FedRAMP Master Acronym And Glossary


FedRAMP Master Acronym and Glossary
Version 1.6
07/23/2020
info@fedramp.gov
fedramp.gov

Master Acronyms and Glossary

DOCUMENT REVISION HISTORY

Date | Version | Page(s) | Description | Author
09/10/2015 | 1.0 | All | Initial issue | FedRAMP PMO
04/06/2016 | 1.1 | All | Addressed minor corrections throughout document | FedRAMP PMO
08/30/2016 | 1.2 | All | Added Glossary and additional acronyms from all FedRAMP templates and documents | FedRAMP PMO
04/06/2017 | 1.2 | Cover | Updated FedRAMP logo | FedRAMP PMO
11/10/2017 | 1.3 | All | Addressed minor corrections throughout document | FedRAMP PMO
11/20/2017 | 1.4 | All | Updated to latest FedRAMP template format | FedRAMP PMO
07/01/2019 | 1.5 | All | Updated Glossary and Acronyms list to reflect current FedRAMP template and document terminology | FedRAMP PMO
07/01/2020 | 1.6 | All | Updated to align with terminology found in current FedRAMP templates and documents | FedRAMP PMO

fedramp.gov page 1

TABLE OF CONTENTS

About This Document ... 1
Who Should Use This Document ... 1
How To Contact Us ... 1
Acronyms ... 1
Glossary ... 15

About This Document

This document provides a list of acronyms used in FedRAMP documents and templates, as well as a glossary. There is nothing to fill out in this document.

Who Should Use This Document

This document is intended to be used by individuals who use FedRAMP documents and templates.

How To Contact Us

Questions about FedRAMP, or this document, should be directed to info@fedramp.gov.

For more information about FedRAMP, visit the website at https://www.fedramp.gov.

Acronyms

Below is the master list of FedRAMP acronym definitions for all FedRAMP templates and documents. Please send suggestions about corrections, additions, or deletions to info@fedramp.gov.

Acronym: Definition

3PAO: Third Party Assessment Organization
A2LA: American Association of Laboratory Accreditation
AA: Annual Assessment

AAL: Authenticator Assurance Level
AC: Access Control (security control family)
ACL: Access Control List
AICPA: American Institute of Certified Public Accountants
AO: Authorizing Official
API: Application Programming Interface
APL: Approved Products List (DoD)
ASHRAE: American Society of Heating, Refrigerating and Air-conditioning Engineers
AT: Awareness and Training (security control family)
ATO: Authority to Operate
AU: Audit and Accountability (security control family)
BCP: Business Continuity Plan
BCR: Baltimore Cyber Range
BIA: Business Impact Analysis / Business Impact Assessment
BOD: Binding Operational Directive (DHS)
BPA: Blanket Purchase Agreement
C&A: Certification and Accreditation
CA: Security Assessment and Authorization (security control family)
CAC: Common Access Card
CAP: Corrective Action Plan
CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart
CCB: Change Control Board / Configuration Control Board
CDM: Continuous Diagnostics and Mitigation
CD-ROM: Compact Disc Read-Only Memory

CERT: Computer Emergency Readiness Team
CI: Configuration Item
CI/CD: Continuous Integration/Continuous Deployment
CIA: Confidentiality, Integrity, Availability
CIDR: Classless Inter-Domain Routing
CIM: Common Information Model
CIO: Chief Information Officer
CIOC: Chief Information Officer Council
CIRT: Computer Incident Response Team
CIS: Control Implementation Summary
CISO: Chief Information Security Officer
CLI: Command Line Interface
CM: Configuration Management (security control family)
CMMI: Capability Maturity Model Integration
CMP: Configuration Management Plan
CMVP: Cryptographic Module Validation Program
CO: Contracting Officer
CoLo: Co-Location
ConMon: Continuous Monitoring
CONOPS: Concept of Operations
CONUS: Continental/Contiguous United States
COOP: Continuity of Operations Plan
COR: Contracting Officer's Representative
COTS: Commercial Off-The-Shelf

CP: Contingency Planning (security control family)
CPC: Contingency Planning Coordinator
CPD: Contingency Planning Director
CR: Change Request
CRM: Customer Relationship Management
CSA: Cloud Security Alliance
CSIRC: Computer Security Incident Response Center
CSO: Cloud Service Offering
CSP: Cloud Service Provider
CSV: Comma Separated Values
CTO: Chief Technology Officer
CTW: Control Tailoring Workbook
CUI: Controlled Unclassified Information
CVE: Common Vulnerabilities and Exposures
CVSS: Common Vulnerability Scoring System
D&A: Document and Assess (LI-SaaS)
DAA: Designated Approving Authority
DAS: Direct Attached Storage
DDoS: Distributed Denial of Service
DFR: Detailed Finding Review
DHCP: Dynamic Host Configuration Protocol
DHS: Department of Homeland Security
DISA: Defense Information Systems Agency
DMZ: Demilitarized Zone

DNS: Domain Name System / Domain Name Server
DNSSEC: Domain Name System Security Extensions
DoD: Department of Defense
DoH: DNS over HTTPS
DoS: Denial of Service
DoT: DNS over TLS
DR: Deviation Request
DS: Database Scan
EA: Enterprise Architecture (OMB)
E-Authentication: Electronic Authentication
E-Discovery: Electronic Discovery
EC-Council: International Council of Electronic Commerce Consultants
ECSB: Enterprise Cloud Service Broker
ESI: Electronically Stored Information
FAL: Federation Assurance Level
FAQ: Frequently Asked Questions
FAR: Federal Acquisition Regulation
FDCCI: Federal Data Center Consolidation Initiative
FDIC: Federal Deposit Insurance Corporation
FED: Federal Government
FedRAMP: Federal Risk and Authorization Management Program
FFRDC: Federally Funded Research and Development Center
FICAM: Federal Identity, Credential, and Access Management
FIPS: Federal Information Processing Standards

FIPS PUB: Federal Information Processing Standard Publication
FISMA: Federal Information Security Management Act (2002)
FISMA: Federal Information Security Modernization Act (2014)
FOC: Final Operating Capability
FOIA: Freedom of Information Act
FP: False Positive
FPS: Federal Protective Service
FRA: Federal Records Act
FTP: File Transfer Protocol
GFI: Government Furnished Information
GIAC: Global Information Assurance Certification
GMT: Greenwich Mean Time
GSA: General Services Administration
GSS: General Support System
GUI: Graphical User Interface
HF: High Frequency
HIDS: Host Intrusion Detection System
HIPAA: Health Insurance Portability and Accountability Act
HIPS: Host Intrusion Prevention System
HRT: Hardware Recovery Team
HSM: Hardware Security Module
HSPD: Homeland Security Presidential Directive
HSTS: HTTP Strict Transport Security
HTTP: Hypertext Transfer Protocol

HW: Hardware
IA: Identification and Authentication (security control family)
IA: Independent Auditor / Assessor
IAA: Inter-Agency Agreement
IaaS: Infrastructure as a Service
IAL: Identity Assurance Level
IAO: Independent Assessment Organizations
IAP: Internet Access Points
IAW: In Accordance With
ID: Identification
IG: Inspector General
IOC: Initial Operating Capability
IP: Internet Protocol
IPv4: Internet Protocol version 4
IPv6: Internet Protocol version 6
IPSec: Internet Protocol Security
IPT: Integrated Product Team
IR: Incident Response (security control family)
IRP: Incident Response Plan
IS: Information System
ISA: Interconnection Security Agreement
ISCP: Information System Contingency Plan
iSCSI: Internet Small Computer System Interface
ISConMon: Information Security Continuous Monitoring

ISIMC: Information Security and Identity Management Committee
ISO/IEC: International Organization for Standardization / International Electrotechnical Commission
ISP: Internet Service Provider
ISPP: Information Security Policies and Procedures
ISSO: Information System Security Officer
IT: Information Technology
ITCP: IT Contingency Plan
IV&V: Independent Verification and Validation
IXP: Internet Exchange Point
JAB: Joint Authorization Board (FedRAMP)
JSON: JavaScript Object Notation
LAN: Local Area Network
LDAP: Lightweight Directory Access Protocol
LI-SaaS: Low Impact Software as a Service
LMS: Learning Management System
MA: Maintenance (security control family)
MAC: Media Access Control
MAX: MAX.gov (Secure Repository)
MFA: Multi-Factor Authentication
MOA: Memorandum of Agreement
MOU: Memorandum of Understanding
MP: Media Protection (security control family)
MSSP: Managed Security Service Provider
MT: Manual Test

MTIPS: Managed Trusted IP Service
N/A: Not Applicable
NARA: National Archives and Records Administration
NAS: Network Attached Storage
NAT: Network Address Translation
NDA: Non-Disclosure Agreement
NetBIOS: Network Basic Input/Output System
NFPA: National Fire Protection Association
NGO: Non-Governmental Organization
NIAP: National Information Assurance Partnership
NIS: Network Information Service
NISP: National Industrial Security Program
NIST: National Institute of Standards and Technology
NIST SP: NIST Special Publication
NNTP: Network News Transfer Protocol
NOC: Network Operations Center
NPPD: National Protection and Programs Directorate (DHS)
NSA: National Security Agency
NTP: Network Time Protocol
NTTAA: National Technology Transfer and Advancement Act
NVD: National Vulnerability Database
NVI: NAT Virtual Interface
ODAL: Outage and Damage Assessment Lead
OEP: Occupant Emergency Plan

OCSP: Online Certificate Status Protocol
OGC: Office of the General Counsel
OIG: Office of the Inspector General
OMB: Office of Management and Budget
OR: Operational Requirement
OS: Operating System
OSINT: Open Source Intelligence
OSCAL: Open Security Controls Assessment Language
OWASP: Open Web Application Security Project
P&P: Policies and Procedures
PA: Provisional Authorization
PaaS: Platform as a Service
P-ATO: Provisional Authority to Operate
PCI: Payment Card Industry (Data Security Standard)
PDF: Portable Document Format
PDS: Protective Distribution System
PE: Physical and Environmental Protection (security control family)
PHI: Protected Health Information
PIA: Privacy Impact Assessment
PII: Personally Identifiable Information
PIV: Personal Identity Verification
PKI: Public Key Infrastructure
PL: Planning (security control family)
PL: Public Law

PLC: Procurement and Logistics Coordinator
PM: Program Management
PMO: Program Management Office
POA&M: Plan of Action and Milestones
POC: Point of Contact
POSIX: Portable Operating System Interface
PS: Personnel Security (security control family)
PTA: Privacy Threshold Analysis
PTR: Penetration Test Report
PUB: Publication
QA: Quality Assurance
QC: Quality Control
QM: Quality Management
RA: Risk Assessment (security control family)
RA: Risk Adjustment
RAR: Readiness Assessment Report
RBAC: Role-Based Access Control
RFC: Request for Change
RFI: Request for Information
RFP: Request for Proposal
RFQ: Request for Quotation
RIP: Routing Information Protocol
RMF: Risk Management Framework
ROB: Rules of Behavior

ROE: Rules of Engagement
ROI: Return On Investment
RP: Relying Party
RTO: Recovery Time Objective
SA: System and Services Acquisition (security control family)
SaaS: Software as a Service
SAF: Security Assessment Framework
SAML: Security Assertion Markup Language
SAN: Storage Area Network
SAP: Security Assessment Plan
SAR: Security Assessment Report
SAS: Security Assessment Support
SC: System and Communications Protection (security control family)
SC: Security Coordinator
SCAP: Security Content Automation Protocol
SCR: Significant Change Request
SCSI: Small Computer System Interface
SD: Secure Digital
SDLC: System Development Life Cycle
SI: System and Information Integrity (security control family)
SIA: Security Impact Analysis
SIEM: Security Information and Event Management
SLA: Service Level Agreement
SME: Subject Matter Expert

SMS: Short Message Service
SMTP: Simple Mail Transfer Protocol
SO: System Owner
SOC: Security Operations Center
SOC: System and Organization Controls (AICPA)
SOP: Standard Operating Procedure
SORN: System of Records Notice
SP: Service Processor
SQL: Structured Query Language
SRT: Software Recovery Team
SSL: Secure Sockets Layer
SSO: Single Sign-On
SSP: System Security Plan
SDO: Standards Developing Organization
SW: Software
TAA: Trade Agreements Act
TCP: Transmission Control Protocol
TFTP: Trivial FTP
TIC: Trusted Internet Connection
TICAP: Trusted Internet Connection Access Providers
TLD: Top Level Domain
TLS: Transport Layer Security
TOS: Terms of Service
TP: Test Plan

TR: Technical Representative / Reviewer
TT: Telecommunications Team
TTS: Technology Transformation Services
UHF: Ultra-High Frequency
UDP: User Datagram Protocol
UPS: Uninterruptible Power Supply
US: United States
USGCB: United States Government Configuration Baseline
URL: Uniform Resource Locator
USB: Universal Serial Bus
USC: United States Code
US-CERT: United States Computer Emergency Readiness Team
UTC: Universal Time Coordinated
UUCP: Unix-to-Unix Copy Protocol
VD: Vendor Dependency
VHF: Very High Frequency
VLAN: Virtual Local Area Network
VM: Virtual Machine
VPN: Virtual Private Network
VoIP: Voice over Internet Protocol
WAN: Wide Area Network
XML: Extensible Markup Language

Glossary

Below is the master list of FedRAMP glossary terms for all FedRAMP templates. Please send suggestions about corrections, additions, or deletions to info@fedramp.gov.

Term: Meaning

Agency Authority to Operate: An authorization that is issued by a federal department, office, or agency.

Cloud Access: To make contact with or gain access to a cloud service.

Cloud Auditor: A party that can conduct independent assessment of cloud services, information system operations, and/or performance and security of the cloud implementation.

Cloud Broker: An entity that manages the use, performance, and delivery of cloud services and negotiates relationships between Cloud Providers and Cloud Consumers.

Cloud Carrier: The intermediary that provides connectivity and transport of cloud services between Cloud Service Providers and Cloud Consumers.

Cloud Consumer: Person or organization that maintains a business relationship with, and uses services from, Cloud Service Providers.

Cloud Distribution: The process of transporting cloud data between Cloud Service Providers and Cloud Consumers.

Cloud Provider: A person, organization or entity responsible for making a service available to service consumers.

Cloud Service Management: Includes all the service-related functions that are necessary for the management and operations of those services required by or proposed to customers.

Community Cloud: The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

Configured by Customer: A control where the customer needs to apply a configuration in order to meet the control requirement.

Container: A container consists of an entire runtime environment: an application, plus all its dependencies, libraries and other binaries, and configuration files needed to run it, bundled into one package.

CSA STAR Certification: The CSA STAR Certification is a third party independent assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001 management system standard together with the CSA Cloud Controls Matrix, a specified set of criteria that measures the capability levels of the cloud service.

Data Portability: The ability to transfer data from one system to another without being required to recreate or re-enter data descriptions or to modify significantly the application being transported.

Digital Authentication: The process of establishing confidence in user identities presented digitally to a system, which was previously referred to as Electronic Authentication.

FedRAMP Accelerated: A FedRAMP initiative to reduce the decision time for applications for a JAB P-ATO to six months. FedRAMP Accelerated is now the JAB Authorization Process. See FedRAMP Accelerated, A Case Study for Change Within Government.

FedRAMP Authorization Package: Authorization packages contain the body of evidence needed by authorizing officials to make risk-based decisions regarding the information systems providing cloud services. This includes, as a minimum, the System Security Plan (SSP) and its attachments, a Security Assessment Report (SAR), a Plan of Action and Milestones (POA&M) and a Continuous Monitoring Plan.

FedRAMP Connect: The process facilitated by the FedRAMP PMO by which CSPs are evaluated against the prioritization criteria and recommended to the JAB and CIO Council to work toward a JAB P-ATO.

FedRAMP In-Process: FedRAMP In-Process is a designation provided to CSPs that are actively working toward a FedRAMP Authorization with either the JAB or a federal agency.

FedRAMP P-ATO: A FedRAMP Provisional Authority to Operate is an initial statement of risk and approval of an authorization package by the JAB, pending the issuance of a final Authority to Operate by the executive department or agency acquiring the cloud service.

FedRAMP Ready: FedRAMP Ready is a designation which is intended to demonstrate a CSP's ability to complete the full FedRAMP authorization process. It is a mandatory step in pursuing a JAB P-ATO authorization and is optional for those pursuing an Agency-based FedRAMP Authorization. To be listed as FedRAMP Ready, CSPs work with a 3PAO to submit a Readiness Assessment Report (RAR) which must be reviewed and approved by the FedRAMP PMO.

FedRAMP Tailored: For Low Impact Software as a Service (LI-SaaS);

Federal Information Processing Standards (FIPS): Under the Information Technology Management Reform Act (Public Law 104-106), the Secretary of Commerce approves the standards and guidelines that the National Institute of Standards and Technology (NIST) develops for federal computer systems. NIST issues these standards and guidelines as Federal Information Processing Standards (FIPS) for governmentwide use. NIST develops FIPS when there are compelling federal government requirements, such as for security and interoperability, and there are no acceptable industry standards or solutions. FIPS documents are available online on the FIPS home page: http://www.nist.gov/itl/fips.cfm.

Fixed Endpoints: A physical device, fixed in its location, which provides a man/machine interface to cloud services and applications. A fixed endpoint typically uses one method and protocol to connect to cloud services and applications.

Government Only Cloud: A cloud deployment model (see SSP Table 8-2). The cloud services and infrastructure are shared by several organizations/agencies with the same policy and compliance considerations.

Hybrid Cloud: A cloud deployment model (see SSP Table 8-2). The cloud services and infrastructure are a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

Information Security Management System (ISMS): A framework of policies and procedures that includes all legal, physical, and technical controls involved in an organization's information risk management processes.

Infrastructure as a Service (IaaS): The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

Inherited from Pre-existing Authorization: A control that is inherited from another CSP that has already received an Authorization.

Interoperability: The capability to communicate, to execute programs, or to transfer data among various functional units under specified conditions.

ISO 27001: A specification for an information security management system (ISMS).

Joint Authorization Board (JAB): Consists of the DOD, GSA, and DHS CIOs.

Joint Authorization Board (JAB) Provisional Authorit
