
An official website of the United States government, Department of Justice.

Commonly Used Terms

Justice Information Sharing

Disclaimer: Glossary definitions use the exact language of various federal statutes, regulations, policy guidance, and other sources. (The source for each definition is noted. Definitions may change or be amended. The Glossary was last updated on 10/9/08.)


A

Access: “means the ability or opportunity to gain knowledge of classified information.” Executive Order 13292, Classified National Security Information, Section 6.1(a).

Access Restriction: “An identified restriction that controls how access can be provided to documentary material and information about the documentary material, and how the material can be stored. Restrictions may apply to all or part of the documentary material, and may be based on national security considerations, donor restrictions, court orders, Freedom of Information Act (FOIA) exemptions, or other statutory or regulatory provisions.” National Archives and Records Administration, Electronic Records Glossary.

Access Review: “The process of reviewing documentary material to determine what material or parts of material must be withheld from a requestor because of access restrictions, and the process of implementing those decisions to release, redact, withdraw, or withhold materials. This includes systematic review, mandatory review, FOIA review, special access review, and review of records of concern.” National Archives and Records Administration, Electronic Records Glossary.

Accession: “As a verb, the processes supporting the transfer of legal custody of documentary material to NARA from the creator (or the creator’s legal representative, successor, or heir), including the generation, execution, and processing of deeds of gift, the standard forms, or other appropriate legal documents. As a noun, the body of documentary material for which legal custody is transferred by one act of accessioning.” National Archives and Records Administration, Electronic Records Glossary.

Accreditation: “The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.” NIST FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.

Accreditation Boundary: “All components of an information system to be accredited by an authorizing official and excludes separately accredited systems, to which the information system is connected. Synonymous with the term security perimeter defined in CNSS Instruction 4009 and DCID 6/3.” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems.

Adequate Security: “Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. [OMB Circular A-130, Appendix III]” NIST FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.

Affiliate: “means a foreign bank that is controlled by or is under common control with a depository institution, credit union, or foreign bank; and (B) the term ‘physical presence’ means a place of business that-- (i) is maintained by a foreign bank; (ii) is located at a fixed address (other than solely an electronic address) in a country in which the foreign bank is authorized to conduct banking activities, at which location the foreign bank-- (I) employs 1 or more individuals on a full-time basis; and (II) maintains operating records related to its banking activities; and (iii) is subject to inspection by the banking authority which licensed the foreign bank to conduct banking activities.” USA PATRIOT Act, Public Law 107-56, Section

Agency: “Any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency.” Freedom of Information Act, 5 U.S.C. Section 552; “[A]ny executive department, military department, government corporation, government controlled corporation, or other establishment in the executive branch of the Federal government, or any independent regulatory agency. Within the Executive Office of the President, the term includes only OMB and the Office of Administration.” OMB Circular A-130, Management of Federal Information Resources;

“Any executive department, military department, government corporation, government controlled corporation, or other establishment in the executive branch of the government (including the Executive Office of the President), or any independent regulatory agency, but does not include: (i) the Government Accountability Office; (ii) the Federal Election Commission; (iii) the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or (iv) government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities.” [44 U.S.C., Sec. 3502] and NIST FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems;

“The term ‘agency’ has the meaning set forth for the term ‘executive agency’ in section 105 of title 5, United States Code, but includes the Postal Rate Commission and the United States Postal Service and excludes the Government Accountability Office. (ii) The term ‘protected information’ has the meaning set forth for such term in paragraph 1(b) of these Guidelines.” Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Guidelines to Ensure that the Information Privacy and Other Legal Rights of Americans are Protected in the Development and Use of the Information Sharing Environment, at 7.

Agent of a Foreign Power: “means— (1) any person other than a United States person, who— (A) acts in the United States as an officer or employee of a foreign power, or as a member of a foreign power as defined in subsection (a)(4) of this section; (B) acts for or on behalf of a foreign power which engages in clandestine intelligence activities in the United States contrary to the interests of the United States, when the circumstances of such person’s presence in the United States indicate that such person may engage in such activities in the United States, or when such person knowingly aids or abets any person in the conduct of such activities or knowingly conspires with any person to engage in such activities; or (2) any person who— (A) knowingly engages in clandestine intelligence gathering activities for or on behalf of a foreign power, which activities involve or may involve a violation of the criminal statutes of the United States; (B) pursuant to the direction of an intelligence service or network of a foreign power, knowingly engages in any other clandestine intelligence activities for or on behalf of such foreign power, which activities involve or are about to involve a violation of the criminal statutes of the United States; (C) knowingly engages in sabotage or international terrorism, or activities that are in preparation therefor, for or on behalf of a foreign power; (D) knowingly enters the United States under a false or fraudulent identity for or on behalf of a foreign power or, while in the United States, knowingly assumes a false or fraudulent identity for or on behalf of a foreign power; or (E) knowingly aids or abets any person in the conduct of activities described in subparagraph (A), (B), or (C) or knowingly conspires with any person to engage in activities described in subparagraph (A), (B), or (C).” Foreign Intelligence Surveillance Act, 50 U.S.C., Section 1801.

Aggrieved Person: “means a person who is the target of an electronic surveillance or any other person whose communications or activities were subject to electronic surveillance.” Foreign Intelligence Surveillance Act, 50 U.S.C., Section 1801; “A person who was a party to any intercepted wire, oral, or electronic communication or a person against whom the interception was directed.” Electronic Communications Privacy Act, 18 U.S.C. Section 2510.

Anonymized Data: “means data in which the individual to whom the data pertains is not identifiable with reasonable efforts, including information that has been encrypted or hidden through the use of other technology.” Implementing the 9/11 Commission Recommendations Act of 2007, Public Law 110-53, Section 504.

Anonymization of Data: “refers to techniques used to allow data to be shared or searched without disclosing identity.” The Heritage Foundation.

Anonymized Information: “[I]nformation that has been scrambled or encrypted so that it is not human readable, and so the underlying information cannot be accessed without taking particular actions.” Markle Foundation Report, Mobilizing Information to Prevent Terrorism: Accelerating Development of a Trusted ISE (July 2006).

Anonymizer: “Sometimes called a Web anonymizer, this privacy service lets a user visit Web sites while preventing those sites from gathering information about the user (including IP address, browser and operating system identification, and cookie-stored data) or which sites he has visited. Anonymizers usually work by using a proxy server to process HTTP requests. When the user clicks on a hyperlink or types a URL, the anonymizing server intervenes and gets the information for the user. The Web site whose page is being requested gets only information about the anonymizer server, not the user’s computer. An anonymizer makes a user feel that his privacy is better protected on the Internet, but it also prevents personalization, so sites can’t tailor their content to suit the user, and he may have to re-enter personal identification repeatedly (such as when making purchases).” Computerworld.
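The mechanism the Anonymizer entry describes, shown as an added example that is not part of the glossary or of any product it cites: the request-rewriting core of a forward proxy that drops the headers which identify the user's browser, session and upstream address and re-issues the request in the proxy's own name. The header list, the proxy identity `anonymizer-proxy/0.1` and the sample request are constructed for this example.

```python
"""Request-rewriting core of a Web anonymizer: the client's HTTP request is
parsed, headers that identify the client machine, browser or session are
removed, and the request is re-issued in the proxy's own name."""
from urllib.parse import urlsplit

# Headers that reveal the client's software, session or upstream address.
# Constructed list for this example; a production proxy would use an allow-list instead.
IDENTIFYING_HEADERS = frozenset({
    "user-agent", "cookie", "referer", "accept-language",
    "x-forwarded-for", "x-real-ip", "forwarded", "via", "dnt",
})
# Hop-by-hop headers that belong to the client<->proxy connection only.
HOP_BY_HOP = frozenset({"connection", "proxy-connection", "keep-alive",
                        "proxy-authorization", "te", "trailer", "upgrade"})
PROXY_USER_AGENT = "anonymizer-proxy/0.1"   # assumed identity the proxy presents

# Constructed sample request, as a browser would send it to a forward proxy.
SAMPLE_REQUEST = (
    b"GET http://example.com/search?q=privacy HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/3.0\r\n"
    b"Cookie: session=abc123\r\n"
    b"Referer: http://news.example.net/\r\n"
    b"Accept: text/html\r\n"
    b"Proxy-Connection: keep-alive\r\n"
    b"\r\n"
)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, version, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def removed_headers(raw: bytes) -> list:
    """Names of the client's headers the proxy will not forward (useful for a local log)."""
    _, _, _, headers, _ = parse_request(raw)
    return [n for n, _ in headers if n.lower() in IDENTIFYING_HEADERS | HOP_BY_HOP]


def scrub_request(raw: bytes) -> tuple:
    """Return (origin_host, rewritten_request) ready to send to the origin server."""
    method, target, version, headers, body = parse_request(raw)
    # A proxy receives absolute-form targets; the origin expects origin-form (path only).
    parts = urlsplit(target)
    if not parts.scheme or not parts.netloc:
        raise ValueError("expected absolute-form request target, got %r" % target)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    drop = IDENTIFYING_HEADERS | HOP_BY_HOP | {"host"}
    kept = [(n, v) for n, v in headers if n.lower() not in drop]
    # The origin now learns only the proxy's identity, not the user's.
    kept.insert(0, ("Host", parts.netloc))
    kept.append(("User-Agent", PROXY_USER_AGENT))
    kept.append(("Connection", "close"))
    head = f"{method} {path} {version}\r\n" + "".join(f"{n}: {v}\r\n" for n, v in kept) + "\r\n"
    return parts.netloc, head.encode("iso-8859-1") + body


if __name__ == "__main__":
    host, req = scrub_request(SAMPLE_REQUEST)
    print("dropped:", removed_headers(SAMPLE_REQUEST))
    print(host)
    print(req.decode("iso-8859-1"))
```

Dropping the Cookie header is exactly what costs the user the personalization the definition mentions: the origin can no longer recognise a returning session. Two caveats a practitioner would add: the trust has moved rather than disappeared, since the anonymizer now sees the user's real address and every request; and this rewriting only works on plaintext HTTP, because a proxy can only tunnel an HTTPS connection, not edit headers inside it.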

Applicant: “A person who has applied to become a key holder, prior to the time at which keys and certificates are issued to and accepted by them.” NIST Draft Special Publication 800-103 (SP 800-103), An Ontology of Identity Credentials, Part 1: Background and Formulation.

Appraisal: “The process of determining the value and thus the disposition of records based upon their current administrative, legal, and fiscal use; their evidential and informational value; their arrangement and condition; their intrinsic value; and their relationship to other records.” National Archives and Records Administration, Electronic Records Glossary.

Archival Processing: “The activities of accessioning, arranging, describing, conducting access review, and properly storing documentary material.” National Archives and Records Administration, Electronic Records Glossary.

Artifact: “Detailed mission product documentation addressing information exchanges and data elements for SAR (data models, schemas, structures, etc.).” Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Information Sharing Environment (ISE) Functional Standard (FS) Suspicious Activity Reporting (SAR), at 1 (January 2008).

Asset(s): There are various definitions.

Audit Trail: “[A] record showing who has accessed an IT system and what operations the user has performed during a given period.” NIST Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems.

Authentication: “The broadest definition of authentication within computing systems encompasses identity verification, message origin authentication, and message content authentication.” NIST Special Publication 800-21, Guideline for Implementing Cryptography in the Federal Government; “The process of verifying the authorization of a user, process, or device, usually as a prerequisite for granting access to resources in an IT system.” NIST Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems; “The process of identifying an individual; in computer systems this is usually based on a username and password. In security systems, authentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual.” NIST Draft Special Publication 800-103, An Ontology of Identity Credentials, Part 1: Background and Formulation; “Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.” NIST FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems, and NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems.
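The distinction the SP 800-103 passage draws, authentication establishing who the presenter is and authorization deciding what that identity may do, together with the Audit Trail entry above (who accessed the system and what operations they performed during a given period), as an added example that is not from the glossary or any NIST publication. It keeps the three steps separate so that a correct password never implies access, and every attempt, successful or not, lands in the trail. The class name `AccessControlledSystem`, the PBKDF2 work factor, the permission strings and the `fixed_clock` helper are assumptions made for this example.

```python
"""Authentication, authorization and the audit trail kept as three separate
steps, so that a valid login never implies access and every attempt is recorded."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass(frozen=True)
class AuditEntry:
    when: datetime
    who: str
    operation: str
    outcome: str


class AccessControlledSystem:
    """Hypothetical system: a credential table, a grant table and an append-only audit trail."""

    def __init__(self, clock=None):
        self._credentials = {}            # username -> (salt, digest)
        self._grants = {}                 # username -> set of permitted operations
        self._dummy = hash_password("")   # unknown users cost the same time as known ones
        self.audit_trail = []             # list[AuditEntry], append-only
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def add_user(self, username: str, password: str, permissions) -> None:
        self._credentials[username] = hash_password(password)
        self._grants[username] = set(permissions)

    def authenticate(self, username: str, password: str) -> bool:
        """Is the presenter who they claim to be? Says nothing about what they may do."""
        salt, expected = self._credentials.get(username, self._dummy)
        _, actual = hash_password(password, salt)
        # Constant-time compare first, then the membership check, so timing does not
        # distinguish a wrong password from an unknown username.
        return hmac.compare_digest(actual, expected) and username in self._credentials

    def authorize(self, username: str, operation: str) -> bool:
        """May this (already authenticated) identity perform the operation?"""
        return operation in self._grants.get(username, set())

    def _record(self, who: str, operation: str, outcome: str) -> None:
        self.audit_trail.append(AuditEntry(self._clock(), who, operation, outcome))

    def request(self, username: str, password: str, operation: str) -> str:
        """Authenticate, then authorize, recording the outcome of whichever step decides."""
        if not self.authenticate(username, password):
            self._record(username, operation, "denied: authentication failed")
            return "denied: authentication failed"
        if not self.authorize(username, operation):
            self._record(username, operation, "denied: not authorized")
            return "denied: not authorized"
        self._record(username, operation, "permitted")
        return "permitted"

    def audit(self, who=None, since=None, until=None) -> list:
        """Who accessed the system and what they did during a given period."""
        return [e for e in self.audit_trail
                if (who is None or e.who == who)
                and (since is None or e.when >= since)
                and (until is None or e.when <= until)]


def fixed_clock(start: datetime = datetime(2008, 10, 9, tzinfo=timezone.utc), step_minutes: int = 1):
    """Deterministic clock for demonstrations: each call advances by step_minutes."""
    counter = {"n": 0}

    def now():
        t = start + timedelta(minutes=step_minutes * counter["n"])
        counter["n"] += 1
        return t
    return now


if __name__ == "__main__":
    system = AccessControlledSystem(clock=fixed_clock())
    system.add_user("analyst", "correct horse battery", {"read:report"})
    print(system.request("analyst", "wrong password", "read:report"))
    print(system.request("analyst", "correct horse battery", "delete:report"))
    print(system.request("analyst", "correct horse battery", "read:report"))
    for entry in system.audit(who="analyst"):
        print(entry.when.isoformat(), entry.who, entry.operation, entry.outcome)
```

The second request is the case the definition is about: the password is right, so authentication succeeds, yet the operation is refused because the identity holds no grant for it. The audit trail records both the refusals and the permitted operation, which is what makes it usable for the "during a given period" review the Audit Trail entry describes.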

Authentication Token: “Secret key, private key or one-time password.” NIST Special Publication 800-63, Electronic Authentication Guideline.

Authenticator: “Secrets that create the binding between credentials and its presenter.” NIST Draft Special Publication 800-103, An Ontology of Identity Credentials, Part 1: Background and Formulation.

Authentic Copy: “A copy of documentary material for which the official custodian attests the authenticity.” National Archives and Records Administration, Electronic Records Glossary.

Authenticity: “The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. See authentication.” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems; “The property of a documentary material that it is what it purports to be and has not been corrupted.” National Archives and Records Administration, Electronic Records Glossary.

Authentically Preserve: “To maintain documentary material over time in such a manner that its identity is unquestionable and it is not corrupted.” National Archives and Records Administration, Electronic Records Glossary.

Authority Source: “A list, file, pick list, or thesaurus containing standardized information (e.g., acronyms, abbreviations, names, and phrases) which are used to ensure that a person, place, thing, event, or concept is consistently referred to using the same terminology, so providing a uniform method of creating consistent indexes or access points to documentary material and information about documentary material.” National Archives and Records Administration, Electronic Records Glossary.

Authority to Process Information: “Occurs when management authorizes a system based on an assessment of management, operational and technical controls. By authorizing processing in a system the management official accepts the risk associated with it.” NIST Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems.

Authorization: “Permission to perform some action.” NIST Draft Special Publication 800-103, An Ontology of Identity Credentials, Part 1: Background and Formulation.

Authorized Investigative Agency: “means an agency designated by the head of the agency selected pursuant to subsection (b) to conduct a counterintelligence investigation or investigation of persons who are proposed for access to classified information to ascertain whether such persons satisfy the criteria for obtaining and retaining access to such information. (3) The term ‘authorized adjudicative agency’ means an agency authorized by law, regulation, or direction of the Director of National Intelligence to determine eligibility for access to classified information in accordance with Executive Order 12968.” Intelligence Reform and Terrorism Prevention Act, P.L. 108-458, Section 3001.

Authorizing Official (synonymous with Accreditation Authority): “Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals.” NIST FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.

Automated Biometrics Identification System: “Initially established by the former INS [Immigration and Naturalization Service] in 1989, the Automated Biometrics Identification System, or IDENT, contains biometric data including fingerprints and photographs used to identify and track illegal aliens who are apprehended trying to enter the United States. The system is also used to identify apprehended aliens suspected of criminal activity such as alien smuggling, aliens subject to removal for conviction of aggravated felonies, and aliens who have been previously deported. On March 1, 2003, the INS and responsibility for IDENT were transferred to the DHS.” U.S. Department of Justice Office of the Inspector General Audit Division, Review of the Terrorist Screening Center, Audit Report 05-27, at 8-9 (June, 2005).

Automated Information System: “means an assembly of computer hardware, software, or firmware configured to collect, create, communicate, compute, disseminate, process, store, or control data or information.” Executive Order 13292, Classified National Security Information, Section 6.1(c).

Automatic Declassification: “means the declassification of information based solely upon: (1) the occurrence of a specific date or event as determined by the original classification authority; or (2) the expiration of a maximum time frame for duration of classification established under this order.” Executive Order 13292, Classified National Security Information, Section 6.1(d).

Authorized: “when used with respect to access to classified information, means having authority, right or permission pursuant to the provisions of a statute, Executive order, directive of the head of any department or agency engaged in foreign intelligence or counterintelligence activities, order of any United States court, or provisions of any Rule of the House of Representatives or resolution of the Senate which assigns responsibility within the respective House of Congress for the oversight of intelligence activities.” National Security Act, Public Law 235, Section 606.

Availability: means “ensuring timely and reliable access to and use of information.” Federal Information Security Management Act, Public Law 107-347, Section 3542; NIST FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems; and NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems.

Awareness, Training, and Education: “Includes (1) awareness programs set the stage for training by changing organizational attitudes toward realization of the importance of security and the adverse consequences of its failure; (2) the purpose of training is to teach people the skills that will enable them to perform their jobs more effectively; and (3) education is more in-depth than training and is targeted for security professionals and those whose jobs require expertise in automated information security.” NIST Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems.

B

Background Check: “A background records check regarding an individual under this subsection shall consist of the following: (A) A check of the relevant criminal history data bases. (B) In the case of an alien, a check of the relevant data bases to determine the status of the alien under the immigration laws of the United States. (C) As appropriate, a check of the relevant international data bases through Interpol–U.S. National Central Bureau or other appropriate means.” USA PATRIOT Act, Public Law 107-56, Section 1012.

Biological Event of National Concern: “means— (A) an act of terrorism involving a biological agent or toxin; or (B) a naturally occurring outbreak of an infectious disease that may result in a national epidemic.” Implementing the 9/11 Commission Recommendations Act of 2007, Public Law 110-53, Section 1101.

Biometric Identifier Information: “The term ‘biometric identifier information’ means the distinct physical or behavioral characteristics of an individual that are used for unique identification, or verification of the identity, of an individual.” Intelligence Reform and Terrorism Prevention Act, P.L. 108-458, Section 4011.

Biometric Identifier: “The term ‘biometric identifier’ means a technology that enables the automated identification, or verification of the identity, of an individual based on biometric information.” Intelligence Reform and Terrorism Prevention Act, P.L. 108-458, Section 4011.

Boundary Protection: “Monitoring and control of communications at the external boundary of an information system to prevent and detect malicious and other unauthorized communications, through the use of boundary protection devices (e.g., proxies, gateways, routers, firewalls, guards, encrypted tunnels).” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems.

Boundary Protection Device: “A device with appropriate mechanisms that: (i) facilitates the adjudication of different interconnected system security policies (e.g., controlling the flow of information into or out of an interconnected system); and/or (ii) monitors and controls communications at the external boundary of an information system to prevent and detect malicious and other unauthorized communications. Boundary protection devices include such components as proxies, gateways, routers, firewalls, guards, and encrypted tunnels.” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems.

Business Data: “The term ‘business data’ means operating and financial data and information about businesses, tax-exempt organizations, and government entities.” Confidential Information Protection and Statistical Efficiency Act of 2002, 44 U.S.C. Section 3501.

C

Certification: A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.” NIST FIPS Publication 200, Minimum Security for Federal Information Systems and NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems."

Certification Agent: The individual, group, or organization responsible for conducting a security certification.” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems."

Certification and Accreditation: A term that is “synonymous with the term authorize processing.” Certification is the technical evaluation that establishes the extent to which a computer system, application, or network design and implementation meets a pre-specified set of security requirements.” NIST Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems; “Certification involves the testing and evaluation of the technical and non-technical security features of an IT system to determine its compliance with a set of specified security requirements. Accreditation is a process whereby a Designated Approval Authority (DAA) or other authorizing management official authorizes an IT system to operate for a specific purpose using a defined set of safeguards at an acceptable level of risk.” NIST Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems."

Certification Practice Statement: A statement of the practices that a Certification Authority employs in issuing, suspending, revoking, and renewing certificates and providing access to them, in accordance with specific requirements (i.e., requirements specified in a certificate policy or requirements specified in a contract for services).” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems."

Certified Copy: A copy of a documentary material signed and certified as an authentic copy by the official custodian of the original.” National Archives and Records Administration, Electronic Records Glossary."

Chief Information Officer: Agency official responsible for: (i) providing advice and other assistance to the head of the executive agency and other senior management personnel of the agency to ensure that information technology is acquired and information resources are managed in a manner that is consistent with laws, Executive Orders, directives, policies, regulations, and priorities established by the head of the agency; (ii) developing, maintaining, and facilitating the implementation of a sound and integrated information technology architecture for the agency; and (iii) promoting the effective and efficient design and operation of all major information resources management processes for the agency, including improvements to work processes of the agency. [44 U.S.C., Sec. 5125(b)].” NIST FIPS Publication 200, Minimum Security for Federal Information Systems and NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems."

Chief Information Security Officer: see Senior Agency Information Security Officer. NIST FIPS Publication 200, Minimum Security for Federal Information Systems."

Civil Liberties: The term civil liberties refers to fundamental individual rights such as freedom of speech, press, or religion; due process of law; and other limitations on the power of the government to restrain or dictate the actions of individuals. They are the freedoms that are guaranteed by the Bill of Rights—the first ten Amendments—to the Constitution of the United States. Civil liberties offer protection to individuals from improper government action and arbitrary governmental interference . . . .” DOJ Global Justice Information Sharing Initiative, National Criminal Intelligence Sharing Plan (NCISP), at 5 (October, 2003); DOJ’s Justice Information Sharing Initiative, Privacy, Civil Rights and Civil Liberties: Policy and Templates for Justice Information Systems, September, 2006, at 3; “The term civil liberties refers to fundamental individual rights such as freedom of speech, press, or religion; due process of law; and other limitations on the power of the government to restrain or dictate the actions of individuals. They are the freedoms that are guaranteed by the Bill of Rights—the first ten Amendments—to the Constitution of the United States. Civil liberties offer protection to individuals from improper government action and arbitrary governmental interference. . . . For purposes of this paper, the term civil liberties also includes any rights and privileges not specifically delegated to the federal government by the people. This includes common law rights and —unenumerated rights— derived from a general presumption of freedom of individual action (i.e., action that is permissible unless expressly prohibited by law).” Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Guidance on Civil Rights and Civil Liberties Protection, at 4."

Civil Rights: The term civil rights is used to imply that the state has a role in ensuring all citizens have equal protection under the law and equal opportunity to exercise the privileges of citizenship regardless of race, religion, sex, or other characteristics unrelated to the worth of the individual. Civil rights are, therefore, obligations imposed upon government to promote equality. More specifically, they are the rights to personal liberty guaranteed to all United States citizens by the Thirteenth and Fourteenth Amendments and by acts of Congress. Generally, the term civil rights involves positive (or affirmative) government action, while the term civil liberties involves restrictions on government.” DOJ Global Justice Information Sharing Initiative, National Criminal Intelligence Sharing Plan, at 5-6 (October, 2003); DOJ Global Justice Information Sharing Initiative, Privacy, Civil Rights and Civil Liberties: Policy and Templates for Justice Information Systems, September, 2006, at 2-3; Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Guidance on Civil Rights and Civil Liberties Protection, at 4."

Classification: means the act or process by which information is determined to be classified information.” Executive Order 13292, Classified National Security Information, Section 6.1(f)."

Classification Guide: means a documentary form of classification guidance issued by an original classification authority that identifies the elements of information regarding a specific subject that must be classified and establishes the level and duration of classification for each such element.” Executive Order 13292, Classified National Security Information, Section 6.1(g)."

Classification Guidance: means any instruction or source that prescribes the classification of specific information.” Executive Order 13292, Classified National Security Information, Section 6.1(f)."

Classified Information: Classified information or classified national security information means information that has been determined pursuant to E. O. 12958 as amended by E.O. 13292 or any predecessor order to require protection against unauthorized disclosure and is marked to indicate its classified status when in documentary form.” NIST Special Publication 800-59, Guideline for Identifying an Information System as National Security System; “means information that has been determined pursuant to this order or any predecessor order to require protection against unauthorized disclosure and is marked to indicate its classified status when in documentary form.”; “[I]nformation or material designated and clearly marked or clearly represented, pursuant to the provisions of a statute or Executive order (or a regulation or order issued pursuant to a statute or Executive order), as requiring a specific degree of protection against unauthorized disclosure for reasons of national security.” National Security Act, Public Law 235, Section 606; “[A]ny information that has been determined pursuant to Executive Order No. 12356 of April 2, 1982, or successor orders, or the Atomic Energy Act of 1954, to require protection against unauthorized disclosure and that is so designated.” National Security Act, Public Law 235, Section 606."

Collection of Information: means the obtaining, causing to be obtained, soliciting, or requiring the disclosure to third parties or the public, of facts or opinions by or for an agency, regardless of form or format, calling for either— (i) answers to identical questions posed to, or identical reporting or recordkeeping requirements imposed on, ten or more persons, other than agencies, instrumentalities, or employees of the United States; or (ii) answers to questions posed to agencies, instrumentalities, or employees of the United States which are to be used for general statistical purposes; and (B) shall not include a collection of information described under section 3518 (c)(1).” Paperwork Reduction Act, Public Law 104-13 et seq. “Section 3518 (c)(1) states that a particular subchapter in the PRA does not apply to the collection of information-- (A) during the conduct of a Federal criminal investigation or prosecution, or during the disposition of a particular criminal matter; (B) during the conduct of-- (i) a civil action to which the United States or any official or agency thereof is a party; or (ii) an administrative action or investigation involving an agency against specific individuals or entities; (C) by compulsory process pursuant to the Antitrust Civil Process Act and section 13 of the Federal Trade Commission Improvements Act of 1980; or (D) during the conduct of intelligence activities as defined in section 3.4(e) of Executive Order No. 12333, issued December 4, 1981, or successor orders, or during the conduct of cryptologic activities that are communications security activities. 
(2) This subchapter applies to the collection of information during the conduct of general investigations (other than information collected in an antitrust investigation to the extent provided in subparagraph (C) of paragraph (1)) undertaken with reference to a category of individuals or entities such as a class of licensees or an entire industry.” Paperwork Reduction Act, Public Law 104-13, 44 U.S.C. § 3501 et seq."

Commission on the Intelligence Capabilities of the United States Regarding Weapons of Mass Destruction (WMD Report): Provides multiple recommendations endorsed by the President to improve information sharing beyond those outlined in the IRTPA. The WMD Report calls for the establishment of a Chief Information Management Officer responsible for information sharing, information security, and information technology. The Report asserts that the risk of not sharing should be balanced with the need to protect classified sources and methods. The Commissioners also recommend improvements related to a networked environment, including identity management with attribute-based access, user authorization and audits, encryption of stored data, and universal discovery. Further, they recommend uniform information sharing policy, practices, procedures, and rules for accessing “U.S. persons” information. Finally, the Commissioners recommend simplified classification rules and tagging data for security and content to ease discovery and retrieval.” U.S. Intelligence Community, Information Sharing Strategy, at 6 (February, 2008)."

Commodity Service: An information system service (e.g., telecommunications service) provided by a commercial service provider typically to a large and diverse set of consumers. The organization acquiring and/or receiving the commodity service possesses limited visibility into the management structure and operations of the provider and while the organization may be able to negotiate service-level agreements, the organization is typically not in a position to require that the provider implement specific security controls.” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems."

Common Carrier: In a telecommunications context, a telecommunications company that holds itself out to the public for hire to provide communications transmission services. Note: In the United States, such companies are usually subject to regulation by federal and state regulatory commissions.” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems."

Common Security Control: Security control that can be applied to one or more agency information systems and has the following properties: (i) the development, implementation, and assessment of the control can be assigned to a responsible official or organizational element (other than the information system owner); and (ii) the results from the assessment of the control can be used to support the security certification and accreditation processes of an agency information system where that control has been applied.” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems and NIST SP 800-37"

Common Terrorism Information Sharing Standards (CTISS): Business process-driven, performance-based “common standards” for preparing terrorism information for maximum distribution and access, to enable the acquisition, access, retention, production, use, management, and sharing of terrorism information within the ISE. Two categories of common standards are formally identified under CTISS: functional standards and technical standards. Functional standards set forth rules, conditions, guidelines, and characteristics of data and mission products supporting ISE business process areas. Technical standards document specific technical methodologies and practices to design and implement information sharing capability into ISE systems. CTISS, such as ISE-SAR, are implemented in ISE participant infrastructures that include ISE Shared Spaces as described in the ISE EAF.” Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Information Sharing Environment (ISE) Functional Standard (FS) Suspicious Activity Reporting (SAR), at 1 (January 2008) and Information Sharing Environment Administrative Memoranda, Common Terrorism Information Sharing Standards (CTISS) Program, at 2 (Oct. 2007)."

Communities of Interest: (COI) “are defined in the National Information Exchange Model (NIEM) CONOPS, October 2004, as a collaborative group of users who require a shared vocabulary to exchange information in pursuit of common goals, interests, and business objectives.” Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Information Sharing Environment Implementation Plan, Glossary (November 2006)."

Compensating Security Controls: The management, operational, and technical controls (i.e., safeguards or countermeasures) employed by an organization in lieu of the recommended controls in the low, moderate, or high baselines described in NIST Special Publication 800-53, that provide equivalent or comparable protection for an information system.” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems."

Compilation: means an aggregation of pre-existing unclassified items of information.” Executive Order 13292, Classified National Security Information, Section 1.7(e)."

Compromise: The unauthorized disclosure, modification, substitution or use of sensitive data (including plaintext cryptographic keys and other critical security parameters).” NIST Special Publication 800-21, Guideline for Implementing Cryptography In the Federal Government."

Computer Trespasser: (A) means a person who accesses a protected computer without authorization and thus has no reasonable expectation of privacy in any communication transmitted to, through, or from the protected computer; and (B) does not include a person known by the owner or operator of the protected computer to have an existing contractual relationship with the owner or operator of the protected computer for access to all or part of the protected computer.” Electronic Communications Privacy Act, 18 U.S.C. Section 2510."

Confidentiality: A process by which “sensitive information is not disclosed to unauthorized individuals, entities or processes.” NIST Special Publication 800-21, Guideline for Implementing Cryptography In the Federal Government; “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.” Federal Information Security Management Act, Public Law 107-347, Section 3542 and NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems; “[T]he property that data or information is not made available or disclosed to unauthorized persons or processes.” Standards for Privacy of Individually Identifiable Health Information (“HIPAA Privacy Rule”), 45 CFR Parts 160 and 164."

Confidentiality Protection: Requires access controls such as user ID/passwords, terminal identifiers, restrictions on actions like read, write, delete, etc. Examples of confidentiality-protected information are personnel, financial, proprietary, trade secrets, internal agency, investigations, other federal agency, national resources, national security, and high or new technology under Executive Order or Act of Congress.” NIST Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems."

Confidential Source: means any individual or organization that has provided, or that may reasonably be expected to provide, information to the United States on matters pertaining to the national security with the expectation that the information or relationship, or both, are to be held in confidence.” Executive Order 13292, Classified National Security Information, Section 6.1(i)."

Configuration Control: Process for controlling modifications to hardware, firmware, software, and documentation to protect the information system against improper modifications before, during, and after system implementation.” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems."

Congressional Intelligence Committees: means— (1) the Select Committee on Intelligence of the Senate; and (2) the Permanent Select Committee on Intelligence of the House of Representatives.” Intelligence Reform and Terrorism Prevention Act, P.L. 108-458, Section 1012."

Consular Lookout and Support System (CLASS): is the State Department’s tool for vetting foreign individuals applying for visas to the United States. Maintained by the Bureau of Consular Affairs, the CLASS visa database provides information on aliens that is used in the determination of whether visa issuance is appropriate. This database receives information from TIPOFF on individuals associated with or suspected of terrorism and acts as a watch list during the visa issuance process and other processes involving name-checks at State Department Consular Affairs posts throughout the world.” U.S. Department of Justice Office of the Inspector General Audit Division, Review of the Terrorist Screening Center, Audit Report 05-27, at 7-8 (June, 2005)."

Consumer Report: Any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for: (A) credit or insurance to be used primarily for personal, family, or household purposes; (B) employment purposes; or (C) any other purpose authorized under section 604 [§ 1681b]. (2) Exclusions. The term “consumer report” does not include: (A) any (i) report containing information solely as to transactions or experiences between the consumer and the person making the report; (ii) communication of that information among persons related by common ownership or affiliated by corporate control; or (iii) communication of other information among persons related by common ownership or affiliated by corporate control, if it is clearly and conspicuously disclosed to the consumer that the information may be communicated among such persons and the consumer is given the opportunity, before the time that the information is initially communicated, to direct that such information not be communicated among such persons; (B) any authorization or approval of a specific extension of credit directly or indirectly by the issuer of a credit card or similar device; (C) any report in which a person who has been requested by a third party to make a specific extension of credit directly or indirectly to a consumer conveys his or her decision with respect to such request, if the third party advises the consumer of the name and address of the person to whom the request was made, and such person makes the disclosures to the consumer required under section 615 [§ 1681m]; or (D) a communication described in subsection (o).” Fair Credit Reporting Act, Public Law 91-508, Section 603."

Consumer Reporting Agency: Any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.” Fair Credit Reporting Act, Public Law 91-508, Section 603."

Consumer Reporting Agency that Compiles and Maintains Files on Consumers on a Nationwide Basis: [A] consumer reporting agency that regularly engages in the practice of assembling or evaluating, and maintaining, for the purpose of furnishing consumer reports to third parties bearing on a consumer’s credit worthiness, credit standing, or credit capacity, each of the following regarding consumers residing nationwide: (1) Public record information. (2) Credit account information from persons who furnish that information regularly and in the ordinary course of business.” Fair Credit Reporting Act, Public Law 91-508, Section 603."

Content (of Documentary Material): The information conveyed by documentary material.” National Archives and Records Administration, Electronic Records Glossary."

Contents: when used with respect to a communication, includes any information concerning the identity of the parties to such communication or the existence, substance, purport, or meaning of that communication.” Foreign Intelligence Surveillance Act, 50 U.S.C., Section 1801; and the Electronic Communications Privacy Act, 18 U.S.C. Section 2510."

Context (of Documentary Material): The organizational, functional, and operational circumstances in which documentary material is created and/or received and used.” National Archives and Records Administration, Electronic Records Glossary."

Contingency Plan: Management policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disaster.” NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems."

Continuity of Operations Plan (COOP): A predetermined set of instructions or procedures that describe how an organization’s essential functions will be sustained for up to 30 days as a result of a disaster event before returning to normal operations.” NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems."

Contractor Records: Records created or received and maintained for the Government by contractors. (a) Contractors performing program functions are likely to create or receive records necessary to provide adequate and proper documentation of these programs and to manage them effectively. DHS contracts shall specify the delivery to the Government of all records including data needed for the adequate and proper documentation of contractor-operated programs in accordance with requirements of the Federal Acquisition Regulation (FAR). (b) When contracts involve the creation of data for the Government’s use, in addition to specifying a final product, DHS officials may need to specify the delivery of background data that may have reuse value to the Government. Before specifying the background data that contractors must deliver to the agency, program and contracting officials shall consult with DHS records and information managers and historians and, when appropriate, with other Government agencies to ensure that all agency and Government needs are met, especially when the data deliverables support a new agency mission or a new Government program. (c) Deferred ordering and delivery-of-data clauses and rights-in-data clauses shall be included in contracts whenever necessary to ensure adequate and proper documentation or because the data have reuse value to the Government. (d) When data deliverables include electronic records, DHS shall require the contractor to deliver sufficient technical documentation to permit DHS or other Government agencies to use the data. (e) All data created for Government use and delivered to, or falling under the legal control of, the Government are Federal records and shall be managed in accordance with records management legislation as codified at 44 U.S.C. chapters 21, 29, 31, and 33, the Freedom of Information Act (5 U.S.C. 552), and the Privacy Act (5 U.S.C. 552a), and shall be scheduled for disposition in accordance with 36 C.F.R. part 1228.” DHS Records Management Handbook."

Controlled Area: Any area or space for which the organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information and/or information system.” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems."

Controlled Unclassified Information (CUI): As used in this plan, Controlled Unclassified Information (CUI) is defined as categories of unclassified information that require controls that protect it from public release, both to safeguard the civil liberties and legal rights of U.S. citizens, and to deny information advantage to those who threaten the security of the nation.” Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Information Sharing Environment Implementation Plan, Glossary (November 2006)."

Counterintelligence: means information gathered, and activities conducted to protect against espionage, other intelligence activities, sabotage, or assassinations conducted by or on behalf of foreign governments or elements thereof, foreign organizations, or foreign persons, or international terrorist activities.” National Security Act, Public Law 235, Section 606 and NIST Special Publication 800-59, Guideline for Identifying an Information System as a National Security System."

Countermeasures: Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. [CNSS Instruction 4009] Synonymous with security controls and safeguards.” NIST FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems; and NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems."

Counterterrorism Watch (CT Watch): CT Watch is the FBI’s 24-hour global command center for terrorism prevention operations, while the DHS’s NTC [National Targeting Center] provides around-the-clock tactical targeting and analytical research in support of the anti-terrorism efforts of the Customs and Border Protection agency.” U.S. Department of Justice Office of the Inspector General Audit Division, Review of the Terrorist Screening Center, Audit Report 05-27, at 14 (June, 2005)."

Covered Activity: means any suspicious transaction, activity, or occurrence that involves, or is directed against, a passenger transportation system or vehicle or its passengers indicating that an individual may be engaging, or preparing to engage, in a violation of law relating to— (A) a threat to a passenger transportation system or passenger safety or security; or (B) an act of terrorism (as that term is defined in section 3077 of title 18, United States Code).” Implementing the 9/11 Commission Recommendations Act of 2007, Public Law 110-53, Section 1206."

Covert Action: means an activity or activities of the United States Government to influence political, economic, or military conditions abroad, where it is intended that the role of the United States Government will not be apparent or acknowledged publicly, but does not include - (1) activities the primary purpose of which is to acquire intelligence, traditional counterintelligence activities, traditional activities to improve or maintain the operational security of United States Government programs, or administrative activities; (2) traditional diplomatic or military activities or routine support to such activities; (3) traditional law enforcement activities conducted by United States Government law enforcement agencies or routine support to such activities; or (4) activities to provide routine support to the overt activities (other than activities described in paragraph (1), (2), or (3)) of other United States Government agencies abroad. (f) No covert action may be conducted which is intended to influence United States political processes, public opinion, policies, or media.” National Security Act, Public Law 235, Section 606."

Covert Agent: means— (A) a present or retired officer or employee of an intelligence agency or a present or retired member of the Armed Forces assigned to duty with an intelligence agency - (i) whose identity as such an officer, employee, or member is classified information, and (ii) who is serving outside the United States or has within the last five years served outside the United States; or (B) a United States citizen whose intelligence relationship to the United States is classified information, and - (i) who resides and acts outside the United States as an agent of, or informant or source of operational assistance to, an intelligence agency, or (ii) who is at the time of the disclosure acting as an agent of, or informant to, the foreign counterintelligence or foreign counterterrorism components of the Federal Bureau of Investigation; or (C) an individual, other than a United States citizen, whose past or present intelligence relationship to the United States is classified information and who is a present or former agent of, or a present or former informant or source of operational assistance to, an intelligence agency.” National Security Act, Public Law 235, Section 606."

Creator: The organization or person responsible for the creation, accumulation, or maintenance of a series of documentary material when in working (primary) use.” National Archives and Records Administration, Electronic Records Glossary."

Credentialed and Credentialing: mean having provided, or providing, respectively, documentation that identifies personnel and authenticates and verifies the qualifications of such personnel by ensuring that such personnel possess a minimum common level of training, experience, physical and medical fitness, and capability appropriate for a particular position in accordance with standards created under section 510.” Implementing the 9/11 Commission Recommendations Act of 2007, Public Law 110-53, Section 401."

Credentials: Certificate or document attesting to the truth of certain stated facts.” NIST Draft Special Publication 800-103 (SP 800-103), An Ontology of Identity Credentials, Part 1: Background and Formulation."

Criminal History Information: (aka criminal history records) include—“(A) an identifying description of the individual to whom the information or records pertain; (B) notations of arrests, detentions, indictments, or other formal criminal charges pertaining to such individual; and (C) any disposition to a notation described in subparagraph (B), including acquittal, sentencing, correctional supervision, or release.” Intelligence Reform and Terrorism Prevention Act, P.L. 108-458, Section 6403. “(A) means information collected by criminal justice agencies on individuals consisting of identifiable descriptions and notations of arrests, detentions, indictments, or other formal criminal charges, and any disposition arising therefrom, including acquittal, sentencing, correctional supervision, or release; and (B) does not include identification information such as fingerprint records if such information does not indicate involvement of the individual with the criminal justice system.” National Criminal History Access and Child Protection Act, Public Law 105-251, Section 217."

Criminal History Record Repository: The term “criminal history record repository” means the State agency designated by the Governor or other appropriate executive official or the legislature of a State to perform centralized recordkeeping functions for criminal history records and services in the State.” National Criminal History Access and Child Protection Act, Public Law 105-251, Section 217."

Criminal Indication: The standard of ‘reasonable indication’ is substantially lower than ‘probable cause.’ In determining whether there is reasonable indication of a federal criminal violation, a Special Agent may take into account any facts or circumstances that a prudent investigator would consider.

However, the standard does require specific facts or circumstances indicating a past, current, or impending violation.

There must be an objective, factual basis for initiating the investigation; a mere hunch is insufficient.” The Attorney General's Guidelines on General Crimes, Racketeering Enterprise and Domestic Security/Terrorism Investigations."

Critical Infrastructure: means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” USA PATRIOT Act, Public Law 107-56, Section 1016."

Critical Infrastructure Sectors: means the following sectors, in both urban and rural areas: (A) Agriculture and food. (B) Banking and finance. (C) Chemical industries. (D) Commercial facilities. (E) Commercial nuclear reactors, materials, and waste. (F) Dams. (G) The defense industrial base. (H) Emergency services. (I) Energy. (J) Government facilities. (K) Information technology. (L) National monuments and icons. (M) Postal and shipping. (N) Public health and health care. (O) Telecommunications. (P) Transportation systems. (Q) Water.” Implementing the 9/11 Commission Recommendations Act of 2007, Public Law 110-53, Section 2001."

Criminal Intelligence: Information compiled, analyzed and/or disseminated in an effort to anticipate, prevent, or monitor criminal activity.” IACP Model Policy on Criminal Intelligence.

A more detailed definition follows.
“Criminal Intelligence is data that has been evaluated (analyzed) to determine that it:
  (1) is relevant to the identification of (and the criminal activity engaged in) by:

  • an individual who is reasonably suspected of involvement in criminal activity or
  • an organization that is reasonably suspected of involvement in criminal activity and
  (2) meets criminal intelligence system submission criteria.

It is information that is developed from data gathered by investigators and analysts.

Criminal intelligence, because it has undergone some form of evaluation or analysis, indicates to law enforcement that the subject is likely to be involved in some definable criminal activity.

It is more than separate pieces of information that by themselves mean nothing but, taken together, show an investigator or analyst something about the subject’s criminal involvement.” (format added) Institute for Intergovernmental Research, Criminal Intelligence Systems Operating Policies FAQ on 28 CFR Part 23."

Criminal Intelligence Information: means data which has been evaluated to determine that it (1) is relevant to the identification of and the criminal activity engaged in by an individual who or an organization which is reasonably suspected of involvement in criminal activity and (2) meets criminal intelligence system submission criteria.” Criminal Intelligence Systems Operating Policies, 28 CFR Part 23, §23.3(b)(3)."

Criminal Intelligence System: means the arrangements, equipment, facilities, and procedures used for the receipt, storage, interagency exchange or dissemination, and analysis of criminal intelligence information.” For example, when an investigator analyzes information and determines that there is “reasonable suspicion” that a subject (whether an individual, organization, gang business, etc.) is reasonably suspected of being involved in a definable criminal activity or enterprise, then that information qualifies as criminal intelligence and may be stored in a criminal intelligence database and disseminated as criminal intelligence information.” Criminal Intelligence Systems Operating Policies, 28 CFR Part 23, §23.3(b)(1)."

Criminal Intelligence Systems Operating Policies (28 CFR Part 23):
“is a regulation that governs interjurisdictional and multijurisdictional criminal intelligence systems that are operated by or on behalf of state and local law enforcement agencies and that are funded with certain federal funds (see next question). 28 CFR Part 23 is a federal regulation that was issued by the U.S. Department of Justice in 1980, revised in 1993, and clarified in 1998 to address circumstances that evolved with changing technologies and law enforcement needs. 28 CFR Part 23 is applicable to “criminal intelligence systems,” offering guidance on the collection, storage, and dissemination of criminal intelligence information.” Institute for Intergovernmental Research, Criminal Intelligence Systems Operating Policies FAQ on 28 CFR Part 23."

Criminal Justice: The term “criminal justice” includes activities relating to the detection, apprehension, detention, pretrial release, post-trial release, prosecution, adjudication, correctional supervision, or rehabilitation of accused persons or criminal offenders. The administration of criminal justice includes criminal identification activities and the collection, storage, and dissemination of criminal history records.” National Criminal History Access and Child Protection Act, Public Law 105-251, Section 217."

Criminal Justice Services: means services provided by the FBI to criminal justice agencies in response to a request for information about a particular individual or as an update to information previously provided for criminal justice purposes.” National Criminal History Access and Child Protection Act, Public Law 105-251, Section 217."

Criminal Predicate: (also referred to as Reasonable Suspicion) there are various definitions for this term.

“Reasonable Suspicion or Criminal Predicate is established when information exists which establishes sufficient facts to give a trained law enforcement or criminal investigative agency officer, investigator, or employee a basis to believe that there is a reasonable possibility that an individual or organization is involved in a definable criminal activity or enterprise.

In an interjurisdictional intelligence system, the project is responsible for establishing the existence of reasonable suspicion of criminal activity either through:

  • examination of supporting information submitted by a participating agency or
  • by delegation of this responsibility to a properly trained participating agency which is subject to routine inspection and audit procedures established by the project.”
Criminal Intelligence Systems Operating Policies, 28 CFR Part 23, §23.20(c).

The National Research Council of the National Academies, Protecting Individual Privacy in the Struggle Against Terrorists: A Framework for Assessment, at 15 describes a criminal predicate as “the possession of reliable, fact-based information that reasonably infers that a particularly described… subject has committed, is committing or is about to commit a crime.”

Criterion Offense: means any felony or misdemeanor offense not included on the list of non-serious offenses published periodically by the FBI.” National Criminal History Access and Child Protection Act, Public Law 105-251, Section 217."

Critical Infrastructure: has the same definition as described in section 2 of the Homeland Security Act of 2002, and means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination thereof.” DHS Procedures for Handling Critical Infrastructure Information, 6 CFR Sec. 29.2 (a); “systems and assets vital to national defense, national security, economic security, public health or safety including both regional and national infrastructure. Critical infrastructure may be publicly or privately owned; examples of critical infrastructure include gas and oil production, storage, or delivery systems, water supply systems, telecommunications networks, electrical power generation or delivery systems, financing and banking systems, emergency services (including medical, police, fire, and rescue services), and transportation systems and services (including highways, mass transit, airlines, and airports); and (4) the term ‘foreign terrorist organization’ means an organization designated as a terrorist organization under section 219(a)(1) of the Immigration and Nationality Act.” Intelligence Reform and Terrorism Prevention Act, P.L. 108-458, Section 6602."

Critical Infrastructure Information: (or CII) means information not customarily in the public domain and related to the security of critical infrastructure or protected systems. CII consists of records or information concerning: (1) Actual, potential, or threatened interference with, attack on, compromise of, or incapacitation of critical infrastructure or protected systems by physical or computer-based attack or other similar conduct (including the misuse of or unauthorized access to all types of communications and data transmission systems) that violates Federal, State, or local law, harms the interstate commerce of the United States, or threatens public health or safety; (2) The ability of any critical infrastructure or protected system to resist such interference, compromise, or incapacitation, including any planned or past assessment, projection, or estimate of the vulnerability of critical infrastructure or a protected system, including security testing, risk evaluation thereto, risk management planning, or risk audit; or (3) Any planned or past operational problem or solution regarding critical infrastructure or protected systems, including repair, recovery, reconstruction, insurance, or continuity, to the extent it is related to such interference, compromise, or incapacitation.” DHS Procedures for Handling Critical Infrastructure Information, 6 CFR Sec. 29.2 (b)."

Critical Infrastructure Information Program: or 'CII Program' means the maintenance, management, and review of these procedures and of the information provided to DHS in expectation of the protections provided by the CII Act of 2002.” DHS Procedures for Handling Critical Infrastructure Information, 6 CFR Sec. 29.2 (c)."

Critical Infrastructure Warning Information Network (CWIN): is the critical, survivable network connecting DHS with the vital sectors that are essential in restoring the Nation’s infrastructure during incidents of national significance: Electricity, Information Technology (IT), and Telecommunications; the states’ homeland security advisors; and the sector-specific agencies (SSAs) and sector-specific resources (SSRs) for each of the critical infrastructure sectors.” DHS Exhibit 300 Public Release BY08 (Form), CWIN - Critical Infrastructure Warning Information Network (2008)."

Cryptographic Key: A parameter used in conjunction with a cryptographic algorithm that determines: (1) the transformation of plaintext data into ciphertext data, (2) the transformation of ciphertext data into plaintext data, (3) a digital signature computed from data, (4) the verification of a digital signature computed from data, or (5) a data authentication code (DAC) computed from data.” NIST Special Publication 800-21, Guideline for Implementing Cryptography In the Federal Government."

Cryptography: The discipline which embodies principles, means and methods for the transformation of data to hide its information content, prevent its undetected modification, prevent its unauthorized use or a combination thereof.” “Cryptography deals with the transformation of ordinary text (plaintext) into coded form (ciphertext) by encryption and transformation of ciphertext into plaintext by decryption.” NIST Special Publication 800-21, Guideline for Implementing Cryptography In the Federal Government."

Current Investigation File: means, with respect to a security clearance, a file on an investigation or adjudication that has been conducted during-- (A) the 5-year period beginning on the date the security clearance was granted, in the case of a Top Secret Clearance, or the date access was granted to a highly sensitive program; (B) the 10-year period beginning on the date the security clearance was granted in the case of a Secret Clearance; and (C) the 15-year period beginning on the date the security clearance was granted in the case of a Confidential Clearance.” Intelligence Reform and Terrorism Prevention Act, P.L. 108-458, Section 3001."

D

Damage to the National Security: means harm to the national defense or foreign relations of the United States from the unauthorized disclosure of information, taking into consideration such aspects of the information as the sensitivity, value, utility, and provenance of that information.” Executive Order 13292, Classified National Security Information, Section 6.1(j)."

Data Aggregation: With respect to protected health information created or received by a business associate in its capacity as the business associate of a covered entity, the combining of such protected health information by the business associate with the protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.” Standards for Privacy of Individually Identifiable Health Information (“HIPAA Privacy Rule”), 45 CFR Parts 160 and 164."

Database: does not include telephone directories, news reporting, information publicly available to any member of the public without payment of a fee, or databases of judicial and administrative opinions or other legal research sources.” Implementing the 9/11 Commission Recommendations Act of 2007, Public Law 110-53, Section 804; “means a set of data, consisting of at least one data file, that is sufficient for a given purpose.” National Archives and Records Administration, Electronic Records Management Regulations, 36 CFR 1234."

Database Management System: means a software system used to access and retrieve data stored in a data base.” National Archives and Records Administration, Electronic Records Management Regulations, 36 CFR 1234."

Data Element: A basic unit of information that has a unique meaning and subcategories (data items) of distinct value. Examples of data elements include gender, race, and geographic location.” NIST Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems."

Data Extracts: see Logging of Data Extracts below."

Data File: means related numeric, textual, or graphic information that is organized in a strictly prescribed form and format.” National Archives and Records Administration, Electronic Records Management Regulations, 36 CFR 1234; “(1) A collection of data that is stored together and treated as a unit by a computer. (2) Related data (numeric, textual, or graphic information) and fields that are organized in a strictly prescribed form and format.” National Archives and Records Administration, Electronic Records Glossary."

Data Integrity: The state that exists when computerized data is the same as that in the source documents and has not been exposed to accidental or malicious alteration or destruction.” NIST Special Publication 800-21, Guideline for Implementing Cryptography In the Federal Government."

Data Mining: means a program involving pattern-based queries, searches, or other analyses of 1 or more electronic databases, where— (A) a department or agency of the Federal Government, or a non-Federal entity acting on behalf of the Federal Government, is conducting the queries, searches, or other analyses to discover or locate a predictive pattern or anomaly indicative of terrorist or criminal activity on the part of any individual or individuals; (B) the queries, searches, or other analyses are not subject-based and do not use personal identifiers of a specific individual, or inputs associated with a specific individual or group of individuals, to retrieve information from the database or databases; and (C) the purpose of the queries, searches, or other analyses is not solely— (i) the detection of fraud, waste, or abuse in a Government agency or program; or (ii) the security of a Government computer system. Implementing the 9/11 Commission Recommendations Act of 2007, Public Law 110-53, Section 804.

“Although the use and sophistication of data mining have increased in both the government and the private sector, data mining remains an ambiguous term. According to some experts, data mining overlaps a wide range of analytical activities, including data profiling, data warehousing, online analytical processing, and enterprise analytical applications. Some of the terms used to describe data mining or similar analytical activities include 'factual data analysis' and 'predictive analytics.' We surveyed technical literature and developed a definition of data mining based on the most commonly used terms found in this literature. Based on this search, we define data mining as the application of database technology and techniques—such as statistical analysis and modeling—to uncover hidden patterns and subtle relationships in data and to infer rules that allow for the prediction of future results.” GAO Report, Data Mining: Federal Efforts Cover Wide Range of Uses, May 2004. “involves the uses of sophisticated data analysis tools to discover previously unknown, valid patterns and relationships in large data sets.” Congressional Research Service, Data Mining and Homeland Security: An Overview; “[A] query or search or other analysis of 1 or more electronic databases, whereas –

  1. at least 1 of the database was obtained from or remains under the control of a non-Federal entity, or the information was acquired initially by another department or agency of the Federal Government for purposes other than intelligence or law enforcement;
  2. Department or agency of the Federal Government or a non-Federal entity acting on behalf of the Federal Government is conducting the query or search or other analysis to find a predictive pattern indicating terrorist or criminal activity; and
  3. the search does not use a specific individual’s personal identifiers to acquire information concerning that individual. [Note: The definition further specifies that “the term 'database' does not include telephone directories, news reporting, information publicly available via the Internet or available by any other means to any member of the public without payment of a fee, or databases of judicial and administrative opinions.”] House Report 108-774 – Making Appropriations for the Department of Homeland Security for the Fiscal Year Ending September 30, 2005, and for Other Purposes;
“[T]he process of knowledge discovery, predictive modeling, and analytics” that traditionally involves the discovery of patterns and relationships from structured data bases of historical occurrences. DHS OIG Survey of DHS Data Mining Activities (August 2006)."

Data Standards: Data standards help identify the fundamental building blocks for defining, formatting, and exchanging actual terrorism information. Data standards are applicable to a wide range of elements to include raw collected data, messages, and published documents and records. In general, CTISS data standards for Federal Government agencies and departments must map to components of the Federal Enterprise Architecture (FEA), such as the Data Reference Model and the ISE EAF.” Common Terrorism Information Sharing Standards (CTISS) Program, at 2 (Oct. 2007)."

Data Trail: is a collection of information that reveals the places where an individual has actually been or things he has done."

Data Type: The representation of information according to preset specifications (e.g., plain text files, fixed length text files, HTML, TIFF, etc.)” National Archives and Records Administration, Electronic Records Glossary."

Declassification: means the authorized change in the status of information from classified information to unclassified information.” Executive Order 13292, Classified National Security Information, Section 6.1(k)."

Declassification Authority: means: (1) the official who authorized the original classification, if that official is still serving in the same position; (2) the originator's current successor in function; (3) a supervisory official of either; or (4) officials delegated declassification authority in writing by the agency head or the senior agency official.” Executive Order 13292, Classified National Security Information, Section 6.1(l)."

Declassification Guide: means written instructions issued by a declassification authority that describes the elements of information regarding a specific subject that may be declassified and the elements that must remain classified.” Executive Order 13292, Classified National Security Information, Section 6.1(m)."

Decryption: The process of changing ciphertext into plaintext.” NIST Special Publication 800-21, Guideline for Implementing Cryptography In the Federal Government."

Department of Defense Top Ten Fugitives (Air Force): The Defense Department’s Fugitive Recovery Program, run by the Air Force Office of Special Investigations, was formally implemented in 1997 to concentrate the Air Force’s efforts in retrieving Air Force fugitives. Although the TSC [Terrorist Screening Center] has the capability to use this information as an additional source for terrorist screening, this list provides no independent terrorist watch list function. Therefore, the TSC does not consider this list to be a watch list.” U.S. Department of Justice Office of the Inspector General Audit Division, Review of the Terrorist Screening Center, Audit Report 05-27, at 9 (June, 2005)."

Department of Defense Information Sharing Strategy (DoD ISS): Provides the strategy for the Department of Defense (DoD) to build a collaborative culture and DoD Information Sharing Environment. Through this strategy and its vision to “deliver the power of Information to ensure mission success,” the DoD will: (1) Achieve unity of effort across missions and operations, (2) Improve the speed and execution of decisions, (3) Achieve rapid adaptability across mission and coalition operations, (4) Improve the ability to anticipate events and resource needs, and (5) Achieve greater precision in mission planning and execution. The DoD also defines information sharing as, “[m]aking information available to participants (people, process, or systems).” This information availability is to be brought about by a 4-tiered set of goals, envisioned to be quick wins: (1) Promote, encourage, and incentivize sharing, (2) Achieve an extended enterprise, (3) Strengthen agility, in order to accommodate unanticipated partners and events, and (4) Ensure trust across organizations. The DoD ISS establishes five touchstones of information sharing to guide implementation planning and establish key areas for improvement by all stakeholders.” U.S. Intelligence Community, Information Sharing Strategy, at 17 (February, 2008)."

Deposit Agreement: A type of disposition agreement in which NARA agrees to accept physical custody of documentary material without taking legal custody of it.
Note: Such agreements are unusual, and are not applicable for material over which NARA has statutory authority, i.e. Federal and Presidential records.” National Archives and Records Administration, Electronic Records Glossary."

Derivative Classification: means the incorporating, paraphrasing, restating, or generating in new form information that is already classified, and marking the newly developed material consistent with the classification markings that apply to the source information. Derivative classification includes the classification of information based on classification guidance. The duplication or reproduction of existing classified information is not derivative classification.” Executive Order 13292, Classified National Security Information, Section 6.1(n)."

Designated Approving Authority (DAA): The senior management official who has the authority to authorize processing (accredit) an automated information system (major application or general support system) and accept the risk associated with the system.” NIST Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems."

Digital Signature: The result of a cryptographic transformation of data which, when properly implemented, provides the services of: (1) origin authentication, (2) data integrity, and (3) signer non-repudiation. The digital signature is computed using a set of rules (e.g., the Digital Signature Algorithm (DSA)) and a set of parameters such that the identity of the signatory and integrity of the data can be verified. [. . . ]. A data unit that allows a recipient of a message to verify the identity of the signatory and integrity of the message. [. . . ]. A nonforgeable transformation of data that allows the proof of the source (with non-repudiation) and the verification of the integrity of that data.” NIST Special Publication 800-21, Guideline for Implementing Cryptography In the Federal Government."

Direct Access: means access to the National Identification Index by computer terminal or other automated means not requiring the assistance of or intervention by any other party or agency.” National Criminal History Access and Child Protection Act, Public Law 105-251, Section 217."

Disclose: means to communicate, provide, impart, transmit, transfer, convey, publish, or otherwise make available.” National Security Act, Public Law 235, Section 606."

Disclosure: To permit access to or the release, transfer, or other communication of personally identifiable information contained in education records to any party, by any means, including oral, written, or electronic means.” Family Educational Right to Privacy Act Regulations, 34 CFR Part 99, Section 99.3; “[T]he release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.” Standards for Privacy of Individually Identifiable Health Information (“HIPAA Privacy Rule”), 45 CFR Parts 160 and 164."

Discretionary Access Control (DAC): DAC leaves a certain amount of access control to the discretion of the object’s owner or anyone else who is authorized to control the object’s access [NCSC87]. For example, it is generally used to limit a user’s access to a file [NSP94]; it is the owner of the file who controls other users’ accesses to the file. Only those users specified by the owner may have some combination of read, write, execute, and other permissions to the file. DAC policy tends to be very flexible and is widely used in the commercial and government sectors. However, DAC is known to be inherently weak for two reasons. First, granting read access is transitive; for example, when Ann grants Bob read access to a file, nothing stops Bob from copying the contents of Ann’s file to an object that Bob controls. Bob may now grant any other user access to the copy of Ann’s file without Ann’s knowledge. Second, DAC policy is vulnerable to Trojan horse attacks. Because programs inherit the identity of the invoking user, Bob may, for example, write a program for Ann that, on the surface, performs some useful function, while at the same time destroys the contents of Ann’s files. When investigating the problem, the audit files would indicate that Ann destroyed her own files. Thus, formally, the drawbacks of DAC are as follows:

  • Information can be copied from one object to another; therefore, there is no real assurance on the flow of information in a system.
  • No restrictions apply to the usage of information when the user has received it.
  • The privileges for accessing objects are decided by the owner of the object, rather than through a system-wide policy that reflects the organization’s security requirements.
ACLs and owner/group/other access control mechanisms are by far the most common mechanism for implementing DAC policies [FCK03]. Other mechanisms, even though not designed with DAC in mind, may have the capabilities to implement a DAC policy.” NIST Interagency Report 7316, Assessment of Access Control Systems."
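The two DAC drawbacks described above, reproduced in a small owner-managed ACL simulation. This is an added example, not code from NIST IR 7316 or this glossary; the users (Ann, Bob, Carol), object names and contents are constructed.

```python
"""Simulation of discretionary access control (DAC) with owner-managed ACLs.

Added example, not code from NIST IR 7316 or this glossary. It shows the two
drawbacks the entry describes: read access is transitive, and programs inherit
the identity of the invoking user. Users, object names and contents are
constructed.
"""
from dataclasses import dataclass, field


class AccessDenied(Exception):
    pass


@dataclass
class Obj:
    owner: str
    contents: str
    acl: dict = field(default_factory=dict)   # user -> set of permissions


class DacSystem:
    def __init__(self):
        self.objects = {}
        self.audit = []   # (acting user, action, object name)

    def create(self, owner, name, contents):
        self.objects[name] = Obj(owner, contents)
        self.audit.append((owner, "create", name))

    def grant(self, grantor, name, grantee, perm):
        obj = self.objects[name]
        # DAC: only the object's owner decides who may access it; no
        # system-wide policy can veto the grant.
        if grantor != obj.owner:
            raise AccessDenied(f"{grantor} does not own {name}")
        obj.acl.setdefault(grantee, set()).add(perm)

    def permitted(self, user, name, perm):
        obj = self.objects[name]
        return user == obj.owner or perm in obj.acl.get(user, set())

    def read(self, user, name):
        if not self.permitted(user, name, "read"):
            raise AccessDenied(f"{user} may not read {name}")
        self.audit.append((user, "read", name))
        return self.objects[name].contents

    def write(self, user, name, contents):
        if not self.permitted(user, name, "write"):
            raise AccessDenied(f"{user} may not write {name}")
        self.objects[name].contents = contents
        self.audit.append((user, "write", name))

    def run(self, invoker, program):
        # A program runs with the identity of the user who invokes it, so every
        # access it makes is checked and audited as that user.
        return program(self, invoker)


def transitive_read_demo():
    """Ann grants Bob read access; nothing stops Bob from re-sharing a copy."""
    s = DacSystem()
    s.create("ann", "ann_report", "figures: constructed sample data")
    s.grant("ann", "ann_report", "bob", "read")
    copy = s.read("bob", "ann_report")
    s.create("bob", "bob_copy", copy)            # Bob owns the copy
    s.grant("bob", "bob_copy", "carol", "read")  # Ann is never consulted
    return {
        "carol_may_read_original": s.permitted("carol", "ann_report", "read"),
        "carol_reads_copy": s.read("carol", "bob_copy") == copy,
    }


def trojan_horse_demo():
    """A program Bob wrote, run by Ann, overwrites Ann's file as Ann."""
    s = DacSystem()
    s.create("ann", "ann_notes", "notes: constructed sample data")

    def bobs_tool(system, user):
        # Whatever useful work the tool claims to do would go here; the side
        # effect below is what the audit trail will record, under Ann's name.
        system.write(user, "ann_notes", "")
        return "done"

    s.run("ann", bobs_tool)
    return {
        "contents_destroyed": s.objects["ann_notes"].contents == "",
        "audit_actor": [who for who, act, _ in s.audit if act == "write"][0],
    }
```

Ann's ACL never lists Carol, yet Carol reads the information; and the only audit record of the destructive write names Ann, which is why DAC alone gives no assurance about information flow or attribution.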

Disposal: Removal of records from DHS control and authority by their physical destruction, sale as waste material, or other forms of salvage or transfer; includes erasure of information captured or maintained on electronic media.” DHS Records Management Handbook."

Disposal Authority: The legal authorization obtained only from the Archivist of the United States, NARA, for the disposal of records and recorded information.” DHS Records Management Handbook."

Dispose: To carry out disposition instructions to destroy or donate temporary records after their retention period expires or other documentary material without permanent value.” National Archives and Records Administration, Electronic Records Glossary."

Disposition: Refers to actions taken with regard to Federal records that are no longer needed for current government business as determined by their appraisal pursuant to legislation, regulation, or administrative procedure. Disposition is a comprehensive term that includes both destruction and transfer of Federal records to the National Archives of the United States. For more detailed discussions of disposition and disposition programs, refer to 36 CFR Part 1228, Subpart D - Implementing Schedules or the Disposition of Federal Records Handbook. The disposition of both temporary and permanent records requires the prior authorization of the Archivist of the United States. Agencies submit disposition requests to NARA on a Standard Form 115, Request for Records Disposition Authority.” National Archives and Records Administration, Frequently Asked Questions about Records Scheduling and Disposition; “Those actions taken regarding records no longer needed for the conduct of the regular current business of the creator. Note: These actions include transfer to storage facilities or records centers, transfers from one creator to another, transfer of physical custody to NARA, transfer of legal custody to NARA, and disposal.” National Archives and Records Administration, Electronic Records Glossary."

Disposition Agreement: A general term that includes all types of agreements (records schedules, deeds of gift, deposit agreements) that contain disposition instructions.” National Archives and Records Administration, Electronic Records Glossary."

Disposition Instruction: The instructions contained in a disposition agreement that mandate what is to be done with documentary material at certain points in their lifecycle. Disposition Instructions may consist of:

  • Specification of the length of time material should be retained by their creator or custodian (a retention period),
  • Conditions under which the creator or custodian should terminate retention,
  • Physical or legal transfer of material to another custodian,
  • Destruction of records, or stipulation that the material is not to be destroyed.” National Archives and Records Administration, Electronic Records Glossary."

Dissemination: The government initiated distribution of information to the public. Not considered dissemination within the meaning of this Circular is distribution limited to government employees or agency contractors or grantees, intra- or inter-agency use or sharing of government information, and responses to requests for agency records under the Freedom of Information Act (5 U.S.C. 552) or Privacy Act.” OMB Circular A-130, Management of Federal Information Resources."

Document: means any recorded information, regardless of the nature of the medium or the method or circumstances of recording.” Executive Order 13292, Classified National Security Information, Section 6.1(o)."

Documentary Material: Records (temporary or permanent), nonrecord material, personal papers or artifacts that refer to all media containing recorded information, regardless of the nature of the media or the method(s) or circumstance(s) of recording.” National Archives and Records Administration, Electronic Records Glossary."

Domestic Organization: means “a group or organization (whether formally or informally constituted) composed of citizens of the United States and which has no significant connection with a foreign power, its agents or agencies.” United States v. United States District Court (a/k/a “the Keith case”), 407 U.S. 297, 310 (1972) (discussing presidential electronic surveillance authority under the Communications Act of 1934)."

Downgrading: means a determination by a declassification authority that information classified and safeguarded at a specified level shall be classified and safeguarded at a lower level.” Executive Order 13292, Classified National Security Information, Section 6.1(p)."

Donated Material: Documentary material that has been transferred into NARA’s legal custody via a deed of gift from a person or non-Federal organization.” National Archives and Records Administration, Electronic Records Glossary."

E

Education Records: Those records, files, documents, and other materials which: contain information directly related to a student; and are maintained by an educational agency or institution or by a person acting for such agency or institution. The term “education records” does not include: records of instructional, supervisory, and administrative personnel and educational personnel ancillary thereto which are in the sole possession of the maker thereof and which are not accessible or revealed to any other person except a substitute; records maintained by a law enforcement unit of the educational agency or institution that were created by that law enforcement unit for the purpose of law enforcement; in the case of persons who are employed by an educational agency or institution but who are not in attendance at such agency or institution, records made and maintained in the normal course of business which relate exclusively to such person in that person’s capacity as an employee and are not available for use for any other purpose; or records on a student who is eighteen years of age or older, or is attending an institution of postsecondary education, which are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in his professional or paraprofessional capacity, or assisting in that capacity, and which are made, maintained, or used only in connection with the provision of treatment to the student, and are not available to anyone other than persons providing such treatment, except that such records can be personally reviewed by a physician or other appropriate professional of the student’s choice.” Family Educational Right to Privacy Act, 20 USC Section 1232g."

Electronic Communication: Any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photo-electronic or photo-optical system that affects interstate or foreign commerce, but does not include: (A) any wire or oral communication; (B) any communication made through a tone-only paging device; (C) any communication from a tracking device (as defined in section 3117 of this title); or (D) electronic funds transfer information stored by a financial institution in a communications system used for the electronic storage and transfer of funds.” Electronic Communications Privacy Act, 18 U.S.C. Section 2510."

Electronic Communications Service: Any wire, radio, electromagnetic, photo-optical or photo-electronic facilities for the transmission of wire or electronic communications, and any computer facilities or related electronic equipment for the electronic storage of such communications.” Electronic Communications Privacy Act, 18 U.S.C. Section 2510."

Electronic Communications System: Any service which provides to users thereof the ability to send or receive wire or electronic communications. Electronic Communications Privacy Act, 18 U.S.C. Section 2510."

Electronic Information System: A system that contains and provides access to computerized Federal records and other information.” National Archives and Records Administration, Electronic Records Management Regulations, 36 CFR 1234."

Electronic Mail System: A computer application used to create, receive, and transmit messages and other documents. Excluded from this definition are file transfer utilities (software that transmits files between users but does not retain any transmission data), data systems used to collect and process data that have been organized into data files or data bases on either personal computers or mainframe computers, and word processing documents not transmitted on an e-mail system.” National Archives and Records Administration, Electronic Records Management Regulations, 36 CFR 1234."

Electronic Mail Message: A document created or received on an electronic mail system including brief notes, more formal or substantive narrative documents, and any attachments, such as word processing and other electronic documents, which may be transmitted with the message.” National Archives and Records Administration, Electronic Records Management Regulations, 36 CFR 1234."

Electronic, Mechanical, or Other Device: Any device or apparatus which can be used to intercept a wire, oral, or electronic communication other than— (a) any telephone or telegraph instrument, equipment or facility, or any component thereof, (i) furnished to the subscriber or user by a provider of wire or electronic communication service in the ordinary course of its business and being used by the subscriber or user in the ordinary course of its business or furnished by such subscriber or user for connection to the facilities of such service and used in the ordinary course of its business; or (ii) being used by a provider of wire or electronic communication service in the ordinary course of its business, or by an investigative or law enforcement officer in the ordinary course of his duties; (b) a hearing aid or similar device being used to correct subnormal hearing to not better than normal.” Electronic Communications Privacy Act, 18 U.S.C. Section 2510."

Electronic Record: means any information that is recorded in a form that only a computer can process and that satisfies the definition of a Federal record in 44 U.S.C. 3301.” National Archives and Records Administration, Electronic Records Management Regulations, 36 CFR 1234."

Electronic Recordkeeping System: An electronic system in which records are collected, organized, and categorized to facilitate their preservation, retrieval, use, and disposition.” National Archives and Records Administration, Electronic Records Management Regulations, 36 CFR 1234."

Electronic Signature: A method of signing an electronic message that -- (A) Identifies and authenticates a particular person as the source of the electronic message; and (B) Indicates such person’s approval of the information contained in the electronic message. [GPEA].” NIST Special Publication 800-21, Guideline for Implementing Cryptography In the Federal Government."

Electronic Storage: (A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.” Electronic Communications Privacy Act, 18 U.S.C. Section 2510."

Electronic Surveillance: means— (1) the acquisition by an electronic, mechanical, or other surveillance device of the contents of any wire or radio communication sent by or intended to be received by a particular, known United States person who is in the United States, if the contents are acquired by intentionally targeting that United States person, under circumstances in which a person has a reasonable expectation of privacy and a warrant would be required for law enforcement purposes; (2) the acquisition by an electronic, mechanical, or other surveillance device of the contents of any wire communication to or from a person in the United States, without the consent of any party thereto, if such acquisition occurs in the United States, but does not include the acquisition of those communications of computer trespassers that would be permissible under section 2511 (2)(i) of title 18; (3) the intentional acquisition by an electronic, mechanical, or other surveillance device of the contents of any radio communication, under circumstances in which a person has a reasonable expectation of privacy and a warrant would be required for law enforcement purposes, and if both the sender and all intended recipients are located within the United States; or (4) the installation or use of an electronic, mechanical, or other surveillance device in the United States for monitoring to acquire information, other than from a wire or radio communication, under circumstances in which a person has a reasonable expectation of privacy and a warrant would be required for law enforcement purposes.” Foreign Intelligence Surveillance Act, 50 U.S.C., Section 1801."

El Paso Intelligence Center (EPIC): EPIC established a Southwest Border Intelligence Service Center with a concentration on drug movement and immigration violations. Members of EPIC have access to a wide range of intelligence, including information from the U.S. Drug Enforcement Administration and U.S. Immigration and Customs Enforcement (ICE)."

Emergency Response Providers: includes Federal, State, and local emergency public safety, law enforcement, emergency response, emergency medical (including hospital emergency facilities), and related personnel, agencies, and authorities.” The Homeland Security Act, 6 U.S.C. section 101(6)."

Employment Purposes: When used in connection with a consumer report means a report used for the purpose of evaluating a consumer for employment, promotion, reassignment or retention as an employee.” Fair Credit Reporting Act, Public Law 91-508, Section 603."

Enabling Technology: As used in this plan, the term “enabling technology” refers to any technological capability used to support ISE policies or business processes.” Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Information Sharing Environment Implementation Plan, Glossary (November 2006)."

Encrypted Key (Ciphertext Key): A cryptographic key that has been encrypted with a key encrypting key, a PIN or a password to disguise the value of the underlying plaintext key.” NIST Special Publication 800-21, Guideline for Implementing Cryptography In the Federal Government."

Encryption: The process of changing plaintext into ciphertext for the purpose of security or privacy.” NIST Special Publication 800-21, Guideline for Implementing Cryptography In the Federal Government; “The translation of data into a form that is unintelligible without a deciphering mechanism.” NIST Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems."

Engage in Terrorist Activity: means, in an individual capacity or as a member of an organization— (I) to commit or to incite to commit, under circumstances indicating an intention to cause death or serious bodily injury, a terrorist activity; (II) to prepare or plan a terrorist activity; (III) to gather information on potential targets for terrorist activity; (IV) to solicit funds or other things of value for— (aa) a terrorist activity; (bb) a terrorist organization described in clause (vi)(I) or (vi)(II); or (cc) a terrorist organization described in clause (vi)(III), unless the solicitor can demonstrate that he did not know, and should not reasonably have known, that the solicitation would further the organization’s terrorist activity; (V) to solicit any individual— (aa) to engage in conduct otherwise described in this clause; (bb) for membership in a terrorist organization described in clause (vi)(I) or (vi)(II); or (cc) for membership in a terrorist organization described in clause (vi)(III), unless the solicitor can demonstrate that he did not know, and should not reasonably have known, that the solicitation would further the organization’s terrorist activity; or (VI) to commit an act that the actor knows, or reasonably should know, affords material support, including a safe house, transportation, communications, funds, transfer of funds or other material financial benefit, false documentation or identification, weapons (including chemical, biological, or radiological weapons), explosives, or training— (aa) for the commission of a terrorist activity; (bb) to any individual who the actor knows, or reasonably should know, has committed or plans to commit a terrorist activity; (cc) to a terrorist organization described in clause (vi)(I) or (vi)(II); or (dd) to a terrorist organization described in clause (vi)(III), unless the actor can demonstrate that he did not know, and should not reasonably have known, that the act would further the organization’s terrorist activity. This clause shall not apply to any material support the alien afforded to an organization or individual that has committed terrorist activity, if the Secretary of State, after consultation with the Attorney General, or the Attorney General, after consultation with the Secretary of State, concludes in his sole unreviewable discretion, that this clause should not apply.” USA PATRIOT Act, Public Law 107-56, Section 411."

Enrollment Service: The entity that manages the process of a certificate applicant applying for a certificate.” NIST Draft Special Publication 800-103 (SP 800-103), An Ontology of Identity Credentials, Part 1: Background and Formulation."

Enterprise Architecture: (i) a strategic information asset base, which defines the mission; (ii) the information necessary to perform the mission; (iii) the technologies necessary to perform the mission; and (iv) the transitional processes for implementing new technologies in response to changing mission needs; and (B) includes-- (i) a baseline architecture; (ii) a target architecture; and (iii) a sequencing plan.” E-Government Act of 2002, Public Law 107–347, Section 3601 and Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Information Sharing Environment Implementation Plan, Glossary (November 2006)."

Enterprise Search: As used in this plan, the term “enterprise search” is defined as the act of searching content to discover data, information, and knowledge wherever it exists.” Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Information Sharing Environment Implementation Plan, Glossary (November 2006)."

Environment: Aggregate of external procedures, conditions, and objects affecting the development, operation, and maintenance of an information system. [CNSS Instruction 4009].” NIST FIPS Publication 200, Minimum Security for Federal Information Systems."

Essential Characteristics: Those properties/characteristics of electronic records that must remain unchanged through transfer, ingest, storage, and presentation or output of records.” National Archives and Records Administration, Electronic Records Glossary."

Exchange Protocols Standards: Exchange Protocols standards, predominantly technical in nature, address the rules that influence system-to-system communications; these may include syntax, sequencing, and formatting guidelines for the systems affected. A core Exchange Protocol standard for the CTISS is the Extensible Markup Language (XML). XML is a general-purpose markup computer language used for creating special purpose markup languages capable of describing many different kinds of data. Markup languages are formal annotation approaches to documents or collections of digital data that aid in identifying structure and content of representative data elements.” Common Terrorism Information Sharing Standards (CTISS) Program, at 2 (Oct. 2007)."

Exigent Circumstances: are circumstances requiring action before authorization otherwise necessary under these guidelines can reasonably be obtained, in order to:

  • protect life or substantial property interests;
  • apprehend or identify a fleeing offender;
  • prevent the hiding, destruction or alteration of evidence; or
  • avoid other serious impairment or hindrance of an investigation.”
The Attorney General’s Guidelines on General Crimes, Racketeering Enterprise and Domestic Security/Terrorism Investigations."

Explosives Detection Canine Team: means a canine and a canine handler that are trained to detect explosives, radiological materials, chemical, nuclear or biological weapons, or other threats as defined by the Secretary.” Implementing the 9/11 Commission Recommendations Act of 2007, Public Law 110-53, Section 1307."

Expunge Material: To completely remove documentary material from NARA’s physical custody and all related information about the material such that no trace of the material’s existence or its audit trail remains.” National Archives and Records Administration, Electronic Records Glossary."

External Information System (or Component): Various definitions exist:

  • “An information system or component of an information system that is outside of the accreditation boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness.” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems.
  • External Information System Service: “An information system service that is implemented outside of the accreditation boundary of the organizational information system (i.e., a service that is used by, but not a part of, the organizational information system).” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems.
  • External Information System Service Provider: “A provider of external information system services to an organization through a variety of consumer-producer relationships including but not limited to: joint ventures; business partnerships; outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements); licensing agreements; and/or supply chain exchanges.” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems."

F

False Match: The term 'false match' means the incorrect matching of one individual’s biometric identifier information to another individual’s biometric identifier information by a biometric identifier system.” Intelligence Reform and Terrorism Prevention Act, P.L. 108-458, Section 4011."

Failure to Enroll: The term 'failure to enroll' means the inability of an individual to enroll in a biometric identifier system due to an insufficiently distinctive biometric sample, the lack of a body part necessary to provide the biometric sample, a system design that makes it difficult to provide consistent biometric identifier information, or other factors.” Intelligence Reform and Terrorism Prevention Act, P.L. 108-458, Section 4011."

False Non-match: The term 'false non-match' means the rejection of a valid identity by a biometric identifier system.” Intelligence Reform and Terrorism Prevention Act, P.L. 108-458, Section 4011."

FBI’s N-DEx: N-DEx will provide the first implementation of structured search and index capabilities for DOJ’s Law Enforcement Information Sharing Program. All kinds of data (structured, full-text, multimedia, etc.) will be available through N-DEx, although searching, matching, and linking will only be possible on well-defined entities (people, vehicles, locations, weapons, phone numbers, etc.), not arbitrary text (full-text data). The initial focus is on structured incident data but will be expanded to other structured data (extracted entity data from full-text documents). N-DEx’s focus is on large agencies and aggregated data sources such as RICs but will expand to any law enforcement agency.” DOJ/DHS, Fusion Center Guidelines, at 34."

FBI’s R-DEx: R-DEx provides an interface to Regional Intelligence Centers (RICs) to enable searching of unstructured documents and for retrieving matching documents. R-DEx serves two main functions: providing RICs with access to DOJ’s data and enabling a RIC’s user to perform full-text searches over DOJ unstructured documents for the region, in addition to the state and local documents accessed internally.” DOJ/DHS, Fusion Center Guidelines, at 34."

Federal Benefit Program: Any program administered or funded by the Federal Government, or by any agent or State on behalf of the Federal Government, providing cash or in-kind assistance in the form of payments, grants, loans, or loan guarantees to individuals.” Privacy Act of 1974, 5 U.S.C. § 552a."

Federal Enterprise Architecture: A business-driven framework that defines and aligns Federal business functions and supporting technology using a set of 5 common models (performance, business, services, data, and technology).” Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Information Sharing Environment Implementation Plan, Glossary (November 2006)."

Federal Enterprise Architecture FEA Program Management Office: A business-based framework for government-wide improvement developed by the Office of Management and Budget that is intended to facilitate efforts to transform the federal government to one that is citizen-centered, results-oriented, and market-based.” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems."

Federal Information System: An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems."

Federal Personnel: Officers and employees of the Government of the United States, members of the uniformed services (including members of the Reserve Components), individuals entitled to receive immediate or deferred retirement benefits under any retirement program of the Government of the United States (including survivor benefits).” Privacy Act of 1974, 5 U.S.C. § 552a."

Financial Institution: Any institution the business of which is engaging in financial activities as described in section 1843(k) of title 12.” Gramm-Leach-Bliley Act, Public Law 106-102, Section 509; The term “financial institution” does not include: (1) any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.); (2) the Federal Agricultural Mortgage Corporation; or (3) any entity chartered and operating under the Farm Credit Act of or institutions chartered by Congress specifically to engage in transactions described in section 6802(e)(1)(C) of this title, as long as such institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party.” Gramm-Leach-Bliley Act, Public Law 106-102, Section 509."

Financial Crimes Enforcement Network (FinCEN): FinCEN supports law enforcement investigative efforts and fosters interagency and global cooperation against domestic and international financial crimes to provide United States policymakers with strategic analysis of domestic and worldwide money-laundering developments, trends, and patterns. FinCEN controls over 150 million reports filed under the Bank Secrecy Act and other similar laws.” Financial Crimes Enforcement Network, DOJ/DHS, Fusion Center Guidelines, at 34."

File: When used in connection with information on any consumer, means all of the information on that consumer recorded and retained by a consumer reporting agency regardless of how the information is stored.” Fair Credit Reporting Act, Public Law 91-508, Section 603."

File Series: means file units or documents arranged according to a filing system or kept together because they relate to a particular subject or function, result from the same activity, document a specific kind of transaction, take a particular physical form, or have some other relationship arising out of their creation, receipt, or use, such as restrictions on access or use.” Executive Order 13292, Classified National Security Information, Section 6.1(q)."

Firewall: A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both.” NIST Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems."

Foreign Government Information: means: (1) information provided to the United States Government by a foreign government or governments, an international organization of governments, or any element thereof, with the expectation that the information, the source of the information, or both, are to be held in confidence; (2) information produced by the United States Government pursuant to or as a result of a joint arrangement with a foreign government or governments, or an international organization of governments, or any element thereof, requiring that the information, the arrangement, or both, are to be held in confidence; or (3) information received and treated as 'foreign government information' under the terms of a predecessor order.” Executive Order 13292, Classified National Security Information, Section 6.1(r)."

Foreign Intelligence: means information relating to the capabilities, intentions, or activities of foreign governments or elements thereof, foreign organizations, or foreign persons, or international terrorist activities.” National Security Act, Public Law 235, Section 606."

Foreign Intelligence Information: means— (1) information that relates to, and if concerning a United States person is necessary to, the ability of the United States to protect against— (A) actual or potential attack or other grave hostile acts of a foreign power or an agent of a foreign power; (B) sabotage or international terrorism by a foreign power or an agent of a foreign power; or (C) clandestine intelligence activities by an intelligence service or network of a foreign power or by an agent of a foreign power; or (2) information with respect to a foreign power or foreign territory that relates to, and if concerning a United States person is necessary to— (A) the national defense or the security of the United States; or (B) the conduct of the foreign affairs of the United States.” Foreign Intelligence Surveillance Act, 50 U.S.C., Section 1801; “[F]or purposes of section 2517 (6) [of the ECPA], means: (A) information, whether or not concerning a United States person, that relates to the ability of the United States to protect against: (i) actual or potential attack or other grave hostile acts of a foreign power or an agent of a foreign power; (ii) sabotage or international terrorism by a foreign power or an agent of a foreign power; or (iii) clandestine intelligence activities by an intelligence service or network of a foreign power or by an agent of a foreign power; or (B) information, whether or not concerning a United States person, with respect to a foreign power or foreign territory that relates to— (i) the national defense or the security of the United States; or (ii) the conduct of the foreign affairs of the United States.” Electronic Communications Privacy Act, 18 U.S.C. Section 2510 and the USA PATRIOT Act, Public Law 107-56, Section 203."

Foreign Partners: As used in this plan, the term “foreign partners” refers to non-U.S. government organizations that participate in the ISE. The term “foreign governments” is a general term that includes foreign governments and their sub-components, such as individual ministries or foreign provincial or local authorities. While this Plan focuses in particular on foreign governments, however, the same conclusions and recommendations may generally be applicable to other foreign information sharing partners. Such foreign partners include, for example, regional inter-governmental organizations such as the European Union (EU), international organizations composed of governments such as the United Nations (UN) and the International Criminal Police Organization (INTERPOL), certain other entities with recognized comparable international status and certain foreign private entities such as port operators, foreign airlines, and other logistics providers.” Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Information Sharing Environment Implementation Plan, Glossary (November 2006)."

Foreign Power: means— (1) a foreign government or any component thereof, whether or not recognized by the United States; (2) a faction of a foreign nation or nations, not substantially composed of United States persons; (3) an entity that is openly acknowledged by a foreign government or governments to be directed and controlled by such foreign government or governments; (4) a group engaged in international terrorism or activities in preparation therefor; (5) a foreign-based political organization, not substantially composed of United States persons; or (6) an entity that is directed and controlled by a foreign government or governments.” Foreign Intelligence Surveillance Act, 50 U.S.C., Section 1801."

Foreign Power and Agent of a Foreign Power: have the same meanings as set forth in sections 101 (a) and (b) respectively, of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).” National Security Act, Public Law 235, Section 606."

Foreign Terrorist Tracking Task Force (FTTTF): The President established the FTTTF through Homeland Security Presidential Directive-2 as a multi-agency effort led by the Attorney General with assistance from the Secretary of State, the Director of Central Intelligence, and other government officials, as appropriate. The mission of the FTTTF is to ensure that federal agencies coordinate programs to: 1) deny entry into the United States of aliens associated with, suspected of being engaged in, or supporting terrorist activity; and 2) locate, detain, prosecute, or deport any such aliens already present in the United States.” U.S. Department of Justice Office of the Inspector General Audit Division, Review of the Terrorist Screening Center, Audit Report 05-27, at 13 n32 (June, 2005). “In order for the TSC [Terrorist Screening Center] to begin operating by December 1, 2003, it was co-located with the [FTTTF]. The FTTTF provided space, equipment, personnel, and technological and financial support to assist in the creation of the TSC.” Id. at 13."

For Official Use Only (FOUO): The term used within DHS to identify unclassified information of a sensitive nature, not otherwise categorized by statute or regulation, the unauthorized disclosure of which could adversely impact a person’s privacy or welfare, the conduct of Federal programs, or other programs or operations essential to the national interest. Information impacting the National Security of the United States and classified Confidential, Secret, or Top Secret under Executive Order 12958, “Classified National Security Information,” as amended, or its predecessor or successor orders, is not to be considered FOUO. FOUO is not to be considered classified information.” This includes the following types of information: (a) Information of the type that may be exempt from disclosure per 5 U.S.C. 552, Freedom of Information Act, and its amendments. Designation of information as FOUO does not infer that the information is already exempt from disclosure under FOIA. Requests under FOIA, for information designated as FOUO, will be reviewed and processed in the same manner as any other FOIA request; (b) Information exempt from disclosure per 5 U.S.C. 552a, Privacy Act; (c) Information within the international and domestic banking and financial communities protected by statute, treaty, or other agreements; (d) Other international and domestic information protected by statute, treaty, regulation or other agreements; (e) Information that could be sold for profit; (f) Information that could result in physical risk to personnel; (g) DHS information technology (IT) internal systems data revealing infrastructure used for servers, desktops, and networks; applications name, version and release; switching, router, and gateway information; interconnections and access methods; mission or business use/need. Examples of information are systems inventories and enterprise architecture models. Information pertaining to national security systems and eligible for classification under Executive Order 12958, as amended, will be classified as appropriate; (h) Systems security data revealing the security posture of the system. For example, threat assessments, system security plans, contingency plans, risk management plans, Business Impact Analysis studies, and Certification and Accreditation documentation; (i) Reviews or reports illustrating or disclosing facility infrastructure or security vulnerabilities, whether to persons, systems, or facilities, not otherwise eligible for classification under Executive Order 12958, as amended; (j) Information that could constitute an indicator of U.S. government intentions, capabilities, operations, or activities or otherwise threaten operations security; (k) Developing or current technology, the release of which could hinder the objectives of DHS, compromise a technological advantage or countermeasure, cause a denial of service, or provide an adversary with sufficient information to clone, counterfeit, or circumvent a process or system.” DHS Management Directive, Safeguarding Sensitive But Unclassified (For Official Use Only) Information."

Functional Standards: Rules, conditions, guidelines, and characteristics of data and mission products supporting ISE business process areas. Functional standards may be Government-unique or may be a combination of other functional standards as appropriate.” Information Sharing Environment Administrative Memoranda, Common Terrorism Information Sharing Standards (CTISS) Program, at 2 (Oct. 2007)."

Fusion: refers to the overarching process of managing the flow of information and intelligence across levels and sectors of government and private industry. It goes beyond establishing an intelligence center or creating a computer network. The fusion process supports the implementation of risk-based, information-driven prevention, response, and consequence management programs. At the same time, it supports efforts to address immediate and/or emerging threat-related circumstances and events.” DOJ/DHS, Fusion Center Guidelines, at 13. It is important to note that the fusion process is not a system or database; it is an important part of a mechanism by which participating law enforcement, public safety, and private sector entities can provide and receive enhanced information from a fusion center. Id. at 13-14."

Fusion Center: A “collaborative effort of two or more agencies that provide resources, expertise, and/or information to the center with the goal of maximizing the ability to detect, prevent, apprehend, and respond to criminal and terrorist activity.” DOJ/DHS, Fusion Center Guidelines, at 35; “the term 'fusion center' means a collaborative effort of 2 or more Federal, State, local, or tribal government agencies that combines resources, expertise, or information with the goal of maximizing the ability of such agencies to detect, prevent, investigate, apprehend, and respond to criminal or terrorist activity.” Implementing the 9/11 Commission Recommendations Act of 2007, Public Law 110-53, Section 511; “A center established by State and local governments designed to coordinate the gathering, analysis, and dissemination of law enforcement, public-safety, and terrorism information.” Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Information Sharing Environment Implementation Plan, Glossary (November 2006)."

G

General Support System: [A]n interconnected information resource under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, facilities, and people and provides support for a variety of users and/or applications. Individual applications support different mission-related functions. Users may be from the same or different organizations.” NIST Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems and NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems."

Geospatial Information: The term 'geospatial information' means graphical or digital data depicting natural or manmade physical features, phenomena, or boundaries of the earth and any information related thereto, including surveys, maps, charts, remote sensing data, and images.” Intelligence Reform and Terrorism Prevention Act, P.L. 108-458, Section 8201."

Geospatial Intelligence: This is the analysis and visual representation of security related activities on the earth. It is produced through an integration of imagery, imagery intelligence, and geospatial information.” U.S. Intelligence Community."

Geospatial Technology: The term 'geospatial technology' means any technology utilized by analysts, specialists, surveyors, photogrammetrists, hydrographers, geodesists, cartographers, architects, or engineers for the collection, storage, retrieval, or dissemination of geospatial information, including--(i) global satellite surveillance systems; (ii) global position systems; (iii) geographic information systems; (iv) mapping equipment; (v) geocoding technology; and (vi) remote sensing devices.” Intelligence Reform and Terrorism Prevention Act, P.L. 108-458, Section 8201."

Government Information: [I]nformation created, collected, processed, disseminated, or disposed of by or for the Federal Government.” OMB Circular A-130, Management of Federal Information Resources."

Government-Unique Standards: Standards developed by the Government for its own uses (OMB Circular A-119).” Information Sharing Environment Administrative Memoranda, Common Terrorism Information Sharing Standards (CTISS) Program, at 2 (Oct. 2007)."

Guard (System): A mechanism limiting the exchange of information between information systems or subsystems.” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems."

H

Hazardous Materials: are “(1) any material defined as a hazardous material by the Secretary of Transportation; and “(2) any chemical or biological material or agent determined by the Secretary of Health and Human Services or the Attorney General as being a threat to the national security of the United States.” USA PATRIOT Act, Public Law 107-56, Section 1012."

Health Information: Any information, whether oral or recorded in any form or medium, that: (1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.” Standards for Privacy of Individually Identifiable Health Information (“HIPAA Privacy Rule”), 45 CFR Parts 160 and 164."

Hierarchical Description: The principle of archival description in which documentary material is described in aggregates at various prescribed hierarchical levels. At NARA these levels range from the largest grouping (series) to the intermediate level (file unit) to the smallest (item). Descriptions of materials at the series level are also linked to one of two types of archival control groups: a record group or a collection.” National Archives and Records Administration, Electronic Records Glossary."

High-Consequence Target: means a property, natural resource, location, area, or other target designated by the Secretary that is a viable terrorist target of national significance, which may include a facility or specific critical infrastructure, the attack of which by railroad could result in— (A) catastrophic loss of life; (B) significant damage to national security or defense capabilities; or (C) national economic harm.” Implementing the 9/11 Commission Recommendations Act of 2007, Public Law 110-53, Section 1551."

High-Impact: The potential impact is HIGH if—
- The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

AMPLIFICATION: A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.” NIST FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems."

High-Impact System: An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of high.” NIST FIPS Publication 200, Minimum Security for Federal Information Systems and NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems."

High Intensity Drug Trafficking Areas (HIDTA): This program provides federal funds to problem areas to help eliminate or reduce drug trafficking and its harmful consequences. Analysts at HIDTA centers have access to a variety of databases and systems that are available to law enforcement.” High Intensity Drug Trafficking Areas, DOJ/DHS Fusion Center Guidelines, at 34."

Highly Sensitive Program: means-- (A) a government program designated as a Special Access Program (as that term is defined in section 4.1(h) of Executive Order 12958 or any successor Executive order); or (B) a government program that applies restrictions required for-- (i) restricted data (as that term is defined in section 11 of the Atomic Energy Act of 1954 (42 U.S.C. 2014(y)); or (ii) other information commonly referred to as “sensitive compartmented information.” Intelligence Reform and Terrorism Prevention Act, P.L. 108-458, Section 3001."

Homeland Security Advisory System: The Homeland Security Advisory System is designed to guide our protective measures when specific information to a particular sector or geographic region is received. It combines threat information with vulnerability assessments and provides communications to public safety officials and the public.

  • Homeland Security Threat Advisories contain actionable information about an incident involving, or a threat targeting, critical national networks or infrastructures or key assets. They could, for example, relay newly developed procedures that, when implemented, would significantly improve security or protection. They could also suggest a change in readiness posture, protective actions, or response. This category includes products formerly named alerts, advisories, and sector notifications. Advisories are targeted to Federal, state, and local governments, private sector organizations, and international partners.
  • Homeland Security Information Bulletins communicate information of interest to the nation’s critical infrastructures that do not meet the timeliness, specificity, or significance thresholds of warning messages. Such information may include statistical reports, periodic summaries, incident response or reporting guidelines, common vulnerabilities and patches, and configuration standards or tools. It also may include preliminary requests for information. Bulletins are targeted to Federal, state, and local governments, private sector organizations, and international partners.
  • Color-coded Threat Level System is used to communicate with public safety officials and the public at-large through a threat-based, color-coded system so that protective measures can be implemented to reduce the likelihood or impact of an attack. Raising the threat condition has economic, physical, and psychological effects on the nation; so, the Homeland Security Advisory System can place specific geographic regions or industry sectors on a higher alert status than other regions or industries, based on specific threat information."

Homeland Security Information: means any information possessed by a Federal, State, or local agency that— (A) relates to the threat of terrorist activity; (B) relates to the ability to prevent, interdict, or disrupt terrorist activity; (C) would improve the identification or investigation of a suspected terrorist or terrorist organization; or (D) would improve the response to a terrorist act.” Homeland Security Information Sharing Act, Public Law 107-296, Section 892; ISE Privacy and Civil Liberties Implementation Workbook, Appendix H, ISE Privacy Guidelines Definitions, and Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Information Sharing Environment Implementation Plan, Glossary (November 2006)."

Homeland Secure Data Network: The Homeland Secure Data Network (HSDN) is a secure communications infrastructure provided by the Department of Homeland Security (DHS). The National Strategy for Homeland Security and the Homeland Security Act of 2002 served to mobilize and organize our nation to secure our homeland from terrorist attacks. In response to these mandates, HSDN enables Federal, State, and Local governments to share timely and actionable classified information."

Homeland Security Information Network (HSIN): The Homeland Security Information Network is a computer-based counterterrorism communications system connecting all 50 states, five territories, Washington, D.C., and 50 major urban areas.

HSIN allows all states and major urban areas to collect and disseminate information between federal, state, and local agencies involved in combating terrorism.

  • helps provide situational awareness
  • facilitates information sharing and collaboration with homeland security partners throughout the federal, state and local levels
  • provides advanced analytic capabilities
  • enables real time sharing of threat information
This communications capability delivers to states and major urban areas real-time interactive connectivity with the National Operations Center. This collaborative communications environment was developed by state and local authorities."

Homeland Security Information Network - Critical Infrastructure (HSIN CI): The HSIN-CI community of interest was specially designed to communicate real-time information to critical infrastructure owners and operators – 80 percent of whom are part of the private sector. HSIN–CI has the capacity to send alerts and notifications to the private sector at a rate of:

  • 10,000 simultaneous outbound voice calls per minute
  • 30,000 inbound simultaneous calls (hot line scenario)
  • 3,000 outbound simultaneous faxes
  • 5,000 outbound simultaneous Internet e-mail
  • Immediate Internet website content changes made."

Human-Source Intelligence (HUMINT): Human intelligence is derived from human sources. To the public, HUMINT remains synonymous with espionage and clandestine activities, yet, in reality, most HUMINT collection is performed by overt collectors such as diplomats and military attaches. HUMINT is the oldest method for collecting information, and until the technical revolution of the mid to late twentieth century, it was the primary source of intelligence. HUMINT is used mainly by the CIA, the Department of State, the DoD, and the FBI. Collection includes clandestine acquisition of photography, documents, and other material; overt collection by personnel in diplomatic and consular posts; debriefing of foreign nationals and US citizens who travel abroad; and official contacts with foreign governments. The National HUMINT Requirements Tasking Center is responsible for providing guidance for HUMINT activities, which are reflected in the National HUMINT Collection Directive. As part of this national effort, all HUMINT collection within the DoD is managed by the Defense HUMINT Service, under the direction of DIA’s Directorate for Operations.” U.S. Intelligence Community."

Homeland Security Operations Center (HSOC): The Homeland Security Operations Center (HSOC) serves as the nation’s nerve center for information sharing and domestic incident management—dramatically increasing the vertical coordination between federal, state, territorial, tribal, local, and private sector partners. The HSOC collects and fuses information from a variety of sources everyday to help deter, detect, and prevent terrorist acts. Operating 24 hours a day, seven days a week, 365 days a year, the HSOC provides real-time situational awareness and monitoring of the homeland, coordinates incidents and response activities, and, in conjunction with the DHS Office of Information Analysis, issues advisories and bulletins concerning threats to homeland security, as well as specific protective measures. Information on domestic incident management is shared with Emergency Operations Centers at all levels through the Homeland Security Information Network (HSIN).” Fact Sheet: Homeland Security Operations Center."

I

IAFIS: means the Integrated Automated Fingerprint Identification System of the Federal Bureau of Investigation, which serves as the national depository for fingerprint, biometric, and criminal history information, through which fingerprints are processed electronically.” Intelligence Reform and Terrorism Prevention Act, P.L. 108-458, Section 6403."

Identifiable Form: [A]ny representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.” E-Government Act of 2002, Public Law 107-347, Section 208; and OMB M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002; “The term ‘identifiable form’ means any representation of information that permits the identity of the respondent to whom the information applies to be reasonably inferred by either direct or indirect means.” Confidential Information Protection and Statistical Efficiency Act of 2002, 44 U.S.C. Section 3501. See also, Information in Identifiable Form."

Identification: The process of verifying the identity of a user, process, or device, usually as a prerequisite for granting access to resources in an IT system.” NIST Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems. “In a biometric security system, the process of comparing a biometric data sample against all of the system’s database reference templates in order to establish the identity of the person trying to gain access to the system.” NIST Draft Special Publication 800-103, An Ontology of Identity Credentials, Part 1: Background and Formulation."

Identity Credential: Information (electronic or printed) that seeks to either uniquely identify or provides qualifications or defining attributes about an individual identity.” NIST Draft Special Publication 800-103, An Ontology of Identity Credentials, Part 1: Background and Formulation."

Imagery Intelligence (IMINT): Imagery Intelligence includes representations of objects reproduced electronically or by optical means on film, electronic display devices, or other media. Imagery can be derived from visual photography, radar sensors, infrared sensors, lasers, and electro-optics. NGA is the manager for all imagery intelligence activities, both classified and unclassified, within the government, including requirements, collection, processing, exploitation, dissemination, archiving, and retrieval.” U.S. Intelligence Community."

Immutable Audits: Audit trails that cannot be disabled or changed. Immutable Audits ensure that (1) “everyone is subject to an audit”; (2) “produce cross-organizational audits”; (3) “measure accuracy of auditors by cross-validation;” and (4) “produce user logs that are tamper resistant.” “This type of technology is intended to permanently record, in a tamper resistant manner, how users have used a system. Even corrupt database administrators cannot alter history. . . . Immutable logs can increase security, build trust among users, measure compliance with policies and guidelines, and improve transparency and the ability to conduct oversight by appropriate stakeholders.” Jonas, J., Mobilizing Information to Prevent Terrorism — Accelerating Development of a Trusted Information Sharing Environment."

Incident: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.” NIST FIPS Publication 200, Minimum Security for Federal Information Systems."

Individual: A citizen of the United States or an alien lawfully admitted for permanent residence.” Privacy Act of 1974, 5 U.S.C. § 552a and OMB M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002; “[T]he person who is the subject of protected health information.” Standards for Privacy of Individually Identifiable Health Information (“HIPAA Privacy Rule”), 45 CFR Parts 160 and 164."

Individual Accountability: Requires individual users to be held accountable for their actions after being notified of the rules of behavior in the use of the system and the penalties associated with the violation of those rules.” NIST Special Publication 800-26; Integrating IT Security into the Capital Planning and Investment Control Process."

Individually Identifiable Health Information: [I]nformation that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.” Standards for Privacy of Individually Identifiable Health Information (“HIPAA Privacy Rule”), 45 CFR Parts 160 and 164."

Industrial Control System: An information system used to control industrial processes such as manufacturing, product handling, production, and distribution. Industrial control systems include supervisory control and data acquisition (SCADA) systems used to control geographically dispersed assets, as well as distributed control systems (DCS) and smaller control systems using programmable logic controllers to control localized processes.” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems."

Informant: means any individual who furnishes information to an intelligence agency in the course of a confidential relationship protecting the identity of such individual from public disclosure.” National Security Act, Public Law 235, Section 606."

Information: means any knowledge that can be communicated or documentary material, regardless of its physical form or characteristics, that is owned by, produced by or for, or is under the control of the United States Government. “Control” means the authority of the agency that originates information, or its successor in function, to regulate access to the information.” Executive Order 13292, Classified National Security Information, Section 6.1(s); “[A]ny communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual forms.” OMB Circular A-130, Management of Federal Information Resources; “An instance of an information type.” NIST FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems."

Information Dissemination Product: [A]ny book, paper, map, machine-readable material, audiovisual production, or other documentary material, regardless of physical form or characteristic, disseminated by an agency to the public.” OMB Circular A-130, Management of Federal Information Resources."

Information Exchange: The transfer of information from one organization to another organization, in accordance with CTISS processes.” Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Information Sharing Environment (ISE) Functional Standard (FS) Suspicious Activity Reporting (SAR), at 2 (January 2008)."

Information in Identifiable Form: Information in an IT system or online collection: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors).” OMB M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002. See also, Identifiable Form."

Information Life Cycle: The stages through which information passes, typically characterized as creation or collection, processing, dissemination, use, storage, and disposition.” OMB Circular A-130, Management of Federal Information Resources."

Information Owner: Is responsible for establishing the rules for appropriate use and protection of the data/information. The information owner retains that responsibility even when the data/information are shared with other organizations.” NIST Special Publication 800-26; Integrating IT Security into the Capital Planning and Investment Control Process; “Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.” NIST FIPS Publication 200, Minimum Security for Federal Information Systems and NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems. See also Information System Owner."

Information Processing Services Organization (IPSO): A discrete set of personnel, information technology, and support equipment with the primary function of providing services to more than one agency on a reimbursable basis.” OMB Circular A-130, Management of Federal Information Resources."

Information Quality: refers to various aspects of the information itself. Traditionally, the basic elements of information quality have been identified as accuracy, completeness, currency, reliability, and context/meaning. Today, information quality is being more fully described in multidimensional models, expanding conventional views of the topic to include considerations of accessibility, security, and privacy.” DOJ’s Justice Information Sharing Initiative, Privacy, Civil Rights and Civil Liberties: Policy and Templates for Justice Information Systems, September, 2006, at 4."

Information Management: The planning, budgeting, manipulating, and controlling of information throughout its life cycle.” OMB Circular A-130, Management of Federal Information Resources."

Information Resources: Information and related resources, such as personnel, equipment, funds, and information technology (44 U.S.C. 3502(6)).” Information Sharing Environment Administrative Memoranda, Common Terrorism Information Sharing Standards (CTISS) Program, at 2 (Oct. 2007); “Information and related resources, such as personnel, equipment, funds, and information technology.” NIST Special Publication 800-59, Guideline for Identifying an Information System as National Security System and the Paperwork Reduction Act, Public Law 104-13, 44 U.S.C. § 3501 et seq.; “[I]ncludes both government information and information technology.” OMB Circular A-130, Management of Federal Information Resources. See also, Information System and Information Technology, Mission Critical System, Major Information System."

Information Resellers: include consumer reporting agencies (CRA), which assemble and share credit histories and other personal information used to help make important decisions about individuals, such as their eligibility for financial services. Government Accountability Office, Personal Information: Key Federal Privacy Laws Do Not Require Information Resellers to Safeguard All Sensitive Data, at 6. 'Information Reseller' is an umbrella term used to describe a wide variety of businesses that collect and aggregate personal information from multiple sources and make it available to their customers.” Id. at 1. Examples include Experian, Choicepoint, Dun & Bradstreet, and West Publishing."

Information Resources Management: The process of managing information resources to accomplish agency missions. The term encompasses both information itself and the related resources, such as personnel, equipment, funds, and information technology.” OMB Circular A-130, Management of Federal Information Resources and the Paperwork Reduction Act, Public Law 104-13, 44 U.S.C. Section 3501 et seq."

Information Rights Management: Technology that enables the owner of data to control what a recipient can do with the data, much in the same way a PDF can be created without enabling the recipient to print it.” Mobilizing Information to Prevent Terrorism — Accelerating Development of a Trusted Information Sharing Environment.” Jeff Jonas."

Information Security: Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability.” NIST Special Publication 800-59, Guideline for Identifying an Information System as National Security System; “[P]rotecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide--(A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity; (B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and (C) availability, which means ensuring timely and reliable access to and use of information.” Federal Information Security Management Act, Public Law 107-347, Section 3542; “The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.” Federal Information Security Management Act, Public Law 107-347, Section 3542."

Information Sharing and Analysis Centers Council (ISACs): The mission of the Information Sharing and Analysis Centers Council (ISAC Council) is to advance the physical and cyber security of the critical infrastructures of North America by establishing and maintaining a framework for valuable interaction between and among the ISACs and with government.” ISACouncil.org."

Information Sharing and Analysis Organization or ISAO: means any formal or informal entity or collaboration created or employed by public or private sector organizations, for purposes of: (1) Gathering and analyzing critical infrastructure information in order to better understand security problems and interdependencies related to critical infrastructure and protected systems to ensure the availability, integrity, and reliability thereof; (2) Communicating or disclosing critical infrastructure information to help prevent, detect, mitigate, or recover from the effects of an interference, compromise, or an incapacitation problem related to critical infrastructure or protected systems; and (3) Voluntarily disseminating critical infrastructure information to its members, Federal, State, and local governments, or any other entities that may be of assistance in carrying out the purposes specified in paragraphs (d)(1) and (d)(2) of this section.” DHS Procedures for Handling Critical Infrastructure Information, 6 CFR Section 29.2(d)."

Information Sharing Council (ISC): The term “Information Sharing Council” means the Information Systems Council established by Executive Order 13356, or any successor body designated by the President, and referred to under subsection (g).” Intelligence Reform and Terrorism Prevention Act, P.L. 108-458, Section 1016. “The term 'Information Sharing Council' (ISC) means the Information Systems Council established by Executive Order 13356, or any successor body designated by the President, and referred to under subsection 1016(g) of the IRTPA. [Extracted from IRTPA 1016(a)(1)] E.O. 13388, which superseded E.O. 13356, established the Information Sharing Council.” Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Information Sharing Environment Implementation Plan, Glossary (November 2006). “The ISC is an interagency forum established by Section 1016 of IRTPA and Executive Order 13388, and operating under a Charter approved by the ISPCC. It is an advisory body to the President and PM in the development of policies, procedures and guidelines necessary to implement the ISE. Additionally, it provides participants an avenue to actively engage in implementation planning and decision-making for the establishment of an effective ISE. The Council also acts as a mechanism to ensure coordination among Federal departments and agencies, and is a means for the PM to assess progress among ISE communities.” Information Sharing Environment Interim Implementation Plan, at 13."

Information Sharing Environment (ISE): means an approach that facilitates the sharing of terrorism information, which approach may include any methods determined necessary and appropriate for carrying out this section.” Intelligence Reform and Terrorism Prevention Act, P.L. 108-458, Section 1016; “'information sharing environment' and 'ISE' mean an approach that facilitates the sharing of terrorism and homeland security information, which may include any method determined necessary and appropriate for carrying out this section.” Implementing the 9/11 Commission Recommendations Act of 2007, Public Law 110-53, Section 504 (amending this definition from IRTPA to add homeland security information); “The terms “information sharing environment” and “ISE” mean an approach that facilitates the sharing of terrorism information, which approach may include any methods determined necessary and appropriate for carrying out this section [1016]. [IRTPA 1016(a)(2)]. The ISE is to provide and facilitate the means for sharing terrorism information among all appropriate Federal, State, local, and tribal entities, and the private sector through the use of policy guidelines and technologies. To the greatest extent practicable, the ISE is to provide the functional equivalent of, or otherwise support, a decentralized, distributed, and coordinated environment that—(A) connects existing systems, where appropriate, provides no single points of failure, and allows users to share information among agencies, between levels of government, and, as appropriate, with the private sector; (B) ensures direct and continuous online electronic access to information; (C) facilitates the availability of information in a form and manner that facilitates its use in analysis, investigations, and operations; (D) builds upon existing systems capabilities currently in use across the Government; (E) employs an information access management approach that controls access to data rather than just systems and networks, without sacrificing security; (F) facilitates the sharing of information at and across all levels of security; (G) provides directory services, or the functional equivalent, for locating people and information; (H) incorporates protections for individuals’ privacy and civil liberties; and (I) incorporates strong mechanisms to enhance accountability and facilitate oversight, including audits, authentication, and access controls. [Extracted from IRTPA 1016(b)(2)].” Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Information Sharing Environment Implementation Plan, Glossary (November 2006)."

“In accordance with the Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA), Section 1016, and Executive Order 13388, entitled Further Strengthening the Sharing of Terrorism Information to Protect Americans, the Information Sharing Environment (ISE) is defined as the combination of policies, procedures, and technologies linking the resources (people, systems, databases, and information) of all federal executive branch entities to facilitate terrorism information sharing, access, and collaboration among users in order to combat terrorism more effectively. In addition, ISE will provide links to state, local, and tribal government agencies and the private sector to ensure effective sharing of information among all relevant entities. The Information Sharing Environment is designed to meet the dual imperatives of sharing critical information and protecting privacy and civil liberties.” Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Guidelines to Ensure that the Information Privacy and Other Legal Rights of Americans are Protected in the Development and Use of the Information Sharing Environment; “the term 'information sharing environment' means the information sharing environment established under section 1016 of the Intelligence Reform and Terrorism Prevention Act of 2004 (6 U.S.C. 485).” The 9/11 Commission Report Implementation Act;

The Information Sharing Environment (ISE) is an approach to the sharing of terrorism and homeland security information that is being implemented through a combination of policies, procedures, and technologies designed to facilitate access to critical information by all relevant entities. The ISE serves the dual imperatives of enhanced information sharing to combat terrorism and protecting the information privacy and other legal rights of Americans in the course of increased information access and collaboration across and among levels of government and elements of the private sector. The ISE is being developed pursuant to the Intelligence Reform and Terrorism Prevention Act of 2004, as amended by the Implementing Recommendations of the 9/11 Commission Act of 2007 (IRTPA, Section 1016) and Executive Order 13388, entitled “Further Strengthening the Sharing of Terrorism Information to Protect Americans;” ISE Privacy and Civil Liberties Implementation Workbook, Appendix H, ISE Privacy Guidelines Definitions."

Information Sharing Environment Privacy Guidelines Committee: The PGC is established pursuant to the Guidelines to Ensure that the Information Privacy and Other Legal Rights of Americans are Protected in the Development and Use of the Information Sharing Environment (ISE Privacy Guidelines) by the PM-ISE to provide ongoing guidance on the implementation of the ISE Privacy Guidelines “so that, among other things, agencies follow consistent interpretations of applicable legal requirements, avoid duplication of effort, share best practices, and have a forum for resolving issues on an interagency basis.” ISE.gov."

Information Sharing Environment Privacy Official: The ISE Privacy Official is the official responsible for directly overseeing the agency’s implementation of and compliance with the ISE Privacy Guidelines. The agency’s senior official with overall agency-wide responsibility for information privacy issues (as designated by statute or executive order or as otherwise identified in response to the Office of Management and Budget (OMB) Memorandum M-05-08 dated February 11, 2005) will serve as the ISE Privacy Official, unless the head of the agency determines that a different official would be better situated to perform this role. See Section 12(a) of the ISE Privacy Guidelines.” DNI’s Privacy Guidelines for the Information Sharing Environment."

Information Sharing Policy Coordination Committee: . . . “the President . . . established the Information Sharing Policy Coordination Committee (ISPCC), which is chaired jointly by the Homeland Security Council (HSC) and the National Security Council (NSC), and which has the responsibilities set forth in Section D of Homeland Security Presidential Directive-1 and other relevant presidential guidance with respect to information sharing. The ISPCC was established to address major information sharing policy issues, including the resolution of issues raised by the PM, and provide policy analysis and recommendations for consideration by the more senior committees of the HSC and NSC systems. The PM is a member of the ISPCC.” Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Information Sharing Environment Interim Implementation Plan, at 13-14."

Information System (IS): A discrete set of information resources organized for the collection, processing, maintenance, transmission, and dissemination of information, in accordance with defined procedures, whether automated or manual. OMB Circular A-130, Management of Federal Information Resources; “[A] discrete set of information [44 USC 3502 (8)] resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.” NIST Special Publication 800-59, Guideline for Identifying an Information System as National Security System; “[A]n interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.” Standards for Privacy of Individually Identifiable Health Information (“HIPAA Privacy Rule”), 45 CFR Parts 160 and 164. See also, Mission Critical System, Major Information System, Federal Information System, National Security System, Information Technology and Information Resources."

Information System Life Cycle: [T]he phases through which an information system passes, typically characterized as initiation, development, operation, and termination.” OMB Circular A-130, Management of Federal Information Resources."

Information System Owner: Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.” NIST FIPS Publication 200, Minimum Security for Federal Information Systems. See also Information Owner."

Information System Security Officer: Individual assigned responsibility by the senior agency information security officer, authorizing official, management official, or information system owner for maintaining the appropriate operational security posture for an information system or program.” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems."

Information Technology: [A]ny equipment, software or interconnected system or subsystem that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information.” OMB M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002; “[A]ny equipment or interconnected system or subsystem of equipment, that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by an executive agency. For purposes of the preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which (i) requires the use of such equipment, or (ii) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term “information technology” includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources. The term “information technology” does not include any equipment that is acquired by a Federal contractor incidental to a Federal contract. The term “information technology” does not include national security systems as defined in the Clinger-Cohen Act of 1996 (40 U.S.C. 1452).” OMB Circular A-130, Management of Federal Information Resources and Clinger-Cohen Act of 1996, Public Law 104-106, Section 5002."

Information Type: A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management), defined by an organization or, in some instances, by a specific law, Executive Order, directive, policy, or regulation.” NIST FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems."

Inspection: means the comprehensive process used by Customs and Border Protection to assess goods entering the United States to appraise them for duty purposes, to detect the presence of restricted or prohibited items, and to ensure compliance with all applicable laws.” Implementing the 9/11 Commission Recommendations Act of 2007, Public Law 110-53, Section 1524."

Integrated Automated Fingerprint Identification System (IAFIS): Maintained by the FBI and operational in July 1999, the Integrated Automated Fingerprint Identification System (IAFIS) is a national fingerprint and criminal history system that provides automated fingerprint and latent search capabilities, electronic image storage, and electronic exchange of fingerprints and responses. According to the FBI, IAFIS is the largest biometric database in the world, containing fingerprints and the corresponding criminal history for more than 47 million subjects. The database includes terrorism-related names and fingerprints and therefore is a watch list of sorts; however, individuals included in this database should also be included in primary watch lists such as TIPOFF or VGTOF [Violent Gang and Terrorist Organizations File]. IAFIS supports other watch lists by making additional biometric identifying information such as fingerprints available.” U.S. Department of Justice Office of the Inspector General Audit Division, Review of the Terrorist Screening Center, Audit Report 05-27, at 8 (June, 2005); the Federal Bureau of Investigation’s “national depository for fingerprint, biometric, and criminal history information, through which fingerprints are processed electronically.” Intelligence Reform and Terrorism Prevention Act, P.L. 108-458, Section 6403."

Integrity: The property that sensitive data has not been modified or deleted in an unauthorized and undetected manner. . . . Integrity refers to assurance that a message was not modified accidentally or deliberately in transit, by replacement, insertion or deletion.” NIST Special Publication 800-21, Guideline for Implementing Cryptography In the Federal Government; “[G]uarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity”. Federal Information Security Management Act, Public Law 107-347, Section 3542; “[T]he state that exists when information is unchanged from its source and has not been accidentally or intentionally modified, altered, or destroyed.” Executive Order 13292, Section 6.1(v); “The property that data or information have not been altered or destroyed in an unauthorized manner.” Standards for Privacy of Individually Identifiable Health Information (“HIPAA Privacy Rule”), 45 CFR Parts 160 and 164. See also, Information System, Mission Critical System, Major Information System, National Security System and Information Resources."

Intelligence: (1) the product resulting from the [. . . ] collection, processing, integration, analysis, evaluation, and [50 USC Ch 15] interpretation of available information concerning foreign countries or areas; or (2) information and knowledge about an adversary obtained through observation, investigation, analysis, or understanding. The term 'intelligence' includes foreign intelligence and counterintelligence.” NIST Special Publication 800-59, Guideline for Identifying an Information System as National Security System; “Intelligence includes foreign intelligence and counterintelligence.” National Security Act, Public Law 235, Section 606."

Intelligence Activities: The term 'intelligence activities' includes all activities that agencies within the Intelligence Community are authorized to conduct pursuant to Executive Order 12333, United States Intelligence Activities."

Intelligence Agency: means any department, agency, or other entity of the United States involved in intelligence or intelligence-related activities.” National Security Act, Public Law 235, Section 606, Section 414(e)(1); “[I]ntelligence agency” means the Central Intelligence Agency, a foreign intelligence component of the Department of Defense, or the foreign counterintelligence or foreign counterterrorism components of the Federal Bureau of Investigation.” National Security Act, Public Law 235, Section 606."

Intelligence Analyst: means an individual who regularly advises, administers, supervises, or performs work in the collection, gathering, analysis, evaluation, reporting, production, or dissemination of information on political, economic, social, cultural, physical, geographical, scientific, or military conditions, trends, or forces in foreign or domestic areas that directly or indirectly affect national security.” Implementing the 9/11 Commission Recommendations Act of 2007, Public Law 110-53, Section 511."

Intelligence Community: includes the following: (A) The Office of the Director of National Intelligence; (B) The Central Intelligence Agency; (C) The National Security Agency; (D) The Defense Intelligence Agency; (E) The National Geospatial-Intelligence Agency; (F) The National Reconnaissance Office; (G) Other offices within the Department of Defense for the collection of specialized national intelligence through reconnaissance programs; (H) The intelligence elements of the Army, the Navy, the Air Force, the Marine Corps, the Federal Bureau of Investigation, and the Department of Energy; (I) The Bureau of Intelligence and Research of the Department of State; (J) The Office of Intelligence and Analysis of the Department of the Treasury; (K) The elements of the Department of Homeland Security concerned with the analysis of intelligence information, including the Office of Intelligence of the Coast Guard; (L) Such other elements of any other department or agency as may be designated by the President, or designated jointly by the Director of National Intelligence and the head of the department or agency concerned, as an element of the intelligence community.” National Security Act, Public Law 235, Section 606 (as amended by the Intelligence Reform and Terrorism Prevention Act); “Intelligence Community” and “agency within the Intelligence Community” have the meanings set forth for those terms in section 3.4(f) of Executive Order 12333 of December 4, 1981, as amended.” Executive Order 13356, Strengthening the Sharing of Terrorism Information To Protect Americans and Homeland Security Information Sharing Act, Public Law 107-296, Section 892."

Intelligence Component of the Department: means any element or entity of the Department that collects, gathers, processes, analyzes, produces, or disseminates intelligence information within the scope of the information sharing environment, including homeland security information, terrorism information, and weapons of mass destruction information, or national intelligence, as defined under section 3(5) of the National Security Act of 1947 (50 U.S.C. 401a(5)), except— (A) the United States Secret Service; and (B) the Coast Guard, when operating under the direct authority of the Secretary of Defense or Secretary of the Navy pursuant to section 3 of title 14, United States Code, except that nothing in this paragraph shall affect or diminish the authority and responsibilities of the Commandant of the Coast Guard to command or control the Coast Guard as an armed force or the authority of the Director of National Intelligence with respect to the Coast Guard as an element of the intelligence community (as defined under section 3(4) of the National Security Act of 1947 (50 U.S.C. 401a(4)).” Implementing the 9/11 Commission Recommendations Act of 2007, Public Law 110-53, Section 502."

Intelligence-led Policing: means the collection and analysis of information to produce an intelligence end product designed to inform law enforcement decision making at the tactical and strategic levels.” Implementing the 9/11 Commission Recommendations Act of 2007, Public Law 110-53, Section 511."

Intelligence Program: with respect to the acquisition of a major system, means a program that—(i) is carried out to acquire such major system for an element of the intelligence community; and (ii) is funded in whole out of amounts available for the National Intelligence Program.” Intelligence Reform and Terrorism Prevention Act, P.L. 108-458."

Intelligence Project: means the organizational unit that operates an intelligence system on behalf of and for the benefit of a single agency or the organization that operates an interjurisdictional intelligence system on behalf of a group of participating agencies. 28 CFR Part 23, §23.3(b)(5)."

Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA): Requires the Director of National Intelligence (DNI) to ensure maximum availability of and access to intelligence information within the Intelligence Community consistent with national security requirements. The statute also calls for protecting sources and methods in the context of maximizing the dissemination of intelligence information following DNI-established guidelines for classification, retrieval (in the form when initially gathered through finished products), and writing products at the lowest classification possible to support customers.” U.S. Intelligence Community, Information Sharing Strategy, at 6 (February, 2008)."

Interagency Border Inspection System (IBIS): resides on the DHS’s Treasury Enforcement Communications System, or TECS, a large computerized information system containing more than a billion records in 700 tables, designed to identify individuals, businesses, and vehicles suspected of or involved in violation of federal law. TECS is also a communications system permitting message transmittal between law enforcement offices and other federal, state, and local law enforcement agencies. The database provides access to the FBI’s NCIC and the National Law Enforcement Telecommunications System (NLETS). The TECS database serves as the principal information system supporting border management and the law enforcement mission of the DHS’s U.S. Customs and Border Protection (CBP) and other federal law enforcement agencies. CBP personnel located at air, land, and sea ports of entry, as well as law enforcement and regulatory personnel from more than 20 other federal agencies or bureaus, can access IBIS. The IBIS system is used to expedite the clearance process at ports of entry and to keep track of information on suspect individuals, businesses, vehicles, aircraft, and vessels. Therefore, IBIS is considered a watch listing system.” U.S. Department of Justice Office of the Inspector General Audit Division, Review of the Terrorist Screening Center, Audit Report 05-27, at 7 (June, 2005)."

Intercept: [T]he aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” Electronic Communications Privacy Act, 18 U.S.C. Section 2510."

Interconnection Security Agreement (ISA): In this guide, an agreement established between the organizations that own and operate connected IT systems to document the technical requirements of the interconnection. The ISA also supports a Memorandum of Understanding or Agreement (MOU/A) between the organizations.” NIST Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems."

Interjurisdictional Intelligence System: means an intelligence system that involves two or more participating agencies representing different governmental units or jurisdictions. Criminal Intelligence Systems Operating Policies, 28 CFR Part 23, §23.3(b)(2)."

International Terrorism: means activities that— (1) involve violent acts or acts dangerous to human life that are a violation of the criminal laws of the United States or of any State, or that would be a criminal violation if committed within the jurisdiction of the United States or any State; (2) appear to be intended— (A) to intimidate or coerce a civilian population; (B) to influence the policy of a government by intimidation or coercion; or (C) to affect the conduct of a government by assassination or kidnapping; and (3) occur totally outside the United States, or transcend national boundaries in terms of the means by which they are accomplished, the persons they appear intended to coerce or intimidate, or the locale in which their perpetrators operate or seek asylum.” Foreign Intelligence Surveillance Act, 50 U.S.C., Section 1801."

International Association of Crime Analysts (IACA): IACA helps crime analysts around the world improve their skills and make valuable contacts, helps law enforcement agencies maximize use of crime analysis, and advocates for standards of performance and technique with the professions.” DOJ/DHS, Fusion Center Guidelines, at 34."

International Association of Law Enforcement Intelligence Analysts (IALEIA): IALEIA’s mission is to professionalize analysis in law enforcement, military, and private industry. IALEIA holds major conferences, local or regional chapter meetings, and training sessions and has published a number of booklets.” DOJ/DHS, Fusion Center Guidelines, at 34."

International Criminal Police Organization (INTERPOL): The stated mission of Interpol is to provide essential services for the international law enforcement community to optimize the effort to combat crime. The three core services that it provides are: 1) a global police communication system, 2) a range of criminal databases and analytical services, and 3) support for police operations throughout the world. The National Central Bureau of Interpol within the DOJ coordinates with the international organization on behalf of the U.S. government.” U.S. Department of Justice Office of the Inspector General Audit Division, Review of the Terrorist Screening Center, Audit Report 05-27, at 7 (June, 2005); “INTERPOL is a worldwide law enforcement organization established for mutual assistance in the prevention, detection, and deterrence of international crimes. It houses international police databases, provides secure international communications between member countries for the exchange of routine criminal investigative information, and is an information clearinghouse on international criminal/fugitives and stolen properties.” DOJ/DHS, Fusion Center Guidelines, at 34."

Interpol Terrorism Watch List: In 2002, Interpol established the Interpol Terrorism Watch List, which is available by secure access to Interpol offices and authorized police agencies in its member countries. According to the FBI, the list contained approximately 100 names as of June 2004 and all of the individuals were accounted for on a primary watch list, such as VGTOF [Violent Gang and Terrorist Organizations File] or TIPOFF.” U.S. Department of Justice Office of the Inspector General Audit Division, Review of the Terrorist Screening Center, Audit Report 05-27, at 9 (June, 2005)."

Interstate Identification System: The term “Interstate Identification Index System” or “III System”— (A) means the cooperative Federal-State system for the exchange of criminal history records; and (B) includes the National Identification Index, the National Fingerprint File and, to the extent of their participation in such system, the criminal history record repositories of the States and the FBI.” National Criminal History Access and Child Protection Act, Public Law 105-251, Section 217."

Intrusion Detection System (IDS): A software application that can be implemented on host operating systems or as network devices to monitor activity that is associated with intrusions or insider misuse, or both.” NIST Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems; “[A] software application that can be implemented on host operating systems or as network devices to monitor for signs of intruder activity and attacks.” NIST Special Publication 800-41."

Investigation Service: An entity that examines credentials and evaluates their authenticity.” NIST Draft Special Publication 800-103 (SP 800-103), An Ontology of Identity Credentials, Part 1: Background and Formulation."

Investigative Consumer Report: [A] consumer report or portion thereof in which information on a consumer’s character, general reputation, personal characteristics, or mode of living is obtained through personal interviews with neighbors, friends, or associates of the consumer reported on or with others with whom he is acquainted or who may have knowledge concerning any such items of information. However, such information shall not include specific factual information on a consumer’s credit record obtained directly from a creditor of the consumer or from a consumer reporting agency when such information was obtained directly from a creditor of the consumer or from the consumer.” Fair Credit Reporting Act, Public Law 91-508, Section 603."

Investigative or Law Enforcement Officer: [A]ny officer of the United States or of a State or political subdivision thereof, who is empowered by law to conduct investigations of or to make arrests for offenses enumerated in this chapter, and any attorney authorized by law to prosecute or participate in the prosecution of such offenses.” Electronic Communications Privacy Act, 18 U.S.C. Section 2510."

ISE Participant: The term “ISE participant” is defined as any Federal, State, local, or tribal government organization; private sector entity; or foreign government organization that participates in the ISE.” Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Information Sharing Environment Implementation Plan, Glossary (November 2006)."

ISE Privacy Guidelines Committee: The ISE Privacy Guidelines Committee is a standing committee established by the PM-ISE and is composed of each Information Sharing Council agency’s ISE Privacy Official. The Committee provides ongoing guidance on the implementation of the ISE Privacy Guidelines, so that, among other things, agencies follow consistent interpretations of applicable legal requirements, avoid duplication of effort, share best practices, and have a forum for resolving issues on an interagency basis. See Section 12(b) of the ISE Privacy Guidelines.” ISE Privacy and Civil Liberties Implementation Workbook, Appendix H, ISE Privacy Guidelines Definitions."

ISE Privacy Official: The ISE Privacy Official is the official responsible for directly overseeing the agency’s implementation of and compliance with the ISE Privacy Guidelines. The agency’s senior official with overall agency-wide responsibility for information privacy issues (as designated by statute or executive order or as otherwise identified in response to the Office of Management and Budget (OMB) Memorandum M-05-08 dated February 11, 2005) will serve as the ISE Privacy Official, unless the head of the agency determines that a different official would be better situated to perform this role. See Section 12(a) of the ISE Privacy Guidelines.” ISE Privacy and Civil Liberties Implementation Workbook, Appendix H, ISE Privacy Guidelines Definitions."

ISE-Suspicious Activity Report (ISE-SAR): An ISE-SAR is a SAR (as defined below in 5g) that has been determined, pursuant to a two-part process, to have a potential terrorism nexus. ISE-SAR business rules will serve as a unified process to support the reporting, tracking, processing, storage, and retrieval of terrorism-related suspicious activity reports across the ISE.” Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Information Sharing Environment (ISE) Functional Standard (FS) Suspicious Activity Reporting (SAR), at 2 (January 2008). See also, Suspicious Activity Report."

Issuing Authority: An entity that issues credentials, and that updates credential status after issuance.” NIST Draft Special Publication 800-103, An Ontology of Identity Credentials, Part 1: Background and Formulation."

Item: The lowest level of hierarchical description as defined by NARA, which describes the smallest intellectually indivisible archival unit (e.g. a letter, memorandum, report, leaflet, or photograph). National Archives and Records Administration, Electronic Records Glossary."


J

There are no 'J' terms.


K

Key Management: The activities involving the handling of cryptographic keys and other related security parameters (e.g., IVs, counters) during the entire life cycle of the keys, including the generation, storage, distribution, entry and use, deletion or destruction, and archiving. [ . . .] The generation, storage, secure distribution and application of keying material in accordance with a security policy that prevents its modification, unauthorized use, or a combination thereof.” NIST Special Publication 800-21, Guideline for Implementing Cryptography In the Federal Government."

Key Resources: means publicly or privately controlled resources essential to the minimal operations of the economy and government.” The Homeland Security Act, 6 U.S.C. section 101(9)."


L

Law Enforcement Information: For the purposes of the ISE only, any information obtained by or of interest to a law enforcement agency or official that is both (A) related to terrorism or the security of our homeland and (B) relevant to a law enforcement mission, including but not limited to information pertaining to an actual or potential criminal, civil, or administrative investigation or a foreign intelligence, counterintelligence, or counterterrorism investigation; assessment of or response to criminal threats and vulnerabilities; the existence, organization, capabilities, plans, intentions, vulnerabilities, means, methods, or activities of individuals or groups involved or suspected of involvement in criminal or unlawful conduct or assisting or associated with criminal or unlawful conduct; the existence, identification, detection, prevention, interdiction, or disruption of, or response to, criminal acts and violations of the law; identification, apprehension, prosecution, release, detention, adjudication, supervision, or rehabilitation of accused persons or criminal offenders; and victim/witness assistance.” Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Information Sharing Environment Implementation Plan, Glossary (November 2006) and ISE Privacy and Civil Liberties Implementation Workbook, Appendix H, ISE Privacy Guidelines Definitions."

Law Enforcement Intelligence Unit (LEIU): The purpose of LEIU is to record and exchange confidential criminal information not previously available through regular police communication channels concerning organized crime. Membership in LEIU is open to local or state law enforcement agencies having a criminal intelligence function. The applicant must be sponsored by a current member. LEIU may be reached at the State Terrorism Threat Assessment Center, Bureau of Investigation, Intelligence Operations Program, Central Coordinating Agency, Post Office Box 163029, Sacramento, CA 95816-3029.” DOJ/DHS, Fusion Center Guidelines, at 34-35."

Least Privilege: When a user is associated with a role, the user can be given no more privilege than is necessary to perform the job; since many of the responsibilities overlap between job categories, maximum privilege for each job category could cause unauthorized access. This concept of least privilege requires identifying the user’s job functions, determining the minimum set of privileges required to perform those functions, and restricting the user to a domain with those privileges and nothing more. In less precisely controlled systems, least privilege is often difficult or costly to achieve because it is difficult to tailor access based on various attributes or constraints. Role hierarchies can be established to provide for the natural structure of an enterprise. A role hierarchy defines roles that have unique attributes and that may contain other roles; that is, one role may implicitly include the operations that are associated with another role. NIST Interagency Report 7316, Assessment of Access Control Systems. See also, Role-Based Access Control, Discretionary Access Control, and Mandatory Access Control."
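The two mechanisms the Least Privilege entry describes, a role hierarchy in which a senior role implicitly includes the operations of the roles it contains, and the step of determining the minimum set of privileges a job needs and restricting the user to those and nothing more, as an added Python example. This is not code from the glossary or from NIST Interagency Report 7316; the roles, operations and job descriptions are constructed for illustration only.

```python
"""Least privilege over a role hierarchy (added example, constructed data)."""
from __future__ import annotations

from itertools import combinations

# Operations each hypothetical role grants directly (not through inheritance).
ROLE_OPS: dict[str, frozenset[str]] = {
    "reader":   frozenset({"read_record"}),
    "analyst":  frozenset({"annotate_record", "run_query"}),
    "reviewer": frozenset({"approve_release"}),
    "admin":    frozenset({"delete_record", "manage_users"}),
}

# Role hierarchy: a role implicitly includes the operations of the roles it contains.
ROLE_CONTAINS: dict[str, frozenset[str]] = {
    "analyst":  frozenset({"reader"}),
    "reviewer": frozenset({"analyst"}),
    "admin":    frozenset({"reviewer"}),
}


def effective_ops(role: str, _seen: set[str] | None = None) -> frozenset[str]:
    """Operations a role carries: its own plus everything inherited down the hierarchy."""
    seen = set() if _seen is None else _seen
    if role in seen:            # guard against a mis-configured cyclic hierarchy
        return frozenset()
    seen.add(role)
    ops = set(ROLE_OPS.get(role, frozenset()))
    for contained in ROLE_CONTAINS.get(role, frozenset()):
        ops |= effective_ops(contained, seen)
    return frozenset(ops)


def granted_ops(roles: set[str]) -> frozenset[str]:
    """Union of the effective operations of a set of assigned roles."""
    return frozenset().union(*(effective_ops(r) for r in roles))


def least_privilege_roles(required: set[str]) -> frozenset[str]:
    """Pick the role set that covers `required` while granting the fewest surplus operations.

    Every covering combination is scored by how many operations it grants beyond
    the job's needs; ties go to the combination with fewer roles.
    """
    roles = sorted(ROLE_OPS)
    candidates = []
    for size in range(1, len(roles) + 1):
        for combo in combinations(roles, size):
            granted = granted_ops(set(combo))
            if required <= granted:
                surplus = len(granted - required)
                candidates.append((surplus, len(combo), frozenset(combo)))
    if not candidates:
        raise ValueError(f"no role combination covers {sorted(required)}")
    return min(candidates, key=lambda c: (c[0], c[1]))[2]


def excess_privilege(assigned: set[str], required: set[str]) -> frozenset[str]:
    """Audit check: operations an assignment grants that the job does not need."""
    return granted_ops(assigned) - required


def authorize(assigned: set[str], operation: str) -> bool:
    """Access decision: permit only operations inside the user's effective role domain."""
    return operation in granted_ops(assigned)


if __name__ == "__main__":
    job = {"read_record", "run_query"}          # constructed job description
    chosen = least_privilege_roles(job)
    print("least-privilege roles:", sorted(chosen))
    print("surplus from that choice:", sorted(excess_privilege(chosen, job)))
    print("surplus if 'admin' were assigned instead:",
          sorted(excess_privilege({"admin"}, job)))
    print("may the chosen roles approve_release?", authorize(chosen, "approve_release"))
```

Because `analyst` contains `reader`, a job that needs only reading and querying resolves to the single `analyst` role, and `excess_privilege` shows the one surplus operation that assignment still carries; the same check run against an over-broad `admin` assignment makes the cost of "maximum privilege per job category" visible for review.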

Level of Sensitivity: refers to how the intelligence information should be disseminated. Typically, the submitter sets a designation to classify how the information will be released. The following is an example, from the 28 CFR Part 23 Sample Operating Policies and Procedures located on IIR’s Web site, of how a project may opt to set three levels of dissemination based on the sensitivity of the intelligence:

  1. Open—disseminate the criminal intelligence file to the inquirer when there is a hit, with no further action required.
  2. Release Agency Name Only—provide only the controlling agency name and contact information.
  3. Restricted—do not disseminate the criminal intelligence file or even indicate that there has been a hit. Notify the controlling agency.
Projects will develop the levels of sensitivity and train all participating agencies as to the usage of each level.” Institute for Intergovernmental Research, Criminal Intelligence Systems Operating Policies FAQ on 28 CFR Part 23"

Line of Business: The following OMB-defined process areas common to virtually all federal agencies: Case Management, Financial Management, Grants Management, Human Resources Management, Federal Health Architecture, Information Systems Security, Budget Formulation and Execution, Geospatial, and IT Infrastructure.” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems."

Local Access: Access to an organizational information system by a user (or an information system) communicating through an internal organization-controlled network (e.g., local area network) or directly to a device without the use of a network.” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems."

Local Government: The term 'local government' means— (A) a county, municipality, city, town, township, local public authority, school district, special district, intrastate district, council of governments (regardless of whether the council of governments is incorporated as a nonprofit corporation under State law), regional or interstate government entity, or agency or instrumentality of a local government; (B) an Indian tribe or authorized tribal organization, or in Alaska a Native village or Alaska Regional Native Corporation; and (C) a rural community, unincorporated town or village, or other public entity. [Homeland Security Act of 2002, 6 U.S.C. 101]
Outcome Measures: Outcomes describe the intended result of carrying out a program or activity. They define an event or condition that is external to the program or activity and that is of direct importance to the intended beneficiaries and/or the public. For a tornado warning system, outcomes could be the number of lives saved and property damage averted. While performance measures must distinguish between outcomes and outputs, there must be a reasonable connection between them, with outputs supporting (i.e., leading to) outcomes in a logical fashion. [OMB A-11]” Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Information Sharing Environment Implementation Plan, Glossary (November 2006).
“Local Government has the same meaning as established in section 2 of the Homeland Security Act of 2002, and means: (1) A county, municipality, city, town, township, local public authority, school district, special district, intrastate district, council of governments (regardless of whether the council of governments is incorporated as a nonprofit corporation under State law), regional or interstate government entity, or agency or instrumentality of a local government; (2) An Indian tribe or authorized tribal organization, or in Alaska a Native village or Alaska Regional Native Corporation; and (3) A rural community, unincorporated town or village, or other public entity.” DHS Procedures for Handling Critical Infrastructure Information, 6 CFR Sec. 29.2 (e)."

Low Impact: The potential impact is LOW if—
— The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
AMPLIFICATION: A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.” NIST FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems."

Low-Impact System: An information system in which all three security objectives (i.e., confidentiality, integrity, and availability) are assigned a FIPS 199 potential impact value of low.” NIST FIPS Publication 200, Minimum Security for Federal Information Systems."

M

Maintain: Includes maintain, collect, use or disseminate.” Privacy Act of 1974, 5 U.S.C. § 552a"

Major Application: [A]n application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. A breach in a major application might comprise many individual application programs and hardware, software, and telecommunications components. Major applications can be either a major software application or a combination of hardware/software where the only purpose of the system is to support a specific mission-related function.” NIST Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems; “An application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Note: All federal applications require some level of protection. Certain applications, because of the information in them, however, require special management oversight and should be treated as major. Adequate security for other applications should be provided by security of the systems in which they operate.” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems."

Major Information System: embraces 'large' and 'sensitive' information systems and means, as defined in OMB Circular A-130 (Section 6.u.) and annually in OMB Circular A-11 (section 300-4 (2003)), a system or project that requires special management attention because of its: (i) importance to the agency mission, (ii) high development, operating and maintenance costs, (iii) high risk, (iv) high return, (v) significant role in the administration of an agency’s programs, finances, property or other resources.” OMB M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002. See also, Information System, Mission Critical System, Information Technology, National Security System and Information Resources."

Major Acquisition/Investment: means a system or project requiring special management attention because of its importance to the mission or function of the agency, a component of the agency or another organization; is for financial management and obligates more than $500,000 annually; has significant program or policy implications; has high executive visibility; has high development, operating, or maintenance costs; or is defined as major by the agency’s capital planning and investment control process. OMB may work with the agency to declare other investments as major investments. If you are unsure about what investments to consider as 'major,' consult your agency budget officer or OMB representative. Systems not considered 'major' are 'non-major.'” Preparation, Submission, And Execution Of The Budget, OMB Circular A-11, Part 7, Section 300."

Major System: has the meaning given such term in section 4(9) of the Federal Property and Administrative Services Act of 1949 (41 U.S.C. 403(9)).” Intelligence Reform and Terrorism Prevention Act, P.L. 108-458, Section 102A; “The term “major system” means a combination of elements that will function together to produce the capabilities required to fulfill a mission need, which elements may include hardware, equipment, software or any combination thereof, but excludes construction or other improvements to real property; and (B) a system shall be considered a major system if (i) the Department of Defense is responsible for the system and the total expenditures for research, development, test and evaluation for the system are estimated to be more than $75,000,000 (based on fiscal year 1980 constant dollars) or the eventual total expenditure for procurement of more than $300,000,000 (based on fiscal year 1980 constant dollars); (ii) a civilian agency is responsible for the system and total expenditures for the system are estimated to exceed $750,000 (based on fiscal year 1980 constant dollars) or the dollar threshold for a “major system” established by the agency pursuant to Office of Management and Budget (OMB) Circular A-109, entitled “Major Systems Acquisitions”, whichever is greater; or (iii) the system is designated a “major system” by the head of the agency responsible for the system.” The Federal Property and Administrative Services Act of 1949, 41 U.S.C. 403(9)."

Malicious Code: Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code.” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems."

Management Controls: are the organization, policies, and procedures used to reasonably ensure that (i) programs achieve their intended results; (ii) resources are used consistent with agency mission; (iii) programs and resources are protected from waste, fraud, and mismanagement; (iv) laws and regulations are followed; and (v) reliable and timely information is obtained, maintained, reported and used for decision making.” Management Accountability and Control, OMB Circular A-123; “The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security.” NIST FIPS Publication 200, Minimum Security for Federal Information Systems."

Mandatory Access Control (MAC): policy means that access control policy decisions are made by a central authority, not by the individual owner of an object, and the owner cannot change access rights. An example of MAC occurs in military security, where an individual data owner does not decide who has a Top Secret clearance, nor can the owner change the classification of an object from Top Secret to Secret [Pfl97]. MAC is the most mentioned NDAC policy.

The need for a MAC mechanism arises when the security policy of a system dictates that:

  1. Protection decisions must not be decided by the object owner.
  2. The system must enforce the protection decisions (i.e., the system enforces the security policy over the wishes or intentions of the object owner).
Usually a labeling mechanism and a set of interfaces are used to determine access based on the MAC policy; for example, a user who is running a process at the Secret classification should not be allowed to read a file with a label of Top Secret. This is known as the “simple security rule,” or “no read up.” Conversely, a user who is running a process with a label of Secret should not be allowed to write to a file with a label of Confidential. This rule is called the “*-property” (pronounced “star property”) or “no write down.” The *-property is required to maintain system security in an automated environment. A variation on this rule called the “strict *-property” requires that information can be written at, but not above, the subject’s clearance level. Multilevel security models such as the Bell-La Padula Confidentiality and Biba Integrity models are used to formally specify this kind of MAC policy. However, information can pass through a covert channel in MAC, where information of a higher security class is deduced by inference such as assembling and intelligently combining information of a lower security class. Popular mechanisms used in implementing MAC policies are demonstrated in Section.” NIST Interagency Report 7316, Assessment of Access Control Systems. See also, Role-Based Access Control, Discretionary Access Control, and Least Privilege."
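The read and write rules quoted above (simple security rule, *-property, strict *-property, and the Biba dual) can be worked as a small reference monitor. The following Python is an added illustration for this glossary entry; it is not text or code from NISTIR 7316 or from NIST. The level names, the compartment sets, and the sample labels are constructed for the example, and a label here is a (level, compartments) pair ordered by dominance, which is the lattice both models decide against. As the definition notes, a monitor like this enforces the labeling policy but does nothing about covert channels or inference from lower-classified data.

```python
"""Reference-monitor sketch for the multilevel MAC rules in the definition above.

A Label is (level, compartments). Label A dominates Label B when A's level is
at least B's level and A's compartments are a superset of B's. Bell-LaPadula
(confidentiality) and Biba (integrity) are both stated in terms of dominance.
All names and sample labels below are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    level: Level
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: level at least as high AND superset of compartments."""
        return self.level >= other.level and other.compartments <= self.compartments


# --- Bell-LaPadula (confidentiality) ---------------------------------------
def blp_read_allowed(subject: Label, obj: Label) -> bool:
    """Simple security rule, 'no read up': the subject's label must dominate the object's."""
    return subject.dominates(obj)


def blp_write_allowed(subject: Label, obj: Label, strict: bool = False) -> bool:
    """*-property, 'no write down': the object's label must dominate the subject's.
    strict=True applies the strict *-property: write only at exactly the subject's label."""
    if strict:
        return subject == obj
    return obj.dominates(subject)


# --- Biba (integrity): the dual of Bell-LaPadula ---------------------------
# Here Label is read as an *integrity* label; the ordering is the same lattice.
def biba_read_allowed(subject: Label, obj: Label) -> bool:
    """'No read down': a subject may not read data of lower integrity than itself."""
    return obj.dominates(subject)


def biba_write_allowed(subject: Label, obj: Label) -> bool:
    """'No write up': a subject may not write to an object of higher integrity than itself."""
    return subject.dominates(obj)


def mac_decide(subject: Label, op: str, obj: Label, strict: bool = False) -> bool:
    """Central confidentiality decision. The object's owner has no input: only labels matter."""
    if op == "read":
        return blp_read_allowed(subject, obj)
    if op == "write":
        return blp_write_allowed(subject, obj, strict)
    raise ValueError(f"unknown operation {op!r}")


if __name__ == "__main__":
    # Constructed sample labels reproducing the cases named in the definition.
    secret = Label(Level.SECRET)
    top_secret = Label(Level.TOP_SECRET)
    confidential = Label(Level.CONFIDENTIAL)
    secret_nato = Label(Level.SECRET, frozenset({"NATO"}))  # same level, extra compartment

    cases = [
        ("SECRET process reads TOP SECRET file (no read up)", mac_decide(secret, "read", top_secret)),
        ("SECRET process writes CONFIDENTIAL file (no write down)", mac_decide(secret, "write", confidential)),
        ("SECRET process writes TOP SECRET file (*-property)", mac_decide(secret, "write", top_secret)),
        ("SECRET process writes TOP SECRET file (strict *-property)", mac_decide(secret, "write", top_secret, strict=True)),
        ("SECRET process reads SECRET//NATO file (missing compartment)", mac_decide(secret, "read", secret_nato)),
        ("Biba: TOP SECRET-integrity subject reads SECRET-integrity data", biba_read_allowed(top_secret, secret)),
    ]
    for description, allowed in cases:
        print(f"{'ALLOW' if allowed else 'DENY ':5}  {description}")
```

The compartment check is what makes dominance a lattice rather than a plain ordering: a SECRET subject with no compartments is denied a SECRET//NATO object even though the levels are equal, because neither label dominates the other. Note also that the non-strict *-property lets a SECRET process write into a TOP SECRET object, which is a known usability and integrity cost of Bell-LaPadula and one reason the strict variant and the Biba dual exist.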

Mandatory Declassification Review: means the review for declassification of classified information in response to a request for declassification that meets the requirements under section 3.5 of this order.” Executive Order 13292, Classified National Security Information, Section 6.1(w)."

Matching Agency: Generally, the Recipient Federal agency (or the Federal source agency in a match conducted by a nonfederal agency) is the matching agency and is responsible for meeting the reporting and publication requirements associated with the matching program. However, in large, multi-agency matching programs, where the recipient agency is merely performing the matches and the benefit accrues to the source agencies, the partners should assign responsibility for compliance with the administrative requirements in a fair and reasonable way. This may mean having the matching agency carry out these requirements for all parties, having one participant designated to do so, or having each source agency do so for its own matching program(s).” OMB Circular A-130, Appendix I, Management of Federal Information Resources."

Matching Program: Any computerized comparison of two or more automated systems of records or a system of records with non-Federal records for the purpose of establishing or verifying the eligibility of, or continuing compliance with statutory and regulatory requirements by, applicants for, recipients or beneficiaries of, participants in, or providers of services with respect to, cash or in-kind assistance or payments under Federal benefit programs, or recouping payments or delinquent debts under such Federal benefit programs, or two or more automated Federal personnel or payroll systems of records or a system of Federal personnel or payroll records with non-Federal records. The term does not include: (1) matches performed to produce aggregate statistical data without any personal identifiers; (2) matches performed to support any research or statistical project, the specific data of which may not be used to make decisions concerning the rights, benefits, or privileges of specific individuals; (3) matches performed, by an agency (or component thereof) which performs as its principal function any activity pertaining to the enforcement of criminal laws, subsequent to the initiation of a specific criminal or civil law enforcement investigation of a named person or persons for the purpose of gathering evidence against such person or persons; (4) matches of tax information (I) pursuant to section 6103(d) of the Internal Revenue Code of 1986, (II) for purposes of tax administration as defined in section 6103(b)(4) of such Code, (III) for the purpose of intercepting a tax refund due an individual under authority granted by section 404(e), 464, or 1137 of the Social Security Act; or (IV) for the purpose of intercepting a tax refund due an individual under any other tax refund intercept program authorized by statute which has been determined by the Director of the Office of Management and Budget to contain verification, notice, and hearing requirements that are substantially similar to the procedures in section 1137 of the Social Security Act; (5) matches using records predominantly relating to Federal personnel, that are performed for routine administrative purposes (subject to guidance provided by the Director of the Office of Management and Budget pursuant to subsection (v)); or conducted by an agency using only records from systems of records maintained by that agency if the purpose of the match is not to take any adverse financial, personnel, disciplinary, or other adverse action against Federal personnel; (6) matches performed for foreign counterintelligence purposes or to produce background checks for security clearances of Federal personnel or Federal contractor personnel; (7) matches performed incident to a levy described in section 6103(k)(8) of the Internal Revenue Code of 1986; or (8) matches performed pursuant to section 202(x)(3) or 1611(e)(1) of the Social Security Act (42 U.S.C. § 402(x)(3), § 1382(e)(1)).” Privacy Act of 1974, 5 U.S.C. § 552a."

Material Weakness or Significant Weakness: A term “used to identify control weaknesses that pose a significant risk or a threat to the operations and/or assets of an audited entity. 'Material weakness' is a very specific term that is defined one way for financial audits and another way for weaknesses reported under the Federal Managers Financial Integrity Act of 1982. Such weaknesses may be identified by auditors or by management.” NIST Special Publication 800-26; Integrating IT Security into the Capital Planning and Investment Control Process."

Measurement and Signature Intelligence (MASINT): Measurement and Signature Intelligence is technically derived intelligence data other than imagery and SIGINT. The data results in intelligence that locates, identifies, or describes distinctive characteristics of targets. It employs a broad group of disciplines including nuclear, optical, radio frequency, acoustics, seismic, and materials sciences. Examples of this might be the distinctive radar signatures of specific aircraft systems or the chemical composition of air and water samples. The Central MASINT Organization, a component of DIA, is the focus for all national and DoD MASINT matters."

Media: Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, and printouts (but not including display media) onto which information is recorded, stored, or printed within an information system.” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems."

Media Access Control Address: A hardware address that uniquely identifies each component of an IEEE 802-based network. On networks that do not conform to the IEEE 802 standards but do conform to the OSI Reference Model, the node address is called the Data Link Control (DLC) address.” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems."

Medical Information: [I]nformation or records obtained, with the consent of the individual to whom it relates, from licensed physicians or medical practitioners, hospitals, clinics, or other medical or medically related facilities.” Fair Credit Reporting Act, Public Law 91-508, Section 603."

Media Sanitization: A general term referring to the actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems."

Memorandum of Understanding/Agreement (MOU/A): A document established between two or more parties to define their respective responsibilities in accomplishing a particular goal or mission. In this guide [NIST SP 800-47], an MOU/A defines the responsibilities of two or more organizations in establishing, operating, and securing a system interconnection.” NIST Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems."

Metadata Standards: Metadata is structured, encoded data that provide nomenclature and characteristics of information-bearing elements aiding in the identification, discovery, sorting, understanding, and management of described information— essentially data about data. Search engines use metadata to find and describe matching information sources.” Common Terrorism Information Sharing Standards (CTISS) Program, at 2 (Oct. 2007)."

Microform Records: Microform records must meet the filming, storage and use standards in 36 C.F.R. part 1230.” DHS Records Management Handbook."

Mission Creep (aka “Function Creep” “Task Accretion” and “Mission Leap”): Generally involves the collection of personal information for a particular purpose and subsequently discovering additional, secondary uses to which the information can be put."

Mission Critical System: [A]ny telecommunications or information system used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency, that: (A) is defined as a national security system under section 5142 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1452); (B) is protected at all times by procedures established for information which has been specifically authorized under criteria established by an Executive order or an Act of Congress to be classified in the interest of national defense or foreign policy; or (C) processes any information, the loss, misuse, disclosure, or unauthorized access to or modification of, would have a debilitating impact on the mission of an agency.” Paperwork Reduction Act, Public Law 104-13, 44 U.S.C. § 3501 et seq. See also, Information System, Major Information System, National Security System, Information Technology and Information Resources."

Minimization Procedures: with respect to electronic surveillance, means— (1) specific procedures, which shall be adopted by the Attorney General, that are reasonably designed in light of the purpose and technique of the particular surveillance, to minimize the acquisition and retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information; (2) procedures that require that nonpublicly available information, which is not foreign intelligence information, as defined in subsection (e)(1) of this section, shall not be disseminated in a manner that identifies any United States person, without such person’s consent, unless such person’s identity is necessary to understand foreign intelligence information or assess its importance; (3) notwithstanding paragraphs (1) and (2), procedures that allow for the retention and dissemination of information that is evidence of a crime which has been, is being, or is about to be committed and that is to be retained or disseminated for law enforcement purposes; and (4) notwithstanding paragraphs (1), (2), and (3), with respect to any electronic surveillance approved pursuant to section 1802 (a) of this title, procedures that require that no contents of any communication to which a United States person is a party shall be disclosed, disseminated, or used for any purpose or retained for longer than 72 hours unless a court order under section 1805 of this title is obtained or unless the Attorney General determines that the information indicates a threat of death or serious bodily harm to any person.” Foreign Intelligence Surveillance Act, 50 U.S.C. Section 1801."

Mobile Code: Software programs or parts of programs obtained from remote information systems, transmitted across a network, and executed on a local information system without explicit installation or execution by the recipient.” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems."

Mobile Code Technologies: Software technologies that provide the mechanisms for the production and use of mobile code (e.g., Java, JavaScript, ActiveX, VBScript).” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems."

Moderate Impact: The potential impact is MODERATE if—

—The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

AMPLIFICATION: A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries.” NIST FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems."

Moderate-Impact System: An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of moderate, and no security objective is assigned a FIPS 199 potential impact value of high.” NIST FIPS Publication 200, Minimum Security for Federal Information Systems."

Motor Vehicle Record: [A]ny record that pertains to a motor vehicle operator’s permit, motor vehicle title, motor vehicle registration, or identification card issued by a department of motor vehicles.” Driver's Privacy Protection Act, 18 U.S.C. Section 2725."

Multijurisdictional Intelligence System: also referred to as Interjurisdictional Intelligence System, means an intelligence system that involves two or more agencies representing different governmental units or jurisdictions. A multijurisdictional intelligence system is operated for the purpose of sharing criminal intelligence information across jurisdictional lines, not for the purpose of responding to a particular multijurisdictional issue, such as gangs, in a coordinated manner (considered a multijurisdictional task force for the purposes of 28 CFR Part 23).” Institute for Intergovernmental Research, Criminal Intelligence Systems Operating Policies FAQ on 28 CFR Part 23."

Multiple Sources: means two or more source documents, classification guides, or a combination of both.” Executive Order 13292, Classified National Security Information."

N

National Automated Immigration Lookout System (NAILS): was a database created by the former Immigration and Naturalization Service (INS). It contained biographical and case data for aliens who may be inadmissible to the United States or were being sought by officials for other reasons related to immigration and law enforcement. Included in this information were lookouts for individuals associated with terrorism, representing a watch list of individuals that posed a threat to national security. Like IBIS [Interagency Border Inspection System], the NAILS database was housed with the TECS [Treasury Enforcement Communications System] system, and the records of each of these systems interfaced with each other. The NAILS database was absorbed into other DHS systems in January 2005.” U.S. Department of Justice Office of the Inspector General Audit Division, Review of the Terrorist Screening Center, Audit Report 05-27, at 7 (June, 2005)."

National Crime Information Center (“NCIC”): NCIC is a nationwide information system maintained by the FBI that provides the criminal justice community with immediate access to information on various law enforcement data, such as criminal history records and missing persons. The FBI’s Criminal Justice Information Services Division (CJIS), is responsible for managing the NCIC database.” U.S. Department of Justice Office of the Inspector General Audit Division, Review of the Terrorist Screening Center, Audit Report 05-27, at 24 (June, 2005); “NCIC is a nationwide information system that links local, state, tribal, and federal criminal justice agencies together. NCIC’s capabilities include an enhanced name search, fingerprint searches, information on persons on probation or parole, a convicted sex offender registry, and a registry of individuals incarcerated in the federal prison system.” DOJ/DHS, Fusion Center Guidelines."

National Data Exchange Project (N-DEx): Federal Bureau of Investigation’s “National Data Exchange project; it is a developing system that is expected to provide a nationwide capability to exchange data derived from police incident and event reports. Data from incident and arrest reports — name, address, and non-specific crime characteristics — will be entered into a central repository to be queried against by future data submissions. The national scale of N-DEx will enable rapid coordination among all strata of law enforcement. It is an effort to electronically share police incident report information across the nation.” See example: http://www.icjia.state.il.us/iijis/public/pdf/PRV/PRV_issuesDoc_Oct2005.pdf."

National Directory of New Hires (NDNH): The National Directory of New Hires (NDNH) is a national repository of employment, unemployment insurance, and quarterly wage information. The data residing in the NDNH includes: records from the State Directory of New Hires (SDNH); quarterly wage and unemployment insurance data from the State Employment Security Agencies (SESAs), new hire and quarterly wage data from federal agencies. The system is maintained by the Department of Health and Human Services (HHS). The Personal Responsibility and Work Opportunity Reconciliation Act (PRWORA) of 1996 (also known as Welfare Reform) was signed into law on August 22, 1996. One key provision of PRWORA is that all states must have a program to collect information about newly hired employees. Under new hire reporting, employers must report information about newly hired employees to a State Directory of New Hires (SDNH). States match new hire reports against their child support records to locate parents, establish orders, or modify or enforce existing orders. To address the large number of cases where the parent who owes child support is employed in another state, PRWORA called for the establishment of the National Directory of New Hires (NDNH). The NDNH is a major component of the Federal Parent Locator Service (FPLS). Federal law strictly limits authorized disclosures of data entered into the National Directory of New Hires (NDNH) to the following:

  • State agencies administering the Child Support Enforcement Program and the Temporary Assistance for Needy Families (TANF) Program.
  • The Secretary of the Treasury for purposes of administering the Earned Income Tax Credit Program.
  • The Commissioner of Social Security for purposes of administering Social Security programs.
  • Duly authorized persons for the purposes of establishing parentage and setting the amount of, modifying, or enforcing child support orders.
  • The Secretary of the Department of Education for purposes of administering the student loan program.
Federal law requires the Secretary of the Department of Health and Human Services to establish and implement safeguards to protect the integrity and security of information in the NDNH and to restrict access to and use of the information to authorized persons and for authorized purposes."

National Drug Intelligence Center (NDIC): The NDIC supports national policy and law enforcement decisions with timely strategic domestic drug intelligence assessments, focusing on the production, trafficking, and consumption trends and patterns of all illicit drugs inside United States national borders and territories.” DOJ/DHS, Fusion Center Guidelines, at 35."

National Fingerprint File: The term “National Fingerprint File” means a database of fingerprints, or other uniquely personal identifying information, relating to an arrested or charged individual maintained by the FBI to provide positive identification of record subjects indexed in the III System.” National Criminal History Access and Child Protection Act, Public Law 105-251, Section 217."

National Foreign Intelligence Program: refers to all programs, projects, and activities of the intelligence community, as well as any other programs of the intelligence community designated jointly by the Director of Central Intelligence and the head of a United States department or agency or by the President. Such term does not include programs, projects, or activities of the military departments to acquire intelligence solely for the planning and conduct of tactical military operations by United States Armed Forces.” Intelligence Reform and Terrorism Prevention Act, P.L. 108-458."

National Identification Index: The term “National Identification Index” means an index maintained by the FBI consisting of names, identifying numbers, and other descriptive information relating to record subjects about whom there are criminal history records in the III System.” National Criminal History Access and Child Protection Act, Public Law 105-251, Section 217."

National Indices: The term “National indices” means the National Identification Index and the National Fingerprint File.” National Criminal History Access and Child Protection Act, Public Law 105-251, Section 217."

National Intelligence: The terms 'national intelligence' and 'intelligence related to national security' refer to all intelligence, regardless of the source from which derived and including information gathered within or outside the United States, that— (A) pertains, as determined consistent with any guidance issued by the President, to more than one United States Government agency; and (B) that involves— (i) threats to the United States, its people, property, or interests; (ii) the development, proliferation, or use of weapons of mass destruction; or (iii) any other matter bearing on United States national or homeland security.” Intelligence Reform and Terrorism Prevention Act, P.L. 108-458, Section 1012."

National Intelligence and Intelligence-Related to the National Security: (A) each refer to intelligence which pertains to the interests of more than one department or agency of the Government; and (B) do not refer to counterintelligence or law enforcement activities conducted by the Federal Bureau of Investigation except to the extent provided for in procedures agreed to by the Director of Central Intelligence and the Attorney General, or otherwise as expressly provided for in this title.” National Security Act, Public Law 235, Section 606."

National Law Enforcement Telecommunication System (NLETS): provides direct access to information from state motor vehicle departments.” U.S. Department of Justice Office of the Inspector General Audit Division, Review of the Terrorist Screening Center, Audit Report 05-27, at 7 n26 (June, 2005)."

National Security: means the national defense or foreign relations of the United States.” Executive Order 13292, Classified National Security Information, Section 6.1(y)."

National Security Emergency Preparedness Telecommunications Services: Telecommunications services that are used to maintain a state of readiness or to respond to and manage any event or crisis (local, national, or international) that causes or could cause injury or harm to the population, damage to or loss of property, or degrade or threaten the national security or emergency preparedness posture of the United States.” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems."

National Security Information: Information that has been determined pursuant to Executive Order 12958 as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status.” NIST FIPS Publication 200, Minimum Security for Federal Information Systems."

National Security Systems: [A]s defined in the Clinger-Cohen Act, an information system operated by the federal government, the function, operation or use of which involves: (a) intelligence activities, (b) cryptologic activities related to national security, (c) command and control of military forces, (d) equipment that is an integral part of a weapon or weapons systems, or (e) systems critical to the direct fulfillment of military or intelligence missions, but does not include systems used for routine administrative and business applications, such as payroll, finance, logistics and personnel management.” OMB M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 and Clinger-Cohen Act of 1996, Public Law 104-106, Section 5142; “[A]ny telecommunications or information system operated by the United States Government, the function, operation, or use of which (1) involves intelligence activities; (2) involves cryptologic activities related to national security; (3) involves command and control of military forces; (4) involves equipment that is an integral part of a weapon or weapons system; or (5) is critical to the direct fulfillment of military or intelligence missions, but excluding any system that is to be administrative and business applications (including payroll, finance, logistics, and personnel management applications). The policies and procedures established in this Circular will apply to national security systems in a manner consistent with the applicability and related limitations regarding such systems set out in Section 5141 of the Clinger-Cohen Act (Pub. L. 104-106, 40 U.S.C. 1451).
Applicability of Clinger-Cohen Act to national security systems shall include budget with respect to records creation, records maintenance and use, and records disposition in order to achieve adequate and proper documentation of the policies and transactions of the Federal Government and effective and economical management of agency operations. (44 U.S.C. 2901(2)).” OMB Circular A-130, Management of Federal Information Resources. “Any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency— (i) the function, operation, or use of which involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions (excluding a system that is to be used for routine administrative and business applications, for example, payroll, finance, logistics, and personnel management applications); or (ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.” NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems."

National Special Security Event: means a designated event that, by virtue of its political, economic, social, or religious significance, may be the target of terrorism or other criminal activity.” Implementing the 9/11 Commission Recommendations Act of 2007, Public Law 110-53, Section 2001."

National Strategy for Information Sharing (NSIS): Successes and Challenges in Improving Terrorism-Related Information Sharing (October 2007): Recently released from the White House, the NSIS focuses the plan to build upon progress and establish a more integrated information sharing capability to ensure that those who need information to protect our Nation from terrorism will receive it and those who have that information will share it. The NSIS will improve interagency information sharing at the Federal level, while building information sharing bridges between the Federal Government and our non-Federal partners. Though NSIS is focused on improving the sharing of homeland security, terrorism, and law enforcement information related to terrorism within and among all levels of governments and the private sector, the foundational principles presented in this strategy are in alignment with the NSIS.” U.S. Intelligence Community, Information Sharing Strategy, at 17 (February, 2008)."

National Targeting Center (NTC): CT Watch is the FBI’s 24-hour global command center for terrorism prevention operations, while the DHS’s NTC provides around-the-clock tactical targeting and analytical research in support of the anti-terrorism efforts of the Customs and Border Protection agency.” U.S. Department of Justice Office of the Inspector General Audit Division, Review of the Terrorist Screening Center, Audit Report 05-27, at 14 (June, 2005)."

National Technical Means: In modern usage, the term “National Technical Means” covers a variety of monitoring technologies, including others used at the time of [the] SALT I [treaty]. It continues to appear in subsequent arms control negotiations, which have a general theme called “trust but verify”. Verification, in addition to information explicitly supplied from one side to the other, involves numerous technical intelligence disciplines. Measurement and Signature Intelligence (MASINT) techniques, many being especially obscure technical methods, are extremely important parts of verification.” An arms control verification technique that involves using satellites, seismic measuring devices, and other equipment to identify, locate, and monitor the manufacturing, testing, or deployment of weapons or delivery vehicles, or other aspects of treaty compliance."

National White Collar Crime Center (NW3C): NW3C provides a national support network for local and state law enforcement agencies involved in the prevention, investigation, and prosecution of economic and high-tech crime. NW3C is a member-affiliated organization comprised of law enforcement agencies, state regulatory bodies, and local and state prosecution offices. Support services are offered in five main categories: economic and computer crime training, intelligence and analytical services, case funding for designated cases, research, and fraud-complaint referral and analysis through its National Fraud Complaint Management Center/Internet Fraud Complaint Center.” DOJ/DHS, Fusion Center Guidelines."

Need-to-Know: There are various definitions of this term. This is a partial list.

Executive Order 13292, Classified National Security Information, Section 6.1(z) “means a determination made by an authorized holder of classified information that a prospective recipient requires access to specific classified information in order to perform or assist in a lawful and authorized governmental function.”

Sensitive Security Information, 49 CFR Part 1520.5
(a) In general. A person has a need to know SSI in each of the following circumstances:

  1. When the person requires access to specific SSI to carry out transportation security activities approved, accepted, funded, recommended, or directed by DHS or DOT.
  2. When the person is in training to carry out transportation security activities approved, accepted, funded, recommended, or directed by DHS or DOT.
  3. When the information is necessary for the person to supervise or otherwise manage individuals carrying out transportation security activities approved, accepted, funded, recommended, or directed by the DHS or DOT.
  4. When the person needs the information to provide technical or legal advice to a covered person regarding transportation security requirements of Federal law.
  5. When the person needs the information to represent a covered person in connection with any judicial or administrative proceeding regarding those requirements.

(b) Federal employees, contractors, and grantees.

  1. A Federal employee has a need to know SSI if access to the information is necessary for performance of the employee’s official duties.
  2. A person acting in the performance of a contract with or grant from DHS or DOT has a need to know SSI if access to the information is necessary to performance of the contract or grant.

(c) Background check. TSA or Coast Guard may make an individual’s access to the SSI contingent upon satisfactory completion of a security background check or other procedures and requirements for safeguarding SSI that are satisfactory to TSA or the Coast Guard.

(d) Need to know further limited by the DHS or DOT. For some specific SSI, DHS or DOT may make a finding that only specific persons or classes of persons have a need to know.

IACP Criminal Intelligence, Concepts and Issues, at 3 (July 2003).

“A recipient agency or individual has a ‘need to know’ when the requested information is pertinent to and necessary for the initiation or furtherance of a criminal investigation or apprehension. Both [need to know and right to know] may need to be satisfied based on the nature and sensitivity of the information requested and the law surrounding the release of particular types of information or intelligence."


Network: means a system of two or more computers that can exchange data or information.” Executive Order 13292, Classified National Security Information, Section 6.1(aa)."

Networks: Include communication capability that allows one user or system to connect to another user or system and can be part of a system or a separate system. Examples of networks include local area network or wide area networks, including public networks such as the Internet.” NIST Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems."

National Information Exchange Model (NIEM): A joint technical and functional standards program initiated by the Department of Homeland Security (DHS) and the Department of Justice (DOJ) that supports national-level interoperable information sharing.” Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Information Sharing Environment (ISE) Functional Standard (FS) Suspicious Activity Reporting (SAR), at 2 (January 2008)."

Nlets - The International Justice and Public Safety Information Sharing Network: (www.nlets.org). “Nlets is an interstate law enforcement network for the exchange of law enforcement and related justice information.” DOJ/DHS, Fusion Center Guidelines."

No-Fly and Selectee Lists: The Transportation Security Administration’s (TSA) No-Fly list includes names of individuals that are to be denied transport on commercial flights because they are deemed a threat to civil aviation. The TSA Selectee list includes names of individuals whom air carriers are required to “select” for additional screening prior to permitting them to board an aircraft. Known or suspected terrorists can be submitted for inclusion to either list by an FBI case agent or an NCTC [National Counterterrorism Center] analyst. The lists are disseminated to airlines on a daily basis to be used as a watch list for comparison against passenger manifests for all flights that enter or depart U.S. airspace.” U.S. Department of Justice Office of the Inspector General Audit Division, Review of the Terrorist Screening Center, Audit Report 05-27, at 8 (June, 2005)."

Nonpublic Information: is derived from proprietary or nonpublic sources, such as credit header data, product warranty registrations, lists of magazine or catalog subscribers, and other application information provided to private businesses directly by consumers.” Government Accountability Office, Personal Information: Key Federal Privacy Laws Do Not Require Information Resellers to Safeguard All Sensitive Data, at 6. “Nonpublic information is information that the employee gains by reason of Federal employment and that he knows or reasonably should know has not been made available to the general public. It includes information that he knows or reasonably should know: (1) Is routinely exempt from disclosure under 5 U.S.C. 552 or otherwise protected from disclosure by statute, Executive order or regulation; (2) Is designated as confidential by an agency; or (3) Has not actually been disseminated to the general public and is not authorized to be made available to the public on request.” 5 CFR Part 2635, Standards of Ethical Conduct for Employees of the Executive Branch, Sec. 2635.703."

Nonpublic Personal Information: Personally identifiable financial information - (i) provided by a consumer to a financial institution; (ii) resulting from any transaction with the consumer or any service performed for the consumer; or (iii) otherwise obtained by the financial institution. The term personally identifiable financial information does not include publicly available information, as such term is defined by the regulations prescribed under section 6804 of the Gramm-Leach-Bliley Act. The term also shall not include any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any nonpublic personal information. The term shall include, however, any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any nonpublic personal information other than publicly available information.” Gramm-Leach-Bliley Act, Public Law 106-102, Section 509."

Non-Repudiation: This service provides proof of the integrity and origin of data that can be verified by a third party. [. . .] Non-repudiation of origin is protection against a sender of a message later denying transmission.” NIST Special Publication 800-21, Guideline for Implementing Cryptography In the Federal Government."

Nonstatistical Purpose: The term “nonstatistical purpose”— (A) means the use of data in identifiable form for any purpose that is not a statistical purpose, including any administrative, regulatory, law enforcement, adjudicatory, or other purpose that affects the rights, privileges, or benefits of a particular identifiable respondent; and (B) includes the disclosure under section 552 of title 5, United States Code (popularly known as the Freedom of Information Act) of data that are acquired for exclusively statistical purposes under a pledge of confidentiality.” Confidential Information Protection and Statistical Efficiency Act of 2002, 44 USC Section 3501."




O

Office of Information and Regulatory Affairs (OIRA): Is a Federal office that Congress established in the 1980 Paperwork Reduction Act. OIRA is an office within the Office of Management and Budget, which is an agency within the Executive Office of the President. [. . .] In addition to reviewing draft regulations under Executive Order 12866, OIRA reviews collections of information under the Paperwork Reduction Act, and also develops and oversees the implementation of government-wide policies in the areas of information technology, information policy, privacy, and statistical policy."

Open Source Information: means “all information that can be derived from overt collection: all types of media, government reports and other documents, scientific research and reports, commercial vendors of information, the Internet, etc. The main qualifiers to open source information are that it does not require any type of clandestine collection techniques to obtain it and that it must be obtained through means that entirely meet the copyright and commercial requirements of vendors where applicable.” Lowenthal, M., Open Source Intelligence: New Myths, New Realities."

Open Source Intelligence (OSINT): applies the proven methods of the Intelligence Community to open source information, and transforms volumes of information into an unclassified intelligence product that represents judicious source discovery and validation, multi-source integration and subject-matter expertise. The internet is only a tiny slice of OSINT. It includes internet searches and searches of commercially available databases.” Lowenthal, M., Open Source Intelligence: New Myths, New Realities."

Operational Controls: Security methods that focus on mechanisms that primarily are implemented and executed by people (as opposed to systems).” NIST Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems; “The security controls (i.e., safeguards or countermeasures) for an information system that primarily are implemented and executed by people (as opposed to systems).” NIST FIPS Publication 200, Minimum Security for Federal Information Systems."

Opt-In/Opt-Out: An important distinction in the privacy debate concerns the terms under which e-mail marketers (legitimate ones, not spammers that ignore ethical and legal concerns) can contact users. Opt-in is the consumer-friendly position, where companies can send e-mail only to people who have directly given their consent for such communications, typically by signing up at a Web site. Opt-out is the marketer-preferred alternative under which marketers can e-mail to anyone who hasn’t specifically told them not to. Unfortunately, spammers have used opt-out replies as a way of verifying valid e-mail addresses.

The Internet Direct Marketing Bureau has endorsed opt-in e-mail as the best practice for its marketer members.” Computer World."

Oral Communication: Any oral communication uttered by a person exhibiting an expectation that such communication is not subject to interception under circumstances justifying such expectation, but such term does not include any electronic communication.” Electronic Communications Privacy Act, 18 U.S.C. Section 2510."

Organization: A federal agency or, as appropriate, any of its operational elements.” NIST FIPS Publication 200, Minimum Security for Federal Information Systems."

Original Classification: means an initial determination that information requires, in the interest of the national security, protection against unauthorized disclosure.” Executive Order 13292, Classified National Security Information, Section 6.1(bb)."




P

Participating Agency: means an agency or local, county, state, federal, or other governmental unit that exercises law enforcement or criminal investigation authority and that is authorized to submit and receive criminal intelligence information through an interjurisdictional intelligence system. A participating agency may be a member or nonmember of an interjurisdictional intelligence system.” Criminal Intelligence Systems Operating Policies, 28 CFR Part 23, §23.3(b)(4)."

P3P: Short for “Platform for Privacy Preferences Project,” this is a standard XML format adopted by the World Wide Web Consortium for Web sites to use to encode their privacy policies [see Computer World]. P3P recommends practices that will let users define and share personal information with Web sites that they agree to share it with. Using software that adheres to the P3P recommendations, users can create a personal profile and make it (or parts of it) accessible to a Web site as the user directs.”"

Passenger Transportation System: means an entity or entities organized to provide passenger transportation using vehicles, including the infrastructure used to provide such transportation.” Implementing the 9/11 Commission Recommendations Act of 2007, Public Law 110-53, Section 1206."

Password: A string of characters used to authenticate an identity or to verify access authorization.” NIST Special Publication 800-21, Guideline for Implementing Cryptography In the Federal Government; “[C]onfidential authentication information composed of a string of characters.” Standards for Privacy of Individually Identifiable Health Information (“HIPAA Privacy Rule”), 45 CFR Parts 160 and 164."

Pattern of Activities: requires a series of acts with a common purpose or objective.” National Security Act, Public Law 235, Section 606."

Pen Register: means a device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, provided, however, that such information shall not include the contents of any communication, but such term does not include any device or process used by a provider or customer of a wire or electronic communication service for billing, or recording as an incident to billing, for communications services provided by such provider or any device or process used by a provider or customer of a wire communication service for cost accounting or other like purposes in the ordinary course of its business.” Electronic Communications Privacy Act, 18 U.S.C. Section 2510 (as amended by the USA PATRIOT Act). See also, Trap and Trace Device."

Permanent Records: DHS records determined by DHS and approved by NARA to be permanent must be available in a medium and format that conforms with the standards for permanent records. DHS permanent records will be transferred to the National Archives of the United States at the time designated on a NARA-approved Request for Records Disposition (SF115). When permanent records are transferred to National Archives, legal custody of the records is transferred to NARA at this time. NARA takes measures needed to preserve the records and also provides reference service, including service to the creating agency.” DHS Records Management Handbook; “A record that has sufficient historical or other value to warrant its continued preservation by the Federal Government beyond the time it is needed for administrative, legal, or fiscal purposes.” National Archives and Records Administration, Electronic Records Glossary."

Permissioning Systems: Building HIPAA Privacy Rules into databases and search engines through digital rights management and using browsers to enforce privacy principles. These systems show the privacy status of information, highlight compliance requirements for accessing particular data, and support audit functions built into the system.” The Heritage Foundation."

Person: means any individual, including any officer or employee of the Federal Government, or any group, entity, association, corporation, or foreign power.” Foreign Intelligence Surveillance Act, 50 U.S.C. Section 1801; “[A]ny employee, or agent of the United States or any State or political subdivision thereof, and any individual, partnership, association, joint stock company, trust, or corporation.” Electronic Communications Privacy Act, 18 U.S.C. Section 2510; “[A]n individual, partnership, association, corporation, business trust, or legal representative, an organized group of individuals, a State, territorial, tribal, or local government or branch thereof, or a political subdivision of a State, territory, tribal, or local government or a branch of a political subdivision.” Paperwork Reduction Act, Public Law 104-13, 44 U.S.C. § 3501 et seq.; “[A]ny individual, partnership, corporation, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity.” Fair Credit Reporting Act, Public Law 91-508, Section 603."

Personal Identification Number: A 4 to 12 character alphanumeric code or password used to authenticate an identity, commonly used in banking applications.” NIST Special Publication 800-21, Guideline for Implementing Cryptography In the Federal Government."

Personally Identifiable Information (PII): This term refers to both:

  • information that directly identifies an individual, or
  • information that is linked to or linkable to an individual.

Types of PII include: (1) descriptions of personal characteristics, (2) unique sets of numbers or characters assigned to a specific individual, such as Social Security numbers, bank account numbers, or driver license numbers, (3) descriptions of an event or point in time, or (4) descriptions of locations or places from which an individual can be identified (e.g. “that guy who hit the home run”).

Information that does not directly identify an individual may still be PII if it is presented

  • with other pieces of information, or
  • in a particular context that could be indicative of the individual’s identity.


OMB Definitions –

  • “Personally Identifiable Information means any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual.”
    Source: OMB Memorandum M-06-19,
    Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments
  • PII “refers to information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”
    Source: OMB Memorandum M-07-16,
    Safeguarding Against and Responding to the Breach of Personally Identifiable Information

DHS Definition – “Any information that permits the identity of an individual to be directly or indirectly inferred, including any other information which is linked or linkable to that individual regardless of whether the individual is a United States citizen, legal permanent resident, or a visitor to the U.S. Examples of PII include: name, date of birth, mailing address, telephone number, Social Security Number (SSN), email address, zip code, account numbers, certificate/license numbers, vehicle identifiers including license plates, uniform resource locators (URLs), Internet protocol addresses, biometric identifiers (e.g., fingerprints), photographic facial images, or any other unique identifying number or characteristic, and any information where it is reasonably foreseeable that the information will be linked with other information to identify the individual.” Source: DHS Privacy Incident Handling Guidance

Real ID Definition – For purposes of implementing the Real ID Act, DHS defines PII as “any information which can be used to distinguish or trace an individual’s identity, such as their name; driver’s license or identification card number; social security number; biometric record, including a digital photograph or signature; alone, or when combined with other personal or identifying information, which is linked or linkable to a specific individual, such as a date and place of birth or address, whether it is stored in a database, on a driver’s license or identification card, or in the machine readable technology on a license or identification card.” Source: 6 C.F.R. §37.3, Real ID Driver’s Licenses and Identification Cards Regulations

Department of Defense Definition – PII is “information about an individual that identifies, links, relates, or is unique to, or describes him or her, e.g., a social security number; age; military rank; civilian grade; marital status; race; salary; home/office phone numbers; other demographic, biometric, personnel, medical, and financial information, etc.,” and includes “information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, including any other personal information which is linked or linkable to a specified individual.” Source: 32 C.F.R. §310.4, DOD Privacy Program Regulations

Other Definitions – There are other specialized definitions, such as those found in certain GAO reports, the Family Educational Rights and Privacy Act and the Bankruptcy Code."


Personal Information: Information that identifies an individual, including an individual’s photograph, social security number, driver identification number, name, address (but not the 5-digit zip code), telephone number, and medical or disability information, but does not include information on vehicular accidents, driving violations, and driver’s status.” Drivers Privacy Protection Act, 18 U.S.C. Section 2725."

Personnel Security Investigation: means any investigation required for the purpose of determining the eligibility of any military, civilian, or government contractor personnel to access classified information. (7) The term “periodic reinvestigations” means investigations conducted for the purpose of updating a previously completed background investigation— (A) every 5 years in the case of a top secret clearance or access to a highly sensitive program; (B) every 10 years in the case of a secret clearance; or (C) every 15 years in the case of a Confidential Clearance.” Intelligence Reform and Terrorism Prevention Act, P.L. 108-458, Section 3001."

Physical Custody: To have physical control of and responsibility for a specific group of documentary material.” National Archives and Records Administration, Electronic Records Glossary."

Physical Safeguards: Physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” Standards for Privacy of Individually Identifiable Health Information (“HIPAA Privacy Rule”), 45 CFR Parts 160 and 164."

Pixel Tags: Pixel tags are small graphic files that are invisible to the human eye but allow Web sites or other online services to track Internet users. Pixel tags are known by many names such as Web bugs, clear GIFs, invisible GIFs or 1x1 GIFs. The reason for the fact that they are invisible is to hide the fact that they are being used to assist in monitoring. Usually on webpages they are utilized to monitor the use of the website. They can also be used in an html context involving the use of electronic mail and allows the sender to track whether the recipient opened the message and the time that this event occurred. A relatively similar feature is cookies. Cookies are encrypted strings of text that a website stores on a user’s computer. Cookies are used to recognize return visitors; recognize registered users when they log in without forcing them to retype passwords, store and recall user preferences and identify which of our web pages are most useful for our visitors; and measure usage of our site and the various pages on the site; and provide functionality and content that meet certain measured preferences for content and value. A pixel tag can collect a variety of information about an Internet user, including: (1) the IP (Internet Protocol) address of the computer that downloaded the page on which the pixel tag appears; (2) the URL (Uniform Resource Locator) of the page on which the pixel tag appears; (3) the time the page containing the pixel tag was viewed; (4) the type of browser used; (5) the identification number of any cookie on the consumer’s computer previously placed by that server; and (6) a previously set cookie value. However a pixel can set a new cookie to the user’s preferences. The use of pixels can be used by advertising networks of which information to add to a personal profile of whatever sites are being visited. This personal profile is thereafter identified by the use of cookies. Thereafter the personal profile is identified by the browser cookie of an ad network which will be stored in a data base server belonging to the ad network and will determine what banner ad one is shown. Pixel tags are also used to provide an independent accounting of how many people have visited a particular Web site and to assist in the gathering of statistics about web browser’s usage among different websites on the Internet.” Internet Business Law Services."

Plaintext: Unencrypted (unenciphered) data.” NIST Special Publication 800-21, Guideline for Implementing Cryptography In the Federal Government."

Plan of Action and Milestones: A plan of action and milestones (POA&M) is a tool that identifies tasks that need to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the task, and scheduled completion dates for the milestones. The purpose of this POA&M is to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems.” OMB M-02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones."

Program Manager for the Information Sharing Environment (PM-ISE): This position was established by IRTPA Section 1016(f) and is further described within this document.” ISE Privacy and Civil Liberties Implementation Workbook, Appendix H, ISE Privacy Guidelines Definitions."

Potential Impact: The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect, a serious adverse effect, or a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.” FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems."

Practical Utility: means the ability of an agency to use information, particularly the capability to process such information in a timely and useful fashion.” Paperwork Reduction Act, Public Law 104-13, 44 U.S.C. § 3501 et seq."

Preservation: Processes and operations involved in ensuring the technical and intellectual survival of authentic records through time.” National Archives and Records Administration, Electronic Records Glossary."

Preservation Assessment: 1) The review of documentary material to determine their current condition and potential need for preservation processing. 2) The results of this review.” National Archives and Records Administration, Electronic Records Glossary."

Preservation and Access Plan: A plan, based on the results of a preservation assessment, indicating the activities to be undertaken in preserving specific documentary material or sets of material and how NARA will provide access to them.” National Archives and Records Administration, Electronic Records Glossary."

Preservation Process: A process appropriate for ensuring the continued existence, accessibility, and authenticity of documentary material over time.” National Archives and Records Administration, Electronic Records Glossary."

Privacy: The term privacy refers to individuals’ interests in preventing the inappropriate collection, use, and release of personally identifiable information. Privacy interests include privacy of personal behavior, privacy of personal communications, and privacy of personal data. The U.S. Constitution does not explicitly use the word privacy, but several of its provisions protect different aspects of this fundamental right. Although there does not exist an explicit federal constitutional right to an individual’s privacy, privacy rights have been articulated in limited contexts by the U.S. Supreme Court. [Note: several state constitutions do contain explicit language regarding a right to privacy.] Privacy protections are numerous and include protection from unnecessary or unauthorized collection of personal information (e.g., eavesdropping), public disclosure of private facts, and shame or humiliation caused by release of personal information.” DOJ Global Justice Information Sharing Initiative, National Criminal Intelligence Sharing Plan, at 6 (October, 2003); DOJ’s Justice Information Sharing Initiative, Privacy, Civil Rights and Civil Liberties: Policy and Templates for Justice Information Systems, at 2 (September, 2006)."

Privacy Act of 1974: This federal statute controls the collection and dissemination of personal information by the federal government. It guarantees that U.S. citizens and Lawful Permanent Residents have: (1) the right to see records about themselves that are maintained by the federal government (provided that information is not subject to one or more of the Privacy Act’s exemptions); (2) the right to amend inaccurate, irrelevant, untimely, or incomplete records; and (3) the right to sue the government for failure to comply with its requirements. It also contains fair information practices that: (1) require that information about a person be collected from that person to the greatest extent practicable; (2) require agencies to ensure that their records are relevant, accurate, timely, and complete; and (3) prohibit agencies from maintaining information describing how an individual exercises his or her First Amendment rights (unless the individual consents to it, it is permitted by statute, or is within the scope of an authorized law enforcement investigation)."

Privacy and Civil Liberties Oversight Board: The Privacy and Civil Liberties Oversight Board (PCLOB) was created to ensure a system of checks and balances to protect individual privacy and civil liberties during the establishment of government efforts to protect the nation against terrorism. The PCLOB is to provide advice and counsel on the development and implementation of policy to the President or to the head of any executive department or agency. Section 1016 requires consultation with the PCLOB to protect the information privacy rights and other legal rights of Americans in the development and use of the ISE. The PM and the ISC will work closely with the PCLOB to ensure that privacy and civil liberties are protected in the development and management of the ISE.” Information Sharing Environment Interim Implementation Plan, at 14."

Privacy Field: A data element that may be used to identify an individual and, therefore, may be subject to privacy protection.” Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Information Sharing Environment (ISE) Functional Standard (FS) Suspicious Activity Reporting (SAR), at 2 (January 2008)."

Privacy Impact Assessment (PIA): An analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy, (ii) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system, and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.” OMB M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002."

Privacy Policy: Most Web sites have a page describing in detail the site’s privacy practices and what the site’s owners will do with any information they collect.” Computer World."

Privacy Policy In Standardized Machine-Readable Format: [A] statement about site privacy practices written in a standard computer language (not English text) that can be read automatically by a web browser.” OMB M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002."

Private Key: A cryptographic key used with a public key cryptographic algorithm, uniquely associated with an entity, and not made public.” NIST Special Publication 800-21, Guideline for Implementing Cryptography In the Federal Government."

Private Sector Partners: As used in this plan, the term “private sector partners” includes vendors, owners, and operators of products and infrastructures participating in the ISE.” Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Information Sharing Environment Implementation Plan, Glossary (November 2006)."

Profiling: A technique by which information regarding past experiences with a class of persons is used to establish characteristics that are then used to search databases or other records for other persons who closely fit those characteristics.” Institute for Defense Analyses. See also Racial Profiling."

Program Manager: The term “program manager” means the program manager designated under subsection 1016(f) of the IRTPA, who is responsible for information sharing across the Federal Government and shall, in consultation with the Information Sharing Council, plan for and oversee the implementation of, and manage, the ISE. [Extracted from IRTPA 1016(a)(3) and 1016(f)].” Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Information Sharing Environment Implementation Plan, Glossary (November 2006)."

Proper Use Memorandum: [D]efines the requirements for domestic [use of satellite] imagery, outlines its intended use, and includes a proper use statement acknowledging awareness of legal and policy restrictions regarding domestic imagery. Department of the Air Force, Oversight Of Intelligence Activities; “A PUM is a memorandum between the requesting agency and [National Geospatial-Intelligence Agency] NGA outlining the parameters of permissible requests. A PUM includes the requesting agency’s authorized mission permitting use of such information, a description of the intended use of the domestic imagery, who will exploit the domestic imagery, who will receive the domestic imagery and derived products, storage and protection of the imagery, and certification by an appropriate official of the lawfulness and validity of the request.” Testimony of Daniel Sutherland, Turning Spy Satellites on the Homeland: The Privacy and Civil Liberties Implications of the National Applications Office, at 6."

Protected Computer includes “a computer. . . which is used in interstate or foreign commerce or communication.” Electronic Communications Privacy Act, 18 U.S.C. Section 2510."

Protected Critical Infrastructure Information or Protected CII: means CII (including the identity of the submitting person or entity) that is voluntarily submitted to DHS for its use regarding the security of critical infrastructure and protected systems, analysis, warning, interdependency study, recovery, reconstitution, or other informational purpose, when accompanied by an express statement as described in Sec. 29.5 of this chapter. This information maintains its protected status unless the CII Program Manager renders a final decision that the information is not Protected CII. DHS Procedures for Handling Critical Infrastructure Information, 6 CFR Sec. 29.2 (f); “Critical infrastructure information (CII) is defined in 6 U.S.C. 131(3) (Section 212(3) of the Homeland Security Act). Critical infrastructure information means information not customarily in the public domain and related to the security of critical infrastructure or protected systems. Protected Critical Infrastructure Information is a subset of CII that is voluntarily submitted to the Federal Government and for which protection is requested under the PCII program by the requestor.” DHS Management Directive, Safeguarding Sensitive But Unclassified (For Official Use Only) Information."

Protected Health Information (PHI): Individually identifiable health information: (1) Except as provided in paragraph (2) of this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in any medium described in the definition of electronic media at § 162.103 of this subchapter; or (iii) Transmitted or maintained in any other form or medium. (2) Protected health information excludes individually identifiable health information in: (i) Education records covered by the Family Educational Right and Privacy Act, as amended, 20 U.S.C. 1232g; and (ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv).” Standards for Privacy of Individually Identifiable Health Information (“HIPAA Privacy Rule”), 45 CFR Parts 160 and 164."

Protected Information: Protected Information is information about U.S. citizens and lawful permanent residents that is subject to information privacy or other legal protections under the U.S. Constitution and federal laws of the United States. Protected information may also include other information that the U.S. government expressly determines (by Executive Order, international agreement, or other similar instrument) should be covered by these Guidelines. For the Intelligence Community, protected information includes information about United States persons as defined in Executive Order 12333, which provides that a U.S. person is “a United States citizen, an alien known by the intelligence agency concerned to be a permanent resident alien, an unincorporated association substantially composed of United States citizens or permanent resident aliens, or a corporation incorporated in the United States, except for a corporation directed and controlled by a foreign government or governments.” (See Section 1 of the ISE Privacy Guidelines.) The definition of protected information may also include legal protections that are not strictly related to privacy. For example, information relating to the exercise of rights under the First Amendment may be subject to constitutional protections.” ISE Privacy and Civil Liberties Implementation Workbook, Appendix H, ISE Privacy Guidelines Definitions."

Protected System: means any service, physical or computer-based system, process, or procedure that directly or indirectly affects the viability of a facility of critical infrastructure and includes any physical or computer-based system, including a computer, computer system, computer or communications network, or any component hardware or element thereof, software program, processing instructions, or information or data in transmission or storage therein, irrespective of the medium of transmission or storage.” DHS Procedures for Handling Critical Infrastructure Information, 6 CFR Sec. 29.2 (g)."

Provenance: The organization or individual that created, accumulated, and/or maintained the documentary material in the conduct of business prior to their legal transfer to NARA.
Note: The archival principle of provenance states that documentary material of the same provenance must not be intermingled with those of any other provenance.” National Archives and Records Administration, Electronic Records Glossary."

Pseudonymity: This concept originated in the field of cryptography. Pseudonymity is the ability to prove a consistent identity without revealing one’s actual name, instead using an alias or pseudonym. Pseudonymity combines many of the advantages of both a known identity and anonymity. In anonymity, one’s identity isn’t known, but pseudonymity creates a separate, persistent “virtual” identity that can’t be linked to a specific person, group or organization. Pseudonymous remailers, called “nym servers,” take messages addressed to the pseudonym and resend them to the pseudonym’s real e-mail address, and they can also forward messages to others as though they came from the pseudonym’s address on the server. And unlike with anonymous e-mail, users can reply to a pseudonymous sender, and pseudonyms can establish reputations in the digital world.” Computer World."

Public Information: Any information, regardless of form or format, that an agency discloses, disseminates, or makes available to the public.” Paperwork Reduction Act, Public Law 104-13, 44 U.S.C. § 3501 et seq."

Public Key: A cryptographic key used with a public key cryptographic algorithm, uniquely associated with an entity, and which may be made public. [. . . ] The public key is used to verify a digital signature. This key is mathematically linked with a corresponding private key.” NIST Special Publication 800-21, Guideline for Implementing Cryptography In the Federal Government."

Public Key Infrastructure (PKI): An architecture which is used to bind public keys to entities, enable other entities to verify public key bindings, revoke such bindings, and provide other services critical to managing public keys.” NIST Special Publication 800-21, Guideline for Implementing Cryptography In the Federal Government."

Publicly Available Information: is information not found in public records but nevertheless publicly available through other sources. These sources include telephone directories, business directories, print publications such as classified ads or magazines, Internet sites, and other sources accessible by the general public.” Government Accountability Office, Personal Information: Key Federal Privacy Laws Do Not Require Information Resellers to Safeguard All Sensitive Data, at 6."

Purpose: has the meaning as described in section 214(a)(1) of the CII Act of 2002, and includes the security of critical infrastructure and protected systems, analysis, warning, interdependency study, recovery, reconstitution, or other informational purpose.” DHS Procedures for Handling Critical Infrastructure Information, 6 CFR Sec. 29.2 (h)."

Q

Qualified Intelligence Analyst: means an intelligence analyst (as that term is defined in section 210A(j)), including law enforcement personnel—(A) who has successfully completed training to ensure baseline proficiency in intelligence analysis and production, as determined by the Secretary, which may include training using a curriculum developed under section 209; or (B) whose experience ensures baseline proficiency in intelligence analysis and production equivalent to the training required under subparagraph (A), as determined by the Secretary.” Implementing the 9/11 Commission Recommendations Act of 2007, Public Law 110-53, Section 2001."

Quality: an encompassing term comprising utility, objectivity, and integrity. Therefore, the guidelines sometimes refer to these three statutory terms, collectively, as “quality.” DHS Management Directive Number: 8200.1, Information Quality; OMB Guidelines for Ensuring and Maximizing the Quality, Objectivity, Utility, and Integrity of Information Disseminated by Federal Agencies."

R

Racial Profiling: is “any police-initiated action that relies on the race, ethnicity, or national origin rather than the behavior of an individual or information that leads the police to a particular individual who has been identified as being, or having been, engaged in criminal activity.” DOJ Resource Guide on Racial Profiling Data Collection Systems; “'Racial profiling', at its core concerns the invidious use of race or ethnicity as a criterion in conducting stops, searches and other law enforcement investigative procedures. It is premised on the erroneous assumption that any particular individual of one race or ethnicity is more likely to engage in misconduct than any particular individual of another race or ethnicity.” DOJ Guidance Regarding The Use Of Race By Federal Law Enforcement Agencies."

Radiation Detection Equipment: means any technology that is capable of detecting or identifying nuclear and radiological material or nuclear and radiological explosive devices.” Implementing the 9/11 Commission Recommendations Act of 2007, Public Law 110-53, Section 1524."

Readily Accessible to the General Public: With respect to a radio communication, that such communication is not: (A) scrambled or encrypted; (B) transmitted using modulation techniques whose essential parameters have been withheld from the public with the intention of preserving the privacy of such communication; (C) carried on a subcarrier or other signal subsidiary to a radio transmission; (D) transmitted over a communication system provided by a common carrier, unless the communication is a tone only paging system communication; or (E) transmitted on frequencies allocated under part 25, subpart D, E, or F of part 74, or part 94 of the Rules of the Federal Communications Commission, unless, in the case of a communication transmitted on a frequency allocated under part 74 that is not exclusively allocated to broadcast auxiliary services, the communication is a two-way voice communication by radio.” Electronic Communications Privacy Act, 18 U.S.C. Section 2510."

Reasonable Suspicion: (aka “Criminal Predicate”) “is established when information exists which establishes sufficient facts to give a trained law enforcement or criminal investigative agency officer, investigator, or employee a basis to believe that there is a reasonable possibility that an individual or organization is involved in a definable criminal activity or enterprise. In an interjurisdictional intelligence system, the project is responsible for establishing the existence of reasonable suspicion of criminal activity either through examination of supporting information submitted by a participating agency or by delegation of this responsibility to a properly trained participating agency which is subject to routine inspection and audit procedures established by the project.” Criminal Intelligence Systems Operating Policies, 28 CFR Part 23, Section 23.20(c)."

Receipt Data: Information in electronic mail systems regarding date and time of receipt of a message, and/or acknowledgment of receipt or access by addressee(s).” National Archives and Records Administration, Electronic Records Management Regulations, 36 CFR 1234."

Recipient Agency: Any agency, or contractor thereof, receiving records contained in a system of records from a source agency for use in a matching program.” Privacy Act of 1974, 5 U.S.C. § 552a; “Recipient agencies are Federal agencies or their contractors receiving automated records from the Privacy Act systems of records of other Federal agencies, or from State or local governments, to be used in a matching program as defined in the Act.” OMB Circular A-130, Appendix I, Management of Federal Information Resources."

Record: includes any writing, drawing, map, tape, film, photograph, or other means by which information is preserved, irrespective of format.” Sensitive Security Information, 49 CFR Part 1520.1(b)."

Records: All books, papers, maps, photographs, machine-readable materials, or other documentary materials, regardless of physical form or characteristics, made or received by an agency of the United States Government under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations or other activities of the Government or because of the informational value of the data in them.” NIST FIPS Publication 200, Minimum Security for Federal Information Systems."

Record Group: An administrative grouping of organizationally related records established by an archival agency after considering the organization’s administrative history and complexity and the volume of its records.” National Archives and Records Administration, Electronic Records Glossary."

Record Type: The intellectual form of the documentary material, such as letter, memo, greeting card, or portrait.” National Archives and Records Administration, Electronic Records Glossary."

Records Center: “A facility for the storage and servicing of records pending their disposal or transfer to the National Archives. Records centers include NARA-authorized agency records centers and NARA-operated Federal records centers.” National Archives and Records Administration, Electronic Records Glossary."

Records Lifecycle: An archival concept that describes the lifespan of a record, from its creation or receipt to its final disposition. The records lifecycle is divided into the following stages or phases: creation/receipt, maintenance and use, retirement, final disposition, and continuing use.” National Archives and Records Administration, Electronic Records Glossary."

Records Lifecycle Data: All data collected by NARA that pertains to the records throughout their lifecycle. This includes all data related to records lifecycle management processes, including data collected during scheduling, physical transfer, legal transfer, and description.” National Archives and Records Administration, Electronic Records Glossary."

Records Lifecycle Transaction: An activity performed on documentary material in their existence that changes their status in the records lifecycle. Such transactions include the scheduling and appraisal of government records, the development of deposit agreements, the retirement of material to NARA physical custody, the legal transfer of material to the National Archives and Presidential Libraries, destruction, and the review, redaction, and release of information subject to legal restrictions on access.” National Archives and Records Administration, Electronic Records Glossary."

Records Schedule: Also called records disposition schedule, records control schedule, records retention schedule, records retention and disposition schedule, or schedule. “A type of disposition agreement developed by a Federal agency and approved by NARA that describes Federal records, establishes a period for their retention by the agency, and provides mandatory instructions for what to do with them when they are no longer needed for current Government business. The term refers to: (1) an SF 115, Request for Records Disposition Authority, that has been approved by NARA to authorize the disposition of Federal records; and (2) a General Records Schedule (GRS) issued by NARA. Note: Records schedules may be reproduced or referenced in a printed agency manual or directive containing the records’ descriptions and disposition instructions approved by NARA on one or more SF 115s or issued by NARA in the GRS.” National Archives and Records Administration, Electronic Records Glossary."

Recordkeeping Requirement: [A] requirement imposed by or for an agency on persons to maintain specified records, including a requirement to— (A) retain such records; (B) notify third parties, the Federal Government, or the public of the existence of such records; (C) disclose such records to third parties, the Federal Government, or the public; or (D) report to third parties, the Federal Government, or the public regarding such records.” Paperwork Reduction Act, Public Law 104-13, 44 U.S.C. § 3501 et seq."

Records Disposition: Any activity with respect to— (A) disposal of temporary records no longer necessary for the conduct of business by destruction or donation; (B) transfer of records to Federal agency storage facilities or records centers; (C) transfer to the National Archives of the United States of records determined to have sufficient historical or other value to warrant continued preservation; or (D) transfer of records from one Federal agency to any other Federal agency.” Records Management by the Archivist of the United States."

Records Series: File units or documents arranged according to a filing system or kept together because they relate to a particular subject or function, result from the same activity, document a specific kind of transaction, take a particular physical form, or have some other relationship arising out of their creation, receipt, or use, such as restrictions on access and use.” DHS Records Management Handbook."

Records Maintenance and Use: Any activity involving— (A) location of records of a Federal agency; (B) storage, retrieval, and handling of records kept at office file locations by or for a Federal agency; (C) processing of mail by a Federal agency; or (D) selection and utilization of equipment and supplies associated with records and copying.” Records Management by the Archivist of the United States."

Records Creation: The production or reproduction of any record.” Records Management by the Archivist of the United States."

Records Having Permanent Historical Value: means Presidential papers or Presidential records and the records of an agency that the Archivist has determined should be maintained permanently in accordance with title 44, United States Code.” Executive Order 13292, Classified National Security Information, Section 6.1(ee)."

Records Management: means the planning, controlling, directing, organizing, training, promoting, and other managerial activities involved with respect to records creation, records maintenance and use, and records disposition in order to achieve adequate and proper documentation of the policies and transactions of the Federal Government and effective and economical management of agency operations.” Executive Order 13292, Classified National Security Information, Section 6.1(ff); (44 U.S.C. 2901(2)); OMB Circular A-130, Management of Federal Information Resources."

Redaction: The action of following instructions and/or guidelines from equity holders to create a copy of documentary material, in which access restricted information is removed so that the non-restricted information in the material may be made available to the public.” National Archives and Records Administration, Electronic Records Glossary."

References: Documents or information used to verify a Subject’s identity before issuing a credential.” NIST Draft Special Publication 800-103 (SP 800-103), An Ontology of Identity Credentials, Part 1: Background and Formulation."

Registration Authority: An entity that registers applicants for keys and certificates, verifies user requests for a digital certificate, and tells the certificate authority it may issue a certificate.” NIST Draft Special Publication 800-103 (SP 800-103), An Ontology of Identity Credentials, Part 1: Background and Formulation."

Relying Party: A recipient who acts in reliance on a certificate and digital signature.” NIST Draft Special Publication 800-103 (SP 800-103), An Ontology of Identity Credentials, Part 1: Background and Formulation."

Reproducibility: means that the information is capable of being substantially reproduced, subject to an acceptable degree of imprecision. For information judged to have more (less) important impacts, the degree of imprecision that is tolerated is reduced (increased). If agencies apply the reproducibility test to specific types of original or supporting data, the associated guidelines shall provide relevant definitions of reproducibility (e.g., standards for replication of laboratory data). With respect to analytic results, “capable of being substantially reproduced” means that independent analysis of the original or supporting data using identical methods would generate similar analytic results, subject to an acceptable degree of imprecision or error.” OMB Guidelines for Ensuring and Maximizing the Quality, Objectivity, Utility, and Integrity of Information Disseminated by Federal Agencies."

Resources: means personnel and major items of equipment, supplies, and facilities available or potentially available for responding to a natural disaster, act of terrorism, or other man-made disaster.” Implementing the 9/11 Commission Recommendations Act of 2007, Public Law 110-53, Section 401."

Right to Know: A ‘right to know’ may be satisfied when the recipient agency or individual has the official capacity and statutory authority to receive the intelligence requested.

Both [need to know and right to know] may need to be satisfied based on the nature and sensitivity of the information requested and the law surrounding the release of particular types of information or intelligence.” IACP Criminal Intelligence, Concepts and Issues, at 3 (July 2003)."

Risk: The possibility of harm or loss to any software, information, hardware, administrative, physical, communications, or personnel resource within an automated information system or activity.” NIST Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems; “The net mission impact considering the probability that a particular threat will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability and the resulting impact if this should occur.” NIST Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems; “The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.” NIST FIPS Publication 200, Minimum Security for Federal Information Systems."

Risk Management: Is the ongoing process of assessing the risk to automated information resources and information, as part of a risk-based approach used to determine adequate security for a system by analyzing the threats and vulnerabilities and selecting appropriate cost-effective controls to achieve and maintain an acceptable level of risk.” NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems; “The process of managing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system.” NIST FIPS Publication 200, Minimum Security for Federal Information Systems. "

RISS Automated Trusted Information Exchange (ATIX): RISS ATIX™ provides users with secure interagency communications and information sharing resources for exchanging public safety and law enforcement information.” DOJ/DHS, Fusion Center Guidelines, at 35."

RISSNET™: RISSNET provides the six RISS centers with a secure criminal intelligence network for communications and information sharing by local, state, tribal, and federal law enforcement agencies.” DOJ/DHS, Fusion Center Guidelines, at 35."

Role-Based Access Control: With RBAC, security is managed at a level that corresponds closely to the organization’s structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role. Security administration with RBAC consists of determining the operations that must be executed by persons in particular jobs, and assigning employees to the proper roles. Complexities introduced by mutually exclusive roles or role hierarchies are handled by the RBAC software, making security administration easier.” National Institute of Standards and Technology; “Although RBAC is technically a form of non-discretionary access control [Ram02, Shi02], recent computer security texts often list RBAC as one of the three primary access control policies (the others are [Discretionary Access Control (DAC) and Mandatory Access Control (MAC)]). In RBAC, access decisions are based on the roles that individual users have as part of an organization. Users take on assigned roles (such as doctor, nurse, teller, or manager). Access rights are grouped by role name, and the use of resources is restricted to individuals authorized to assume the associated role. For example, within a hospital system, the role of doctor can include operations to perform a diagnosis, prescribe medication, and order laboratory tests; the role of researcher can be limited to gathering anonymous clinical information for studies. The use of roles to control access can be an effective means for developing and enforcing enterprise-specific security policies and for streamlining the security management process.

Under RBAC, users are granted membership into roles based on their competencies and responsibilities in the organization. The operations that a user is permitted to perform are based on the user’s role. User membership into roles can be revoked easily and new memberships established as job assignments dictate. Role associations can be established when new operations are instituted, and old operations can be deleted as organizational functions change and evolve. This simplifies the administration and management of privileges; roles can be updated without updating the privileges for every user on an individual basis. . . . When a user is associated with a role, the user can be given no more privilege than is necessary to perform the job; since many of the responsibilities overlap between job categories, maximum privilege for each job category could cause unauthorized access. This concept of least privilege requires identifying the user’s job functions, determining the minimum set of privileges required to perform those functions, and restricting the user to a domain with those privileges and nothing more. In less precisely controlled systems, least privilege is often difficult or costly to achieve because it is difficult to tailor access based on various attributes or constraints. Role hierarchies can be established to provide for the natural structure of an enterprise. A role hierarchy defines roles that have unique attributes and that may contain other roles; that is, one role may implicitly include the operations that are associated with another role.” NIST Interagency Report 7316, Assessment of Access Control Systems. See also, Discretionary Access Control, and Mandatory Access Control."
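The mechanism this entry describes, as an added example that is not from NIST IR 7316 or this glossary: a small RBAC checker in which users hold roles, roles carry operations, a role may contain other roles (role hierarchy), two roles may be declared mutually exclusive, and a least-privilege audit reports what a user can do beyond what the job needs. The hospital roles, their operations and the doctor/pharmacist exclusion are constructed for illustration.

```python
from dataclasses import dataclass, field
from itertools import combinations


class RBACError(Exception):
    """Raised when a role or an assignment would violate the policy."""


@dataclass
class RBAC:
    """Users -> roles -> operations, with role hierarchies and exclusions.

    A role may "contain" other roles: it then implicitly includes every
    operation of the roles it contains (the role hierarchy in NIST IR 7316).
    """

    role_ops: dict = field(default_factory=dict)    # role -> set of operations
    contains: dict = field(default_factory=dict)    # role -> set of contained (junior) roles
    exclusive: set = field(default_factory=set)     # frozensets of mutually exclusive role pairs
    user_roles: dict = field(default_factory=dict)  # user -> set of directly assigned roles

    def add_role(self, role, ops, contains=()):
        for junior in contains:
            if junior not in self.role_ops:
                raise RBACError(f"unknown role {junior!r}")
        self.role_ops[role] = set(ops)
        self.contains[role] = set(contains)

    def add_exclusion(self, a, b):
        """Declare two roles mutually exclusive: no user may hold both."""
        self.exclusive.add(frozenset((a, b)))

    def effective_roles(self, role):
        """Transitive closure over the hierarchy: the role plus all roles it contains."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.contains.get(r, ()))
        return seen

    def conflicts(self, user, role):
        """Exclusive pairs the user would hold (directly or via the hierarchy) after gaining role."""
        held = set()
        for r in self.user_roles.get(user, set()) | {role}:
            held |= self.effective_roles(r)
        return {frozenset(p) for p in combinations(held, 2) if frozenset(p) in self.exclusive}

    def assign(self, user, role):
        if role not in self.role_ops:
            raise RBACError(f"unknown role {role!r}")
        if self.conflicts(user, role):
            raise RBACError(f"{user!r} cannot hold {role!r}: mutually exclusive with a held role")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        """Membership is revoked without editing any individual privilege."""
        self.user_roles.get(user, set()).discard(role)

    def permissions(self, user):
        """Union of the operations of every role the user holds, hierarchy included."""
        ops = set()
        for r in self.user_roles.get(user, set()):
            for er in self.effective_roles(r):
                ops |= self.role_ops[er]
        return ops

    def check(self, user, op):
        return op in self.permissions(user)

    def excess_privilege(self, user, required_ops):
        """Least-privilege audit: operations the user may perform but the job does not need."""
        return self.permissions(user) - set(required_ops)


def build_hospital_policy():
    """Constructed sample policy modelled on the hospital example in the NIST text."""
    p = RBAC()
    p.add_role("clinician", {"read_chart"})
    p.add_role("nurse", {"administer_medication"}, contains={"clinician"})
    p.add_role("doctor", {"perform_diagnosis", "prescribe_medication", "order_lab_tests"},
               contains={"clinician"})
    p.add_role("pharmacist", {"dispense_medication"}, contains={"clinician"})
    p.add_role("researcher", {"gather_anonymous_clinical_data"})
    # Constructed separation-of-duty rule: nobody both prescribes and dispenses.
    p.add_exclusion("doctor", "pharmacist")
    p.assign("alice", "doctor")
    p.assign("bob", "researcher")
    return p


if __name__ == "__main__":
    policy = build_hospital_policy()
    print(sorted(policy.permissions("alice")))
    print(policy.check("bob", "read_chart"))
```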

Routine Use: Means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.” Privacy Act of 1974, 5 U.S.C. § 552a."

Rules of Behavior: The rules that have been established and implemented concerning use of, security in, and acceptable level of risk for the system. Rules will clearly delineate responsibilities and expected behavior of all individuals with access to the system. Rules should cover such matters as work at home, dial-in access, connection to the Internet, use of copyrighted works, unofficial use of federal government equipment, the assignment and limitation of system privileges, and individual accountability.” NIST Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems."


S

Sabotage: means activities that involve a violation of chapter 105 of title 18, or that would involve such a violation if committed against the United States.” Foreign Intelligence Surveillance Act, 50 U.S.C. Section 1801."

Safeguards: Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. [CNSS Instruction 4009 Adapted] Synonymous with security controls and countermeasures.” NIST FIPS Publication 200, Minimum Security for Federal Information Systems."

Safeguarding: means measures and controls that are prescribed to protect classified information.” Executive Order 13292, Classified National Security Information, Section 6.1(gg)."

Sanitization: Process to remove information from media such that information recovery is not possible. It includes removing all labels, markings, and activity logs.” NIST FIPS Publication 200, Minimum Security for Federal Information Systems."

Schedule: As a verb, the processes carried out by a Federal agency to support the development of a records schedule. As a noun, a synonym for records schedule.” National Archives and Records Administration, Electronic Records Glossary."

Screening: refers to a process that includes, but is not limited to, government officials searching for available information on an individual in various databases. For example, a person may go through a screening process when: 1) applying for a visa at a U.S. Consulate office, 2) attempting to enter the United States through a port of entry, 3) being stopped by a local law enforcement officer for a traffic violation, or 4) attempting to travel on a commercial airline.” U.S. Department of Justice Office of the Inspector General Audit Division, Review of the Terrorist Screening Center, Audit Report 05-27, at i n1 (June, 2005)."

Security Domains: As used in this plan, the term “Security Domains” refers to three security levels—Sensitive Compartmented Information (SCI), Secret, and Sensitive but Unclassified (SBU)—across which the ISE must operate.” Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Information Sharing Environment Implementation Plan, Glossary (November 2006)."

Sealed Record Information: means— (A) with respect to adults, that portion of a record that is— (i) not available for criminal justice uses; (ii) not supported by fingerprints or other accepted means of positive identification; or (iii) subject to restrictions on dissemination for non-criminal justice purposes pursuant to a court order related to a particular subject or pursuant to a Federal or State statute that requires action on a sealing petition filed by a particular record subject; and (B) with respect to juveniles, whatever each State determines is a sealed record under its own law and procedure.” National Criminal History Access and Child Protection Act, Public Law 105-251, Section 217."

Secrecy: Refers to denial of access to information by unauthorized individuals.” NIST Special Publication 800-21, Guideline for Implementing Cryptography In the Federal Government."

Secret: shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe.” Executive Order 13292, Classified National Security Information, Section 1.2(1)."

Secret Key: A cryptographic key used with a secret key cryptographic algorithm, uniquely associated with one or more entities, and which shall not be made public. The use of the term “secret” in this context does not imply a classification level, rather the term implies the need to protect the key from disclosure or substitution.” NIST Special Publication 800-21, Guideline for Implementing Cryptography In the Federal Government."

Secure and Reliable Forms of Identification: for purposes of this directive means identification that (a) is issued based on sound criteria for verifying an individual employee’s identity; (b) is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation; (c) can be rapidly authenticated electronically; and (d) is issued only by providers whose reliability has been established by an official accreditation process. The Standard will include graduated criteria, from least secure to most secure, to ensure flexibility in selecting the appropriate level of security for each application. The Standard shall not apply to identification associated with national security systems as defined by 44 U.S.C. 3542(b)(2).” Homeland Security Presidential Directive/HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors."

Secure Area of an Airport: The term 'secure area of an airport' means the sterile area and the Secure Identification Display Area of an airport (as such terms are defined in section 1540.5 of title 49, Code of Federal Regulations, or any successor regulation to such section).” Intelligence Reform and Terrorism Prevention Act, P.L. 108-458, Section 4011."

Security Background Check: means reviewing the following for the purpose of identifying individuals who may pose a threat to transportation security, national security, or of terrorism: (A) Relevant criminal history databases. (B) In the case of an alien (as defined in section 101 of the Immigration and Nationality Act (8 U.S.C. 1101(a)(3))), the relevant databases to determine the status of the alien under the immigration laws of the United States. (C) Other relevant information or databases, as determined by the Secretary.” Implementing the 9/11 Commission Recommendations Act of 2007, Public Law 110-53, Section 1414."

Security Category: The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, or individuals.” NIST FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems."

Security Contingency Plan: means a plan detailing response procedures to address a transportation security incident, threat assessment, or specific threat against transportation, including details of preparation, response, mitigation, recovery, and reconstitution procedures, continuity of government, continuity of transportation operations, and crisis management.” Sensitive Security Information, 49 CFR Part 1520.3."

Security Controls: Protective measures used to meet the security requirements specified for IT resources.” NIST Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems; “The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.” NIST FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems."

Security Control Baseline: The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.” FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems, at 9."

Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” Standards for Privacy of Individually Identifiable Health Information (“HIPAA Privacy Rule”), 45 CFR Parts 160 and 164."

Security Management System: means a set of guidelines that address the security assessment needs of critical infrastructure and key resources that are consistent with a set of generally accepted management standards ratified and adopted by a standards making body.” Implementing the 9/11 Commission Recommendations Act of 2007, Public Law 110-53, Section 2404."

Security Objective: Confidentiality, integrity, or availability.” NIST FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems."

Security Plan: see System Security Plan."

Security Program: means a program or plan and any amendments, developed for the security of the following, including any comments, instructions, or implementing guidance: (1) An airport, aircraft, or aviation cargo operation; (2) A maritime facility, vessel, or port area; or (3) A transportation-related automated system or network for information processing, control, and communications.” Sensitive Security Information, 49 CFR Part 1520.3."

Security Requirements: Requirements levied on an information system that are derived from applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures, or organizational mission/business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.” FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems, at 9."

Security Screening: means evaluating a person or property to determine whether either poses a threat to security.” Sensitive Security Information, 49 CFR Part 1520.3."

Self-Inspection: means the internal review and evaluation of individual agency activities and the agency as a whole with respect to the implementation of the program established under this order and its implementing directives.” Executive Order 13292, Classified National Security Information, Section 6.1(hh)."

Senior Agency Information Security Officer: Official responsible for carrying out the Chief Information Officer responsibilities under FISMA and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners, and information system security officers.” Federal Information Security Management Act, Public Law 107-347, Section 3544."

Sensitive Criminal Matter: is any alleged criminal conduct involving:

  • corrupt action by a public official or political candidate,
  • the activities of foreign government,
  • the activities of a religious organization or a primarily political organization or the related activities of any individual prominent in such an organization,
  • or the activities of the news media;

and any other matter which in the judgment of a Special Agent in Charge (SAC) should be brought to the attention of the United States Attorney or other appropriate official in the Department of Justice, as well as FBI Headquarters (FBIHQ).” (formatting changes) The Attorney General’s Guidelines on General Crimes, Racketeering Enterprise and Domestic Security/Terrorism Investigations."

Sensitive Information: Information that requires protection due to the risk and magnitude of loss or harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information. The term includes information whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary information, records about individuals requiring protection under the Privacy Act, and information not releasable under the Freedom of Information Act.” NIST Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems."

Sensitive Security Information (SSI): Sensitive security information (SSI) is defined in 49 C.F.R. Part 1520. SSI is a specific category of information that requires protection against disclosure. 49 U.S.C. 40119 limits the disclosure of information obtained or developed in carrying out certain security or research and development activities to the extent that it has been determined that disclosure of the information would be an unwarranted invasion of personal privacy; reveal a trade secret or privileged or confidential commercial or financial information; or be detrimental to the safety of passengers in transportation.” DHS Management Directive, Safeguarding Sensitive But Unclassified (For Official Use Only) Information;

“(a) In general. In accordance with 49 U.S.C. 114(s), SSI is information obtained or developed in the conduct of security activities, including research and development, the disclosure of which TSA has determined would— (1) Constitute an unwarranted invasion of privacy (including, but not limited to, information contained in any personnel, medical, or similar file); (2) Reveal trade secrets or privileged or confidential information obtained from any person; or (3) Be detrimental to the security of transportation.

(b) Information constituting SSI. Except as otherwise provided in writing by TSA in the interest of public safety or in furtherance of transportation security, the following information, and records containing such information, constitute SSI:

(1) Security programs and contingency plans. Any security program or security contingency plan issued, established, required, received, or approved by DOT or DHS, including— (i) Any aircraft operator or airport operator security program or security contingency plan under this chapter; (ii) Any vessel, maritime facility, or port area security plan required or directed under Federal law; (iii) Any national or area security plan prepared under 46 U.S.C. 70103; and (iv) Any security incident response plan established under 46 U.S.C. 70104.

(2) Security Directives. Any Security Directive or order— (i) Issued by TSA under 49 CFR 1542.303, 1544.305, or other authority; (ii) Issued by the Coast Guard under the Maritime Transportation Security Act, 33 CFR part 6, or 33 U.S.C. 1221 et seq. related to maritime security; or (iii) Any comments, instructions, and implementing guidance pertaining thereto.

(3) Information Circulars. Any notice issued by DHS or DOT regarding a threat to aviation or maritime transportation, including any— (i) Information Circular issued by TSA under 49 CFR 1542.303, 1544.305, or other authority; and (ii) Navigation or Vessel Inspection Circular issued by the Coast Guard related to maritime security.

(4) Performance specifications. Any performance specification and any description of a test object or test procedure, for— (i) Any device used by the Federal government or any other person pursuant to any aviation or maritime transportation security requirements of Federal law for the detection of any weapon, explosive, incendiary, or destructive device or substance; and (ii) Any communications equipment used by the Federal government or any other person in carrying out or complying with any aviation or maritime transportation security requirements of Federal law.

(5) Vulnerability assessments. Any vulnerability assessment directed, created, held, funded, or approved by the DOT, DHS, or that will be provided to DOT or DHS in support of a Federal security program.

(6) Security inspection or investigative information. (i) Details of any security inspection or investigation of an alleged violation of aviation or maritime transportation security requirements of Federal law that could reveal a security vulnerability, including the identity of the Federal special agent or other Federal employee who conducted the inspection or audit. (ii) In the case of inspections or investigations performed by TSA, this includes the following information as to events that occurred within 12 months of the date of release of the information: the name of the airport where a violation occurred, the airport identifier in the case number, a description of the violation, the regulation allegedly violated, and the identity of any aircraft operator in connection with specific locations or specific security procedures. Such information will be released after the relevant 12-month period, except that TSA will not release the specific gate or other location on an airport where an event occurred, regardless of the amount of time that has passed since its occurrence. During the period within 12 months of the date of release of the information, TSA may release summaries of an aircraft operator’s, but not an airport operator’s, total security violations in a specified time range without identifying specific violations or locations. Summaries may include total enforcement actions, total proposed civil penalty amounts, number of cases opened, number of cases referred to TSA or FAA counsel for legal enforcement action, and number of cases closed.

(7) Threat information. Any information held by the Federal government concerning threats against transportation or transportation systems and sources and methods used to gather or develop threat information, including threats against cyber infrastructure.

(8) Security measures. Specific details of aviation or maritime transportation security measures, both operational and technical, whether applied directly by the Federal government or another person, including— (i) Security measures or protocols recommended by the Federal government; (ii) Information concerning the deployments, numbers, and operations of Coast Guard personnel engaged in maritime security duties and Federal Air Marshals, to the extent it is not classified national security information; and (iii) Information concerning the deployments and operations of Federal Flight Deck Officers, and numbers of Federal Flight Deck Officers aggregated by aircraft operator.

(9) Security screening information. The following information regarding security screening under aviation or maritime transportation security requirements of Federal law: (i) Any procedures, including selection criteria and any comments, instructions, and implementing guidance pertaining thereto, for screening of persons, accessible property, checked baggage, U.S. mail, stores, and cargo, that is conducted by the Federal government or any other authorized person. (ii) Information and sources of information used by a passenger or property screening program or system, including an automated screening system. (iii) Detailed information about the locations at which particular screening methods or equipment are used, only if determined by TSA to be SSI. (iv) Any security screener test and scores of such tests. (v) Performance or testing data from security equipment or screening systems. (vi) Any electronic image shown on any screening equipment monitor, including threat images and descriptions of threat images for threat image projection systems.

(10) Security training materials. Records created or obtained for the purpose of training persons employed by, contracted with, or acting for the Federal government or another person to carry out any aviation or maritime transportation security measures required or recommended by DHS or DOT.

(11) Identifying information of certain transportation security personnel. (i) Lists of the names or other identifying information that identify persons as— (A) Having unescorted access to a secure area of an airport or a secure or restricted area of a maritime facility, port area, or vessel or; (B) Holding a position as a security screener employed by or under contract with the Federal government pursuant to aviation or maritime transportation security requirements of Federal law, where such lists are aggregated by airport; (C) Holding a position with the Coast Guard responsible for conducting vulnerability assessments, security boardings, or engaged in operations to enforce maritime security requirements or conduct force protection; (D) Holding a position as a Federal Air Marshal; or (ii) The name or other identifying information that identifies a person as a current, former, or applicant for Federal Flight Deck Officer.

(12) Critical aviation or maritime infrastructure asset information. Any list identifying systems or assets, whether physical or virtual, so vital to the aviation or maritime transportation system that the incapacity or destruction of such assets would have a debilitating impact on transportation security, if the list is— (i) Prepared by DHS or DOT; or (ii) Prepared by a State or local government agency and submitted by the agency to DHS or DOT.

(13) Systems security information. Any information involving the security of operational or administrative data systems operated by the Federal government that have been identified by the DOT or DHS as critical to aviation or maritime transportation safety or security, including automated information security procedures and systems, security inspections, and vulnerability information concerning those systems.

(14) Confidential business information. (i) Solicited or unsolicited proposals received by DHS or DOT, and negotiations arising therefrom, to perform work pursuant to a grant, contract, cooperative agreement, or other transaction, but only to the extent that the subject matter of the proposal relates to aviation or maritime transportation security measures; (ii) Trade secret information, including information required or requested by regulation or Security Directive, obtained by DHS or DOT in carrying out aviation or maritime transportation security responsibilities; and (iii) Commercial or financial information, including information required or requested by regulation or Security Directive, obtained by DHS or DOT in carrying out aviation or maritime transportation security responsibilities, but only if the source of the information does not customarily disclose it to the public.

(15) Research and development. Information obtained or developed in the conduct of research related to aviation or maritime transportation security activities, where such research is approved, accepted, funded, recommended, or directed by the DHS or DOT, including research results.

(16) Other information. Any information not otherwise described in this section that TSA determines is SSI under 49 U.S.C. 114(s) or that the Secretary of DOT determines is SSI under 49 U.S.C. 40119. Upon the request of another Federal agency, TSA or the Secretary of DOT may designate as SSI information not otherwise described in this section.

(c) Loss of SSI designation. TSA or the Coast Guard may determine in writing that information or records described in paragraph (b) of this section do not constitute SSI because they no longer meet the criteria set forth in paragraph (a) of this section.” Sensitive Security Information, 49 CFR Part 1520.5."

Sensitivity: In an information technology environment consists of the system, data, and applications which must be examined individually and in total. All systems and applications require some level of protection for confidentiality, integrity, and availability which is determined by an evaluation of the sensitivity and criticality of the information processed, the relationship of the system to the organization’s mission, and the economic value of the system components.” NIST Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems."

Series: The highest level of hierarchical description as defined by NARA’s, which describes file units or items arranged in accordance with a filing system or maintained as a unit because they result from the same accumulation or filing process, the same function, or the same activity; have a particular form; or because of some other relationship arising out of their creation, receipt, or use.” National Archives and Records Administration, Electronic Records Glossary."

Service Recipient: An agency organizational unit, programmatic entity, or chargeable account that receives information processing services from an information processing service organization (IPSO). A service recipient may be either internal or external to the organization responsible for providing information resources services, but normally does not report either to the manager or director of the IPSO or to the same immediate supervisor.” OMB Circular A-130, Management of Federal Information Resources."

Services Standards: Services standards describe the business processes and system servicing routines supporting those common activities used for discovering, identifying, distributing, protecting, and managing terrorism information. These standards may also describe new information sharing services for incorporation into agency service-based architectures and integrate with other organizational business processes. Universal Description, Discovery, and Integration (UDDI) is an example of a Services standard that supports information search capability on the Internet using distributed operator sites as servicing entities.” Common Terrorism Information Sharing Standards (CTISS) Program, at 2 (Oct. 2007)."

Source Agency: Any agency which discloses records contained in a system of records to be used in a matching program, or any State or local government, or agency thereof, which discloses records to be used in a matching program.” Privacy Act of 1974, 5 U.S.C. § 552a. “A source agency is a Federal agency that discloses automated records from a system of records to another Federal agency or to a State or local agency to be used in a matching program. It is also a State or local agency that discloses records to a Federal agency for use in a matching program.” OMB Circular A-130, Appendix I, Management of Federal Information Resources."

Source Document: means an existing document that contains classified information that is incorporated, paraphrased, restated, or generated in new form into a new document.” Executive Order 13292, Classified National Security Information, Section 6.1(jj)."

Special Access Program: means a program established for a specific class of classified information that imposes safeguarding and access requirements that exceed those normally required for information at the same classification level.” Executive Order 13292, Classified National Security Information, Section 6.1(kk)."

Sponsor: An entity that is authorized to make a request that a certificate be issued to a subject or entity, and that attests that the subject has the need and the right to hold a certificate.” NIST Draft Special Publication 800-103, An Ontology of Identity Credentials, Part 1: Background and Formulation."

Spyware: Any technology that aids in gathering information about persons or organizations without their knowledge. On the Internet, spyware is programming that’s secretly installed in a computer to gather information about the user and relay it to advertisers or other interested parties. Spyware can infiltrate a computer as a virus or as a surprise result of installing a new program. Data-collecting programs installed with the user’s knowledge aren't spyware as long as the user fully understands what data is being collected and with whom it will be shared. If your computer has spyware in it, be aware that you have a “live” server sending information about your surfing habits to a remote location.” Computer World."

State: includes the District of Columbia and any commonwealth, territory, or possession of the United States.” Homeland Security Information Sharing Act, Public Law 107-296, Section 892; “The term “State” means any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, Guam, American Samoa, the Commonwealth of the Northern Mariana Islands, and any possession of the United States. [Homeland Security Act of 2002, 6 U.S.C. 101].” Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Information Sharing Environment Implementation Plan, Glossary (November 2006)."

State and Local Personnel: means any of the following persons involved in prevention, preparation, or response for terrorist attack: (A) State Governors, mayors, and other locally elected officials. (B) State and local law enforcement personnel and firefighters. (C) Public health and medical professionals. (D) Regional, State, and local emergency management agency personnel, including State adjutant generals. (E) Other appropriate emergency response agency personnel. (F) Employees of private-sector entities that affect critical infrastructure, cyber, economic, or public health security, as designated by the Federal Government in procedures developed pursuant to this section.” Homeland Security Information Sharing Act, Public Law 107-296, Section 892."

State Identification Bureau: The term 'State identification bureau' means the State entity designated by the Attorney General for the submission and receipt of criminal history record information.” Intelligence Reform and Terrorism Prevention Act, P.L. 108-458, Section 6402."

Statistical Activities: The term 'statistical activities'— (A) means the collection, compilation, processing, or analysis of data for the purpose of describing or making estimates concerning the whole, or relevant groups or components within, the economy, society, or the natural environment; and (B) includes the development of methods or resources that support those activities, such as measurement methods, models, statistical classifications, or sampling frames.” Confidential Information Protection and Statistical Efficiency Act of 2002, 44 USC Section 3501."

Statistical Agency or Unit: The term “statistical agency or unit” means an agency or organizational unit of the executive branch whose activities are predominantly the collection, compilation, processing, or analysis of information for statistical purposes.” Confidential Information Protection and Statistical Efficiency Act of 2002, 44 USC Section 3501."

Statistical Purpose: The term 'statistical purpose' — (A) means the description, estimation, or analysis of the characteristics of groups, without identifying the individuals or organizations that comprise such groups; and (B) includes the development, implementation, or maintenance of methods, technical or administrative procedures, or information resources that support the purposes described in subparagraph (A).” Confidential Information Protection and Statistical Efficiency Act of 2002, 44 USC Section 3501."

Statistical Record: [A] record in a system of records maintained for statistical research or reporting purposes only and not used in whole or in part in making any determination about an identifiable individual, except as provided by section 8 of Title 13.” Privacy Act of 1974, 5 U.S.C. § 552a."

Strategic Intelligence: Information concerning existing patterns or emerging trends of criminal activity designed to assist in criminal apprehension and crime control strategies, for both short- and long-term investigative goals.” IACP Model Policy on Criminal Intelligence."

Student: Any person with respect to whom an educational agency or institution maintains education records or personally identifiable information, but does not include a person who has not been in attendance at such agency or institution.” Family Educational Rights and Privacy Act, 20 USC Section 1232g."

Subject: A field in a certificate that identifies the person or entity to whom the certificate is issued; also, an authorized entity that uses a certificate as applicant, subscriber, recipient or relying party, but not including the CA issuing the certificate.” NIST Draft Special Publication 800-103 (SP 800-103), An Ontology of Identity Credentials, Part 1: Background and Formulation."

Submission to DHS: as referenced in these procedures means any transmittal of CII from any entity to DHS. The CII may be provided to DHS either directly or indirectly via another Federal agency, which, upon receipt of the CII, will forward it to DHS.” DHS Procedures for Handling Critical Infrastructure Information, 6 CFR Sec. 29.2 (i)."

Suspicious Activity Report: Official documentation of observed behavior that may be indicative of intelligence gathering or pre-operational planning related to terrorism, criminal, or other illicit intention.” Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Information Sharing Environment (ISE) Functional Standard (FS) Suspicious Activity Reporting (SAR), at 2 (January 2008). See also, ISE Suspicious Activity Report."

System: [A] generic term used for briefness to mean either a major application or a general support system.” NIST Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems."

System Administrator: A person who manages a multi-user computer system. Responsibilities are similar to that of a network administrator. A system administrator would perform systems programmer activities with regard to the operating system and other network control programs.” NIST Special Publication 800-40, Creating a Patch and Vulnerability Management Program."

Systematic Declassification Review: means the review for declassification of classified information contained in records that have been determined by the Archivist to have permanent historical value in accordance with title 44, United States Code.” Executive Order 13292, Classified National Security Information, Section 6.1(ll)."

System Development Life Cycle: The scope of activities associated with a system, encompassing the system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal that instigates another system initiation.” NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems."

System Interconnection: The direct connection of two or more IT systems for the purpose of sharing data and other information resources.” NIST Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems."

System of Records: [A] group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.” Privacy Act of 1974, 5 U.S.C. § 552a."

System Security Plan: Formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements. [NIST Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems, Revision 1]."


T

Tactical Intelligence: Information regarding a specific criminal event that can be used immediately by operational units to further a criminal investigation, plan tactical operations and provide for officer safety.” IACP Model Policy on Criminal Intelligence."

Target Capabilities: The term target capabilities means the target capabilities for Federal, State, local, and tribal government preparedness for which guidelines are required to be established under section 646(a) of the Post-Katrina Emergency Management Reform Act of 2006 (6 U.S.C. 746(a)).” Implementing the 9/11 Commission Recommendations Act of 2007, Public Law 110-53, Section 2001."

Tasking, Collection, Processing, Exploitation, and Dissemination (TCPED): The process of effectively using National Technical Means (NTM). Civil Applications Committee, at 28."

Technical Controls: Hardware and software controls used to provide automated protection to the system or applications. Technical controls operate within the technical system and applications.” NIST Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems. “The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.” NIST Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems."

Technical Safeguards: The technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” Standards for Privacy of Individually Identifiable Health Information (“HIPAA Privacy Rule”), 45 CFR Parts 160 and 164."

Technical Standards: Specific technical methodologies and practices to design and implement information sharing capability into ISE systems.” Information Sharing Environment Administrative Memoranda, Common Terrorism Information Sharing Standards (CTISS) Program, at 2 (Oct. 2007)."

Telecommunications: means the preparation, transmission, or communication of information by electronic means.” Executive Order 13292, Classified National Security Information, Section 6.1(mm); “The transmission, between or among points specified by the user, of information of the user’s choosing, without change in the form or content of the information as sent and received.” NIST Special Publication 800-59, Guideline for Identifying an Information System as a National Security System."

Temporary Records: Those records that are designated for either immediate disposal or for disposal after a specified period of time or an event, in accordance with a NARA-approved Request for Records Disposition (SF 115) or the General Records Schedule. Temporary records may document DHS business processes or document legal rights of the government or the public, document government accountability, or contain information of administrative or fiscal value. Depending on the type of record, the retention period may range from immediate destruction to as long as 100 years.” DHS Management Directive Number 0550.1, Records Management; “Temporary records will be maintained and disposed of only in accordance with an approved records control schedule. Records classified as temporary should not be retained beyond their authorized retention period; nor will they be destroyed or otherwise disposed of prior to the end of their authorized retention period.” DHS Records Management Handbook; “A record approved by the appropriate authority for disposal, either immediately or after a specified retention period.” National Archives and Records Administration, Electronic Records Glossary."

Terrorism: means any activity that— (A) involves an act that— (i) is dangerous to human life or potentially destructive of critical infrastructure or key resources; and (ii) is a violation of the criminal laws of the United States or of any State or other subdivision of the United States; and (B) appears to be intended— (i) to intimidate or coerce a civilian population; (ii) to influence the policy of a government by intimidation or coercion; or (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping.” The Homeland Security Act, 6 U.S.C. section 101(15)."

Terrorism Information: means all information, whether collected, produced, or distributed by intelligence, law enforcement, military, homeland security, or other activities relating to— (A) the existence, organization, capabilities, plans, intentions, vulnerabilities, means of finance or material support, or activities of foreign or international terrorist groups or individuals, or of domestic groups or individuals involved in transnational terrorism; (B) threats posed by such groups or individuals to the United States, United States persons, or United States interests, or to those of other nations; (C) communications of or by such groups or individuals; or (D) groups or individuals reasonably believed to be assisting or associated with such groups or individuals.” Intelligence Reform and Terrorism Prevention Act, P.L. 108-458, Section 1016 and Executive Order 13356, Strengthening the Sharing of Terrorism Information To Protect Americans; Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Information Sharing Environment Implementation Plan, Glossary (November 2006); “all information, whether collected, produced, or distributed by intelligence, law enforcement, military, homeland security, or other activities relating to— “(i) the existence, organization, capabilities, plans, intentions, vulnerabilities, means of finance or material support, or activities of foreign or international terrorist groups or individuals, or of domestic groups or individuals involved in transnational terrorism; “(ii) threats posed by such groups or individuals to the United States, United States persons, or United States interests, or to those of other nations; “(iii) communications of or by such groups or individuals; or “(iv) groups or individuals reasonably believed to be assisting or associated with such groups or individuals; and “(B) includes weapons of mass destruction information.” Implementing the 9/11 Commission Recommendations Act of 2007, Public Law 110-53, Section 504 (amending the definition of this term as used in IRTPA to include weapons of mass destruction information); Strengthening the Sharing of Terrorism Information to Protect Americans; ISE Privacy and Civil Liberties Implementation Workbook, Appendix H, ISE Privacy Guidelines Definitions."

Terrorist Identities Datamart Environment (TIDE) Database: Program adopted by the National Counterterrorism Center that “provides for the automatic expansion of names to incorporate 26 phonetic, cultural, and character variations, as well as combinations of these variations. Since one name can be spelled multiple ways, the software manufacturer claims to use search techniques that allow maximum efficiency in query results.” U.S. Department of Justice Office of the Inspector General Audit Division, Review of the Terrorist Screening Center, Audit Report 05-27, at 26-27 (June, 2005); “Terrorist Identities Datamart Environment (TIDE) serves as the central knowledge base for all source information on international terrorist identities for use by the US counterterrorism community. TIDE distributes a “sensitive but unclassified” extract to the Terrorist Screening Center (TSC). The TSC, in turn, validates this information and provides it to Federal departments and agencies and select foreign governments that use this information to screen for terrorists. TIDE contains over 400,000 names/aliases, representing over 300,000 unique individuals. To further increase information sharing and decrease the potential for “false positives,” additional identifiers are passed to the TSC to aid in screening opportunities. TIDE is made available to the majority of the terrorism analytic community via NCTC Online.” NCTC and Information Sharing: Five Years Since 9/11: A Progress Report."

Terrorist Organization: means an organization— (I) designated under section 219; “(II) otherwise designated, upon publication in the Federal Register, by the Secretary of State in consultation with or upon the request of the Attorney General, as a terrorist organization, after finding that the organization engages in the activities described in subclause (I), (II), or (III) of clause (iv), or that the organization provides material support to further terrorist activity; or “(III) that is a group of two or more individuals, whether organized or not, which engages in the activities described in subclause (I), (II), or (III) of clause (iv).” USA PATRIOT Act, Public Law 107-56, Section 411."

Terrorist-Related Screening: means the collection, analysis, dissemination, and use of information related to people, cargo, conveyances, and other entities and objects that pose a threat to homeland security. Terrorist-related screening also includes risk assessment, inspection, and credentialing.” Homeland Security Presidential Directive/HSPD-11, Comprehensive Terrorist-Related Screening Procedures."

Terrorist Threat Integration Center (“TTIC”): was established on May 1, 2003, to develop comprehensive threat assessments through the integration and analysis of terrorist information collected domestically and abroad by the U.S. government. On August 27, 2004, the President signed an Executive Order establishing the National Counterterrorism Center (NCTC) to which all functions and activities of the TTIC were transferred.” U.S. Department of Justice Office of the Inspector General Audit Division, Review of the Terrorist Screening Center, Audit Report 05-27, at 6 n24 (June, 2005)."

Text Documents: means narrative or tabular documents, such as letters, memorandums, and reports, in loosely prescribed form and format. National Archives and Records Administration, Electronic Records Management Regulations, 36 CFR 1234."

Threat: An activity, deliberate or unintentional, with the potential for causing harm to an automated information system or activity.” NIST Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems; “An entity or event with the potential to harm a system.” NIST Special Publication 800-21, Guideline for Implementing Cryptography In the Federal Government; “The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.” NIST Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems; “Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability.” NIST FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems."

Threat Image Projection System: means an evaluation tool that involves periodic presentation of fictional threat images to operators and is used in connection with x-ray or explosives detection systems equipment.” Sensitive Security Information, 49 CFR Part 1520.3."

Threat Source: The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability. Synonymous with threat agent."

Threshold for Criminal Intelligence: The threshold for collecting information and producing criminal intelligence shall be the ‘reasonable suspicion’ standard in 28 CFR, Part 23, Section 23.3 c.” IACP Model Policy on Criminal Intelligence."

TIPOFF System: Beginning in 1987, the Department of State’s Bureau of Intelligence and Research began keeping watch list (lookout) records on known and suspected international terrorists in its “TIPOFF” system. The Department of State obtained information for lookout records from intelligence community terrorism-related reports, Visa Viper cables generated by consular officers stationed abroad, law enforcement agencies, and other sources. This information was stored in the classified TIPOFF system. To operate as a watch list, declassified TIPOFF records were exported to databases used by the State Department’s Bureau of Consular Affairs as well as systems accessed by border patrol and immigration agents.” “In September 2003, the new Terrorist Threat Integration Center (TTIC) [now the National Counterterrorism Center] assumed the responsibility for establishing and maintaining a single repository for international terrorist information. As a result, the State Department transferred the TIPOFF system to TTIC as a foundation for the new system. NCTC plans to replace TIPOFF with a new database—the Terrorist Identities Datamart Environment (TIDE), which is expected to come on line in mid-2005. According to officials at NCTC, TIDE incorporates analysis with the “watch list” component of the TIPOFF database to create a system capable of utilizing watch list data to make analytical associations that identify terrorist threats.” U.S. Department of Justice Office of the Inspector General Audit Division, Review of the Terrorist Screening Center, Audit Report 05-27, at 7 (June, 2005)."

Top Secret: shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security that the original classification authority is able to identify or describe.” Executive Order 13292, Classified National Security Information, Section 1.2(a)(1)."

Transaction Intermediary: An entity that is involved in or handles a credential transaction, but that does not act as the ultimate arbiter of the transaction’s authenticity or trustworthiness. NIST Draft Special Publication 800-103, An Ontology of Identity Credentials, Part 1: Background and Formulation."

Transmission Data: Information in electronic mail systems regarding the identities of sender and addressee(s), and the date and time messages were sent. National Archives and Records Administration, Electronic Records Management Regulations, 36 CFR 1234."

Transnational Threat: means the following: (A) Any transnational activity (including international terrorism, narcotics trafficking, the proliferation of weapons of mass destruction and the delivery systems for such weapons, and organized crime) that threatens the national security of the United States; (B) Any individual or group that engages in an activity referred to in subparagraph (A).” (Definition applies only to the particular subsection in which it is found in the National Security Act, Public Law 235, Section 101)."

Transportation Security Information: The term 'transportation security information' means information relating to the risks to transportation modes, including aviation, public transportation, railroad, ferry, highway, maritime, pipeline, and over-the-road bus transportation, and may include specific and general intelligence products, as appropriate. Implementing the 9/11 Commission Recommendations Act of 2007, Public Law 110-53, Section 1203."

Trap and Trace Device: means a device or process which captures the incoming electronic or other impulses which identify the originating number or other dialing, routing, addressing, and signaling information reasonably likely to identify the source of a wire or electronic communication, provided, however, that such information shall not include the contents of any communication.” Electronic Communications Privacy Act, 18 U.S.C. Section 2510 (as amended by the USA PATRIOT Act). See also, Pen Register."

Treasury Enforcement Communications System (TECS): is “a large computerized information system containing more than a billion records in 700 tables, designed to identify individuals, businesses, and vehicles suspected of or involved in violation of federal law. TECS is also a communications system permitting message transmittal between law enforcement offices and other federal, state, and local law enforcement agencies. The database provides access to the FBI’s NCIC and the National Law Enforcement Telecommunications System (NLETS). The TECS database serves as the principal information system supporting border management and the law enforcement mission of the DHS’s U.S. Customs and Border Protection (CBP) and other federal law enforcement agencies.” U.S. Department of Justice Office of the Inspector General Audit Division, Review of the Terrorist Screening Center, Audit Report 05-27, at 7 (June, 2005)."

Tribal Government: The term tribal government means the government of an Indian tribe. Implementing the 9/11 Commission Recommendations Act of 2007, Public Law 110-53, Section 2001."

Trojan Horse: A computer program containing an apparent or actual useful function that also contains additional functions that permit the unauthorized collection, falsification, or destruction of data.” NIST Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems."

Trust: Permitted action to be performed only for the intended purpose. NIST Draft Special Publication 800-103, An Ontology of Identity Credentials, Part 1: Background and Formulation."

Two-Factor Authentication: Typically this means that for Level 3 or 4 [authentication as defined in NIST Special Publication 800-63, Electronic Authentication Guideline.] a password or biometric is used to activate a key. Alternatively, a password protocol may be used in conjunction with a soft token, hard token, or one-time password token to achieve two-factor authentication. NIST Special Publication 800-63, Electronic Authentication Guideline."
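The second arrangement in that definition, a password protocol used together with a one-time password token, is the combination most deployments actually use. The Python below is an added example, not code from NIST SP 800-63 or from any of this glossary's sources: it implements the RFC 4226/6238 HOTP/TOTP code derivation with the standard library, stores the password factor as a salted PBKDF2 hash, and accepts a login only when both factors verify. The user-record layout and the enroll/authenticate function names are constructed for illustration; the 20-byte secret is the published RFC 6238 test secret, so the codes it produces can be checked against the table in that RFC.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Constructed for this example: the 20-byte ASCII secret is the RFC 6238
# test secret, so the codes produced below match the RFC's reference table.
RFC6238_TEST_SECRET = b"12345678901234567890"
PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def match_totp(secret, code, at, step=30, digits=6, window=1):
    """Return the time-step counter the submitted code matched, or None.
    `window` tolerates +/- that many steps of clock drift between token and
    server. The loop never returns early, so timing does not reveal which
    step (if any) matched."""
    if not (isinstance(code, str) and code.isascii()
            and code.isdigit() and len(code) == digits):
        return None
    base = at // step
    matched = None
    for delta in range(-window, window + 1):
        candidate = base + delta
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            matched = candidate
    return matched


def enroll(username, password, totp_secret=None):
    """Create a user record holding both factors: a salted PBKDF2 hash of the
    password and the shared TOTP secret (hypothetical record layout)."""
    salt = secrets.token_bytes(16)
    return {
        "username": username,
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret or secrets.token_bytes(20),
        "last_counter": -1,  # highest time-step already accepted; blocks replay
    }


def check_password(record, password):
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(cand, record["pw_hash"])


def authenticate(record, password, code, at=None):
    """Two-factor login: the password and a fresh TOTP code must both verify.
    Both factors are always evaluated, and the code's time-step is consumed
    only on success, so a guess with a wrong password cannot burn a valid code."""
    if at is None:
        at = int(time.time())
    pw_ok = check_password(record, password)
    matched = match_totp(record["totp_secret"], code, at)
    otp_ok = matched is not None and matched > record["last_counter"]
    if pw_ok and otp_ok:
        record["last_counter"] = matched
        return True
    return False


if __name__ == "__main__":
    user = enroll("alice", "correct horse battery staple", RFC6238_TEST_SECRET)
    now = 59  # RFC 6238 table: T=59 is time-step 1, six-digit code 287082
    code = totp(RFC6238_TEST_SECRET, now)
    print(authenticate(user, "correct horse battery staple", code, now))  # True
    print(authenticate(user, "correct horse battery staple", code, now))  # False: replay
```

The replay check matters as much as the code derivation: RFC 6238 requires that a verifier never accept the same code twice, and `last_counter` enforces that by refusing any step at or below the last one used. Recording the consumed step only after the password also verified is the detail that keeps the one-time code from being spent by an attacker who has the token value but not the password.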


U

Unauthorized Disclosure: means a communication or physical transfer of classified information to an unauthorized recipient.” Executive Order 13292, Classified National Security Information, Section 6.1(nn)."

United States Person: means the following: (A) A United States citizen; (B) An alien known by the intelligence agency concerned to be a permanent resident alien; (C) An unincorporated association substantially composed of United States citizens or permanent resident aliens; (D) A corporation incorporated in the United States, except for a corporation directed and controlled by a foreign government or governments.” (Definition applies only to the particular subsection in which it is found in the National Security Act, Public Law 235, Section 105A); “Means a citizen of the United States, an alien lawfully admitted for permanent residence (as defined in section 1101 (a)(20) of title 8), an unincorporated association a substantial number of members of which are citizens of the United States or aliens lawfully admitted for permanent residence, or a corporation which is incorporated in the United States, but does not include a corporation or an association which is a foreign power, as defined in subsection (a)(1), (2), or (3) of this section.” Foreign Intelligence Surveillance Act, 50 U.S.C. Section 1801; “United States person means a United States citizen, an alien known by the intelligence agency concerned to be a permanent resident alien, an unincorporated association substantially composed of United States citizens or permanent resident aliens, or a corporation incorporated in the United States, except for a corporation directed and controlled by a foreign government or governments.” United States Intelligence Activities, Executive Order 12333, Section 3.4(i); “As used in this chapter, the term “United States person” means any United States citizen or alien admitted for permanent residence in the United States, and any corporation, partnership, or other organization organized under the laws of the United States.” Cuban Democracy Act, 22 U.S.C. Section 6010; “The term 'United States person' means: 1. A citizen or resident of the United States, 2. A partnership created or organized in the United States or under the law of the United States or of any State, 3. A corporation created or organized in the United States or under the law of the United States or of any State, or 4. Any estate or trust other than a foreign estate or foreign trust.” Internal Revenue Service website."

United States: The term “United States”, when used in a geographical sense, means any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, Guam, American Samoa, the Commonwealth of the Northern Mariana Islands, any possession of the United States, and any waters within the jurisdiction of the United States. [Homeland Security Act of 2002, 6 U.S.C. 101].” Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Information Sharing Environment Implementation Plan, Glossary (November 2006)."

Universal Core (UCore): A joint technical standard that defines a small set of context-free data elements for loosely-coupled information sharing at the national level. Office of the Director of National Intelligence, Program Manager, Information Sharing Environment, Information Sharing Environment (ISE) Functional Standard (FS) Suspicious Activity Reporting (SAR), at 2 (January 2008)."

Unnecessary Duplication: Information similar to or corresponding to information that could serve the agency’s purpose and is already accessible to the agency.” GAO, Federal Information collection: A Reexamination of the Portfolio of Major Federal Household Surveys is Needed, at 2. (Paperwork Reduction Act reference)."

Unscheduled Records: Federal records for which a disposition has not been assigned in a records schedule. National Archives and Records Administration, Electronic Records Glossary."

Use: With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.” Standards for Privacy of Individually Identifiable Health Information (“HIPAA Privacy Rule”), 45 CFR Parts 160 and 164."

User: Any person or entity who: (A) uses an electronic communication service; and (B) is duly authorized by the provider of such service to engage in such use. Electronic Communications Privacy Act, 18 U.S.C. Section 2510; “[A] person or entity with authorized access.” Standards for Privacy of Individually Identifiable Health Information (“HIPAA Privacy Rule”), 45 CFR Parts 160 and 164; Individual or (system) process authorized to access an information system. [CNSS Instruction 4009]"

Utility: refers to the usefulness of the information to its intended users, including the public. In assessing the usefulness of information that the agency disseminates to the public, the agency needs to consider the uses of the information not only from the perspective of the agency but also from the perspective of the public. As a result, when transparency of information is relevant for assessing the information’s usefulness from the public’s perspective, the agency must take care to ensure that transparency has been addressed in its review of the information.” OMB Guidelines for Ensuring and Maximizing the Quality, Objectivity, Utility, and Integrity of Information Disseminated by Federal Agencies."


V

Validation: Verification that something is correct or conforms to a certain standard. In data collection or data entry, it is the process of ensuring that the data that are entered fall within the accepted boundaries of the application collecting the data. For example, if a program is collecting last names to be entered in a database, the program validates that only letters are entered and not numbers; or in a survey collecting data in the form of “yes” or “no” questions, the program validates that only those responses are used and not some other word. NIST Draft Special Publication 800-103, An Ontology of Identity Credentials, Part 1: Background and Formulation."

Validation of Information: (§23.3 (b)(6)) means the procedures governing the periodic review of criminal intelligence information to assure its continuing compliance with system submission criteria established by regulation or program policy. Criminal Intelligence Systems Operating Policies, 28 CFR Part 23, at Section 23.3(b)."

Validation Service: An entity that receives requests from Relying Parties to determine the status of a credential, and that returns the status of the credential, as updated by the Issuing Authority. NIST Draft Special Publication 800-103, An Ontology of Identity Credentials, Part 1: Background and Formulation."

Verification: In a biometric security system, the process of comparing a biometric sample against a single reference template of a specific user in order to confirm the identity of the person trying to gain access to a system. NIST Draft Special Publication 800-103, An Ontology of Identity Credentials, Part 1: Background and Formulation."

Violent Gang and Terrorist Organizations File (VGTOF): The FBI’s Violent Gang and Terrorist Organizations File (VGTOF), created in October 1995 to track individuals associated with gangs and terrorist organizations, is a component of the National Crime Information Center (NCIC). Each record within the file is identified as either a gang or a terrorist record. The universe of terrorist records in the NCIC/VGTOF file represents individuals of interest to law enforcement due to suspected or known ties to international or domestic terrorism.” U.S. Department of Justice Office of the Inspector General Audit Division, Review of the Terrorist Screening Center, Audit Report 05-27, at 6-7 (June, 2005)."

Virtual Private Network (VPN): A data network that enables two or more parties to communicate securely across a public network by creating a private connection, or “tunnel,” between them.” NIST Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems."

Visa Viper: This program “is a State Department initiative created after the World Trade Center Bombing in 1993, when the State Department realized that hundreds of cables discussing terrorists had been initiated, but did not necessarily direct an individual to be watch listed. As a result, the Visa Viper program required Consular Affairs posts and other participating agencies to coordinate the submission of cables providing this specific direction on known or suspected terrorists. The program is congressionally mandated, and reports on program activities must be submitted to Congress on a monthly basis.” U.S. Department of Justice Office of the Inspector General Audit Division, Review of the Terrorist Screening Center, Audit Report 05-27, at 6 n23 (June, 2005)."

Vital Records: These types of records are essential to the continued function or reconstruction of an organization during and after an emergency. Refer to the NARA’s publication entitled “Vital Records and Records Disaster Mitigation and Recovery” for guidance on handling these types of records. The emergency preparedness needs of DHS will be met through the identification of vital records and pre-positioning copies of them at strategic locations for ready accessibility in the event of a national or local natural or technological disaster.” DHS Records Management Handbook."

Voluntary or Voluntarily: when used in reference to any submission of CII to DHS, means submitted in the absence of DHS’s exercise of legal authority to compel access to or submission of such information; such submission may be accomplished by (i.e. come from) a single entity or an ISAO on behalf of itself or its members. The term does not include information or statements submitted or relied upon as a basis for making licensing or permitting determinations, or during regulatory proceedings. In the case of any action brought under the securities laws—as is defined in section 3(a)(47) of the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)(47)) the term “voluntary” does not include information or statements contained in any documents or materials filed, pursuant to section 12(i) of the Securities Exchange Act of 1934 (15 U.S.C. 78l(i)) with the Securities and Exchange Commission or with Federal banking regulators; and with respect to the submission of CII, it does not include any disclosure or writing that when made accompanied the solicitation of an offer or a sale of securities.” DHS Procedures for Handling Critical Infrastructure Information, 6 CFR Sec. 29.2 (j)."

Voluntary Consensus Standards: Standards developed or adopted by voluntary consensus standards bodies, both domestic and international (OMB Circular A-119).” Information Sharing Environment Administrative Memoranda, Common Terrorism Information Sharing Standards (CTISS) Program, at 2 (Oct. 2007)."

Vulnerability: A flaw or weakness that may allow harm to occur to an automated information system or activity.” NIST Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems; A condition or weakness in (or absence of) security procedures, technical controls, physical controls, or other controls that could be exploited by a threat. NIST Special Publication 800-21, Guideline for Implementing Cryptography In the Federal Government; A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy. NIST Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems; “A security exposure or mis-configuration in an operating system or other system software or application software component that allows the security policy to be violated. A variety of organizations maintain publicly accessible databases of vulnerabilities based on version number of the software. Many vulnerabilities can potentially compromise the system or network if successfully exploited.” NIST Special Publication 800-40, Creating a Patch and Vulnerability Management Program; “Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.” NIST FIPS Publication 200, Minimum Security for Federal Information Systems."

Vulnerability Assessment: means any review, audit, or other examination of the security of a transportation infrastructure asset; airport; maritime facility, port area, vessel, aircraft, train, commercial motor vehicle, or pipeline, or a transportation-related automated system or network, to determine its vulnerability to unlawful interference, whether during the conception, planning, design, construction, operation, or decommissioning phase. A vulnerability assessment may include proposed, recommended, or directed actions or countermeasures to address security concerns.” Sensitive Security Information, 49 CFR Part 1520.5."


W

Warrant Information Network: The United States Marshals Service maintains a Warrant Information Network that contains information on all persons with existing federal warrants. The TSC [Terrorist Screening Center] does not consider the information contained within this list to be a terrorist watch list. This information is maintained for the purpose of readily identifying all wanted persons and persons with existing warrants. While used as a source of additional data for terrorist screening, this list provides no independent terrorist watch list function.” U.S. Department of Justice Office of the Inspector General Audit Division, Review of the Terrorist Screening Center, Audit Report 05-27, at 9 (June, 2005)."

Weapons of Mass Destruction: means chemical, biological, radiological, and nuclear weapons.” Executive Order 13292, Classified National Security Information, Section 6.1(pp). Weapons of Mass Destruction Information is defined in IRTPA Section 1016 (codified at 6 USC 485) as information that could reasonably be expected to assist in the development, proliferation, or use of a weapon of mass destruction (including a chemical, biological, radiological, or nuclear weapon) that could be used by a terrorist or terrorist organization against the United States, including information about the location of a stockpile of nuclear materials that could be exploited for use in such a weapon that could be used by a terrorist or terrorist organization against the United States. ISE Privacy and Civil Liberties Implementation Workbook, Appendix H, ISE Privacy Guidelines Definitions."

Weapons of Mass Destruction Information: means information that could reasonably be expected to assist in the development, proliferation, or use of a weapon of mass destruction (including a chemical, biological, radiological, or nuclear weapon) that could be used by a terrorist or a terrorist organization against the United States, including information about the location of any stockpile of nuclear materials that could be exploited for use in such a weapon that could be used by a terrorist or a terrorist organization against the United States.” Implementing the 9/11 Commission Recommendations Act of 2007, Public Law 110-53, Section 504."

Web Beacons: Also called Web bugs, pixel tags or clear GIFs, these file objects (typically a single transparent pixel invisible to the user) are used along with cookies to help track the behavior of Web site visitors. Users can set their browsers to accept or decline a cookie, but a Web bug always arrives; it’s just another graphic on the page. Turning off cookies will prevent tracking your specific activity, but the Web beacon can still record an anonymous visit through your IP address. Web beacons are typically used by a third party to centralize monitoring from a number of different sites. Web bugs can be put to positive use, such as to track copyright violations on the Web. Computer World."

Wire Communication: means any communication while it is being carried by a wire, cable, or other like connection furnished or operated by any person engaged as a common carrier in providing or operating such facilities for the transmission of interstate or foreign communications.” Foreign Intelligence Surveillance Act; “Any aural transfer made in whole or in part through the use of facilities for the transmission of communications by the aid of wire, cable, or other like connection between the point of origin and the point of reception (including the use of such connection in a switching station) furnished or operated by any person engaged in providing or operating such facilities for the transmission of interstate or foreign communications or communications affecting interstate or foreign commerce.” Electronic Communications Privacy Act, 18 U.S.C. Section 2510."

Worm: A computer program or algorithm that replicates itself over a computer network and usually performs malicious actions.” NIST Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems; “A type of malicious code particular to networked computers. It is a self-replicating program (unlike a virus which needs a host program) which works its way through a computer network exploiting vulnerable hosts, replicating and causing whatever damage it was programmed to do.” NIST Special Publication 800-40, Creating a Patch and Vulnerability Management Program."


X

There are no 'X' terms.


Y

There are no 'Y' terms.


Z

There are no 'Z' terms.


Source: Page created by the DHS/Office for Civil Rights and Civil Liberties and the DHS/Privacy Office in cooperation with the DOJ, Office of Justice Programs.
Last date revised: 04/12/10