Glossary of Key Information Security Terms (NIST) part 51 / R

A plan to perform the remediation of one or more threats or vulnerabilities facing an organization’s systems. The plan typically includes options to remove threats and vulnerabilities and priorities for performing the remediation.

Access to an organizational information system by a user (or an information system acting on behalf of a user) communicating through an external network (e.g., the Internet). Access by users (or information systems) communicating external to an information system security perimeter. The ability for an organization’s users to access its nonpublic computing resources from external locations other than the organization’s facilities. Access to an organization's nonpublic information system by an authorized user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet).

Maintenance activities conducted by authorized individuals communicating through an external network (e.g., the Internet).

Maintenance activities conducted by individuals communicating external to an information system security perimeter. Maintenance activities conducted by individuals communicating through an external network (e.g., the Internet).

Procedure by which a distant crypto-equipment is rekeyed electrically. See Automatic Remote Rekeying and Manual Remote Rekeying.

Portable electronic storage media such as magnetic, optical, and solid-state devices, which can be inserted into and removed from a computing device, and that is used to store text, video, audio, and image information. Such devices have no independent processing capabilities. Examples include hard disks, floppy disks, zip drives, compact disks (CDs), thumb drives, pen drives, and similar USB storage devices.

The act or process of extending the validity of the data binding asserted by a public key certificate by issuing a new certificate.

NSA-approved change to a COMSEC end-item that does not affect the original characteristics of the end-item and is provided for optional application by holders. Repair actions are limited to minor electrical and/or mechanical improvements to enhance operation, maintenance, or reliability. They do not require an identification label, marking, or control but must be fully documented by changes to the maintenance manual.

An attack that involves the capture of transmitted authentication or access control information and its subsequent retransmission with the intent of producing an unauthorized effect or gaining unauthorized access.

A database containing information and data relating to certificates as specified in a CP; may also be referred to as a directory.

Key held to satisfy unplanned needs. See Contingency Key.

The remaining potential risk after all IT security measures are applied. There is a residual risk associated with each threat. Portion of risk remaining after security measures have been applied.

Data left in storage after information-processing operations are complete, but before degaussing or overwriting has taken place.

The ability to quickly adapt and recover from any known or unknown changes to the environment through holistic implementation of risk management, contingency, and continuity planning. The ability to continue to: (i) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (ii) recover to an effective operational posture in a time frame consistent with mission needs.

Method by which the reference monitor mediates accesses to an information system resource. Resource is protected and not directly accessible by a subject. Satisfies requirement for accurate auditing of resource usage.

The entity that responds to the initiator of the authentication exchange.

A trustworthy person designated by a sponsoring organization to authenticate individual applicants seeking certificates on the basis of their affiliation with the sponsor.

An information distribution approach whereby relevant essential information is made readily available and discoverable to the broadest possible pool of potential users.

All data concerning (i) design, manufacture, or utilization of atomic weapons; (ii) the production of special nuclear material; or (iii) the use of special nuclear material in the production of energy, but shall not include data declassified or removed from the Restricted Data category pursuant to Section 142 [of the Atomic Energy Act of 1954].

To prematurely end the operational period of a certificate effective at a specific date and time.