NIH | National Cancer Institute | NCI Wiki  


Glossary and Acronym List

Federal Information Processing Standard (FIPS) 199 Security Categorization

The FIPS 199 Security Categorization process addresses the first task required by the Risk Management Framework (RMF): developing standards for categorizing information and information systems. Published by the National Institute of Standards and Technology (NIST), FIPS 199 establishes security categories for information and information systems with regard to confidentiality, integrity, and availability. The security categories are based on the potential damage to an organization that is likely to occur should certain events jeopardize the information systems' ability to function.

NIH Security Assessment Tool (NSAT)

NSAT is NIH's central repository and tracking tool for all security assessment and authorization (SA&A) information and artifacts. All NIH-operated systems and externally operated systems are required to store their information directly in NSAT to help automate information gathering and streamline reporting. Contact your Information Systems Security Officer (ISSO) for assistance entering your system/application into NSAT.

Plan of Action & Milestones (POA&M)

The POA&M is a summary of findings and weaknesses from the system's security assessment (SA) and from continuous monitoring activities. Its purpose is to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts to address security weaknesses found in federal information systems and applications.

Privacy Impact Assessment (PIA)

The PIA is an analysis of how information related to a federal information system is handled. Its principal aims are to

  • Ensure handling conforms to applicable legal, regulatory, and privacy policy requirements
  • Determine the risks and consequences of collecting, maintaining, and disseminating information in electronic information systems
  • Examine protections and alternative processes to prevent potential privacy risks

Risk Assessment (RA)

Risk Assessment is the process of identifying risks to an agency's mission, operations, image, reputation, or assets, as well as risks to individuals arising from the operation of the agency's information system. Risk management also incorporates threat and vulnerability analyses, and considers mitigations provided by planned or in-place security controls.

Risk Management Framework (RMF)

The National Institute of Standards and Technology (NIST) Guide for Applying the RMF to Federal Information Systems describes a structured, yet flexible approach that can be used to determine the level of risk mitigation needed to protect information systems, information, and infrastructure supporting organizational mission and business processes from serious threats. The RMF is designed to help leadership understand the current status of security programs and the security controls planned or in place to protect federal information and information systems. The RMF provides a methodology that can be applied in an iterative manner to both new and legacy information systems within the context of the system development life cycle (SDLC) and federal enterprise architecture (FEA).

SANS Top 20 Critical Security Controls

The SANS Critical Security Controls, also commonly referred to as the SANS Top 20, comprise best-practice guidelines for computer security formulated through industry consensus. The Controls focus first on prioritizing security functions that are effective against the latest advanced targeted threats, emphasizing security controls where products, processes, architectures, and services with demonstrated real-world effectiveness are employed. They also focus on a smaller number of actionable, high-payoff controls, embodying a "must do first" philosophy. Since the Controls were derived from the most common attack patterns and vetted across a broad community of government and industry organizations, they can serve as the basis for immediate high-value action.

Security Assessment and Authorization (SA&A)

SA&A is the formal process of evaluating, testing, and examining security controls that have been implemented in an information system using the National Institute of Standards and Technology security control assessment process. Authorization is the formal written permission required before a system can become operational. The authorizing official is a senior management official or executive with the authority to assume responsibility for operating an information system at an acceptable level of risk to agency operations and assets or to individuals.

Security Assessment Report (SAR)

The SAR documents the results of a security-control assessment. The assessment team reports, for each procedure performed, whether each determination statement in a procedural step was "satisfied" or "other than satisfied." In the latter case, the assessment team indicates which parts of the security control were affected by the finding, describes how the control differs from the planned or expected state, and notes any potential compromises to confidentiality, integrity, and availability due to the "other than satisfied" result.

Security Control Assessor (formerly Certifying Agent)

The security control assessor (SCA) is the individual, group, or organization responsible for conducting a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by an information system to determine the overall effectiveness of the controls (i.e., the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system). Security control assessors also provide an assessment of the severity of weaknesses or deficiencies discovered in the information system and its environment of operation and recommend corrective actions to address identified vulnerabilities.

System Security Plan (SSP)

An SSP is a formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements. SSPs should adhere to the format defined by the National Institute of Standards and Technology (NIST).

System Development Life Cycle (SDLC)

SDLC, also referred to as the application development life cycle and as the Enterprise Performance Life Cycle (EPLC), is a term used in systems engineering, information systems, and software engineering to describe a process for planning, creating, testing, and deploying an information system. The system development life cycle concept applies to a wide range of hardware and software configurations.
