DoDI 8510.1 Definitions

Question 1

application

Answer 1

Software program that performs a specific function directly for a user and can be executed without access to system control, monitoring, or administrative privileges.

Question 2

authorization

Answer 2

Access privileges granted to a user, program, or process or the act of granting those privileges

Question 3

authorization boundary

Answer 3

All components of an information system to be authorized for operation by an authorizing official and excludes separately authorized systems, to which the information system is connected.

Question 4

Authorizing Official (AO)

Answer 4

Senior (federal) official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.

Question 5

AODR

Answer 5

An organizational official acting on behalf of an AO in carrying out and coordinating the required activities associated with security authorization

Question 6

Authorization (to Operate) (ATO)

Answer 6

The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.

Question 7

control correlation identifier (CCI)

Answer 7

Decomposition of an NIST control into single, actionable, measurable statement.

Question 8

common controls

Answer 8

Controls inherited by organizational information systems

Question 9

cross domain solution (CDS)

Answer 9

A form of controlled interface that provides the ability to manually and/or automatically access and/or transfer information between different security domains.

Question 10

cybersecurity

Answer 10

Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.

Question 11

DoD IT

Answer 11

DoD-owned IT and DoD-controlled IT. DoD IT includes IS, PIT, IT services, and IT products.

Question 12

enclave

Answer 12

Collection of information systems connected by one or more internal networks under the control of a single authority and security policy. The systems may be structured by physical proximity or by function, independent of location.

Question 13

hardware

Answer 13

The physical components of an information system.

Question 14

Interim Approval To Test (IATT)

Answer 14

Temporary authorization to test an information system in a specified operational information environment within the timeframe and under the conditions or constraints enumerated in the written authorization.

Question 15

IT product

Answer 15

Individual IT hardware or software items. Products can be commercial or government provided and include, but are not limited to, operating systems, office productivity software, firewalls, and routers.

Question 16

IT Service

Answer 16

A capability provided to one or more DoD entities by an internal or external provider based on the use of information technology and that supports a DoD mission or business process. An IT Service consists of a combination of people, processes, and technology.

Question 17

Information System (IS)

Answer 17

A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

Question 18

Information Systems Security Manager (ISSM)

Answer 18

Individual responsible for the information assurance of a program, organization, system, or enclave.

Question 19

Information Systems Security Officer (ISSO)

Answer 19

Individual assigned responsibility for maintaining the appropriate operational security posture for an information system or program.

Question 20

Mission Area (ma)

Answer 20

A defined area of responsibility with functions and processes that contribute to mission accomplishment.

Question 21

Milestone B

Answer 21

a decision to award the contract(s) for development

Question 22

mission partners

Answer 22

Those with whom DoD cooperates to achieve national goals, such as other departments and agencies of the U.S. Government, State and local governments, allies, coalition members, host nations and other nations, multinational organizations, non-governmental organizations, and the private sector.

Question 23

network

Answer 23

Information system(s) implemented with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices.

Question 24

penetration testing

Answer 24

A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of an information system.

Question 25

Platform IT (PIT)

Answer 25

IT, both hardware and software, that is physically part of, dedicated to, or essential in real time to the mission performance of special purpose systems.

Question 26

PIT system

Answer 26

A collection of PIT within an identified boundary under the control of a single authority and security policy. The systems may be structured by physical proximity or by function, independent of location.

Question 27

PM/SM (PM = program manager) (SM = system manager)

Answer 27

The individual with responsibility for and authority to accomplish program or system objectives for development, production, and sustainment to meet the user’s operational needs.

Question 28

Plan of Action and Milestones (POA&M)

Answer 28

(POA&M) A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.

Question 29

reciprocity

Answer 29

Mutual agreement among participating enterprises to accept each other’s security assessments in order to reuse information system resources and/or to accept each other’s assessed security posture in order to share information.

Question 30

risk

Answer 30

A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of 1) the adverse impacts that would arise if the circumstance or event occurs; and 2) the likelihood of occurrence.

Question 31

risk assessment

Answer 31

The process of identifying, prioritizing, and estimating risks. This includes determining the extent to which adverse circumstances or events could impact an enterprise. Uses the results of threat and vulnerability assessments to identify risk to organizational operations and evaluates those risks in terms of likelihood of occurrence and impacts if they occur. The product of a risk assessment is a list of estimated, potential impacts and unmitigated vulnerabilities. Risk assessment is part of risk management and is conducted throughout the Risk Management Framework (RMF).

Question 32

risk executive function

Answer 32

An individual or group within an organization that helps to ensure that 1) security risk-related considerations for individual information systems, to include the authorization decisions for those systems, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its missions and business functions; and 2) managing risk from individual information systems is consistent across the organization, reflects organizational risk tolerance, and is considered along with other organizational risks affecting mission/business success.

Question 33

risk management

Answer 33

The process of managing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system, and includes: 1) the conduct of a risk assessment; 2) the implementation of a risk mitigation strategy; 3) employment of techniques and procedures for the continuous monitoring of the security state of the information system; and 4) documenting the overall risk management program.

Question 34

risk mitigation

Answer 34

Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.

Question 35

Risk Management Framework (RMF)

Answer 35

A structured approach used to oversee and manage risk for an enterprise.

Question 36

security assessment report (SAR)

Answer 36

Provides a disciplined and structured approach for documenting the findings of the assessor and the recommendations for correcting any identified vulnerabilities in the security controls.

Question 37

security control assessor (SCA)

Answer 37

security control assessors possess the required skills and technical expertise to successfully carry out assessments of system-specific, hybrid, and common controls. This includes knowledge of and experience with the specific hardware, software, and firmware components employed by the organization.

Question 38

security control inheritance

Answer 38

A situation in which an information system or application receives protection from security controls (or portions of security controls) that are developed, implemented, and assessed, authorized, and monitored by entities other than those responsible for the system or application; entities either internal or external to the organization where the system or application resides. See Common Control.

Question 39

sensitive compartmented information (SCI)

Answer 39

Sensitive compartmented information (SCI) is a type of United States classified information concerning or derived from sensitive intelligence sources, methods, or analytical processes. All SCI must be handled within formal access control systems established by the Director of National Intelligence.

Question 40

security

Answer 40

A condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the enterprise’s risk management approach.

Question 41

security assessment plan

Answer 41

Provides the objectives for the security control assessment and a detailed roadmap of how to conduct such an assessment.