a
- Air Force Evaluated Products List - The Air Force Evaluated Products List is a list of products evaluated and approved for use within the U.S. Air Force. Applicability: Includes specific lists for different Air Force programs and capabilities. The list is not publicly available and is used for internal Air Force purposes. URL: Process to become an evaluated product
- Authorization and Attestation (A&A) - Stands for the Accreditation and Attestation process. It involves different roles within the Defense Department and system compliance processes. Accreditation and Attestation (ANA) Process Definition by the Speaker: The ANA process refers to Accreditation and Attestation, a comprehensive framework involving different roles within the Defense Department and compliance processes. This encompasses the management and certification of […]
- Authorization Official (AO) - Authorization Official. A decision-maker overseeing system certifications, responsible for formal acceptance or denial of risk in compliance packages. The Authorization Official must be a senior official, or of a rank able to accept the risk of an operational system on behalf of the organization. Within the DoD the AO is the Component head; PAO for MA- […]
b
- Boundary Diagram - In the context of Ignite and its customers, a boundary diagram outlines what is within the scope of a system or solution and what is outside of it. It represents the system’s boundaries and usually involves a delineation between internal and external components. It can vary in complexity from simple to intricate, indicating the level […]
c
- Center for Internet Security (CIS) Benchmarks - CIS Benchmarks are complementary standards that provide guidance on secure configuration settings for various software, systems, and platforms. The CIS benchmarks are publicly available, and come in two different levels, 1 and 2. Level 1 provides a basic set of security configurations for the system, whereas level 2 enhances the security posture. Similar to the […]
- Certified Third Party Assessment Organization (C3PAO) - This is a Cybersecurity Maturity Model Certification (CMMC) term associated with organizations certified to perform CMMC Assessments, or pending organizations that can provide consulting services.
- Cloud Native Computing Foundation (CNCF) - The Cloud Native Computing Foundation (CNCF) is a non-profit aimed at improving the adoption and use of cloud technologies. They are taking on the responsibility of stewarding projects, fostering growth, making technology accessible and reliable. URL: Cloud Native Computing Foundation CNCF Charter
- Command Cyber Readiness Inspection (CCRI) - The Command Cyber Readiness Inspection evaluates an organization’s security posture and related processes. The inspection is led by the Department of Defense (DoD) according to DoD standards and requirements applicable to Federal information systems and systems associated with national security. The inspection focuses more on the people’s side of security, and evaluates the processes […]
- Committee on National Security Systems Instruction (CNSSI) - Committee on National Security Systems Instruction. Pertains to critical national security systems, often linked to ICD and aligns with NIST 800-53 controls. Applicability: Relevant in national security systems (e.g. Confidential, Secret), highly sensitive government infrastructure. For NSS, where differences between the NIST documentation and this Instruction occur, this Instruction takes precedence. URL: CNSSI Information […]
- Common Control - A Common Control is a security control that can be implemented and inherited across multiple systems or solutions within an organization. It serves as a foundational element in managing security risks across various systems, allowing for consistent application and management of security measures. As an example, a common control within an information system could be […]
- Common Control Identification (CCI) - Refers to standardized control identifiers used in managing and tracking security controls. The CCI contains the 2-letter acronym associated with the control, as well as the primary and sub-control number for the primary control and sub-control: AC-01-00-00 = Access Control Family (AC-01), Primary Control (00), subcontrol (00); AC-02-01-01 = Access Control Family (AC-02), Primary Control […]
- Common Control Provider (CCP) - Applicability: Applies to federal information systems that use or share resources, internal or external to the organization, that provide the services the mission system or network needs in order to operate. URL:
- Common Criteria - Common Criteria is an international standard for evaluating and certifying the security features and capabilities of information technology products. The system under review is verified as meeting a set of standards that allows for a quick comparison of the security features available, based on what the developer states is in place. When reviewing the results of the […]
- Common Vulnerabilities and Exposures (Common Vulnerability Enumeration) - CVEs (Common Vulnerabilities and Exposures) are standardized identifiers for known vulnerabilities in software and hardware systems. CVEs are reported to the vendor and managed by the MITRE Corporation. The CVE number and naming system comprise the year the vulnerability was identified and the sequence number. Each CVE is rated with a Common Vulnerability Score, using […]
- Control Statement - A specific requirement or guideline within NIST 800-53 controls. Can cause scope creep if not properly understood. A control statement is the description of the organization’s system or processes and how the organization meets the control under review. For each of the controls, the […]
- Controlled Unclassified Information (CUI) Basic - Controlled Unclassified Information (CUI) Basic is used when there are no prescribed methods of handling the information. URL: CUI Training Guide CUI Registry | National Archives
- Controlled Unclassified Information (CUI) Registry - The Controlled Unclassified Information Registry (CUI Registry) is the location on the Internet where NARA has implemented the definitions and guidance for CUI handling and marking requirements. The Registry contains such information as categories, marking requirements, decontrol procedures, as well as links to the overarching requirements from Executive Orders and the Federal Register. URL: Registry
- Controlled Unclassified Information (CUI) Specified (SP) - Controlled Unclassified Information Specified (CUI Specified) is governed by federal laws and regulations, for example Personally Identifiable Information and Health Information, which are governed by the Privacy Act and the Health Insurance Portability and Privacy Act. With CUI Specified, the requirements for handling, management and storage are already defined. URL: CUI Training Guide CUI Registry | […]
- Customer Account Representative (CAR) - Assists in moving compliance packages and certifications through the approval process. The responsibilities of the CAR include addressing and prioritizing customer complaints or grievances of assigned clients, and collaborating with stakeholders to ensure the customers of the service are satisfied with the delivery of vendor provided services. Applicability: Applicable in customer representation, package movement through […]
- Cybersecurity Maturity Model Certification (CMMC) - CMMC is a cybersecurity framework and certification process designed to ensure that contractors in the defense industrial base meet specific cybersecurity maturity levels. The CMMC security requirements are based upon the NIST SP 800-53 and corresponding risk designation. Three levels exist, based on the information types processed by the organization, and the relationship with the […]
d
- Data Classification - Data Classification is the method an organization uses to determine the type of information it holds and the risk to the organization if that information were mishandled, shared with personnel who had no requirement to know it, or altered in a way that could have a drastic impact on the company. There are public and […]
- Defense Counterintelligence Security Agency (DCSA) - The Defense Counterintelligence Security Agency (DCSA) is responsible for identifying, managing and responding to foreign intelligence threats to the United States by working in conjunction with U.S. Intelligence, Security, and Law Enforcement counterparts. They work towards protecting the trusted workforce and the cleared national industrial base, including the supply chains and personnel. They are also entrusted […]
- Department of Defense (DoD) Information Assurance and Certification Accreditation Process (DIACAP) - Refers to the DoD Information Assurance and Certification Accreditation Process based on DoD Instruction 8510.00. It is an old method, superseded by the DoD Risk Management Framework (RMF), or Department of Defense Instruction (DoDI) 8510, for DoD systems. DIACAP required that Information Systems undergo the certification and accreditation process every three (3) years, and didn’t consider risks or […]
- Department of Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) - The Department of Defense (DoD) Industrial Base Cybersecurity Assessment Center (DIBCAC) is the organization within the DoD responsible for the coordination and management of risks associated with contractors and their compliance with Department of Defense Federal Acquisition Regulation Supplements (DFARS) clause 252.204-7020, as well as NIST SP 800-171 and DoD Assessment Requirements. The DIBCAC maintains and […]
- Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) - Stands for Department of Defense Information Technology Security Certification and Accreditation Process. A predecessor to DIACAP in the government’s cybersecurity evolution, which is now obsolete as of 2006. DITSCAP was replaced by DoD Information Assurance Certification and Accreditation Process (DIACAP), followed by DoD RMF 8510, which is based on NIST 800-37. DITSCAP replaced the ‘Rainbow […]
- Designated Accrediting Authority (DAA) - A high-ranking officer responsible for authorization approvals, typically having theoretical knowledge but not directly involved in the process details. The Authorization Official must be a senior official, or of a rank able to accept the risk of an operational system on behalf of the organization. The term DAA was replaced with the term Authorizing Official (AO), […]
- DOD Approved Products Lists (APL) - DOD Approved Products Lists are lists compiled by the Department of Defense (DOD) that specify approved products, tools, or technologies eligible for use in DOD systems. Applicability: Relevant to organizations seeking accreditation (ATO) for their technologies within the DOD. These lists ensure that technologies meet security and compliance standards. URL: DOD Approved Products List (APL)
f
- Facility Clearance Level (FCL) - A facility clearance level is issued by the Department of State and applies to the business entity. The clearance level is not the same as physical security of the office building. The FCL is a determination of the DoS as to the safeguards in place to prevent and detect foreign influence and company ownership of […]
- Federal Information Processing Standards (FIPS) - Federal Information Processing Standards (FIPS) is a set of standards developed by and for Federal Information Systems. Similar to the NIST documentation, the FIPS provides the instructions for specific areas within the systems implementation. There are several FIPS standards that apply to the design and implementation of an information system, FIPS 140, FIPS 199, and […]
- Federal Information Systems Modernization or Management Act (FISMA) - It’s crucial in contract language when managing federal systems or data and is required for institutions dealing with the US Government. FISMA points to the federal agencies to leverage the National Institute of Standards and Technology (NIST) special publications (SP) for implementing secure systems. FISMA also requires that each federal agency define a budget, issue […]
- Federal Risk and Authorization Management Program (FedRAMP) - The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government program that standardizes the security assessment, authorization, and continuous monitoring processes for cloud products and services. Applicability: Applies to cloud service providers, including infrastructure, software, and platform services. Aims to provide authorized cloud services for government agencies. URL: FedRAMP Marketplace
i
- Information Assurance Manager (IAM) - A role previously synonymous with ISSM, focused on managing information assurance. The term IAM was replaced in 2012 with Information System Security Manager (ISSM). The position is responsible for maintaining situational awareness and remediation activities of the assigned system. Applicability: Relevant in cybersecurity roles, compliance audits, and system security. URL: STIG Overview NIST RMF
- Information Assurance Officer (IAO) - Conducts auditing roles within systems. The term IAO was replaced in 2012 with Information System Security Officer (ISSO). Applicability: Relevant in auditing roles, security oversight, and compliance. URL: Navy IA Handbook Chairman of the Joint Chief of Staff Instruction (CJCSI) 8410.02
- Information System Security Engineer (ISSE) - Involved in automation, STIG compliance, and software development; requires expertise in technical and process risk mitigation techniques. The ISSE is involved in the requirements and design, implementation, and testing phases of the System Development Lifecycle. Applicability: Applicable in technical cybersecurity roles, STIG compliance, and automation. URL: Cybersecurity Engineering Overview NIST RMF
- Information System Security Manager (ISSM) - Responsible for managing security systems, grading System Security Plans (SSP), and overseeing control responses. The ISSO is appointed by the Program Manager or the System Owner. Applicability: Applicable in cybersecurity roles, security management, and compliance. URL: NIST SP 800-37 Documentation Chairman of the Joint Chief of Staff Instruction (CJCSI) 8410.02 DoDI 8510.01 DoD RMF
- Information System Security Officer (ISSO) - Conducts system audits and ensures system compliance, especially regarding Security Technical Implementation Guides (STIGs). The ISSO is appointed by the Program Manager or the System Owner. Applicability: Relevant in cybersecurity roles, compliance audits, and system security. URL: STIG Overview Chairman of the Joint Chief of Staff Instruction (CJCSI) 8410.02 DoDI 8510.01 DoD RMF
- Information Types - National Institute of Standards and Technology Special Publication 800-60 describes how to label and describe the types of information within an organization. The instruction provides guidance on how to classify information and map the data to the type of information, such as privacy, medical, sensitive, trade-secret, and so on. Where this is important is to […]
- Insider Threat Program - An Insider Threat Program is aimed at reducing the risk to the organization from trusted individuals that cause harm to the organization from the inside. These individuals have access to resources, strategy, personnel and locations specific to the organization and are able to exploit the weakness in processes or persuade personnel. The key steps to […]
- Intelligence Community Directives (ICD) - Intelligence Community Directive (ICD) governs Intelligence Community (IC) systems, differing from FISMA, and aligns with NIST RMF controls. Applicability: This Directive applies to the IC as defined by the National Security Act of 1947, as amended, and to such elements of any other department or agency as may be designated an element of the IC […]
- International Traffic in Arms Regulations (ITAR) - The International Traffic in Arms Regulations (ITAR) and United States Munitions List (USML) are described in ITAR section 121.1. This set of regulations governs the export of weapons, weapon systems, ammunition, guided missiles, and other personal weapons and weapons designed for military use. ITAR is managed by the Department of State’s Directorate of Defense Trade […]
- Iron Bank - Iron Bank is a containerization certification process created by the DOD. It involves certifying and listing containerized applications for use in DOD systems. Iron Bank was developed by Platform One, and provides services for software development, such as Cloud Native Access Point (CNAP), Custom Developed Services, Continuous Integration/Continuous Deployment (CI/CD), multi-level security data transfer (Cross […]
j
- Joint Air Force, Army, Navy Manual (JAFAN) - Joint Air Force, Army, Navy Manual. Previously used in Special Access Programs (SAPs), especially before the shift to NIST SP 800-53 controls. This set of standards transitioned to the Department of Defense Manual 5205.07 DoD Special Access Security Manual, volumes 1-4. The volumes cover such topics as General Procedures, Personnel Security, Physical Security and marking […]
k
- Kubernetes - Kubernetes is an open-source container orchestration platform used for automating the deployment, scaling, and management of containerized applications. Kubernetes builds upon cloud infrastructure as a service and virtual machines by providing another layer of abstraction: a standardized container that gives application developers and development organizations the ability to focus on the development stack […]
n
- National Industrial Security Program Operating Manual (NISPOM) - Governs clearances, access, and security protocols for industrial and physical security in classified spaces. Established as a Federal Rule, which became effective in August of 2021. Parts of the rule include items such as reporting foreign travel for personnel that have Sensitive Compartmented Information (SCI) or Special Access Program (SAP) access. The ‘NISPOM rule’ replaced […]
- National Institute of Standards and Technology Risk Management Framework (NIST RMF) Special Publication 800-37 - The National Institute of Standards and Technology Risk Management Framework is based on Special Publication 800-37 and is used as controls for Federal systems. The Department of Defense’s (DoD) current version of 8510 is the DoD Risk Management Framework, which superseded DIACAP in the DoD in 2022. The RMF considers the threat landscape and emerging […]
- NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations - Refers to NIST SP 800-53, a publication that outlines security and privacy controls for federal information systems and organizations. The specifications within NIST SP 800-53 include the technical, administrative, and physical protections necessary to reduce the risk to an information system from weaknesses associated with confidentiality, system and information integrity, and system and information […]
- NSA's Commercial Solution for Classified Programs (CSfC) - CSfC is a program initiated by the National Security Agency (NSA) to identify commercial products and solutions suitable for securely handling classified information. Applicability: Encourages the use of commercial solutions to accelerate classified projects. Involves criteria, certifications, and approved solutions for various security needs. URL: NSA CSfC
- NSA's Evaluated Products List - NSA’s Evaluated Products List contains products, mainly hardware-oriented, that have undergone evaluation by the NSA for security and reliability. Applicability: Focus on hardware, especially for data sanitization and destruction. Emphasizes NSA’s concern […]
o
- Open Security Controls Assessment Language (OSCAL) - Open Security Controls Assessment Language. Ties into both NIST 800-53 revisions and helps in compliance with various versions of the controls. OSCAL can be used in either JavaScript Object Notation (JSON) or eXtensible Markup Language (XML), both of which are open formats used by information system applications to support automation. OSCAL was designed […]
- Open Vulnerability and Assessment Language (OVAL) - Open Vulnerability and Assessment Language (OVAL) is an international, information security, community standard for representing and exchanging details about system vulnerabilities. OVAL facilitates the automation of the assessment and […]
- Open Worldwide Application Security Project (OWASP) - The Open Worldwide Application Security Project (OWASP) is a non-profit organization founded in 2001 and incorporated as a non-profit in 2004. The organization establishes and manages multiple projects aimed at the secure development of applications to increase trustworthiness. Most notable within the application development community is the OWASP Top 10, a list of the key items that […]
p
- Ports, Protocols and Services Manual (PPSM) - The Department of Defense (DoD) Ports, Protocols, and Services Manual (PPSM) is described in DoD Instruction 8510.10. The safe use of Internet technologies relies on protections associated with internet ports, protocols and related services. Each node that connects to the internet is assigned a unique identifier, an Internet Protocol (IP) address. Much like a house […]
s
- Security Assessment Report (SAR) - The Security Assessment Report (SAR) is the document provided by the control assessment team. The assessment report contains the results of the security control testing as described in the Security Assessment Plan (SAP). The assessors will describe the procedures used and identify any relevant gaps and risks associated with the controls that are in place […]
- Security Content Automation Protocol (SCAP) - Security Content Automation Protocol (SCAP) validated tools are software tools, especially vulnerability scanners, that comply with a defined set of standards for structured data that describes the security posture of an information system. The descriptions can include the system hardware inventory, software inventory, system configurations, and applied or missing patches. The SCAP definition was implemented out […]
- Security Control Assessor (SCA) - Responsible for grading System Security Plans and adherence to assessment guidance such as NIST 800-53A. The SCA performs a verification and validation of the security posture of the environment in scope of the assessment. The SCA can be one individual, or a team of individuals, depending on the size, scope and breadth of the […]
- Security Control Assessor Representative (SCAR) - Evaluates compliance packages, certifying or denying approval after grading by SCA. The position supports the SCA in the management, development and reporting of security associated with an information system or systems for which they are assigned. Applicability: Relevant in certifying security plans, higher-level representation in compliance. URL: NIST SP 800-53 Documentation NIST RMF Security Control […]
- Security Requirements Guides (SRG) - Security Requirements Guides are documents that provide detailed security requirements for various technologies, applications, databases, and operating systems. SRGs offer guidance on how to configure and secure different technologies to meet specific security standards. These are more generic in nature, as compared to a Security Technical Implementation Guide, which is tailor-made for a specific software […]
- Security Technical Implementation Guides (STIG) - Security Technical Implementation Guides are documents that provide detailed instructions for configuring and securing specific technologies and software. STIGs are more granular and technology-specific than SRGs, often providing configuration details for specific software versions. STIGs (Security Technical […]
- Software Bill of Material (SBOM) - SBOM, or Software Bill of Material, is a list that identifies the software components within a product, including dependencies and origins. Origins of software include Commercial Off the Shelf Software (COTS) (e.g. Microsoft Windows), internally developed software, open source software (e.g. RedHat, Python), as well as the dependencies associated with the use of the software […]
- Special Access Program and Joint Special Access Program Implementation Guides (SAP and JSA) - Special Access Program and Joint Special Access Program Implementation Guides. Pertains to highly classified and sensitive information beyond top secret, controlled by JSEG, following 800-53 controls. Applicability: Relevant in the most sensitive government systems, highly restricted access, ultra-classified information. URL: Special Access Programs Overview
- System Security Plan (SSP) - A System Security Plan (SSP) is a comprehensive document that outlines an organization’s security policies, descriptions of technical specifications, and procedures related to its systems and infrastructure. It describes the system’s boundaries, security controls, authorization details, and risk management strategies. The SSP is vital for compliance with various frameworks, including NIST 800-53 and CMMC, and […]
t
- Test Objects - Interview, examination, or technical testing used in audits to verify compliance. Applicability: Applicable in auditing processes, compliance verification. URL: Auditing Techniques
- Third Party Assessment Organization (3PAO) - This is a FedRAMP and StateRAMP term associated with organizations recognized to perform FedRAMP or StateRAMP Assessments, or that can provide consulting services.
u
- Unclassified Naval Nuclear Propulsion Information (UNNPI) - Unclassified Naval Nuclear Propulsion Information is one example of a CUI Specified information type. This type of information is governed by the Department of Energy. Applicability: Applies to Federal governments that use, process, store or display Unclassified Naval Nuclear Propulsion Information. URL: 471.1A-8 Rev 3.PDF (energy.gov)
z
- Zero Trust Architecture (ZTA) - The term ‘Zero Trust’ in the context of information systems is a conceptual approach in managing the security posture in a distributed information system. Prior to the wide-spread adoption of cloud based technologies, organizations would rely on internal processes and network segmentation as a means of protecting information for the company. As cloud adoption increased, […]