FedRAMP Master Acronyms and Glossary v1.4
DOCUMENT REVISION HISTORY
DATE | VERSION | PAGE(S) | DESCRIPTION | AUTHOR
9/10/2015 | 1.0 | All | Initial issue | FedRAMP PMO
4/6/2016 | 1.1 | All | Minor corrections throughout | FedRAMP PMO
8/30/2016 | 1.2 | All | Added Glossary and additional acronyms from all FedRAMP templates and documents | FedRAMP PMO
4/6/2017 | 1.2 | Cover | Updated logo | FedRAMP PMO
11/10/2017 | 1.3 | All | Minor corrections throughout | FedRAMP PMO
11/20/2017 | 1.4 | All | Updated to latest format | FedRAMP PMO
HOW TO CONTACT US
Questions about FedRAMP or this document should be directed to info@fedramp.gov.
For more information about FedRAMP, visit the website at http://www.fedramp.gov.
TABLE OF CONTENTS
1. ACRONYMS
2. GLOSSARY
1. ACRONYMS
Below is the master list of FedRAMP acronym definitions for all FedRAMP templates and documents.
Please send suggestions about corrections, additions, or deletions to info@fedramp.gov.
Table 1 – Master Acronyms
ACRONYM – DEFINITION
3PAO – Third Party Assessment Organization
A2LA – American Association of Laboratory Accreditors
AC – Access Control (SSP Table 13-1 Summary of Required Security Controls)
ACL – Access Control List
AO – Authorizing Official
API – Application Programming Interface
APL – Approved Products List (DOD list)
ASHRAE – American Society of Heating, Refrigerating and Air-conditioning Engineers (see PE-14)
AT – Awareness and Training
ATO – Authorization To Operate
AU – Audit and Accountability (SSP Table 13-1 Summary of Required Security Controls)
BCP – Business Continuity Plan
BIA – Business Impact Analysis / Business Impact Assessment
C&A – Certification & Accreditation
CA – Security Assessment and Authorization (SSP Table 13-1 Summary of Required Security Controls)
CAP – Corrective Action Plan
CapEx – Capital Expense
CAPTCHA – Completely Automated Public Turing test to tell Computers and Humans Apart
CCB – Change Control Board
CDM – Continuous Diagnostics and Mitigation
CERT – Computer Emergency Response Team
CI – Configuration Item
CIDR – Classless Inter-Domain Routing
CIOC – Chief Information Officer Council
CIRT – Consumer Incident Response Team
CIS – Control Implementation Summary / Control Information Summary
CISO – Chief Information Security Officer
CLI – Command Line Interface
CM – Configuration Management (SSP Table 13-1 Summary of Required Security Controls)
CMP – Configuration Management Plan
CMVP – Cryptographic Module Validation Program
CO – Contracting Officer
ConMon – Continuous Monitoring
CONOPS – Concept of Operations
COOP – Continuity of Operations Plan
COR – Contracting Officer’s Representative
COTS – Commercial Off-The-Shelf
CP – Contingency Planning (SSP Table 13-1 Summary of Required Security Controls)
CPD – Contingency Planning Director
CR – Change Request
CRM – Customer Relationship Management
CSIRC – Computer Security Incident Response Center
CSP – Cloud Service Provider
CTW – Control Tailoring Workbook
CUI – Confidential Unclassified Information
DAA – Designated Approving Authority
DAS – Direct Attached Storage
DDoS – Distributed Denial of Service (DDoS)
DHS – Department of Homeland Security
DMZ – Demilitarized Zones [SC-7(13)]
DNS – Domain Name System
DoD – Department of Defense
E-Authentication – Electronic Authentication
EC-Council – International Council of Electronic Commerce Consultants
ECSB – Enterprise Cloud Service Broker
FDCCI – Federal Data Center Consolidation Initiative
FedRAMP – Federal Risk and Authorization Management Program
FIPS – Federal Information Processing Standards
FIPS 199 – Federal Information Processing Standard Publication 199
FIPS PUB – Federal Information Processing Standard Publication
FIPS PUB 199 – Federal Information Processing Standard Publication 199
FISMA – Federal Information Security Management Act of 2014
FOC – Final Operating Capability
FOIA – Freedom of Information Act
FTP – File Transfer Protocol
GIAC – Global Information Assurance Certification
gov – Government
GSA – General Services Administration
GSS – General Support System
GUI – Graphical User Interface
HIDS – Host Intrusion Detection System
HIPAA – Health Insurance Portability and Accountability Act (of 1996)
HIPS – Host Intrusion Prevention System
HSM – Hardware Security Module
HSPD – Homeland Security Presidential Directive
HSPD 12 – Homeland Security Presidential Directive 12
HTTP – HyperText Transport Protocol
IA – Identification and Authentication
IAA – Inter-Agency Agreement
IaaS – Infrastructure as a Service (Model)
IAP – Internet Access Points [SC-7(13)]
IATO – Interim Authorization to Operate
ID – Identification
IEC – International Electrotechnical Commission
IG – Inspector General / Implementation Guidance
IOC – Initial Operating Capability
IP – Internet Protocol
IPv4 – Internet Protocol version 4
IPv6 – Internet Protocol version 6
IR – Incident Response
ISCP – Information Technology Contingency Plan
iSCSI – Internet Small Computer System Interface
ISIMC – Information Security and Identity Management Committee
ISO – International Organization for Standardization
ISO/IEC – International Organization for Standardization / International Electrotechnical Commission
ISP – Internet Service Provider
ISPP – Information Security Policies and Procedures
ISSO – Information System Security Officer
IT – Information Technology
ITCP – IT Contingency Plan
JAB – (FedRAMP) Joint Authorization Board
LAN – Local Area Network
LMS – Learning Management System
MA – Maintenance (SSP Table 13-1 Summary of Required Security Controls)
MAS – Multiple Award Schedule
MAX – MAX.gov (Secure Repository)
mil – Military
MOU – Memorandum of Understanding
MP – Media Protection (SSP Table 13-1 Summary of Required Security Controls)
MSSP – Managed Security Service Provider
MT – Manual Test
MTIPS – Managed Trusted IP Service
N/A – Not Applicable
NARA – National Archives and Records Administration
NAS – Network Attached Storage
NAT – Network Address Translation
NFPA – National Fire Protection Association
NGO – Non-Governmental Organization
NIAP – National Information Assurance Partnership [IA-2(11)]
NISP – National Industrial Security Program
NIST – National Institute of Standards and Technology
NIST-SP – NIST Special Publication
NLA – No Logical Access (SSP Table 9-1 Personnel Roles and Privileges)
NNTP – Network News Transfer Protocol
NP – Non-Privileged (SSP Table 9-1 Personnel Roles and Privileges)
NPPD – National Protection and Programs Directorate (of DHS)
NTP – Network Time Protocol
NVI – NAT Virtual Interface
ODAL – Outage and Damage Assessment Lead
OEP – Occupant Emergency Plan
OIG – Office of the Inspector General
OMB – Office of Management and Budget
OpEx – Operating Expense
OR – Operational Requirement
OSINT – Open Source Intelligence
OWASP – Open Web Application Security Project
P – Privileged (SSP Table 9-1 Personnel Roles and Privileges)
PA – Provisional Authorization
PaaS – Platform as a Service (Model)
P-ATO – Provisional Authorization to Operate
PDF – Portable Document Format
PDS – Protective Distribution System
PE – Physical and Environmental Protection (SSP Table 13-1 Summary of Required Security Controls)
PIA – Privacy Impact Assessment
PII – Personally Identifiable Information
PIV – Personal Identity Verification
PKI – Public Key Infrastructure [SC-7(13)]
PL – Planning (SSP Table 13-1 Summary of Required Security Controls)
PL – Public Law
PLC – Procurement and Logistics Coordinator
PM – Program Management
PMO – Program Management Office
POA&M – Plan of Action and Milestones
POC – Point of Contact
PS – Personnel Security (SSP Table 13-1 Summary of Required Security Controls)
PTA – Privacy Threshold Analysis
PTR – Penetration Test Report
PUB – Publication
QA – Quality Assurance
QC – Quality Control
QM – Quality Management
R1 – Revision 1
RA – Risk Assessment
RBAC – Role-Based Access Control
Rev – Revision
RFC – Request for Change
RFI – Request for Information
RFP – Request for Proposal
RIP – Routing Information Protocol
RMF – Risk Management Framework
RoB – Rules of Behavior
ROE – Rules of Engagement
RTO – Recovery Time Objective
SA – System and Services Acquisition (SSP Table 13-1 Summary of Required Security Controls)
SA – Security Assessment
SaaS – Software as a Service
SAF – Security Assessment Framework
SAML – Security Assertion Markup Language
SAN – Storage Area Networks
SAP – Security Assessment Plan
SAR – Security Assessment Report
SAS – Security Assessment Support
SC – System and Communications Protection (SSP Table 13-1 Summary of Required Security Controls)
SCSI – Small Computer System Interface
SDLC – System Development Life Cycle
SI – System and Information Integrity (SSP Table 13-1 Summary of Required Security Controls)
SLA – Service Level Agreement
SME – Subject Matter Expert
SMS – Short Message Service
SMTP – Simple Mail Transfer Protocol
SOP – Standard Operating Procedure
SORN – System of Records Notice
SP – Service Processor (SSP Table 11-1 System Interconnections)
SP – Special Publication
SQL – Structured Query Language
SSL – Secure Sockets Layer
SSO – Single Sign-On
SSP – System Security Plan
TCP – Transmission Control Protocol
TFTP – Trivial FTP
TIC – Trusted Internet Connection
TICAP – Trusted Internet Connection Access Providers
TLS – Transport Layer Security
TP – Test Plan
TR – Technical Representative
TR-R – Technical Representative’s Representative
TTS – Technology Transformation Services
US – United States
UDP – User Diagram Protocol
UPS – Uninterruptable Power Supply
URL – Uniform Resource Locator
USC – United States Code
US-CERT – United States Computer Emergency Readiness Team
UUCP – Unix-to-Unix Copy Protocol
V2 – Version 2
VLAN – Virtual Local Area Network
VPN – Virtual Private Network (SSP Table 11-1 System Interconnections)
2. GLOSSARY
Below is the master list of FedRAMP glossary terms for all FedRAMP templates.
Please send suggestions about corrections, additions, or deletions to info@fedramp.gov.
Table 2 – Master Glossary
TERM – MEANING
Agency Authorization to Operate – An Agency ATO is an authorization that is issued by a Federal Department, Office, or Agency.
Cloud Access – To make contact with or gain access to Cloud Services.
Cloud Auditor – A party that can conduct independent assessment of cloud services, information system operations, performance and security of the cloud implementation.
Cloud Broker – An entity that manages the use, performance and delivery of cloud services, and negotiates relationships between Cloud Providers and Cloud Consumers.
Cloud Carrier – The intermediary that provides connectivity and transport of cloud services between Cloud Providers and Cloud Consumers.
Cloud Consumer – Person or organization that maintains a business relationship with, and uses services from, Cloud Service Providers.
Cloud Distribution – The process of transporting cloud data between Cloud Providers and Cloud Consumers.
Cloud Provider – Person, organization or entity responsible for making a service available to service consumers.
Cloud Service Management – Cloud Service Management includes all the service-related functions that are necessary for the management and operations of those services required by or proposed to customers.
Community Cloud – The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
Configured by Customer – A control where the customer needs to apply a configuration in order to meet the control requirement.
Data Portability – The ability to transfer data from one system to another without being required to recreate or reenter data descriptions or to modify significantly the application being transported.
FedRAMP Authorization Package – Authorization packages contain the body of evidence needed by authorizing officials to make risk-based decisions regarding the information systems providing cloud services. This includes, as a minimum, the Security Plan, Security Assessment Report, Plan of Action and Milestones and a Continuous Monitoring Plan.
FedRAMP Authorized – TBD, after differences are settled.
FedRAMP In-Process – FedRAMP In-Process is a designation for Applicants that are in the JAB P-ATO or Agency ATO [authorization application] paths.
FedRAMP P-ATO – FedRAMP Provisional Authorization to Operate. A provisional authorization is an initial statement of risk and approval of an authorization package by the JAB pending the issuance of a final authorization to operate by the Executive department or agency acquiring the cloud service.
FedRAMP Ready – FedRAMP Ready is a designation which is intended to demonstrate a CSP's ability to complete the full FedRAMP authorization process. It is a mandatory step in pursuing a JAB P-ATO authorization and is optional for those pursuing an Agency-based FedRAMP Authorization. To be listed as FedRAMP Ready, CSPs work with a 3PAO to submit a Readiness Assessment Report which must be reviewed and approved by the FedRAMP PMO.
Fixed Endpoints – A physical device, fixed in its location, that provides a man/machine interface to cloud services and applications. A fixed endpoint typically uses one method and protocol to connect to cloud services and applications.
Hybrid Cloud – The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
Information System Security Officer (ISSO) – The FedRAMP ISSO refers to the ISSO who reviews security packages intended for the JAB.
Infrastructure as a Service (IaaS) – The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).
Inherited from pre-existing Authorization – A control that is inherited from another CSP Name system that has already received an Authorization.
Interoperability – The capability to communicate, to execute programs, or to transfer data among various functional units under specified conditions.
Joint Authorization Board – The JAB consists of the CIOs of the DOD, GSA, and the DHS.
Joint Authorization Board Provisional Authorization to Operate – A FedRAMP JAB P-ATO is a FedRAMP Provisional Authorization to Operate issued by the JAB.
Metering – Provide a measuring capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts).
Mobile Endpoints – A physical device, often carried by the user, that provides a man/machine interface to cloud services and applications. A Mobile Endpoint may use multiple methods and protocols to connect to cloud services and applications.
Monitoring and Reporting – Discover and monitor the virtual resources, monitor cloud operations and events, and generate performance reports.
Performance Audit – Systematic evaluation of a cloud system by measuring how well it conforms to a set of established performance criteria.
Physical Resource Layer – Includes all the physical resources used to provide cloud services, most notably, the hardware and the facility.
Platform as a Service – The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
Portability –
1. The ability to transfer data from one system to another without being required to recreate or reenter data descriptions or to modify significantly the application being transported.
2. The ability of software or of a system to run on more than one type or size of computer under more than one operating system. See POSIX.
3. Of equipment, the quality of being able to function normally while being conveyed.
Privacy – Information privacy is the assured, proper, and consistent collection, processing, communication, use and disposition of personal information (PI) and personally identifiable information (PII) throughout its lifecycle.
Privacy-Impact Audit – Systematic evaluation of a cloud system by measuring how well it conforms to a set of established privacy-impact criteria.
Private Cloud – The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
Provided by Customer – A control where the customer needs to provide additional hardware or software in order to meet the control requirement.
Provisioning/Configuration – Process of preparing and equipping a cloud to allow it to provide services to its users.
Public Cloud – The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
Rapid Provisioning – Automatically deploying cloud system based on the requested service/resources/capabilities.
Resource Abstraction and Control Layer – Entails software elements, such as hypervisor, virtual machines, virtual data storage, and supporting software components, used to realize the infrastructure upon which a cloud service can be established.
Resource Change – Adjust configuration/resource assignment for repairs, upgrades, and joining new nodes into the cloud.
Security – Refers to information security. "Information security" means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
Security Audit – Systematic evaluation of a cloud system by measuring how well it conforms to a set of established security criteria.
Service Aggregation – An aggregation brokerage service combines multiple services into one or more new services. It will ensure that data is modeled across all component services and integrated as well as ensuring the movement and security of data between the service consumer and multiple providers.
Service Arbitrage – Cloud service arbitrage is similar to cloud service aggregation. The difference between them is that the services being aggregated are not fixed. Indeed the goal of arbitrage is to provide flexibility and opportunistic choices for the service aggregator, e.g., providing multiple email services through one service provider or providing a credit-scoring service that checks multiple scoring agencies and selects the best score.
Service Consumption – A Cloud Broker in the act of using a Cloud Service.
ServiceDeployment Alloftheactivitiesandorganizationneededtomakeacloudserviceavailable.
ServiceIntermediationAnintermediationbrokerprovidesaservicethatdirectlyenhancesagivenservicedeliveredtooneormoreserviceconsumers,essentiallyaddingvalueontopofagivenservicetoenhancesomespecificcapability.
ServiceProviderCorporate
AcontrolthatoriginatesfromtheCSPNamecorporatenetwork.
ServiceProviderHybridAcontrolthatmakesuseofbothcorporatecontrolsandadditionalcontrolsspecifictoaparticularsystemattheCSPName.
ServiceProviderSystemSpecific
AcontrolspecifictoaparticularsystemattheCSPNameandthecontrolisnotpartoftheserviceprovidercorporatecontrols.
SharedAcontrolthatismanagedandimplementedpartiallybytheCSPNameandpartiallybythecustomer.
SupportTeam TheFedRAMPsupportteamisthegroupofindividualsthatrespondstoinfo@fedramp.gov.
ThreatAnadversarialforceorphenomenonthatcouldimpacttheavailability,integrity,orconfidentialityofaninformationsystemanditsnetworksincludingthefacilitythathousesthehardwareandsoftware.
ThreatActor Anentitythatinitiatesthelaunchofathreatagentisreferredtoasathreatactor.
ThreatAgent Anelementthatprovidesthedeliverymechanismforathreat.
ValidationandVerification
ThePMBOKguide,astandardadoptedbyIEEE,definesthemasfollowsinits4thedition:[2]https://en.wikipedia.org/wiki/Verification_and_validation-cite_note-pmboked4-2
"Validation.Theassurancethataproduct,service,orsystemmeetstheneedsofthecustomerandotheridentifiedstakeholders.Itofteninvolvesacceptanceandsuitabilitywithexternalcustomers.Contrastwithverification."
"Verification.Theevaluationofwhetherornotaproduct,service,orsystemcomplieswitharegulation,requirement,specification,orimposedcondition.Itisoftenaninternalprocess.Contrastwithvalidation."
Vulnerability
Aninherentweaknessinaninformationsystemthatcanbeexploitedbyathreatorthreatagent,resultinginanundesirableimpactintheprotectionoftheconfidentiality,integrity,oravailabilityofthesystem(applicationandassociateddata).