(RMF) OVERVIEW AND CONCEPTS
Advanced Persistent Threat (APT) - ANSWER-A threat that pursues its objectives
repeatedly over an extended period of time; adapts to defenders' efforts to resist it; and
is determined to maintain the level of interaction needed to execute its objectives.
Authenticity - ANSWER-The property of being genuine and being able to be verified and
trusted; confidence in the validity of a transmission, a message, or message originator.
Authorization (to operate) - ANSWER-The official management decision given by a
senior organizational official to authorize operation of an information system and to
explicitly accept the risk to organizational operations based on the implementation of an
agreed-upon set of security controls.
Certification - ANSWER-A comprehensive assessment of the management, operational,
and technical security controls in an information system, made in support of security
accreditation, to determine the extent to which the controls are implemented correctly,
operating as intended, and producing the desired outcome with respect to meeting the
security requirements for the system.
Community of Interest - ANSWER-A collaborative group of users who exchange
information in pursuit of their shared goals, interests, missions, or business processes,
and who therefore must have a shared vocabulary for the information they exchange.
General Support System - ANSWER-An interconnected set of information resources
under the same direct management control that shares common functionality. It
normally includes hardware, software, information, data, applications, communications,
and people.
Individual - ANSWER-A citizen of the United States or an alien lawfully admitted for
permanent residence.
Integrity - ANSWER-Guarding against improper information modification or destruction;
includes ensuring information non-repudiation and authenticity.
Major Application - ANSWER-An application that requires special attention to security
due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized
access to or modification of the information in the application.
Mission/Business Segment - ANSWER-Elements of organizations describing mission
areas, common/shared business services, and organization-wide services.
National Security Information - ANSWER-Information that has been determined to
require protection against unauthorized disclosure and is marked to indicate its
classified status.
National Security System - ANSWER-Any information system (including any
telecommunications system) used or operated by an agency or by a contractor of an
agency, or other organization on behalf of an agency.
Net-Centric Architecture - ANSWER-A complex system of systems composed of
subsystems and services that are part of a continuously evolving, complex community
of people, devices, information and services interconnected by a network that enhances
information sharing and collaboration. Subsystems and services may or may not be
developed or owned by the same entity, and, in general, will not be continually present
during the full life cycle of the system of systems. Examples of this architecture include
service-oriented architectures and cloud computing architectures.
Organization - ANSWER-An entity of any size, complexity, or positioning within an
organizational structure (e.g., a federal agency, or, as appropriate, any of its operational
elements).
Predisposing Condition - ANSWER-A condition that exists within an organization, a
mission/business process, enterprise architecture, or information system including its
environment of operation, which contributes to (i.e., increases or decreases) the
likelihood that one or more threat events, once initiated, will result in undesirable
consequences or adverse impact to organizational operations and assets, individuals,
other organizations, or the Nation.
Supply Chain - ANSWER-A system of organizations, people, activities, information, and
resources, possibly international in scope, that provides products or services to
consumers.
Threat - ANSWER-Any circumstance or event with the potential to adversely impact
organizational operations (including mission, functions, image, or reputation),
organizational assets, individuals, other organizations, or the Nation through an
information system via unauthorized access, destruction, disclosure, modification of
information, and/or denial of service.
Threat Assessment - ANSWER-Process of formally evaluating the degree of threat to
an information system or enterprise and describing the nature of the threat.
Threat Event - ANSWER-An event or situation that has the potential for causing
undesirable consequences or impact.
Threat Scenario - ANSWER-A set of discrete threat events, associated with a specific
threat source or multiple threat sources, partially ordered in time.
Threat Source - ANSWER-The intent and method targeted at the intentional exploitation
of a vulnerability, or a situation and method that may accidentally trigger a vulnerability.
Synonymous with Threat Agent.
Interview - ANSWER-A type of assessment method that is characterized by the process
of conducting discussions with individuals or groups within an organization to facilitate
understanding, achieve clarification, or lead to the location of evidence, the results of
which are used to support the determination of security control effectiveness over time.
Media - ANSWER-Physical devices or writing surfaces including but not limited to
magnetic tapes, optical disks, magnetic disks, Large Scale Integration (LSI) memory
chips, and printouts (but not including display media) onto which information is
recorded, stored, or printed within an information system.
Mission Critical - ANSWER-Any telecommunications or information system that is
defined as a national security system (Federal Information Security Management Act of
2002 - FISMA) or processes any information the loss, misuse, disclosure, or
unauthorized access to or modification of, would have a debilitating impact on the
mission of an agency.
Network Sniffing - ANSWER-A passive technique that monitors network communication,
decodes protocols, and examines headers and payloads for information of interest. It is
both a review technique and a target identification and analysis technique.
Non-repudiation - ANSWER-Assurance that the sender of information is provided with
proof of delivery and the recipient is provided with proof of the sender's identity, so
neither can later deny having processed the information.
Active Security Testing - ANSWER-Security testing that involves direct interaction with a
target, such as sending packets to a target.
Assurance Case - ANSWER-A structured set of arguments and a body of evidence
showing that an information system satisfies specific claims with respect to a given
quality attribute.
Authorization Boundary - ANSWER-All components of an information system to be
authorized for operation by an authorizing official; excludes separately authorized
systems to which the information system is connected.
Clear - ANSWER-To use software or hardware products to overwrite storage space on
the media with nonsensitive data. This process may include overwriting not only the
logical storage location of a file(s) (e.g., file allocation table) but also may include all
addressable locations.
Common Control - ANSWER-A security control that is inherited by one or more
organizational information systems.