CGRC - Domain1 & Glossary
3. Patch Management: Patch management involves ensuring that all software and systems are kept up‐to‐
date with the latest security patches and updates. This helps to prevent known vulnerabilities from being
exploited by attackers.
4. Incident Response: Incident response is the process of responding to security incidents and breaches when
they occur. This may involve implementing incident response plans and procedures, conducting regular
drills and exercises to test those plans, and ensuring that incident response teams are properly trained and
equipped to respond to security incidents.
5. Training and Awareness: Training and awareness programs are used to educate employees and other
stakeholders about the importance of information security and the specific risks and threats facing the
organization. This may involve conducting regular training sessions, distributing security awareness
materials, and promoting a culture of security throughout the organization.
6. Risk Assessment and Management: Risk assessment and management involves identifying and assessing
the risks facing the organization's information assets, and implementing appropriate controls and
safeguards to mitigate those risks. This may involve conducting regular risk assessments, developing risk
management plans, and monitoring the effectiveness of those plans over time.
» Roles and responsibilities in the authorization/approval process
RMF is a structured process used by federal agencies and other organizations to manage security and privacy risks
associated with their information systems. The authorization/approval process is a key step in the RMF, in which the
information system owner or authorizing official approves the system to operate, based on a comprehensive assessment
of the system's security and privacy risks. The following are common roles and responsibilities in the
authorization/approval process within the RMF:
1. Information System Owner: The information system owner is responsible for identifying and managing the
information system's security and privacy risks. The information system owner provides information and
documentation to support the authorization/approval process and ensures that the system meets the
organization's security requirements.
2. Authorizing Official: The authorizing official is responsible for reviewing and approving the information
system's authorization package. The authorizing official has the authority to make final decisions regarding
the system's authorization to operate and is accountable for the outcomes of those decisions.
3. Security Control Assessor: The security control assessor is responsible for assessing the effectiveness of the
security controls implemented in the information system. The security control assessor provides the results
of the security control assessment to the authorizing official to support the authorization decision.
4. Risk Executive Function: The risk executive function is responsible for overseeing and managing the
organization's risk management activities. The risk executive function provides guidance and support to the
information system owner and authorizing official throughout the authorization/approval process.
5. Information System Security Officer: The information system security officer is responsible for
implementing and maintaining the security controls in the information system. The information system
security officer provides documentation and evidence of the effectiveness of the security controls to
support the authorization decision.
1. Identify Program Management Control Requirements: The first step in selecting program management
controls is to identify the requirements of the program. This involves defining the scope of the program,
identifying the goals and objectives, and establishing the parameters for risk management.
2. Determine the Appropriate Controls: Once the program requirements have been identified, the next step is
to determine the appropriate controls to implement. This involves selecting controls that align with the
program's goals and objectives, and that are appropriate for the level of risk the program is intended to
address.
3. Develop Control Implementation Plan: After determining the appropriate controls, the next step is to
develop a control implementation plan. This plan outlines the steps required to implement the controls,
including assigning responsibilities, setting timelines, and determining the necessary resources.
4. Implement and Monitor Controls: The final step is to implement the program management controls and
monitor their effectiveness. This involves ensuring that the controls are being implemented as planned, and
that they are achieving the desired results.
» Privacy requirements
Privacy requirements are an important aspect of a risk management program, particularly in organizations that
collect, store, or process sensitive information. The following are some key steps in addressing privacy requirements
within a risk management program:
1. Identify Privacy Risks: The first step in addressing privacy requirements is to identify the potential privacy
risks associated with the organization's information systems and processes. This involves identifying the
types of personal information that are collected, stored, or processed by the organization, and determining
how that information is used and shared.
2. Define Privacy Requirements: Once the privacy risks have been identified, the next step is to define the
privacy requirements for the organization. This involves determining the privacy controls and safeguards
that are necessary to protect personal information and ensure compliance with applicable privacy laws and
regulations.
3. Implement Privacy Controls: The next step is to implement the privacy controls that have been defined. This
may involve implementing technical safeguards, such as encryption and access controls, as well as
administrative and procedural safeguards, such as policies and training programs.
4. Monitor and Maintain Privacy Controls: Once the privacy controls have been implemented, it is important
to monitor and maintain them to ensure their continued effectiveness. This may involve conducting
periodic privacy risk assessments, reviewing and updating privacy policies and procedures, and conducting
privacy training for employees.
5. Respond to Privacy Incidents: Finally, it is important to have a plan in place to respond to privacy incidents,
such as data breaches or unauthorized access to personal information. This may involve notifying affected
individuals and regulatory authorities, as well as taking steps to mitigate the harm caused by the incident.
» Determine third‐party hosted information systems
Determining third‐party hosted information systems is an important aspect of a risk management program,
particularly in organizations that use cloud services or outsource their IT operations to third‐party providers. The
following are some key steps in addressing third‐party hosted information systems within a risk management program:
1. Identify Third‐Party Hosted Information Systems: The first step in addressing third‐party hosted information
systems is to identify all systems and applications that are hosted by third‐party providers. This may involve
conducting an inventory of all IT assets and systems used by the organization, including those that are
hosted in the cloud.
2. Assess Third‐Party Providers: Once the third‐party hosted information systems have been identified, the
next step is to assess the third‐party providers that are hosting those systems. This may involve conducting
due diligence on the provider, reviewing their security and privacy policies and procedures, and assessing
their compliance with applicable laws and regulations.
3. Define Contractual Requirements: After assessing the third‐party providers, the next step is to define the
contractual requirements for the services they provide. This may involve negotiating specific provisions
related to security, privacy, and compliance with applicable laws and regulations.
4. Implement Monitoring and Oversight Mechanisms: Once the contractual requirements have been defined,
it is important to implement monitoring and oversight mechanisms to ensure that the third‐party providers
are meeting those requirements. This may involve conducting periodic audits or assessments of the
provider's security and privacy controls, as well as monitoring their performance against established service
level agreements.
5. Plan for Continuity and Recovery: Finally, it is important to plan for continuity and recovery in the event of a
disruption or termination of the third‐party hosted information systems. This may involve defining backup
and recovery procedures, as well as establishing contingency plans for transitioning to a new provider if
necessary.
Glossary
Adequate Security Security protections commensurate with the risk resulting from the unauthorized
access, use, disclosure, disruption, modification or destruction of the information. This includes
ensuring that information hosted on behalf of an agency and information systems and applications
used by the agency operate effectively and provide confidentiality, integrity and availability
protection through the application of cost‐effective security controls.
Allocation The process an organization employs to assign security or privacy requirements to an information
system or its environment of operation; or to assign controls to specific system elements responsible for
providing a security or privacy capability (e.g. router, server, remote sensor).
Assessor The individual, group or organization responsible for conducting a security or privacy
assessment.
Asset System and subsystem components that must be protected, including but not limited to: all
hardware, software, data, personnel, supporting physical environment and environmental systems,
administrative support and supplies.
Authorizing Official (AO) A senior federal official or executive with the authority to authorize (i.e.,
assume responsibility for) the operation of an information system or the use of a designated set of
common controls at an acceptable level of risk to agency operations (including mission, functions,
image or reputation), agency assets, individuals, other organizations and the nation.
Authorizing Official Designated Representative (AO DR) An organizational official acting on behalf of
an authorizing official in carrying out and coordinating the required activities associated with the
authorization process.
Authorization Package The essential information that an authorizing official uses to determine
whether to authorize the operation of an information system or the provision of a designated set of
common controls. At a minimum, the authorization package includes an executive summary, system
security plan, privacy plan, security control assessment, privacy control assessment as well as any
relevant plans of action and milestones.
Authorization to Operate (ATO) The official management decision given by one or more senior
federal officials to authorize operation of an information system and to explicitly accept the risk to
agency operations (including mission, functions, image, or reputation), agency assets, individuals,
other organizations and the nation, based on the implementation of an agreed‐upon set of security
and privacy controls. Authorization also applies to common controls inherited by agency information
systems.
Authorization to Use (ATU) The official management decision given by an authorizing official to
authorize the use of an information system, service or application based on the information in an
existing authorization package generated by another organization, and to explicitly accept the risk to
agency operations (including mission, functions, image, or reputation), agency assets, individuals,
other organizations and the nation, based on the implementation of an agreed‐upon set of controls
in the system, service or application.
Change Control Process for controlling modifications to hardware, firmware, software and
documentation to protect the information system against improper modifications before, during and
after system implementation.
Chief Information Officer (CIO) The senior official that provides advice and other assistance to the
head of the agency and other senior management personnel of the agency to ensure that IT is
acquired and information resources are managed for the agency in a manner that achieves the
agency's strategic goals and is responsible for ensuring agency compliance with, and prompt,
efficient and effective implementation of, the information policies and information resources
management responsibilities, including the reduction of information collection burdens on the
public.
Chief Information Security Officer (CISO) See Senior Agency Information Security Officer.
Clear A method of sanitization by applying logical techniques to sanitize data in all user‐addressable
storage locations for protection against simple non‐invasive data recovery techniques using the same
interface available to the user; typically applied through the standard read and write commands to
the storage device, such as by re‐writing with a new value or using a menu option to reset the device
to the factory state (where re‐writing is not supported).
Common Control (CC) A security or privacy control that is inherited by multiple information systems
or programs.
Common Control Provider (CCP) An organizational official responsible for the development,
implementation, assessment and monitoring of common controls (i.e., controls inheritable by
organizational systems).
Common Criteria Governing document that provides a comprehensive, rigorous method for
specifying security function and assurance requirements for products and systems.
Compensating Controls The security and privacy controls implemented in lieu of the controls in the
baselines described in NIST Special Publication 800‐53 that provide equivalent or comparable
protection for a system or organization.
Configuration The possible conditions, parameters and specifications with which an information
system or system component can be described or arranged.
Configuration Control Process for controlling modifications to hardware, firmware, software and
documentation to protect the information system against improper modifications before, during and
after system implementation.
Configuration Control Board A group of qualified people with responsibility for the process of
regulating and approving changes to hardware, firmware, software, and documentation throughout
the development and operational lifecycle of an information system.
Configuration Settings The set of parameters that can be changed in hardware, software or firmware
that affect the security posture and/or functionality of the system.
Control Assessor The individual, group or organization responsible for conducting a control
assessment. See assessor.
Control Baseline The set of controls that are applicable to information or an information system to
meet legal, regulatory or policy requirements, as well address protection needs for the purpose of
managing risk.
Destroy A method of sanitization that renders target data recovery infeasible using state‐of‐the‐art
laboratory techniques and results in the subsequent inability to use the media for storage of data.
Disposal A release outcome following the decision that media does not contain sensitive data. This
occurs either because the media never contained sensitive data or because sanitization techniques
were applied, and the media no longer contains sensitive data.
Enterprise An organization with a defined mission / goal and a defined boundary, using systems to
execute that mission, and with responsibility for managing its own risks and performance. An
enterprise may consist of all or some of the following business aspects: acquisition, program
management, human resources, financial management, security, as well as systems, information and
mission management. See organization.
Enterprise Architecture A strategic information asset base, which defines the mission; the
information necessary to perform the mission; the technologies necessary to perform the mission;
and the transitional processes for implementing new technologies in response to changing mission
needs; and includes a baseline architecture, a target architecture and a sequencing plan.
Hardware The material physical components of a system. See software and firmware.
High Impact Level The loss of CIA that could be expected to have a severe or catastrophic adverse
effect on organizational operations, organizational assets, individuals, other organizations or the
nation.
High‐Impact System A system in which at least one security objective (i.e., confidentiality, integrity
or availability) is assigned a FIPS publication 199 potential impact value of high.
Hybrid Control A security or privacy control that is implemented for an information system in part as
a common control and in part as a system‐specific control.
Impact With respect to security, the effect on organizational operations, organizational assets,
individuals, other organizations or the nation (including the national security interests of the United
States) of a loss of confidentiality, integrity or availability of information or a system. With respect
to privacy, the adverse effects that individuals could experience when an information system
processes their PII.
Impact Value The assessed worst‐case potential impact that could result from a compromise of the
confidentiality, integrity, or availability of information expressed as a value of low, moderate or high.
Independent Verification and Validation A comprehensive review, analysis and testing (software
and/or hardware) performed by an objective third party to confirm (i.e., verify) that the
requirements are correctly defined, and to confirm (i.e., validate) that the system correctly
implements the required functionality and security requirements.
Information Life Cycle The stages through which information passes, typically characterized as
creation or collection, processing, dissemination, use, storage and disposition, to include destruction
and deletion. "Life cycle" typically appears as two words in NIST publications, but as one word in ISO
standards.
Information Owner (IO) Official with statutory or operational authority for specified information and
responsibility for establishing the controls for its generation, collection, processing, dissemination
and disposal.
Information Security The protection of information systems from unauthorized access, use,
disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and
availability.
Information Security Architecture An embedded integral part of the enterprise architecture that
describes the structure and behavior of the enterprise security processes, security systems,
personnel and organizational subunits, showing their alignment with the enterprise's mission and
strategic plans. See security architecture.
management process and gives confidence to interested parties that risks are adequately managed.
The ISO 27001 standard defines the components of the ISMS.
Information System Owner (ISO) The organizational official responsible for the development,
implementation, assessment and monitoring of security controls in an information system.
Information Systems Security Officer (ISSO) Responsible for securing an information system,
managing all security aspects of the system and assembling the security accreditation package while
serving as the point of contact for the Security Control Assessor (SCA).
Information Security Risk The risk to organizational operations (including mission, functions, image,
reputation), organizational assets, individuals, other organizations and the nation due to the
potential for unauthorized access, use, disclosure, disruption, modification or destruction of
information and/or systems.
Information Steward An agency official with statutory or operational authority for specified
information and responsibility for establishing the controls for its generation, collection, processing,
dissemination and disposal.
Information System A discrete set of information resources organized for the collection, processing,
maintenance, use, sharing, dissemination or disposition of information.
Information Type A specific category of information (e.g., privacy, medical, proprietary, financial,
investigative, contractor‐sensitive, security management) defined by an organization or in some
instances, by a specific law, executive order, directive, policy or regulation.
Inheritance A situation in which a system or application receives protection from controls (or
portions of controls) that are developed, implemented, assessed, authorized and monitored by
entities other than those responsible for the system or application; entities either internal or external
to the organization where the system or application resides. NIST refers to this term as "Control
Inheritance." See: Common Control
Integrity Guarding against improper information modification or destruction and includes ensuring
information non‐repudiation and authenticity.
Likelihood RESEARCH
Likelihood Value COPY DEFINITION AND FORMAT TO IMPACT VALUE: The assessed worst‐case
potential impact that could result from a compromise of the confidentiality, integrity, or availability
of information expressed as a value of low, medium or high.
Low‐Impact System A system in which all three security objectives (i.e., confidentiality, integrity and
availability) are assigned a FIPS Publication 199 potential impact value of low.
Moderate‐Impact System A system in which at least one security objective (i.e., confidentiality,
integrity or availability) is assigned a FIPS publication 199 potential impact value of moderate.
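The three impact-level entries above state the FIPS 199 "high-water mark" rule in words: a system is rated at the highest potential impact value assigned to any of its three security objectives. The following is an added example, written for these notes and not part of the original study material or any NIST publication, that turns the rule into runnable code. It goes one step beyond the glossary in two ways that FIPS 199 itself specifies: it first aggregates each objective across all information types the system processes (so a system with several information types gets its category from the highest rating per objective), and it accepts the special value `n/a`, which FIPS 199 permits only for the confidentiality of public information and only at the information-type level; at the system level every objective is floored to `low`. The information types and ratings in `SAMPLE_SYSTEM` are constructed sample data, not taken from the page.

```python
# Added example: FIPS 199-style security categorization with the high-water mark.
# Not from the CGRC notes; the sample system below is constructed for illustration.
from typing import Dict, Iterable, Tuple

LEVELS = ("low", "moderate", "high")          # ordered from least to most severe
OBJECTIVES = ("confidentiality", "integrity", "availability")


def normalize_level(level: str, objective: str) -> str:
    """Validate one impact value for one security objective.

    FIPS 199 permits 'n/a' only for the confidentiality of information types
    that are public; integrity and availability must always be rated."""
    level = level.strip().lower()
    if level == "n/a":
        if objective != "confidentiality":
            raise ValueError(f"'n/a' is only permitted for confidentiality, not {objective}")
        return level
    if level not in LEVELS:
        raise ValueError(f"unknown impact value {level!r} for {objective}")
    return level


def high_water_mark(levels: Iterable[str]) -> str:
    """Return the highest impact value present; 'n/a' contributes nothing.

    If nothing applicable is present the result is 'low', because a
    system-level objective can never be rated below low."""
    best = -1
    for level in levels:
        if level == "n/a":
            continue
        best = max(best, LEVELS.index(level))
    return LEVELS[best] if best >= 0 else "low"


def categorize_information_type(ratings: Dict[str, str]) -> Dict[str, str]:
    """Produce the validated security category of a single information type."""
    return {obj: normalize_level(ratings[obj], obj) for obj in OBJECTIVES}


def categorize_system(information_types: Dict[str, Dict[str, str]]) -> Tuple[Dict[str, str], str]:
    """Aggregate per objective across all information types (high-water mark),
    then take the highest objective as the system's overall impact level.

    Returns (system security category, system impact level)."""
    if not information_types:
        raise ValueError("a system must process at least one information type")
    typed = {name: categorize_information_type(r) for name, r in information_types.items()}
    system_sc = {obj: high_water_mark(t[obj] for t in typed.values()) for obj in OBJECTIVES}
    system_level = high_water_mark(system_sc.values())
    return system_sc, system_level


def format_security_category(label: str, sc: Dict[str, str]) -> str:
    """Render a category in the FIPS 199 notation SC name = {(objective, LEVEL), ...}."""
    parts = ", ".join(f"({obj}, {sc[obj].upper()})" for obj in OBJECTIVES)
    return f"SC {label} = {{{parts}}}"


# Constructed sample: a hypothetical HR system processing three information types.
SAMPLE_SYSTEM = {
    "public job postings": {"confidentiality": "n/a", "integrity": "moderate", "availability": "low"},
    "employee contact records": {"confidentiality": "low", "integrity": "low", "availability": "low"},
    "payroll": {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
}

if __name__ == "__main__":
    sc, level = categorize_system(SAMPLE_SYSTEM)
    print(format_security_category("hypothetical HR system", sc))
    print(f"System impact level: {level}-impact system")
```

Running the block rates the sample system as a moderate-impact system: payroll drives confidentiality and integrity to moderate, availability stays low across every information type, and the `n/a` on the public postings is ignored rather than lowering the confidentiality result. The same function reproduces the three glossary entries directly: all objectives low gives a low-impact system, and a single high on any objective is enough to make the whole system high-impact.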
National Security System Any system (including any telecommunications system) used or operated
by an agency or by a contractor of an agency, or other organization on behalf of an agency ‐ (i) the
function, operation or use of which involves intelligence activities related to national security;
involves command and control of military forces; involves equipment that is an integral part of a
weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions
(excluding a system that is to be used for routine administrative and business applications, for
example: payroll, finance, logistics and personnel management applications); or (ii) is protected at all
times by procedures established for information that have been specifically authorized under criteria
established by an Executive Order or an Act of Congress to be kept classified in the interest of
national defense or foreign policy.
Organization An entity of any size, complexity, or positioning within an organizational structure (e.g.,
federal agencies, private enterprises, academic institutions, state, local, or tribal governments or, as
appropriate, any of their operational elements).
Organization Defined Control Parameter The variable part of a control or control enhancement that
can be instantiated by an organization during the tailoring process by either assigning an
organization defined value or selecting a value from a pre‐defined list provided as part of the control
or control enhancement.
Organizationally Tailored Control Baseline A control baseline tailored for a defined notional (type of)
information system using overlays and/or system‐specific control tailoring and intended for use in
selecting controls for multiple systems within one or more organizations. See Also: Tailoring
Personally Identifiable Information (PII) Information that can be used to distinguish or trace an
individual's identity, either alone or when combined with other information that is linked or linkable
to a specific individual.
Plan of Action and Milestones (POA&M) A document that identifies tasks needing to be accomplished.
It details resources required to accomplish the elements of the plan, any milestones in meeting the
tasks and scheduled completion dates for the milestones.
Potential Impact The loss of confidentiality, integrity or availability could be expected to have a
limited adverse effect (FIPS Publication 199 low); a serious adverse effect (FIPS Publication 199
Moderate); or a severe or catastrophic adverse effect (FIPS Publication 199 High) on organizational
operations, organizational assets or individuals.
Privacy Architect Individual, group or organization responsible for ensuring that the system privacy
requirements necessary to protect individuals' privacy are adequately addressed in all aspects of
enterprise architecture including reference models, segment and solution architectures, and
information systems processing PII.
Privacy Architecture An embedded, integral part of the enterprise architecture that describes the
structure and behavior for an enterprise's privacy protection processes, technical measures,
personnel and organizational sub‐units, showing their alignment with the enterprise's mission and
strategic plans.
Privacy Control The administrative, technical, and physical safeguards employed within an agency to
ensure compliance with applicable privacy requirements and manage privacy risks. Note: Controls
can be selected to achieve multiple objectives; those controls that are selected to achieve both
security and privacy objectives require a degree of collaboration between the organization's
information security program and privacy program.
Privacy Control Assessment The assessment of privacy controls to determine whether the controls
are implemented correctly, operating as intended, and sufficient to ensure compliance with
applicable privacy requirements and manage privacy risks. A privacy control assessment is both an
assessment and a formal document detailing the process and the outcome of the assessment.
Privacy Information Information that describes the privacy posture of an information system or
organization.
Privacy Plan A formal document that details the privacy controls selected for an information system
or environment of operation that are in place or planned, to meet applicable privacy requirements
and manage privacy risks, details how the controls have been implemented, and describes the
methodologies and metrics that will be used to assess the controls.
Purge A method of sanitization by applying physical or logical techniques that renders target data
recovery infeasible using state‐of‐the‐art laboratory techniques.
Risk A measure of the extent to which an entity is threatened by a potential circumstance or event
and typically is a function of: (i) the adverse impact, or magnitude of harm, that would arise if the
circumstance or event occurs; and (ii) the likelihood of occurrence.
Risk Assessment The process of identifying risks to organizational operations (including mission,
functions, image, reputation), organizational assets, individuals, other organizations and the nation,
resulting from the operation of a system.
Risk Executive (Function) An individual or group within an organization, led by the senior
accountable official for risk management, that helps to ensure that security risk considerations for
individual systems, to include the authorization decisions for those systems, are viewed from an
organization‐wide perspective with regard to the overall strategic goals and objectives of the
organization in carrying out its missions and business functions; and managing risk from individual
systems is consistent across the organization, reflects organizational risk tolerance and is considered
along with other organizational risks affecting mission/business success.
Risk Management The program and supporting processes to manage risk to agency operations
(including mission, functions, image, reputation), agency assets, individuals, other organizations and
the nation, and includes: establishing the context for risk‐related activities; assessing risk; responding
to risk once determined; and monitoring risk over time.
Risk Response Accepting, avoiding, mitigating, sharing or transferring risk to agency operations,
agency assets, individuals, other organizations or the nation.
Sanitize A process to render access to target data on the media infeasible for a given level of effort.
Clear, purge and destroy are actions that can be taken to sanitize media.
Security Architect Individual, group or organization responsible for ensuring that the information
security requirements necessary to protect the organization's core missions and business processes
are adequately addressed in all aspects of enterprise architecture including reference models,
segment and solution architectures, and the resulting information systems supporting those missions
and business processes.
Security Architecture An embedded, integral part of the enterprise architecture that describes the
structure and behavior for an enterprise's security processes, information security systems,
personnel and organizational sub‐units, showing their alignment with the enterprise's mission and
strategic plans. See information security architecture.
Security Categorization The process of determining the security category for information or a
system. Security categorization methodologies are described in CNSS Instruction 1253 for national
security systems and in FIPS Publication 199 for other than national security systems. See: security
category
Security Controls The management, operational and technical controls (i.e., safeguards or
countermeasures) prescribed for an information system to protect the confidentiality, integrity and
availability of the system and its information.
Security Control Baseline The set of minimum security controls defined for a low‐impact, moderate‐
impact or high‐impact information system. See Also: Control Baseline
Security Control Assessment The testing or evaluation of security controls to determine the extent
to which the controls are implemented correctly, operating as intended and producing the desired
outcome with respect to meeting the security requirements for an information system or
organization.
Security Impact Analysis The analysis conducted by an organizational official to determine the extent
to which a change to the information system has affected the security state of the system.
Security Plan A formal document that provides an overview of the security requirements for an
information system and describes the security controls in place or planned for meeting those
requirements.
Security Posture The security status of an enterprise's networks, information and systems based on
information security resources (e.g., people hardware, software, policies) and capabilities in place to
manage the defense of the enterprise and to react as the situation changes. Synonymous with
security status.
Security Risk Risk that arises through the loss of confidentiality, integrity, or availability of
information or systems, and that considers impacts to the organization (including assets, mission,
functions, image or reputation), individuals, other organizations and the nation. See: Risk.
Senior Accountable Official for Risk Management (SAORM) The senior official, designated by the
head of each agency, who has vision into all areas of the organization, and is responsible for
alignment of information security management processes with strategic, operational and budgetary
planning processes.
Senior Agency Information Security Officer (SAISO) Official responsible for carrying out the Chief
Information Officer responsibilities under FISMA and serving as the Chief Information Officer's
primary liaison to the agency's authorizing officials, information system owners and information
system security officers.
Senior Agency Official for Privacy (SAOP) The senior official, designated by the head of each agency,
who has agency‐wide responsibility for privacy, including implementation of privacy protections;
compliance with federal laws, regulations and policies relating to privacy; management of privacy
risks at the agency; and a central policymaking role in the agency's development and evaluation of
legislative, regulatory and other policy proposals.
Software Computer Programs and associated data that may be dynamically written or modified
during execution.
Supply Chain Linked set of resources and processes between multiple tiers of developers that begins
with the sourcing of products and services and extends through the design, development,
manufacturing, processing, handling and delivery of products and services to the acquirer.
Supply Chain Risk Risks that arise from the loss of confidentiality, integrity or availability of
information or information systems, and reflect the potential adverse impacts to organizational
operations (including mission, functions, image or reputation), organizational assets, individuals,
other organizations and the nation.
Supply Chain Risk Management The process of identifying, assessing and mitigating the risks
associated with the global and distributed nature of information and communications technology
product and service supply chains.
System Any organized assembly of resources and procedures united and regulated by interaction or
interdependence to accomplish a set of specific functions. See information system. Note: Systems
also include specialized systems such as industrial/process controls systems, telephone switching and
private branch exchange (PBX) systems, and environmental control systems. Combination of
interacting elements organized to achieve one or more stated purposes. Note 1: There are many
types of systems. Examples include: general and special‐purpose information systems; command,
control and communication systems; crypto modules; central processing unit and graphics processor
boards; industrial/process control systems; flight control systems; weapons, targeting and fire
control systems; medical devices and treatment systems; financial, banking and merchandising
transaction systems; and social networking systems. Note 2: The interacting elements in the
definition of system include hardware, software, data, humans, processes, facilities, materials and
naturally occurring physical entities. Note 3: System of systems is included in the definition of
system.
System Component A discrete identifiable information technology asset that represents a building
block of a system and may include hardware, software and firmware.
System Development Life Cycle (SDLC) The scope of activities associated with a system,
encompassing the system's initiation, development and acquisition, implementation, operation and
maintenance and ultimately its disposal that instigates another system initiation.
System Element Member of a set of elements that constitute a system. Note 1: A system element
can be a discrete component, product, service, subsystem, system, infrastructure or enterprise. Note
2: Each element of the system is implemented to fulfill specified requirements. Note 3: The recursive
nature of the term allows the term system to apply equally when referring to a discrete component
or to a large, complex, geographically distributed system‐of‐systems. Note 4: System elements are
implemented by: hardware, software and firmware that perform operations on data/information;
physical structures, devices and components in the environment of operation; and the people,
processes and procedures for operating, sustaining and supporting the system elements. Note 5:
System elements and information resources (as defined at 44 U.S.C. Sec. 3502 and in this document)
are interchangeable terms as used in this document.
System Privacy Officer Individual with assigned responsibility for maintaining the appropriate
operational privacy posture for a system or program.
System Security Officer Individual with assigned responsibility for maintaining the appropriate
operational security posture for an information system or program.
System Security Plan Principally used to verify that Information Systems (ISs) are meeting their stated
security goals and objectives.
System‐Specific Control A security or privacy control for an information system that is implemented
at the system level and is not inherited by any other information system.
System User Individual, or (system) process acting on behalf of an individual, authorized to access a
system.
System Privacy Engineer Individual assigned responsibility for conducting systems privacy
engineering activities.
Systems Security Engineer Individual assigned responsibility for conducting systems security
engineering activities.
Systems Security or Privacy Engineer See Systems Security Engineer and Systems Privacy Engineer.
Tailored Control Baseline A set of controls resulting from the application of tailoring guidance to a
control baseline. See: Tailoring
Tailoring The process by which security control baselines are modified by identifying and designating
common controls, applying scoping considerations, selecting compensating controls, assigning
specific values to agency‐defined control parameters, supplementing baselines with additional
controls or control enhancements and providing additional specification information for control
implementation. The tailoring process may also be applied to privacy controls.
Threat Any circumstance or event with the potential to adversely impact organizational operations,
organizational assets, individuals, other organizations or the nation through a system via
unauthorized access, destruction, disclosure, modification of information and/or denial of service.
Threat Source The intent and method targeted at the intentional exploitation of a vulnerability or a
situation and method that may accidentally trigger a vulnerability.