
FedRAMP MASTER ACRONYMS AND GLOSSARY

Version 1.4

November 20, 2017


DOCUMENT REVISION HISTORY

DATE        VERSION  PAGE(S)  DESCRIPTION                                                                      AUTHOR
9/10/2015   1.0      All      Initial issue                                                                    FedRAMP PMO
4/6/2016    1.1      All      Minor corrections throughout                                                     FedRAMP PMO
8/30/2016   1.2      All      Added Glossary and additional acronyms from all FedRAMP templates and documents  FedRAMP PMO
4/6/2017    1.2      Cover    Updated logo                                                                     FedRAMP PMO
11/10/2017  1.3      All      Minor corrections throughout                                                     FedRAMP PMO
11/20/2017  1.4      All      Updated to latest format                                                         FedRAMP PMO

HOW TO CONTACT US

Questions about FedRAMP or this document should be directed to info@fedramp.gov.

For more information about FedRAMP, visit the website at http://www.fedramp.gov.


TABLE OF CONTENTS

1. ACRONYMS

2. GLOSSARY


1. ACRONYMS

Below is the master list of FedRAMP acronym definitions for all FedRAMP templates and documents.

Please send suggestions about corrections, additions, or deletions to info@fedramp.gov.

Table 1 – Master Acronyms

ACRONYM DEFINITION

3PAO Third Party Assessment Organization
A2LA American Association for Laboratory Accreditation
AC Access Control (SSP Table 13-1 Summary of Required Security Controls)
ACL Access Control List
AO Authorizing Official
API Application Programming Interface
APL Approved Products List (DoD list)
ASHRAE American Society of Heating, Refrigerating and Air-Conditioning Engineers (see PE-14)
AT Awareness and Training
ATO Authorization to Operate
AU Audit and Accountability (SSP Table 13-1 Summary of Required Security Controls)
BCP Business Continuity Plan
BIA Business Impact Analysis / Business Impact Assessment
C&A Certification & Accreditation
CA Security Assessment and Authorization (SSP Table 13-1 Summary of Required Security Controls)
CAP Corrective Action Plan
CapEx Capital Expense
CAPTCHA Completely Automated Public Turing test to tell Computers and Humans Apart
CCB Change Control Board
CDM Continuous Diagnostics and Mitigation
CERT Computer Emergency Response Team
CI Configuration Item


CIDR Classless Inter-Domain Routing
CIOC Chief Information Officer Council
CIRT Computer Incident Response Team
CIS Control Implementation Summary / Control Information Summary
CISO Chief Information Security Officer
CLI Command Line Interface
CM Configuration Management (SSP Table 13-1 Summary of Required Security Controls)
CMP Configuration Management Plan
CMVP Cryptographic Module Validation Program
CO Contracting Officer
ConMon Continuous Monitoring
CONOPS Concept of Operations
COOP Continuity of Operations Plan
COR Contracting Officer's Representative
COTS Commercial Off-The-Shelf
CP Contingency Planning (SSP Table 13-1 Summary of Required Security Controls)
CPD Contingency Planning Director
CR Change Request
CRM Customer Relationship Management
CSIRC Computer Security Incident Response Center
CSP Cloud Service Provider
CTW Control Tailoring Workbook
CUI Controlled Unclassified Information
DAA Designated Approving Authority
DAS Direct Attached Storage
DDoS Distributed Denial of Service
DHS Department of Homeland Security
DMZ Demilitarized Zone [SC-7(13)]
DNS Domain Name System
DoD Department of Defense
E-Authentication Electronic Authentication


EC-Council International Council of Electronic Commerce Consultants
ECSB Enterprise Cloud Service Broker
FDCCI Federal Data Center Consolidation Initiative
FedRAMP Federal Risk and Authorization Management Program
FIPS Federal Information Processing Standards
FIPS 199 Federal Information Processing Standard Publication 199
FIPS PUB Federal Information Processing Standard Publication
FIPS PUB 199 Federal Information Processing Standard Publication 199
FISMA Federal Information Security Modernization Act of 2014
FOC Final Operating Capability
FOIA Freedom of Information Act
FTP File Transfer Protocol
GIAC Global Information Assurance Certification
gov Government
GSA General Services Administration
GSS General Support System
GUI Graphical User Interface
HIDS Host Intrusion Detection System
HIPAA Health Insurance Portability and Accountability Act (of 1996)
HIPS Host Intrusion Prevention System
HSM Hardware Security Module
HSPD Homeland Security Presidential Directive
HSPD-12 Homeland Security Presidential Directive 12
HTTP Hypertext Transfer Protocol
IA Identification and Authentication
IAA Inter-Agency Agreement
IaaS Infrastructure as a Service (Model)
IAP Internet Access Points [SC-7(13)]
IATO Interim Authorization to Operate
ID Identification
IEC International Electrotechnical Commission


IG Inspector General / Implementation Guidance
IOC Initial Operating Capability
IP Internet Protocol
IPv4 Internet Protocol version 4
IPv6 Internet Protocol version 6
IR Incident Response
ISCP Information System Contingency Plan
iSCSI Internet Small Computer System Interface
ISIMC Information Security and Identity Management Committee
ISO International Organization for Standardization
ISO/IEC International Organization for Standardization / International Electrotechnical Commission
ISP Internet Service Provider
ISPP Information Security Policies and Procedures
ISSO Information System Security Officer
IT Information Technology
ITCP IT Contingency Plan
JAB (FedRAMP) Joint Authorization Board
LAN Local Area Network
LMS Learning Management System
MA Maintenance (SSP Table 13-1 Summary of Required Security Controls)
MAS Multiple Award Schedule
MAX MAX.gov (Secure Repository)
mil Military
MOU Memorandum of Understanding
MP Media Protection (SSP Table 13-1 Summary of Required Security Controls)
MSSP Managed Security Service Provider
MT Manual Test
MTIPS Managed Trusted IP Service
N/A Not Applicable
NARA National Archives and Records Administration
NAS Network Attached Storage


NAT Network Address Translation
NFPA National Fire Protection Association
NGO Non-Governmental Organization
NIAP National Information Assurance Partnership [IA-2(11)]
NISP National Industrial Security Program
NIST National Institute of Standards and Technology
NIST-SP NIST Special Publication
NLA No Logical Access (SSP Table 9-1 Personnel Roles and Privileges)
NNTP Network News Transfer Protocol
NP Non-Privileged (SSP Table 9-1 Personnel Roles and Privileges)
NPPD National Protection and Programs Directorate (of DHS)
NTP Network Time Protocol
NVI NAT Virtual Interface
ODAL Outage and Damage Assessment Lead
OEP Occupant Emergency Plan
OIG Office of the Inspector General
OMB Office of Management and Budget
OpEx Operating Expense
OR Operational Requirement
OSINT Open Source Intelligence
OWASP Open Web Application Security Project
P Privileged (SSP Table 9-1 Personnel Roles and Privileges)
PA Provisional Authorization
PaaS Platform as a Service (Model)
P-ATO Provisional Authorization to Operate
PDF Portable Document Format
PDS Protective Distribution System
PE Physical and Environmental Protection (SSP Table 13-1 Summary of Required Security Controls)
PIA Privacy Impact Assessment
PII Personally Identifiable Information


PIV Personal Identity Verification
PKI Public Key Infrastructure [SC-7(13)]
PL Planning (SSP Table 13-1 Summary of Required Security Controls)
PL Public Law
PLC Procurement and Logistics Coordinator
PM Program Management
PMO Program Management Office
POA&M Plan of Action and Milestones
POC Point of Contact
PS Personnel Security (SSP Table 13-1 Summary of Required Security Controls)
PTA Privacy Threshold Analysis
PTR Penetration Test Report
PUB Publication
QA Quality Assurance
QC Quality Control
QM Quality Management
R1 Revision 1
RA Risk Assessment
RBAC Role-Based Access Control
Rev Revision
RFC Request for Change
RFI Request for Information
RFP Request for Proposal
RIP Routing Information Protocol
RMF Risk Management Framework
RoB Rules of Behavior
ROE Rules of Engagement
RTO Recovery Time Objective
SA System and Services Acquisition (SSP Table 13-1 Summary of Required Security Controls)
SA Security Assessment
SaaS Software as a Service


SAF Security Assessment Framework
SAML Security Assertion Markup Language
SAN Storage Area Network
SAP Security Assessment Plan
SAR Security Assessment Report
SAS Security Assessment Support
SC System and Communications Protection (SSP Table 13-1 Summary of Required Security Controls)
SCSI Small Computer System Interface
SDLC System Development Life Cycle
SI System and Information Integrity (SSP Table 13-1 Summary of Required Security Controls)
SLA Service Level Agreement
SME Subject Matter Expert
SMS Short Message Service
SMTP Simple Mail Transfer Protocol
SOP Standard Operating Procedure
SORN System of Records Notice
SP Service Processor (SSP Table 11-1 System Interconnections)
SP Special Publication
SQL Structured Query Language
SSL Secure Sockets Layer
SSO Single Sign-On
SSP System Security Plan
TCP Transmission Control Protocol
TFTP Trivial File Transfer Protocol
TIC Trusted Internet Connection
TICAP Trusted Internet Connection Access Provider
TLS Transport Layer Security
TP Test Plan
TR Technical Representative
TR-R Technical Representative's Representative


TTS Technology Transformation Services
US United States
UDP User Datagram Protocol
UPS Uninterruptible Power Supply
URL Uniform Resource Locator
USC United States Code
US-CERT United States Computer Emergency Readiness Team
UUCP Unix-to-Unix Copy Protocol
V2 Version 2
VLAN Virtual Local Area Network
VPN Virtual Private Network (SSP Table 11-1 System Interconnections)


2. GLOSSARY

Below is the master list of FedRAMP glossary terms for all FedRAMP templates.

Please send suggestions about corrections, additions, or deletions to info@fedramp.gov.

Table 2 – Master Glossary

TERM
MEANING

Agency Authorization to Operate
An Agency ATO is an authorization that is issued by a Federal Department, Office, or Agency.

Cloud Access
To make contact with or gain access to Cloud Services.

Cloud Auditor
A party that can conduct independent assessment of cloud services, information system operations, performance and security of the cloud implementation.

Cloud Broker
An entity that manages the use, performance and delivery of cloud services, and negotiates relationships between Cloud Providers and Cloud Consumers.

Cloud Carrier
The intermediary that provides connectivity and transport of cloud services between Cloud Providers and Cloud Consumers.

Cloud Consumer
Person or organization that maintains a business relationship with, and uses services from, Cloud Service Providers.

Cloud Distribution
The process of transporting cloud data between Cloud Providers and Cloud Consumers.

Cloud Provider
Person, organization or entity responsible for making a service available to service consumers.

Cloud Service Management
Cloud Service Management includes all the service-related functions that are necessary for the management and operations of those services required by or proposed to customers.

Community Cloud
The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

Configured by Customer
A control where the customer needs to apply a configuration in order to meet the control requirement.


Data Portability
The ability to transfer data from one system to another without being required to recreate or reenter data descriptions or to modify significantly the application being transported.

FedRAMP Authorization Package
Authorization packages contain the body of evidence needed by authorizing officials to make risk-based decisions regarding the information systems providing cloud services. This includes, at a minimum, the Security Plan, Security Assessment Report, Plan of Action and Milestones and a Continuous Monitoring Plan.

FedRAMP Authorized
TBD, after differences are settled.

FedRAMP In-Process
FedRAMP In-Process is a designation for Applicants that are in the JAB P-ATO or Agency ATO [authorization application] paths.

FedRAMP P-ATO
FedRAMP Provisional Authorization to Operate. A provisional authorization is an initial statement of risk and approval of an authorization package by the JAB pending the issuance of a final authorization to operate by the Executive department or agency acquiring the cloud service.

FedRAMP Ready
FedRAMP Ready is a designation which is intended to demonstrate a CSP's ability to complete the full FedRAMP authorization process. It is a mandatory step in pursuing a JAB P-ATO authorization and is optional for those pursuing an Agency-based FedRAMP Authorization. To be listed as FedRAMP Ready, CSPs work with a 3PAO to submit a Readiness Assessment Report which must be reviewed and approved by the FedRAMP PMO.

Fixed Endpoints
A physical device, fixed in its location, that provides a man/machine interface to cloud services and applications. A fixed endpoint typically uses one method and protocol to connect to cloud services and applications.

Hybrid Cloud
The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

Information System Security Officer (ISSO)
The FedRAMP ISSO refers to the ISSO who reviews security packages intended for the JAB.

Infrastructure as a Service (IaaS)
The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).


Inherited from pre-existing Authorization
A control that is inherited from another CSP Name system that has already received an Authorization.

Interoperability
The capability to communicate, to execute programs, or to transfer data among various functional units under specified conditions.

Joint Authorization Board
The JAB consists of the CIOs of the DoD, GSA, and the DHS.

Joint Authorization Board Provisional Authorization to Operate
A FedRAMP JAB P-ATO is a FedRAMP Provisional Authorization to Operate issued by the JAB.

Metering
Provide a measuring capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts).

Mobile Endpoints
A physical device, often carried by the user, that provides a man/machine interface to cloud services and applications. A Mobile Endpoint may use multiple methods and protocols to connect to cloud services and applications.

Monitoring and Reporting
Discover and monitor the virtual resources, monitor cloud operations and events, and generate performance reports.

Performance Audit
Systematic evaluation of a cloud system by measuring how well it conforms to a set of established performance criteria.

Physical Resource Layer
Includes all the physical resources used to provide cloud services, most notably, the hardware and the facility.

Platform as a Service
The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

Portability
1. The ability to transfer data from one system to another without being required to recreate or reenter data descriptions or to modify significantly the application being transported.
2. The ability of software or of a system to run on more than one type or size of computer under more than one operating system. See POSIX.
3. Of equipment, the quality of being able to function normally while being conveyed.

Privacy
Information privacy is the assured, proper, and consistent collection, processing, communication, use and disposition of personal information (PI) and personally identifiable information (PII) throughout its lifecycle.


Privacy-Impact Audit
Systematic evaluation of a cloud system by measuring how well it conforms to a set of established privacy-impact criteria.

Private Cloud
The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

Provided by Customer
A control where the customer needs to provide additional hardware or software in order to meet the control requirement.

Provisioning/Configuration
Process of preparing and equipping a cloud to allow it to provide services to its users.

Public Cloud
The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

Rapid Provisioning
Automatically deploying a cloud system based on the requested service/resources/capabilities.

Resource Abstraction and Control Layer
Entails software elements, such as hypervisor, virtual machines, virtual data storage, and supporting software components, used to realize the infrastructure upon which a cloud service can be established.

Resource Change
Adjust configuration/resource assignment for repairs, upgrades, and joining new nodes into the cloud.

Security
Refers to information security. "Information security" means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

Security Audit
Systematic evaluation of a cloud system by measuring how well it conforms to a set of established security criteria.

Service Aggregation
An aggregation brokerage service combines multiple services into one or more new services. It will ensure that data is modeled across all component services and integrated as well as ensuring the movement and security of data between the service consumer and multiple providers.

Service Arbitrage
Cloud service arbitrage is similar to cloud service aggregation. The difference between them is that the services being aggregated are not fixed. Indeed the goal of arbitrage is to provide flexibility and opportunistic choices for the service aggregator, e.g., providing multiple email services through one service provider or providing a credit-scoring service that checks multiple scoring agencies and selects the best score.

Service Consumption
A Cloud Broker in the act of using a Cloud Service.


Service Deployment
All of the activities and organization needed to make a cloud service available.

Service Intermediation
An intermediation broker provides a service that directly enhances a given service delivered to one or more service consumers, essentially adding value on top of a given service to enhance some specific capability.

Service Provider Corporate
A control that originates from the CSP Name corporate network.

Service Provider Hybrid
A control that makes use of both corporate controls and additional controls specific to a particular system at the CSP Name.

Service Provider System Specific
A control specific to a particular system at the CSP Name; the control is not part of the service provider corporate controls.

Shared
A control that is managed and implemented partially by the CSP Name and partially by the customer.

Support Team
The FedRAMP support team is the group of individuals that responds to info@fedramp.gov.

Threat
An adversarial force or phenomenon that could impact the availability, integrity, or confidentiality of an information system and its networks, including the facility that houses the hardware and software.

Threat Actor
An entity that initiates the launch of a threat agent.

Threat Agent
An element that provides the delivery mechanism for a threat.

Validation and Verification
The PMBOK Guide, a standard adopted by IEEE, defines them as follows in its 4th edition:
"Validation. The assurance that a product, service, or system meets the needs of the customer and other identified stakeholders. It often involves acceptance and suitability with external customers. Contrast with verification."
"Verification. The evaluation of whether or not a product, service, or system complies with a regulation, requirement, specification, or imposed condition. It is often an internal process. Contrast with validation."

Vulnerability
An inherent weakness in an information system that can be exploited by a threat or threat agent, resulting in an undesirable impact in the protection of the confidentiality, integrity, or availability of the system (application and associated data).