DoDI 8510.1 Definitions Flashcards Preview

RMF > DoDI 8510.1 Definitions > Flashcards

Flashcards in DoDI 8510.1 Definitions Deck (41):


Software program that performs a specific function directly for a user and can be executed without access to system control, monitoring, or administrative privileges.



Access privileges granted to a user, program, or process or the act of granting those privileges


authorization boundary

All components of an information system to be authorized for operation by an authorizing official and excludes separately authorized systems, to which the information system is connected.


Authorizing Official (AO)

Senior (federal) official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.



An organizational official acting on behalf of an AO in carrying out and coordinating the required activities associated with security authorization


Authorization (to Operate) (ATO)

The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.


control correlation identifier (CCI)

Decomposition of an NIST control into single, actionable, measurable statement.


common controls

Controls inherited by organizational information systems


cross domain solution (CDS)

A form of controlled interface that provides the ability to manually and/or automatically access and/or transfer information between different security domains.



Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.



DoD-owned IT and DoD-controlled IT. DoD IT includes IS, PIT, IT services, and IT products.



Collection of information systems connected by one or more internal networks under the control of a single authority and security policy. The systems may be structured by physical proximity or by function, independent of location.



The physical components of an information system.


Interim Approval To Test (IATT)

Temporary authorization to test an information system in a specified operational information environment within the timeframe and under the conditions or constraints enumerated in the written authorization.


IT product

Individual IT hardware or software items. Products can be commercial or government provided and include, but are not limited to, operating systems, office productivity software, firewalls, and routers.


IT Service

A capability provided to one or more DoD entities by an internal or external provider based on the use of information technology and that supports a DoD mission or business process. An IT Service consists of a combination of people, processes, and technology.


Information System (IS)

A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.


Information Systems Security Manager (ISSM)

Individual responsible for the information assurance of a program, organization, system, or enclave.


Information Systems Security Officer (ISSO)

Individual assigned responsibility for maintaining the appropriate operational security posture for an information system or program.


Mission Area (ma)

A defined area of responsibility with functions and processes that contribute to mission accomplishment.


Milestone B

a decision to award the contract(s) for development


mission partners

Those with whom DoD cooperates to achieve national goals, such as other departments and agencies of the U.S. Government, State and local governments, allies, coalition members, host nations and other nations, multinational organizations, non-governmental organizations, and the private sector.



Information system(s) implemented with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices.


penetration testing

A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of an information system.


Platform IT (PIT)

IT, both hardware and software, that is physically part of, dedicated to, or essential in real time to the mission performance of special purpose systems.


PIT system

A collection of PIT within an identified boundary under the control of a single authority and security policy. The systems may be structured by physical proximity or by function, independent of location.


(PM = program manager)
(SM = system manager)

The individual with responsibility for and authority to accomplish program or system objectives for development, production, and sustainment to meet the user’s operational needs.


Plan of Action and Milestones (POA&M)

A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.



Mutual agreement among participating enterprises to accept each other’s security assessments in order to reuse information system resources and/or to accept each other’s assessed security posture in order to share information.



A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of 1) the adverse impacts that would arise if the circumstance or event occurs; and 2) the likelihood of occurrence.


risk assessment

The process of identifying, prioritizing, and estimating risks. This includes determining the extent to which adverse circumstances or events could impact an enterprise. Uses the results of threat and vulnerability assessments to identify risk to organizational operations and evaluates those risks in terms of likelihood of occurrence and impacts if they occur. The product of a risk assessment is a list of estimated, potential impacts and unmitigated vulnerabilities. Risk assessment is part of risk management and is conducted throughout the Risk Management Framework (RMF).


risk executive function

An individual or group within an organization that helps to ensure that 1) security risk-related considerations for individual information systems, to include the authorization decisions for those systems, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its missions and business functions; and 2) managing risk from individual information systems is consistent across the organization, reflects organizational risk tolerance, and is considered along with other organizational risks affecting mission/business success.


risk management

The process of managing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system, and includes: 1) the conduct of a risk assessment; 2) the implementation of a risk mitigation strategy; 3) employment of techniques and procedures for the continuous monitoring of the security state of the information system; and 4) documenting the overall risk management program.


risk mitigation

Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.


Risk Management Framework (RMF)

A structured approach used to oversee and manage risk for an enterprise.


security assessment report (SAR)

Provides a disciplined and structured approach for documenting the findings of the assessor and the recommendations for correcting any identified vulnerabilities in the security controls.


security control assessor (SCA)

security control assessors possess the required skills and technical expertise to successfully carry out assessments of system-specific, hybrid, and common controls. This includes knowledge of and experience with the specific hardware, software, and firmware components employed by the organization.


security control inheritance

A situation in which an information system or application receives protection from security controls (or portions of security controls) that are developed, implemented, and assessed, authorized, and monitored by entities other than those responsible for the system or application; entities either internal or external to the organization where the system or application resides. See Common Control.


sensitive compartmented information (SCI)

Sensitive compartmented information (SCI) is a type of United States classified information concerning or derived from sensitive intelligence sources, methods, or analytical processes. All SCI must be handled within formal access control systems established by the Director of National Intelligence.



A condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the enterprise’s risk management approach.


security assessment plan

Provides the objectives for the security control assessment and a detailed roadmap of how to conduct such an assessment.