Glossary and Acronym List
Annual Assessment (AA)
After an initial SA&A package is completed, an annual assessment is conducted to review specific security controls identified by the agency each year, and to review outstanding plan of action and milestone (POA&M) weaknesses that remain from prior assessments and from any ongoing testing that has been conducted during the previous reporting year.
Authorization to Operate (ATO)
An ATO is a formal declaration by an authorizing official (AO), who authorizes operation of a system and explicitly accepts the risk to agency operations. The ATO is signed after a security assessor certifies that the system has met and passed all requirements to become operational.
Authorizing Official (AO) or Designated Approving Authority (DAA)
The AO/DAA is a government official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations, agency assets, individuals, other organizations and the Nation. AO/DAAs typically have budgetary oversight for an information system/application or are responsible for the mission and/or business operations supported by the system or application. The AO/DAA is typically in a management position with a level of authority commensurate with understanding and accepting such information system-related security risks. AO/DAAs coordinate their activities with the risk executive (function), chief information officer (CIO), chief information security officer (CISO), common control providers, information system owners, information system security officers (ISSO), security control assessors, and other interested parties during the security authorization process. The role of authorizing official has inherent U.S. Government authority and is assigned to government personnel only.
Cloud Service Provider (CSP)
A CSP offers customers Platform as a Service (PaaS), Infrastructure as a Service (IaaS), or Software as a Service (SaaS) via a private, public, or hybrid deployment model. See NIST 800-145 for more information on this definition, service models, and deployment models.
Common Control Provider
The common control provider is an individual, group, or organization responsible for the development, implementation, assessment, and monitoring of common controls (i.e., security controls inherited by subordinate information systems and applications). Common control providers are responsible for: (i) documenting the organization-identified common controls in a security plan (or equivalent document prescribed by the organization); (ii) ensuring that required assessments of common controls are carried out by qualified assessors with an appropriate level of independence defined by the organization; (iii) documenting assessment findings in a security assessment report; and (iv) producing a plan of action and milestones (POA&M) for all controls having weaknesses or deficiencies. Security plans, security assessment reports, and POA&Ms for common controls (or a summary of such information) are made available to information system owners inheriting those controls after the information is reviewed and approved by the senior official or executive with oversight responsibility for those controls.
Continuous Diagnostics and Mitigation (CDM)
The Department of Homeland Security (DHS) CDM program provides capabilities and tools that enable network administrators to know the state of their respective networks at any given time, including relative risks and threats, and helps system personnel to identify and mitigate flaws at near-network speed. The CDM program enables government entities to expand their continuous diagnostic capabilities by increasing their network sensor capacity, automating sensor collections, and prioritizing risk alerts.
Continuous Monitoring (CM)
CM provides oversight of the security controls in an information system on an ongoing basis and informs the Authorizing Official (AO) when changes occur that may undermine the security of a system. CM comprises three functions:
- Configuration management and control
- Security control monitoring
- Reporting status and documentation
These activities are performed continuously throughout the life cycle of an information system.
E-Authentication Risk Assessment (eRA) and e-Authentication Threshold Analysis (eTA)
eRA and eTA are procedures that were codified through the e-Authentication Initiative, which developed a uniform process for establishing electronic identity in support of the President's Management Agenda (PMA) of 2002 and the E-Government Act of 2002. The e-authentication Threshold Analysis (eTA) provides a means for easily determining if a full e-authentication risk assessment (eRA) needs to be conducted for the information system/application by asking if the system will be available on the Internet (e.g., outside of the government firewall), is web browser based, and if the system requires some type of user authentication. The eRA provides a systematic process by which system or information owners can then assess relative security effects across multiple threat areas to determine the appropriate authentication and identity-proofing requirements.
Enterprise-Performance Life Cycle (EPLC)
EPLC is HHS's framework for enhancing IT governance through the rigorous application of sound investment and project-management principles and industry best practices. Visit the HHS EPLC page for more information.
Federal Information System
The U.S. Office of Management and Budget (OMB) defines a federal information system as a discrete set of information resources organized for the collection, processing, maintenance, transmission, and dissemination of information, in accordance with defined procedures, whether automated or manual. If you are unsure whether your system qualifies as a federal information system, contact the NCI Information Systems Security Officer (ISSO) at firstname.lastname@example.org for help in making a final determination. The term federal information system may also be referred to as a federal application.
Federal Information Security Modernization Act (FISMA) of 2014
The Federal Information Security Modernization Act of 2014 (Public Law No: 113-283 (12/18/2014)) amends the Federal Information Security Management Act of 2002. FISMA requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information content and systems that support agency operations and assets, including those provided or managed by another agency, contractor, or other source. FISMA is the law that drives all agency SA&A-related compliance activities.
Federal Risk and Authorization Management Program (FedRAMP)
FedRAMP is a government-wide program led by the General Services Administration (GSA) that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Its requirements are compliant with the Federal Information Security Management Act (FISMA) and are based on NIST's 800-53 set of security controls. Agencies and cloud-service providers (CSPs) initiate the process, working with the FedRAMP Program Management Office.
Federal Information Processing Standard (FIPS) 199 Security Categorization
The FIPS 199 Security Categorization process addresses the first task required by the Risk Management Framework (RMF) to develop standards for categorizing information and information systems. Published by the National Institute of Standards and Technology (NIST), FIPS 199 establishes security categories for information and information systems with regard to confidentiality, integrity, and availability. The security categories are based on the potential damage to an organization that is likely to occur should certain events jeopardize the information systems' ability to function.
NIH Security Assessment Tool (NSAT)
NSAT is NIH's central repository and tracking tool for all security assessment and authorization (SA&A) information and artifacts. All NIH-operated systems and externally operated systems are required to store their information directly in NSAT to help automate information gathering and streamline reporting. Contact your Information Systems Security Officer (ISSO) for assistance entering your system/application into NSAT.
Plan of Action & Milestones (POA&M)
The POA&M is a summary of findings and weaknesses from the system's security assessment (SA) and from continuous monitoring activities. Its purpose is to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts to address security weaknesses found in federal information systems and applications.
Privacy Impact Assessment (PIA)
The PIA is an analysis of how information related to a federal information system is handled. Its principal aims are to:
- Determine the risks and consequences of collecting, maintaining, and disseminating information in electronic information systems
- Examine protections and alternative processes to prevent potential privacy risks
Risk Assessment (RA)
Risk Assessment is the process of identifying risks to an agency's mission, operations, image, reputation, or assets, as well as risks to individuals arising from the operation of the agency's information system. Risk management also incorporates threat and vulnerability analyses, and considers mitigations provided by planned or in-place security controls.
Risk Management Framework (RMF)
The National Institute of Standards and Technology (NIST) Guide for Applying the RMF to Federal Information Systems describes a structured yet flexible approach that can be used to determine the level of risk mitigation needed to protect information systems, information, and infrastructure supporting organizational mission and business processes from serious threats. The RMF is designed to help leadership understand the current status of security programs and the security controls planned or in place to protect federal information and information systems. The RMF provides a methodology that can be applied in an iterative manner to both new and legacy information systems within the context of the system-development life cycle (SDLC) and federal enterprise architecture (FEA).
SANS Top 20 Critical Security Controls
The SANS Critical Security Controls, which are also commonly referred to as the SANS Top 20, comprise best-practice guidelines for computer security formulated through industry consensus. The Controls focus first on prioritizing security functions that are effective against the latest advanced targeted threats, emphasizing security controls that employ products, processes, architectures, and services with demonstrated real-world effectiveness. They also focus on a smaller number of actionable controls with high payoff, embodying a "must do first" philosophy. Since the Controls were derived from the most common attack patterns and vetted across a broad community of government and industry organizations, they can serve as the basis for immediate high-value action.
Security Assessment and Authorization (SA&A)
SA&A is the formal process of evaluating, testing, and examining security controls that have been implemented in an information system using the National Institute of Standards and Technology security control assessment process. Authorization is the formal written permission required before a system can become operational. The authorizing official is a senior management official or executive with the authority to assume responsibility for operating an information system at an acceptable level of risk to agency operations and assets or to individuals.
Security Assessment Report (SAR)
The SAR documents the results of a security-control assessment. The assessment team reports, for each procedure performed, whether each determination statement in a procedural step was "satisfied" or "other than satisfied." In the latter case, the assessment team indicates which parts of the security control were affected by the finding, describes how the control differs from the planned or expected state, and notes any potential compromises to confidentiality, integrity, and availability due to the "other than satisfied" result.
Security Control Assessor (formerly Certifying Agent)
The security control assessor (SCA) is the individual, group, or organization responsible for conducting a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by an information system to determine the overall effectiveness of the controls (i.e., the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system). Security control assessors also provide an assessment of the severity of weaknesses or deficiencies discovered in the information system and its environment of operation and recommend corrective actions to address identified vulnerabilities.
System Security Plan (SSP)
An SSP is a formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements. SSPs should adhere to the format defined by the National Institute of Standards and Technology (NIST).
System Development Life Cycle (SDLC)
SDLC, also referred to as the application-development life-cycle and as an Enterprise-Performance Life Cycle (EPLC), is a term used in systems engineering, information systems, and software engineering to describe a process for planning, creating, testing, and deploying an information system. The system development life cycle concept applies to a wide range of hardware and software configurations.