NIH | National Cancer Institute | NCI Wiki  

Glossary and Acronym List

Annual Assessment (AA)

After an initial SA&A package is completed, an annual assessment is conducted to review specific security controls identified by the agency each year, and to review outstanding plan of action and milestone (POA&M) weaknesses that remain from prior assessments and from any ongoing testing that has been conducted during the previous reporting year.

Authorization to Operate (ATO)

An ATO is a formal declaration by an authorizing official (AO), who authorizes operation of a system and explicitly accepts the risk to agency operations. The ATO is signed after a security assessor certifies that the system has met and passed all requirements to become operational.

Authorizing Official (AO) or Designated Approving Authority (DAA)

The AO/DAA is a government official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations, agency assets, individuals, other organizations and the Nation. AO/DAAs typically have budgetary oversight for an information system/application or are responsible for the mission and/or business operations supported by the system or application. The AO/DAA is typically in a management position with a level of authority commensurate with understanding and accepting such information system-related security risks. AO/DAAs coordinate their activities with the risk executive (function), chief information officer (CIO), chief information security officer (CISO), common control providers, information system owners, information system security officers (ISSO), security control assessors, and other interested parties during the security authorization process. The role of authorizing official has inherent U.S. Government authority and is assigned to government personnel only.

Cloud Service Provider (CSP)

A CSP offers customers Platform as a Service (PaaS), Infrastructure as a Service (IaaS), or Software as a Service (SaaS) via a private, public, or hybrid deployment model. See NIST SP 800-145 for more information on this definition, the service models, and the deployment models.

Common Control Provider

The common control provider is an individual, group, or organization responsible for the development, implementation, assessment, and monitoring of common controls (i.e., security controls inherited by subordinate information systems and applications). Common control providers are responsible for: (i) documenting the organization-identified common controls in a security plan (or equivalent document prescribed by the organization); (ii) ensuring that required assessments of common controls are carried out by qualified assessors with an appropriate level of independence defined by the organization; (iii) documenting assessment findings in a security assessment report; and (iv) producing a plan of action and milestones (POA&M) for all controls having weaknesses or deficiencies. Security plans, security assessment reports, and POA&Ms for common controls (or a summary of such information) are made available to information system owners inheriting those controls after the information is reviewed and approved by the senior official or executive with oversight responsibility for those controls.

Continuous Diagnostics and Mitigation (CDM)

The Department of Homeland Security (DHS) CDM program provides capabilities and tools that enable network administrators to know the state of their respective networks at any given time, including relative risks and threats, and helps system personnel to identify and mitigate flaws at near-network speed. The CDM program enables government entities to expand their continuous diagnostic capabilities by increasing their network sensor capacity, automating sensor collections, and prioritizing risk alerts.

Continuous Monitoring (CM)

CM provides oversight of the security controls in an information system on an ongoing basis and informs the Authorizing Official (AO) when changes occur that may undermine the security of a system. CM comprises three functions:

  • Configuration management and control
  • Security control monitoring
  • Reporting status and documentation

These activities are performed continuously throughout the life cycle of an information system.

E-Authentication Risk Assessment (eRA) and e-Authentication Threshold Analysis (eTA)

eRA and eTA are procedures that were codified through the e-Authentication Initiative, which developed a uniform process for establishing electronic identity in support of the President's Management Agenda (PMA) of 2002 and the E-Government Act of 2002. The e-Authentication Threshold Analysis (eTA) provides a means for easily determining whether a full e-Authentication Risk Assessment (eRA) needs to be conducted for the information system/application, by asking whether the system will be available on the Internet (i.e., outside of the government firewall), whether it is web-browser based, and whether it requires some type of user authentication. The eRA then provides a systematic process by which system or information owners can assess relative security effects across multiple threat areas to determine the appropriate authentication and identity-proofing requirements.

Enterprise-Performance Life Cycle (EPLC)

EPLC is HHS's framework for enhancing IT governance through the rigorous application of sound investment and project-management principles and industry best practices. Visit the HHS EPLC page for more information.

Federal Information System

The U.S. Office of Management and Budget (OMB) defines a federal information system as a discrete set of information resources organized for the collection, processing, maintenance, transmission, and dissemination of information, in accordance with defined procedures, whether automated or manual. If you are unsure whether your system qualifies as a federal information system, contact the NCI Information Systems Security Officer (ISSO) at nciirm@mail.nih.gov for help in making a final determination. The term federal information system may also be referred to as a federal application.

Federal Information Security Modernization Act (FISMA) of 2014

The Federal Information Security Modernization Act of 2014 (Public Law No. 113-283, 12/18/2014) amends the Federal Information Security Management Act of 2002. FISMA requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support agency operations and assets, including those provided or managed by another agency, contractor, or other source. FISMA is the law that drives all agency SA&A-related compliance activities.

Federal Risk and Authorization Management Program (FedRAMP)

FedRAMP is a government-wide program led by the General Services Administration (GSA) that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Its requirements are compliant with the Federal Information Security Management Act (FISMA) and are based on the NIST SP 800-53 security control catalog. Agencies and cloud service providers (CSPs) initiate the process, working with the FedRAMP Program Management Office.

Federal Information Processing Standard (FIPS) 199 Security Categorization

...