect shared data. 48 NSTISSI No. 4009 N national security Information that has been determined, information pursuant to Executive Order 12356 or any predecessor order, to require protection against unauthorized disclosure, and that is so designated. national security Telecommunications and automated infor- systems mation systems operated by the U.S. Government, its contractors, or its agents, that contain classified information or, as set forth in 10 U.S.C. Section 2315, that involves intelligence activities, involves cryptologic activities related to national security, involves command and control of military forces, involves equipment that is an integral part of a weapon or weapon system, or involves equipment that is critical to the direct fulfillment of military or intelligence missions. need-to-know Access to, or knowledge or possession of, specific information required to carry out official duties. net control station Terminal in a secure telecommunications net responsible for distributing key in electronic form to the members of the net. network front end Device that implements the needed security-related protocols to allow a computer system to be attached to a network. network reference Access control concept that refers to monitor an abstract machine that mediates all access to objects within a network by subjects within the network. See reference monitor. 49 NSTISSI No. 4009 network security Protection of networks and their services from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side-effects. NOTE: Network security includes providing for data integrity. network security Individual formally appointed by a officer designated approving authority to ensure that the provisions of all applicable directives are implemented throughout the life cycle of an automated information system network. See information system security officer. network system System that is implemented with a collection of interconnected network components. NOTE: A network system is based on a coherent security architecture and design. network trusted Totality of protection mechanisms computing base within a network system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy. See trusted computing base. no-lone zone Area, room, or space which, when manned, must be occupied by two or more appropriately cleared individuals who remain within sight of each other. (See two person integrity.) noncooperative Synonymous with automatic remote remote rekeying rekeying. 50 NSTISSI No. 4009 non-repudiation Method by which the sender of data is provided with proof of delivery and the recipient is assured of the sender's identity, so that neither can later deny having processed the data. non-secret encryption Synonymous with public key cryptography. null Dummy letter, letter symbol, or code group inserted in an encrypted message to delay or prevent its decryption or to complete encrypted groups for transmis- sion or transmission security purposes. 51 NSTISSI No. 4009 O object Passive entity that contains or receives information. NOTE: Access to an object implies access to the information it contains. Examples of objects are: records, blocks, pages, segments, files, directories, directory trees and programs, as well as bits, bytes, words, fields, processors, video displays, keyboards, clocks, printers, and network nodes. object reuse Reassignment of a storage medium (e.g., page frame, disk sector, magnetic tape) that contained one or more objects, after ensuring that no residual data remained on the storage medium. off-line cryptosystem Cryptosystem in which encryption and decryption are performed independently of the transmission and reception functions. one-part code Code in which plain text elements and their accompanying code groups are arranged in alphabetical, numerical, or other systematic order, so that one listing serves for both encoding and decoding. NOTE: One-part codes are normally small codes that are used to pass small volumes of low-sensitivity information. one-time Cryptosystem employing key which is cryptosystem used only once. one-time pad Manual one-time cryptosystem produced in pad form. one-time tape Punched paper tape used to provide key streams on a one-time basis in certain machine cryptosystems. 52 NSTISSI No. 4009 on-line cryptosystem Cryptosystem in which encryption and decryption are performed in association with the transmitting and receiving functions. open security Environment that does not provide environment sufficient assurance that applications and equipment are protected against the introduction of malicious logic prior to or during the operation of a system. open storage Storage of classified information within an accredited facility, but not in General Services Adminstration approved secure containers, while the facility is unoccupied by authorized personnel. operational data Protection of data from either security accidental or unauthorized intentional modification, destruction, or disclosure during input, processing, or output operations. operational key Key intended for use on-the-air for protection of operational information or for the production or secure electrical transmission of key streams. operational waiver Authority for continued use of unmodified COMSEC end-items, pending the completion of a mandatory modification. operations code Code composed largely of words and phrases which are suitable for general communications use. operations security Process denying to potential adversaries information about capabilities and/or intentions by identifying, controlling and protecting generally unclassified evidence of the planning and execution of sensitive activities. 53 NSTISSI No. 4009 optional modification National Security Agency approved modification that is not required for universal implementation by all holders of a COMSEC end-item. NOTE: This class of modification requires all of the engineering/ doctrinal control of mandatory modification, but is usually not related to security, safety, TEMPEST, or reliability. Orange Book Synonymous with DoD Trusted Computer System Evaluation Criteria. organizational Limited maintenance performed by a maintenance user organization. overt channel Communications path within a computer system or network that is designed for the authorized transfer of data. (See covert channel.) over-the-air key Providing electronic key via distribution over-the-air rekeying, over-the-air key transfer, or cooperative key generation. over-the-air key transfer Electronically distributing key without changing traffic encryption key used on the secured communications path over which the transfer is accomplished. over-the-air rekeying Changing traffic encryption key or transmission security key in remote crypto-equipment by sending new key directly to the remote crypto-equipment over the communications path it secures. overwrite procedure Process which removes or destroys data recorded on an AIS storage medium by writing patterns of data over, or on top of, the data stored on the medium. 54 NSTISSI No. 4009 P parity Set of bits used to determine whether a block of data (key or data stored in computers) has been intentionally or unintentionally altered. partitioned security mode AIS security mode of operation wherein all personnel have the clearance, but not necessarily formal access approval and need-to-know, for all information handled by an AIS. NOTE: This security mode encompasses the compartmented mode and applies to non- intelligence DoD organizations and DoD contractors. passphrase Sequence of characters, longer than the acceptable length of a password, that is transformed by a password system into a virtual password of acceptable length. password Protected/private character string used to authenticate an identity or to authorize access to data. penetration Unauthorized act of bypassing the security mechanisms of a cryptographic system or AIS. penetration testing Security testing in which evaluators attempt to circumvent the security features of an AIS based on their understanding of the system design and implementation. per-call key Unique traffic encryption key generated automatically by certain secure telecommunications systems to secure single voice or data transmissions. (See cooperative key generation.) 55 NSTISSI No. 4009 periods processing Processing of various levels of classified and unclassified information at distinctly different times. NOTE: Under periods processing, the system must be purged of all information from one processing period before transitioning to the next when there are different users with differing authorizations. permuter Device used in a crypto-equipment to change the order in which the contents of a shift register are used in various nonlinear combining circuits. plain text Unencrypted information. positive control Generic term referring to a sealed material authenticator system, permissive action link, coded switch system, positive enable system, or nuclear command and control documents, material or devices. preproduction model Version of a crypto-equipment that employs standard parts and is in final mechanical and electrical form suitable for complete evaluation of form, design, and performance. NOTE: Preproduction models are often referred to as E-model equipment. print suppression Eliminating the display of characters in order to preserve their secrecy. NOTE: An example of print suppression is not displaying the characters of a password as it is keyed at she input terminal. privacy system Commercial encryption system that affords telecommunications limited protection to deter a casual listener, but cannot withstand a technically competent cryptanalytic attack. 56 NSTISSI No. 4009 production model Crypto-equipment in its final mechanical and electrical form of production design made by use of production tools, jigs, fixtures, and methods using standard parts. profile Detailed security description of the physical structure, equipment component, location, relationships, and general operating environment of an AIS. proprietary information Material and information relating to or associated with a company's products, business or activities, including but not limited to: financial information; data or statements; trade secrets; product research and development; existing and future product designs and performance specifications; marketing plans or techniques; schematics; client lists; computer programs; processes; and know- how that have been clearly identified and properly marked as proprietary information, trade secrets or company confidential information. NOTE: Trade secrets constitute the whole or any portion or phase of any technical information, design process, procedure, formula or improvement that is not generally available to the public, that a company considers company confidential and that could give or gives an advantage over competitors who do not know or use the trade secret. protected Telecommunications deriving their communications protection through use of type 2 products or data encryption standard equipment. (See secure communications.) protected distribution Wireline or fiber-optic telecommuni- system cations system that includes terminals and adequate acoustic, electrical, electromagnetic, and physical safeguards to permit its use for the unencrypted transmission of classified information. 57 NSTISSI No. 4009 protection equipment Type 2 product or data encryption standard equipment that the National Security Agency has endorsed to meet applicable standards for the protection of telecommunications or automated information systems containing national security information. protection philosophy Informal description of the overall design of an AIS that delineates each of the protection mechanisms employed. NOTE: Combination, appropriate to the evaluation class, of formal and informal techniques used to show the mechanisms are adequate to enforce the security policy. protection ring One of a hierarchy of privileged modes of an AIS that gives certain access rights to user programs and processes authorized to operate in a given mode. protective packaging Packaging techniques for COMSEC material which discourage penetration, reveal that a penetration has occurred or was attempted, or inhibit viewing or copying of keying material prior to the time it is exposed for use. protective technologies Special tamper-evident features and materials employed for the purpose of detecting tampering and deterring attempts to compromise, modify, penetrate, extract, or substitute information processing equipment and keying material. 58 NSTISSI No. 4009 protective Any penetration of information system technology/package security protective technology or incident packaging, such as a crack, cut, or tear. protocol Set of rules and formats, semantic and syntactic, that permits entities to exchange information. public cryptography Body of cryptographic and related knowledge, study, techniques, and applications that is, or intended to be, in the public domain. public key Type of cryptography in which the cryptography encryption process is publicly available and unprotected, but in which a part of the decryption key is protected so that only a party with knowledge of both parts of the decryption process can decrypt the cipher text. NOTE: Commonly called non-secret encryption in professional cryptologic circles. FIREFLY is an application of public key cryptography. purge Removal of data from an AIS, its storage devices, or other peripheral devices with storage capacity in such a way that the data may not be reconstructed. NOTE: An AIS must be disconnected from any external network before a purge. See clearing. 59 NSTISSI No. 4009 Q QUADRANT Short name referring to technology which provides tamper-resistant protection to crypto-equipment. R randomizer Analog or digital source of unpredictable, unbiased, and usually independent bits. NOTE: Randomizers can be used for several different functions, including key generation or to provide a starting state for a key generator. read Fundamental operation in an AIS that results only in the flow of information from an object to a subject. (See access type.) read access Permission to read information in an AIS. real-time reaction Immediate response to a penetration attempt that is detected and diagnosed in time to prevent access. recovery procedures Actions necessary to restore data files of an AIS and computational capability after a system failure. RED Designation applied to telecommuni- cations and automated information systems, plus associated areas, circuits, components, and equipment which, when classified plain text signals are being processed thereIn, require protection during electrical transmission. 60 NSTISSI No. 4009 RED/BLACK concept Separation of electrical and electronic circuits, components, equipment, and systems that handle classified plain text (RED) information, in electrical signal form, from those which handle unclassified (BLACK) information in the same form. RED key Unencrypted key. (See BLACK key.) RED signal Telecommunications or automated information systems signal that would divulge classified information if recovered and analyzed. NOTE: RED signals may be plain text, key, subkey, initial fill, control, or traffic flow related information. reference monitor Access control concept that refers to an abstract machine that mediates all accesses to objects by subjects. reference validation Portion of a trusted computing base, the mechanism normal function of which is to control access between subjects and objects, and the correct operation of which is essential to the protection of data in the system. NOTE: This is the implementation of reference monitor. release prefix Prefix appended to the short title of United States produced keying material to indicate its foreign releasability. NOTE: "A" designate material that is releasable to specific allied nations and "US" designates material intended exclusively for United States use. 61 NSTISSI No. 4009 remanence Residual information that remains on storage media after erasure. (See magnetic remanence.) remote rekeying Procedure by which a distant crypto- equipment is rekeyed electrically. (See automatic remote rekeying and manual remote rekeying.) repair action National Security Agency approved change to a COMSEC end item that does not affect the original characteristics of the end item and is prdvided for optional application by holders. NOTE: Repair actions are limited to minor electrical and/or mechanical improvements to enhance operation, maintenance, or reliability. They do not require an identification label, marking, or control, but must be fully documented by changes to the maintenance manual. reserve keying Key held to satisfy unplanned material needs. (See contingency key.) residual risk Portion of risk that remains after security measures have been applied. residue Data left in storage after automated information processing operations are complete, but before degaussing or overwriting has taken place. resource encapsulation Method by which the reference monitor mediates accesses to an AIS resource. NOTE: Resource is protected and not directly accessible by a subject. Satisfies requirement for accurate auditing of resource usage. 62 NSTISSI No. 4009 risk analysis Synonymous with risk assessment. risk assessment Process of analyzing threats to and vulnerabilities of an information system, and the potential impact that the loss of information or capabilities of a system would have on national security and using the analysis as a basis for identifying appropriate and cost-effective measures. risk index Difference between the minimum clearance or authorization of AIS users and the maximum sensitivity (e.g., classification and categories) of data processed by the system. risk management Process concerned with the identification, measurement, control, and minimization of security risks in information systems. 63 NSTISSI No. 4009 S safeguarding Statement affixed to a computer statement output or printout that states the highest classification being processed at the time the product was produced, and requires control of the product, at that level, until determination of the true classification by an authorized person. sample key Key intended for off-the-air demonstration use only. sanitize To remove or edit classified or sensitive data so that what remains is of a lower classification or sensitivity than the original data. scavenging Searching through object residue to acquire data. scratch pad store Momentary key storage in crypto- equipment. secure communications Telecommunications deriving security through use of type l products and/or protected distribution systems. secure operating system Resident software that controls hardware and other software functions in an AIS to provide a level of protection or security appropriate to the classification, sensitivity, and/or criticality of the data and resources it manages. secure state Condition in which no subject can access any object in an unauthorized manner. 64 NSTISSI No. 4009 secure subsystem Subsystem that contains its own implementation of the reference monitor concept for those resources it controls. NOTE: Secure subsystem must depend on other controls and the base operating system for the control of subjects and the more primitive system objects. security fault analysis Assessment, usually performed on information system hardware, to determine the security properties of a device when hardware fault is encountered. security filter AIS trusted subsystem that enforces security policy on the data that passes through it. security flaw Error of commission or omission in an AIS that may allow protection mechanisms to be bypassed. security inspection Examination of an AIS to determine compliance with security policy, procedures, and practices. security kernel Hardware, firmware, and software elements of a trusted computing base that implement the reference monitor concept. NOTE: Security kernel must mediate all accesses, be protected from modification, and be verifiable as correct. security label Piece of information that represents the sensitivity of a subject or object, such as its hierarchical classification (CONFIDENTIAL, SECRET, TOP SECRET) together with any applicable non- hierarchical security categories (e.g., sensitive compartmented information, critical nuclear weapon design information). (See information label and sensitivity label.) 65 NSTISSI No. 4009 security perimeter Boundary where security controls are in effect to protect AIS assets. security range Highest and lowest security levels that are permitted in or on an AIS, system component, subsystem, or network. security requirements Types and levels of protection necessary for equipment, data, information, applications and facilities to meet security policy. security requirements Description of the minimum baseline requirements necessary for an AIS to maintain an acceptable level of security. security safeguards Protective measures and controls that are prescribed to meet the security requirements specified for an AIS. NOTE: Safeguards may include security features, as well as management constraints, personnel security, and security of physical structures, areas, and devices. See accreditation. security specification Detailed description of the safeguards required to protect an AIS. security test and Examination and analysis of the evaluation safeguards required to protect an AIS, as they have been applied in an operational environment, to determine the security posture of that system. security testing Process to determine that an AIS protects data and maintains functionality as intended. NOTE: Security testing may reveal vulnerabilities beyond the scope of the AIS design. seed key Initial key used to start an updating or key generation process. 66 NSTISSI No. 4009 self-authentication Implicit authentication, to a predetermined level, of all transmissions on a secure communications system. sensitive information Information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act), but that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense or foreign policy. NOTE: Systems that are not national security systems, but contain sensitive information are to be protected in accordance with the requirements of the Computer Security Act of 1987 (P.L. 100- 235). sensitivity label Piece of information that represents elements of the security label(s) of a subject and an object. NOTE: Sensitivity labels are used by the trusted computing base as the basis for mandatory access control decisions. shielded enclosure Room or container designed to attenuate electromagnetic radiation. short title Identifying combination of letters and numbers assigned to certain COMSEC materials to facilitate handling, accounting, and control. NOTE: NAG-l6C/TSEC is an example of a short title. signals security Generic term encompassing communications security and electronic security. 67 NSTISSI No. 4009 simple security Bell-La Padula security model rule property allowing a subject read access to an object only if the security level of the subject dominates the security level of the object. single-level device AIS device that is not trusted to properly maintain and separate data to different security levels. single point keying Means of distributing key to multiple, local crypto-equipment or devices from a single fill point. software system test and Process that plans, develops, and evaluation process documents the quantitative demonstration of the fulfillment of all baseline functional performance, operational, and interface requirements. special mission Modification that applies only modification to a specific mission, purpose, operational, or environmental need. NOTE: Special mission modifications may be either optional or mandatory. speech privacy Techniques that use fixed sequence permutations or voice/speech inversion to render speech unintelligible to the casual listener. spelling table Synonymous with syllabary. split knowledge Separation of data or information into two or more parts, each part constantly kept under control of separate authorized individuals or teams, so that no one individual or team Bill know the whole data. spoofing (COMSEC) Interception, alteration, and retransmission of a cipher signal or data in such a way as to mislead the recipient. (AIS) Attempt to gain access to an AIS by posing as an authorized user. 68 NSTISSI No. 4009 spread spectrum Telecommunications techniques in which a signal is transmitted in a bandwidth considerably greater than the frequency content of the original information. NOTE: Frequency hopping, direct sequence spreading, time scrambling, and combinations of these techniques are forms of spread spectrum. star (*) property Bell-La Padula security model rule allowing a subject write access to an object only if the security level of the object dominates the security level of the subject. start-up KEK Key encryption key held in common by a group of potential communicating entities and used to establish ad hoc tactical nets. state variable Variable that represents either the state of an AIS or the state of some system resource. storage object Object that supports both read and write accesses to an AIS. subassembly Major subdivision of a cryptographic assembly which consists of a package of parts, elements, and circuits that performs a specific function. subject Active entity in an AIS, generally in the form of a person, process, or device that causes information to flow among objects or changes the system state. subject security level Sensitivity label(s) of the objects to which the subject has both read and write access. NOTE: Security level of a subject must always be dominated by the clearance level of the user with which the subject is associated. 69 NSTISSI No. 4009 superencryption Process of encrypting encrypted information. NOTE: Occurs when a message, encrypted off-line, is transmitted over a secured, on-line circuit, or when information encrypted by the originator is multiplexed onto a communications trunk, which is then bulk encrypted. supersession Scheduled or unscheduled replacement of a COMSEC aid with a different edition. supervisor state Synonymous with executive state. suppression measure Action, procedure, modification, or device that reduces the level of, or inhibits the generation of, compromising emanations in a telecommunications or automated information system. syllabary List of individual letters, combination of letters, or syllables, with their equivalent code groups, used for spelling out words or proper names not present in the vocabulary of a code. NOTE: A syllabary may also be known as a spelling table. synchronous crypto- Method of on-line crypto-operation in operation which crypto-equipment and associated terminals have timing systems to keep them in step. system development Methodologies developed through software methodologies engineering to manage the complexity of system development. NOTE: Development methodologies include software engineering aids and high-level design analysis tools. 70 NSTISSI No. 4009 system high Highest security level supported by an AIS. system high mode AIS security mode of operation wherein each user, with direct or indirect access to the AIS, its peripherals, remote terminals, or remote hosts, has all of the following: a. Valid security clearance for all information within an AIS. b. Formal access approval and signed non-disclosure agreements for all the information stored and/or processed (including all compartments, subcompartments and/or special access programs). c. Valid need-to-know for some of the information contained within the AIS. system indicator Symbol or group of symbols in an off- line encrypted message that identifies the specific cryptosystem or key used in the encryption. system integrity Quality of an AIS when it performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system. system low Lowest security level supported by an AIS. system security Measure of security provided by a system, as determined by evaluation of the totality of all system elements and COMSEC measures that support telecommunications and AIS protection. 71 NSTISSI No. 4009 system security The efforts that help achieve maximum engineering security and survivability of a system during its life cycle and interfacing with other program elements to ensure security functions are effectively integrated into the total system engineering effort. system security Determination of the risk associated evaluation with the use of a given system, considering its vulnerabilities and perceived security threat. system security A formal document that fully describes management plan the planned security tasks required to meet system security requirements. system security officer Synonymous with information system security officer. 72 NSTISSI No. 4009 T tampering Unauthorized modification that alters the proper functioning of a cryptographic or AIS security equipment or system in a manner that degrades the security or functionality it provides. tape mixer Teletypewriter security equipment that encrypts plain text and decrypts cipher text by combining them with a key stream from a one-time tape. technical attack Attack that can be perpetrated by circumventing or nullifying hardware or software protection mechanisms, rather than by subverting system personnel or other users. technical penetration Deliberate penetration of a security area by technical means to gain unauthorized interception of information-bearing energy. technical security hazard Condition that could permit the technical penetration of an area through equipment that by reason of its normal design, installation, operation, maintenance, or damaged condition, allows the unauthorized transmission of classified information. technical security Equipment, components, devices, material and associated documentation or other media that pertains to cryptography or the securing of teleqommunications and automated information systems. telecommunications Preparation, transmission, communication, or related processing of information (writing, images, sounds or other data) by electrical, electromagnetic, electromechanical, electro-optical or electronic means. 73 NSTISSI No. 4009 telecommunications and Protection afforded to telecommuni- automated information cations and automated information systems security systems, in order to prevent exploitation through interception, unauthorized electronic access, or related technical intelligence threats and to ensure authenticity. NOTE: Such protection results from the application of security measures (including cryptosecurity, transmission security, emission security, and computer security) to systems that generate, store, process, transfer, or communicate information of use to an adversary, and also includes the physical protection of technical security material and technical security information. telecommunications Synonymous with communications security. security TEMPEST Short name referring to investigation, study, and control of compromising emanations from telecommunications and automated information systems equipment. (See compromising emanations.) TEMPEST test Laboratory or on-site test to determine the nature of compromising emanations associated with a telecommunications or automated information system. TEMPEST zone Defined area within a facility where equipment with appropriate TEMPEST characteristics (TEMPEST zone assignment) may be operated without emanating electromagnetic radiation beyond the controlled space boundary of the facility. NOTE: Facility TEMPEST zones are determined by measuring electromagnetic attenuation provided by a building's properties and the free space loss to the controlled space boundary. Equipment TEMPEST zone assignments are based on the 74 NSTISSI No. 4009 terminal Means used to uniquely identify a identification terminal to an AIS. test key Key intended for on-the-air testing of COMSEC equipment or systems. threat Capabilities, intentions, and attack methods of adversaries to exploit, or any circumstance or event with the potential to cause harm to, information or an information system. threat analysis Process of studying information to identify the nature of and elements comprising a threat. threat assessment Process of formally evaluating the degree of threat to an information system and describing the nature of the threat. threat monitoring Analysis, assessment, and review of AIS audit trails and other data collected for the purpose of searching out system events that may constitute violations or attempted violations of data or system security. ticket-oriented Computer protection system in which each subject maintains a list of unforgeable bit patterns called tickets, one for each object that a subject is authorized to access. (See list-oriented.) time bomb Logic bomb for which the logic trigger is time. time compliance date Date by which a mandatory modification to a COMSEC end item must be incorporated if the item is to remain approved for operational use. time-dependent Password that is valid only at a certain password time of day or during a specified interval of time. 75 NSTISSI No. 4009 traditional COMSEC COMSEC program in which the National program Security Agency acts as the central procurement agency for the development and, in some cases, the production of COMSEC items. NOTE: This includes the Authorized Vendor Program and user partnerships. Modifications to the COMSEC end items used in products developed and/or produced under these programs must be approved by the National Security Agency. traffic analysis Study of communications characteristics external to the text. traffic encryption Key used to encrypt plain text or key to superencrypt previously encrypted text and/or to decrypt cipher text. traffic-flow security Measure used to conceal the presence of valid messages in an on-line cryptosystem or secure communications system. NOTE: Encryption of sending and receiving addresses and causing the circuit to appear busy at all times by sending dummy traffic are two methods of traffic-flow security. A more common method is to send a continuous encrypted signal, irrespective of whether traffic is being transmitted. traffic padding Generation of spurious communications or data units to disguise the amount of real data units being sent. training key Cryptographic key intended for on-the-air or off-the-air training. tranquility Property whereby the security level of an object cannot change while the object is being processed by an AIS. 76 NSTISSI No. 4009 transmission security Component of communications security that results from the application of measures designed to protect transmissions from interception and exploitation by means other than cryptanalysis. transmission security Key that is used in the control of key transmission security processes, such as frequency hopping and spread spectrum. trap door Hidden software or hardware mechanism that can be triggered to permit protection mechanisms in an AIS to be circumvented. NOTE: A trap door is usually activated in some innocent-appearing manner; e.g., a special random key sequence at a terminal. Software developers often write trap doors in their code that enable them to reenter the system to perform certain functions. Trojan horse Computer program containing an apparent or actual useful function that contains additional (hidden) functions that allows unauthorized collection, falsification or destruction of data. trusted computer AIS that employs sufficient system hardware and software assurance measures to allow simultaneous processing of a range of classified or sensitive information. 77 NSTISSI No. 4009 trusted computing Totality of protection mechanisms base within a computer system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy. NOTE: The ability of a trusted computing base to enforce correctly a unified security policy depends on the correctness of the mechanisms within the trusted computing base, the protection of those mechanisms to ensure their correctness, and the correct input of parameters related to the security policy. trusted distribution Method for distributing trusted computing base hardware, software, and firmware components, both originals and updates, that provides protection of the trusted computing base from modification during distribution, and for the detection of any changes. trusted identification An identification method used in forwarding AIS networks whereby the sending host can verify that an authorized user is attempting a connection to another host. NOTE: The sending host transmits the required user authentication information to the receiving host. The receiving host can then verify that the user is validated for access to the system. This operation may be transparent to the user. trusted path Mechanism by which a person using a terminal can communicate directly with the trusted computing base. NOTE: Trusted path can only be activated by the person or the trusted computing base and cannot be imitated by untrusted software. 78 NSTISSI No. 4009 trusted process Process that has privileges to circumvent the system security policy and has been tested and verified to operate only as intended. trusted software Software portion of a trusted computing base. TSEC nomenclature System for identifying the type and purpose of certain items of COMSEC material. NOTE: TSEC is derived from telecommunications security. two-part code Code consisting of an encoding section, in which the vocabulary items (with their associated code groups) are arranged in alphabetical or other systematic order, and a decoding section, in which the code groups (with their associated meanings) are arranged in a separate alphabetical or numeric order. two-person control Continuous surveillance and control of positive control material at all times by a minimum of two authorized individuals, each capable of detecting incorrect and unauthorized procedures with respect to the task being performed, and each familiar with established security and safety requirements. 79 NSTISSI No. 4009 two-person integrity System of storage and handling designed to prohibit individual access to certain COMSEC keying material, by requiring the presence of at least two authorized persons, each capable of detecting incorrect or unauthorized security procedures with respect to the task being performed. NOTE: Two-person integrity procedures differ from no-lone zone procedures in that, under two-person integrity controls, two authorized persons must directly participate in the handling and safeguarding of the keying material (as in accessing storage containers, transportation, keying/rekeying operations, and destruction). No-lone zone controls are less restrictive in that the two authorized persons need only to be physically present in the common area where the material is located. Two- person control refers to nuclear command and control COMSEC material while two- person integrity refers only to COMSEC keying material. type 1 product Classified or controlled cryptographic item endorsed by the National Security Agency for securing classified and sensitive U.S. Government information, when appropriately keyed. NOTE: The term refers only to products, and not to information, key, services, or controls. Type 1 products contain classified National Security Agency algorithms. They are available to U.S. Government users, their contractors, and federally sponsored non-U.S. Government activities subject to export restrictions in accordance with International Traffic in Arms Regulation. 80 NSTISSI No. 4009 type 2 product Unclassified cryptographic equipment, assembly, or component, endorsed by the National Security Agency, for use in telecommunications and automated information systems for the protection of national security information. NOTE: The term refers only to products, and not to information, key, services, or controls. Type 2 products may not be used for classified information, but contain classified National Security Agency algorithms that distinguish them from products containing the unclassified data encryption standard algorithm. Type 2 products are available to U.S. Government departments and agencies and sponsored elements of state and local governments, sponsored U.S. Government contractors, and sponsored private sector entities. Type 2 products are subject to export restrictions in accordance with the International Traffic in Arms Regulation. type 3 algorithm Cryptographic algorithm that has been registered by the National Institute of Standards and Technology and has been published as a Federal Information Processing Standard for use in protecting unclassified sensitive information or commercial information. type 4 algorithm Unclassified cryptographic algorithm that has been registered by the National Institute of Standards and Technology, but is not a Federal Information Processing Standard. 81 NSTISSI No. 4009 U unauthorized The revelation of information to disclosure individuals not authorized to receive it. unclassified Information that has not been determined, pursuant to E.O. 12356 or any predecessor order, to require protection against unauthorized disclosure and that is not designated as classified. untrusted process Process that has not been tested and verified for adherence to the security policy. NOTE: Untrusted process may include incorrect or malicious code that attempts to circumvent the security mechanisms. updating Automatic or manual cryptographic process that irreversibly modifies the state of a COMSEC key, equipment, device, or system. user Person or process accessing an AIS by direct connections (e.g., via terminals) or indirect connections. NOTE: "Indirect connection" relates to persons who prepare input data or receive output that is not reviewed for content or classification by a responsible individual. user ID Unique symbol or character string that is used by an AIS to uniquely identify a specific user. User Partnership Partnership between the National Security Program Agency and a U.S. Government department or agency to facilitate the development of secure information processing and communications equipment incorporating National Security Agency approved cryptographic security. 82 NSTISSI No. 4009 user profile Patterns of a user's activity on an AIS that can be used to detect changes in normal routines. user representative Person authorized by an organization to order COMSEC keying material and to interface with the keying system to provide information to key users, ensuring that the correct type of key is ordered. U.S.-controlled facility Base or building, access to which is physically controlled by U.S. persons who are authorized U.S. Government or U.S. Government contractor employees. U.S.-controlled space Room or floor within a facility that is not a U.S.-controlled facility, access to which is physically controlled by U.S. persons who are authorized U.S. Government or U.S. Government contractor employees. NOTE: Keys or combinations to locks controlling entrance to U.S.-controlled spaces must be under the exclusive control of U.S. persons who are U.S. Government or U.S. Government contractor employees. U.S. person United States citizen or resident alien. 83 NSTISSI No. 4009 V validation Process of applying specialized security test and evaluation procedures, tools, and equipment needed to establish acceptance for joint usage of an AIS by one or more departments or agencies and their contractors. NOTE: This action will include, as necessary, final development, evaluation, and testing, preparatory to acceptance by senior security test and evaluation staff specialists. variant One of two or more code symbols which have the same plain text equivalent. verification The process of comparing two levels of an AIS specification for proper correspondence (e.g., security policy model with top-level specification, top-level specification with source code, or source code with object code). NOTE: This process may or may not be automated. verified design Computer protection class in which formal security verification methods are used to assure that the AIS mandatory and discretionary security controls can effectively protect classified and sensitive information stored in, or processed by; the system. NOTE: Class A1 system is verified design. virtual password AIS password computed from a passphrase that meets the requirements of password storage (e.g., 64 bits). 84 NSTISSI No. 4009 virus Self replicating, malicious program segment that attaches itself to an application program or other executable system component and leaves no external signs of its presence. vulnerability Weakness in an information system, or cryptographic system, or components (e.g., system security procedures, hardware design, internal controls) that could be exploited. vulnerability analysis Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation. 85 NSTISSI No. 4009 W work factor Estimate of the effort or time needed by a potential perpetrator, with specified expertise and resources, to overcome a protective measure. NOTE: In cryptography, a work factor is the number of computer binary operations needed to guarantee that a particular key will not be recovered through cryptanalysis. worm Independent program that replicates from machine to machine across network connections often clogging networks and computer systems as it spreads. write Fundamental operation in an AIS that results only in the flow of information from a subject to an object. (See access type.) write access Permission to write to an object in an AIS. Z zeroize Remove or eliminate the key from a crypto-equipment or fill device. 86 NSTISSI No. 4009 SECTION II COMMONLY USED ABBREVIATIONS AND ACRONYMS ACL access control list ADM advanced development model ADP automated data processing AE application entity AIG address indicator group AIRK area interswitch rekeying key AIS automated information system AISS automated information systems security AJ anti-jamming AK automatic remote rekeying AKDC automatic key distribution center AKD/RCU automatic key distribution/rekeying control unit AKM automated key management center ALC accounting legend code AMS l. auto-manual system 2. autonomous message switch ANDVT advanced narrowband digital voice terminal ANSI American National Standards Institute AOSS automated office support systems APC adaptive predictive coding APU auxiliary power unit 87 NSTISSI No. 4009 ARPANET Advanced Research Projects Agency Network ASCII American standard code for information interchange ASPJ advanced self-protection jammer ASU approval for service use AUTODIN Automatic Digital Network AV auxiliary vector AVP Authorized Vendor Program C3 command, control, and communications C3I command, control, communications and intelligence C4 command, control, communications and computers CA l. controlling authority 2. cryptanalysis 3. COMSEC account 4. command authority CCEP Commercial COMSEC Endorsement Program CCI controlled cryptographic item CCO circuit control officer CDS cryptographic device services CEOI communications electronics operation instruction CEPR compromising emanation performance requirement CERT computer emergency response team 88 NSTISSI No. 4009 CFD common fill device CIAC computer incident assessment capability CIK crypto-ignition key CIP crypto-ignition plug CIRK common interswitch rekeying key CK compartment key CKG cooperative key generation CLMD COMSEC local management device CMCS COMSEC material control system CNCS cryptonet control station CNK cryptonet key COMPUSEC computer security COMSEC communications security COR central office of record CPS COMSEC parent switch CPU central processing unit CRP COMSEC resources program (Budget) Crypt/Crypto cryptographic-related CSE communications security element CSS l. COMSEC subordinate switch 2. Constant Surveillance Service (Courier) 3. Continuous Signature Service (Courier) 4. coded switch system CSSO contractor special security officer 89 NSTISSI No. 4009 CSTVRP Computer Security Technical Vulnerability Reporting Program CTAK cipher text auto-key CTTA certified TEMPEST technical authority CUP COMSEC Utility Program DAA designated approving authority DAC discretionary access control DAMA demand assigned multiple access DCS l. Defense Communications System 2. Defense Courier Service DCSP design controlled spare part(s) DDN Defense Data Network DDS dual driver service (courier) DES data encryption standard DIB directory information base DoD TCSEC Department of Defense Trusted Computer System Evaluation Criteria DLED dedicated loop encryption device DMA direct memory access DPL Degausser Products List (a section in the Information Systems Security Products and Services Catalogue) DSN Defense Switched Network DSVT digital subscriber voice terminal DTLS descriptive top-level specification 90 NSTISSI No. 4009 DTD Data Transfer Device DTS Diplomatic Telecommunications Service DUA directory user agent EAM emergency action message ECCM electronic counter-countermeasures ECM electronic countermeasures ECPL Endorsed Cryptographic Products List (a section in the Information Systems Security Products and Services Catalogue) EDAC error detection and correction EDESPL Endorsed Data Encryption Standard Products List EDM engineering development model EFD electronic fill device EFTO encrypt for transmission only EGADS Electronic Generation, Accounting, and Distribution System EKMS Electronic Key Management System ELINT electronic intelligence ELSEC electronic security E Model engineering development model EMSEC emission security EPL Evaluated Products List (a section in the Information Systems Security Products and Services Catalogue) ERTZ equipment radiation TEMPEST zone ETL Endorsed Tools List 91 NSTISSI No. 4009 ETPL Endorsed TEMPEST Products List item EUCI endorsed for unclassified cryptographic information EV enforcement vector FDIU fill device interface unit FIPS Federal Information Processing Standards FOCI foreign owned, controlled or influenced FOUO for official use only FSRS functional security requirements specification FSTS Federal Secure Telephone Service FTS Federal Telecommunications System FTAM file transfer access management FTLS formal top-level specification GPS Global Positioning System GTS Global Telecommunications Service GWEN Ground Wave Emergency Network HDM Hierarchical development methodology HMS human safety mandatory modification HUS hardened unique storage HUSK hardened unique storage key IBAC identity based access control ICU interface control unit IDS intrusion detection system IEMATS Improved Emergency Message Automatic Transmission System 92 NSTISSI No. 4009 IFF identification, friend or foe IFFN identification, friend, foe, or neutral IIRK interarea interswitch rekeying key ILS integrated logistics support INFOSEC information systems security IP internet protocol IPM interpersonal messaging IPSO internet protocol security option IR information ratio IRK interswitch rekeying key IS information system ISDN Integrated Services Digital Network ISO International Standards Organization ISS information systems security ISSO information systems security officer ITAR International Traffic in Arms Regulation JTIDS Joint Tactical Information Distribution System KAK key-auto-key KEK key encryption key KMASE key management application service element KMC key management center KMID key management identification number KMODC key material ordering and distribution center 93 NSTISSI No. 4009 KMP key management protocol KMPDU key management protocol data unit KMS key management system KMSA key management system agent KMUA key management user agent KP key processor KPK key production key KVG key variable generator LAN local area network KG key generator LEAD low-cost encryption/authentication device LKG loop key generator LMD local management device LME layer management entry LMI layer management interface LOCK logical co-processing kernel LPC linear predictive coding LPD low probability of detection LPI low probability of intercept LRIP limited rate initial preproduction LSI large scale integration MAC l. mandatory access control 2. message authentication code MAN mandatory modification 94 NSTISSI No. 4009 MATSYM material symbol MCCB modification/configuration control board MDC manipulation detection code MEECN Minimum Essential Emergency Communications Network MEP management engineering plan MER minimum essential requirements MHS message handling system MI message indicator MIB management information base MIJI meaconing, intrusion, jamming and interference MINTERM miniature terminal MIPR military interdepartmental purchase request MLS multi level security MOA memorandum of agreement MOU memorandum of understanding MRK manual remote rekeying MRT miniature receiver terminal MSE mobile subscriber equipment NACAM National COMSEC Advisory Memorandum NACSEM National COMSEC Emanations Memorandum NACSI National COMSEC Instruction NACSIM National COMSEC Information Memorandum NAK negative acknowledge 95 NSTISSI No. 4009 NATO North Atlantic Treaty Organization NCCD nuclear command and control document NCS l. National Communications System 2. National Cryptologic School 3. net control station NCSC National Computer Security Center NETS Nationwide Emergency Telecommunications Service NISAC National Industrial Security Advisory Committee NIST National Institute of Standards and Technology NLZ no-lone zone NSAD network security architecture and design NSD National Security Directive NSDD National Security Decision Directive NSEP National Security Emergency Preparedness NSO network security officer NSTAC National Security Telecommunications Advisory Committee NSTISSAM National Security Telecommunications and Information Systems Security Advisory/Information Memorandum NSTISSC National Security Telecommunications and Information Systems Security Committee NSTISSD National Security Telecommunications and Information Systems Security Directive NSTISSI National Security Telecommunications and Information Systems Security Instruction 96 NSTISSI No. 4009 NSTISSP National Security Telecommunications and Information Systems Security Policy NTCB network trusted computing base NTIA National Telecommunications and Information Administration NTISSAM National Telecommunications and Information Systems Security Advisory/Information Memorandum NTISSD National Telecommunications and Information Systems Security Directive NTISSI National Telecommunications and Information Systems Security Instruction NTISSP National Telecommunications and Information Systems Security Policy OADR originating agency's determination required OPCODE operations code OPSEC operations security OPT optional modification OTAD over-the-air key distribution OTAR over-the-air rekeying OTAT over-the-air key transfer OTP one-time pad OTT one-time tape PAA peer access approval PAE peer access enforcement PAL permissive action link 97 NSTISSI No. 4009 PC personal computer PCZ protected communications zone PDR preliminary design review PDS protected distribution system PDU protocol data unit PES positive enable system PKA public key algorithm PKC public key cryptography PKSD programmable key storage device P model preproduction model PLSDU physical layer service data unit PNEK post-nuclear event key PPL Preferred Products List (a section in the Information Systems Security Products and Services Catalogue.) PRBAC partition rule base access control PROM programmable read-only memory PROPIN proprietary information PSDU physical layer service data unit PSL Protected Services List PTT push-to-talk PWA printed wiring assembly PWDS protected wireline distribution system RAC repair action RACE rapid automatic cryptographic equipment RAM random access memory 98 NSTISSI No. 4009 ROM read-only memory RQT reliability qualification tests SAMS semiautomatic message switch SAO special access office SAP l. system acquisition plan 2. special access program SARK SAVILLE advanced remote keying SCI sensitive compartmented information SCIF sensitive compartmented information facility SDNRIU secure digital net radio interface unit SDNS Secure Data Network System SDR system design review SFA security fault analysis SI special intelligence SIGSEC signals security SISS Subcommittee on Information Systems Security of the NSTISSC SMM special mission mandatory modification SMO special mission optional modification SMU secure mobile unit SPK single point key(ing) SPS scratch pad store SRR security requirements review SSO special security officer 99 NSTISSI No. 4009 ST&E security test and evaluation STS Subcommittee on Telecommunications Security of the NSTISSC STU secure telephone unit TA traffic analysis TACTED tactical trunk encryption device TACTERM tactical terminal TAG TEMPEST Advisory Group TAISS telecommunications and automated information systems security TCB trusted computing base TCD time compliance data TCSEC DoD Trusted Computer System Evaluation Criteria TD transfer device TED trunk encryption device TEK traffic encryption key TEP TEMPEST Endorsement Program TFM trusted facility manual TFS traffic flow security TLS top-level specification TNI trusted network interpretation TNIEG trusted network interpretation environment guideline TPC two-person control TPI two-person integrity 100 NSTISSI No. 4009 TRANSEC transmission security TRB technical review board TRI-TAC Tri-service Tactical Communications System TSCM technical surveillance countermeasures TSEC telecommunications security TSK transmission security key UA user agent UIRK unique interswitch rekeying key UIS user interface system UPP User Partnership Program USDE undesired signal data emanations V model advanced development model VST VINSON subscriber terminal VTT VINSON trunk terminal WAN wide area network WWMCCS Worldwide Military Command and Control System XDM/x Model experimental development model exploratory development model 101 NSTISSI No. 4009 SECTION III REFERENCES A. National Security Directive 42, dated 5 July 1990. B. Executive Order 12356, National Security Information, dated 6 April 1982. C. Executive Order 12333, United States Intelligence Activities, dated 4 December 1981. D. Public Law 100-235, Computer Security Act of 1987, dated 8 January 1988. E. 10 United States Code Section 2315, The Warner Amendment, dated 1 December 1981. F. 44 United States Code Section 3502(2), Public Law 96-511, Paperwork Reduction Act of 1980, dated Il December 1980. 102
Any comments or questions regarding this specific page?
Please feel free to sign our Guest Book
Please feel free to sign our Guest Book
To be contacted for a confidential consultation |
please E-mail: email@example.com
or send a letter via US Mail to: