Welcome To DITSCAP.US - The Definitive Site For DITSCAP Information Welcome To DITSCAP-US The Definitive DoD DITSCAP Information Site
What is DITSCAP?
The DoD Information Technology Security Certification
and Accreditation Process

Department of Defense - INSTRUCTION DOCUMENT
December 30, 1997 - NUMBER 5200.40 - ASD (C31)
Revised August 07, 2002
Reformatted

DEFINITIONS

  • E2.1. Terms used in this Instruction are selected from the NSTISSI 4009 (reference(k)) definitions when possible. Where new terms are used, the revised or new definitions will be submitted as changes to reference (k).
  • E2.1.1. Accountability. Property that allows auditing of IT system activities to be traced to persons or processes that may then be held responsible for their actions. Accountability includes authenticity and non-repudiation.
  • E2.1.2. Accreditation. Formal declaration by the DAA that an IT system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.
  • E2.1.3. Architecture. The configuration of any equipment or interconnected system or subsystems of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information; includes computers, ancillary equipment, and services, including support services and related resources.
  • E2.1.4. Acquisition Organization. The Government organization that is responsible for developing a system.
  • E2.1.5. Assurance. Measure of confidence that the security features, practices, procedures and architecture of an IT system accurately mediates and enforces the security policy.
  • E2.1.6. Authenticity. The property that allows the ability to validate the claimed identity of a system entity.
  • E2.1.7. Availability. Timely, reliable access to data and information services for authorized users.
  • E2.1.8. Certification. Comprehensive evaluation of the technical and non-technical security features of an IT system and other safeguards, made in support of the accreditation process, to establish the extent that a particular design and implementation meets a set of specified security requirements.
  • E2.1.9. Certification Authority (CA). The official responsible for performing the comprehensive evaluation of the technical and non-technical security features of an IT system and other safeguards, made in support of the accreditation process, to establish the extent that a particular design and implementation meet a set of specified security requirements.
  • E2.1.10. Computing Environment. The total environment in that an automated information system, network, or a component operates. The environment includes physical, administrative, and personnel procedures as well as communication and networking relationships with other information systems.
  • E2.1.11. Communications Security (COMSEC). Measures and controls taken to deny unauthorized persons information derived from telecommunications and ensure the authenticity of such telecommunications. Communications security includes cryptosecurity, transmission security, emission security, and physical security of COMSEC material.
  • E2.1.12. Confidentiality. Assurance that information is not disclosed to unauthorized persons, processes, or devices.
  • E2.1.13. Configuration Control. Process of controlling modifications to a IT system's hardware, firmware, software, and documentation to ensure the system is protected against improper modifications prior to, during, and after system implementation.
  • E2.1.14. Configuration Management. Management of security features and assurances through control of changes made to hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the life-cycle of the IT.
  • E2.1.15. Configuration Manager. The individual or organization responsible for Configuration Control or Configuration Management.
  • E2.1.16. Data Integrity. The attribute of data that is related to the preservation of its meaning and completeness, the consistency of its representation(s), and its correspondence to what it represents.
  • E2.1.17. Defense Information Infrastructure (DII). The DII is the seamless web of communications networks, computers, software, databases, applications, data, security services, and other capabilities that meets the information processing and transport needs of DoD users in peace and in all crises, conflict, humanitarian support, and wartime roles.
  • E2.1.18. Designated Approving Authority (DAA or Accreditor). Official with the authority to formally assume the responsibility for operating a system or network at an acceptable level of risk.
  • E2.1.19. Developer. The organization that develops the information system.
  • E2.1.20. DoD Information Technology Security Certification and Accreditation Process (DITSCAP). The standard DoD process for identifying information security requirements, providing security solutions, and managing information system security activities.
  • E2.1.21. Emissions security (EMSEC). Measures taken to deny unauthorized persons information derived from intercept and analysis of compromising emanations from crypto-equipment or an IT system.
  • E2.1.22. Environment. Aggregate of external procedures, conditions, and objects effecting the development, operation, and maintenance of an IT system.
  • E2.1.23. Evolutionary Program Strategies. Generally characterized by design, development, and deployment of a preliminary capability that includes provisions for the evolutionary addition of future functionality and changes, as requirements are further defined, DoD Directive 5000.1 (reference (i)).
  • E2.1.24. Governing Security Requisites. Those security requirements that must be addressed in all systems. These requirements are set by policy, directive, or common practice set; e.g., by E.O, OMB, the OSD, a Military Service or a DoD Agency. Those requirements are typically high-level. While implementation will vary from case to case, those requisites are fundamental and shall be addressed.
  • E2.1.25. Grand Design Program Strategies. Characterized by acquisition, development, and deployment of the total functional capability in a single increment, reference (i).
  • E2.1.26. Incremental Program Strategies. Characterized by acquisition, development, and deployment of functionality through a number of clearly defined system "increments" that stand on their own, reference (i).
  • E2.1.27. Information Category. The term used to bound information and tie it to an information security policy.
  • E2.1.28. Infrastructure-Centric. A security management approach that considers information systems and their computing environment as a single entity.
  • E2.1.29. Information Security Policy. The aggregate of public law, directives, regulations, rules, and regulate how an organization manages, protects, and distributes information. For example, the information security policy for financial data processed on DoD systems may be in U.S.C., E.O., DoD Directives, and local regulations. The information security policy lists all the security requirements applicable to specific information.
  • E2.1.30. Information System. Any telecommunication or computer-related equipment or interconnected system or subsystems of equipment that is used in the acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of voice and/or data, and includes software, firmware, and hardware.
  • E2.1.31. Information System Security Officer (ISSO). The person responsible to the DAA for ensuring the security of an IT system is approved, operated, and maintained throughout its life-cycle in accordance with the SSAA.
  • E2.1.32. Information Technology (IT). The hardware, firmware, and software used as part of the information system to perform DoD information functions. This definition includes computers, telecommunications, automated information systems, and automatic data processing equipment. IT includes any assembly of computer hardware, software, and/or firmware configured to collect, create, communicate, compute, disseminate, process, store, and/or control data or information.
  • E2.1.33. Information Technology Security (ITSEC). Protection of information technology against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats. Protection and maintenance of confidentiality, integrity, availability, and accountability.
  • E2.1.34. Integrator. An organization or individual that unites, combines, or otherwise incorporates information system components with another system(s).
  • E2.1.35. Integrity. Quality of an IT system reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data. It is composed of data integrity and system integrity.
  • E2.1.36. Legacy Information System. An operational information system that existed before to the implementation of the DITSCAP.
  • E2.1.37. Maintainer. The organization or individual that maintains the information system.
  • E2.1.38. Maintenance Organization. The organization that keeps an IT system operating in accordance with prescribed laws, policy, procedures and regulations. In the case of a contractor maintained system, the maintenance organization is the government organization responsible for, or sponsoring the operation of the IT system.
  • E2.1.39. Mission. The assigned duties to be performed by a resource.
  • E2.1.40. Non-Developmental Item (NDI). Any item that is available in the commercial marketplace; any previously developed item that is in use by a Department or Agency of the United States, a State or local government, or a foreign government with which the United States has a mutual defense cooperation agreement; any item described above, that requires only minor modifications in order to meet the requirements of the procuring Agency; or any item that is currently being produced that does not meet the requirements of definitions above, solely because the item is not yet in use or is not yet available in the commercial market place.
  • E2.1.41. Other Program Strategies. Strategies intended to encompass variations and/or combinations of the grand design, incremental, evolutionary, or other program strategies, DoD Directive 5000.1 (reference (i)).
  • E2.1.42. Program Manager. The person ultimately responsible for the overall procurement, development, integration, modification, or operation and maintenance of the IT system.
  • E2.1.43. Risk. A combination of the likelihood that a threat will occur, the likelihood that a threat occurrence will result in an adverse impact, and the severity of the resulting impact.
  • E2.1.44. Risk Assessment. Process of analyzing threats to, and vulnerabilities of, an IT system, and the potential impact that the loss of information or capabilities of a system would have on national security. The resulting analysis is used as a basis for identifying appropriate and effective measures.
  • E2.1.45. Risk Management. Process concerned with the identification, measurement, control, and minimization of security risks in IT systems to a level commensurate with the value of the assets protected.
  • E2.1.46. Security. Measures and controls that ensure confidentiality, integrity, availability, and accountability of the information processed and stored by a computer.
  • E2.1.47. Security Inspection. Examination of an IT system to determine compliance with security policy, procedures, and practices.
  • E2.1.48. Security Process. The series of activities that monitor, evaluate, test, certify, accredit, and maintain the system accreditation throughout the system life-cycle.
  • E2.1.49. Security Requirements. Types and levels of protection necessary for equipment, data, information, applications, and facilities to meet security policy.
  • E2.1.50. Security Specification. Detailed description of the safeguards required to protect an IT system.
  • E2.1.51. Security Test and Evaluation (ST&E). Examination and analysis of the safeguards required to protect an IT system, as they have been applied in an operational environment, to determine the security posture of that system.
  • E2.1.52. Sensitive Information. Information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (reference (l)), but that has not been specifically authorized under criteria established by an E.O. or an Act of Congress to be kept secret in the interest of national defense or foreign policy.
  • E2.1.53. System. A set of interrelated components consisting of mission, environment, and architecture as a whole.
  • E2.1.54. System Entity. A system subject (user or process) or object.
  • E2.1.55. System Integrity. Quality of an IT system to perform its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
  • E2.1.56. System Security Authorization Agreement (SSAA). A formal agreement among the DAA(s), the CA, the IT system user representative, and the program manager. It is used throughout the entire DITSCAP to guide actions, document decisions, specify ITSEC requirements, document certification tailoring and level-of-effort, identify potential solutions, and maintain operational systems security.
  • E2.1.57. TEMPEST. Short name referring to investigation, study, and control of compromising emanations from IT equipment.
  • E2.1.58. Threat. Any circumstance or event with the potential to cause harm to an IT system in the form of destruction, disclosure, adverse modification of data, and/or denial of service.
  • E2.1.59. Threat Assessment. Formal description and evaluation of threat to an IT system.
  • E2.1.60. Trusted Computing Base (TCB). Totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination responsible for enforcing a security policy.
  • E2.1.61. User. Person or process authorized to access an IT system.
  • E2.1.62. User Representative. The individual or organization that represents the user or user community in the definition of information system requirements.
  • E2.1.63. Utility. An element of the DII providing information services to DoD users. Those services include Defense Information Systems Agency Mega-Centers, information processing, and wide-area network communications services.
  • E2.1.64. Validation. Determination of the correct implementation in the completed IT system with the security requirements and approach agreed on by the users, acquisition authority, and the DAA.
  • E2.1.65. Verification. The process of determining compliance of the evolving IT system specification, design, or code with the security requirements and approach agreed on by the users, acquisition authority, and the DAA.
  • E2.1.66. Vulnerability. Weakness in an information system, or cryptographic system, or components (e.g., system security procedures, hardware design, internal controls) that could be exploited.
  • E2.1.67. Vulnerability Assessment. Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
U.S. Army sealU.S. Marine Corps sealU.S. Navy sealU.S. Air Force sealU.S. Coast Guard sealdisalogo2.gif (35678 bytes)

Please feel free to contact us at
  ditscap @ regulatorypro . us *
 (spammers beware)

Last Updated: Thursday October 04, 2007

Website Design By WebFossil

Copyright © 2000-2007
DITSCAP.us & DITSCAP-US are Trademarks
All Rights Reserved Worldwide & Webwide
CLICK HERE FOR LEGAL NOTICE & TERMS AND CONDITIONS

 VERIFIED WEBSITE OPERATOR
 

* Sorry about the spaces in our email addresses - this is done to prevent SPAM harvesting - copy and paste then remove the spaces.