NSTISS                         NATIONAL MANAGER
NATIONAL SECURITY                                    5 June 1992


    l.  National Security Telecommunications and Information
Systems Security Instruction (NSTISSI) No. 4009, "National
Information Systems Security (INFOSEC) Glossary," provides
standard definitions for many of the specialized terms relating
to the disciplines of communications security (COMSEC) and
automated information systems security (AISS), sometimes
referred to as computer security (COMPUSEC).  In general,
communications and data management terms that do not relate
closely to telecommunications and automated information systems
security are outside the scope of this document and are not

    2.  The definitions contained in this glossary are
prescriptive for all elements of the U.S. Government and for its
contractors with respect to national security systems.

    3.  This document is divided into three sections:  Section I
contains terms and definitions, Section II is a list of commonly
used abbreviations and acronym expansions, and Section III
contains applicable references.  In the definitions section,
explanatory information is presented in notes following the
definitions with which they are associated.  Such notes are not
part of the definitions to which they relate.

    4.  This document supersedes NCSC-9, "National
Communications Security (COMSEC) Glossary," dated l September

    5.  Representatives of the National Security
Telecommunications and Information Systems Security Committee
may obtain additional copies of this instruction from:

        Executive Secretariat
        National Security Telecommunications and
        Information Systems Security Committee (NSTISSC)
        National Security Agency
        Fort George G. Meade, MD  20755-6000

    6.  U.S. Government contractors are to contact their appropriate
government agency or Contracting Officer Representative regarding 
distribution of this document.

    7.  Readers are encuraged to review this glossary and suggest
additions, deletions, or changes at any time.  Recommendations for
revising the document may be sent to the Executive Secretariat at the
above address, via the appropriate NSTISSC representative.

                              J. M. McConnell
			Vice Admiral, U.S. Navy
                                              NSTISSI No. 4009

                                   SECTION I
                             TERMS AND DEFINITIONS


access                      (COMSEC) Capability and opportunity to
                            gain knowledge of or to alter information
                            or material.

                            (AIS)  Ability and means to communicate
                            with (i.e. input to or receive output
                            from), or otherwise make use of any
                            information, resource, or component in an

                            NOTE:  An individual does not have
                            "access~ if the proper authority or a
                            physical, technical, or procedural
                            measure prevents them from obtaining
                            knowledge or having an opportunity to
                            alter information, material, resources,
                            or components.

access control              Process of limiting access to the
                            resources of an AIS only to authorized
                            users, programs, processes, or other

access control list         Mechanism implementing discretionary
                            access control in an AIS that identifies
                            the users who may access an object and
                            the type of access to the object that a
                            user is permitted.

access control mechanism    Security safeguards designed to detect
                            and prevent unauthorized access, and to
                            permit authorized access in an AIS.
                                        NSTISSI No. 4009

access level                Hierarchical portion of the security
                            level used to identify the sensitivity of
                            AIS data and the clearance or
                            authorization of users.

                            NOTE:  Access level, in conjunction with
                            the non-hierarchical categories, forms
                            the sensitivity label of an object.  See

access list                 (COMSEC) Roster of persons authorized
                            admittance to a controlled area.

                            (AIS)  Compilation of users, programs,
                            and/or processes and the access levels
                            and types to which each is authorized.

access period               Segment of time, generally expressed in
                            days or weeks, during which access rights

access port                 Logical or physical identifier a computer
                            uses to distinguish different terminal
                            input/output data streams or the physical
                            connection for attaching an external

access type                 Privilege to perform an action on a
                            program or file.

                            NOTE:  Read, write, execute, append,
                            modify, delete, and create are examples
                            of access types.

accessible space            Area within which the user is aware of
                            all persons entering and leaving, which
                            denies the opportunity for concealed
                            TEMPEST surveillance, and which
                            delineates the closest point of potential
                            tempest intercept from a vehicle.

accountability              (COMSEC)  Principle that an individual is
                            responsible for safeguarding and
                            controlling of COMSEC equipment, keying
                            material, and information entrusted to
                            his/her care and is answerable to proper
                            authority for the loss or misuse of that
                            equipment or information.

                                                    NSTISSI No. 4009

accountability              (AIS)  Property that allows auditing of
                            activities on an AIS to be traced to
                            persons who may then be held responsible
                            for their actions.

accounting legend           Numeric code used to indicate the
  code                      minimum accounting controls required for
                            items of accountable COMSEC material
                            within the COMSEC Material Control

                            NOTE:  National-level accounting legend
                            codes are:

                            ALC-l - continuously accountable by
                            serial number.

                            ALC-2 - continuously accountable by

                            ALC-4 - report of initial receipt
                            required.  After acknowledging receipt,
                            users may control in accordance with
                            Service, department, or agency

accounting number           Number assigned to an item of COMSEC
                            material to facilitate its control.

accreditation               Formal declaration by a designated
                            approving authority that an AIS is
                            approved to operate in a particular
                            security mode using a prescribed set of

accreditation authority     Synonymous with designated approving

add-on security             Incorporation of new hardware, software,
                            or firmware safeguards in an operational

adversary                   Person or organization that must be
                            denied access to critical information.

                                              NSTISSI No. 4009

alternate COMSEC            Person designated by proper authority to
  custodian                 perform the duties of the COMSEC
                            custodian during the temporary absence of
                            the COMSEC custodian.

anti-jam                    Measures to ensure that intended
                            transmitted information can be received
                            despite deliberate jamming attempts.

anti-spoof                  Measures to prevent an opponent's
                            participation in a telecommunications
                            network or operation/control of a
                            cryptographic or COMSEC system.

assembly                    Group of parts, elements, subassemblies,
                            or circuits that are removable items of
                            COMSEC equipment.

assurance                   Measure of confidence that the security
                            features and architecture of an AIS
                            accurately mediate and enforce the
                            security policy.

attack                      Act of trying to defeat AIS safeguards.

audit                       Independent review and examination of
                            records and activities to assess the
                            adequacy of system controls, to ensure
                            compliance with established policies and
                            operational procedures, and to recommend
                            necessary changes in controls, policies,
                            or procedures.

audit trail                 Chronological record of system activities
                            to enable the reconstruction and
                            examination of the sequence of events
                            and/or changes in an event.

                            NOTE:  Audit trail may apple to
                            information in an AIS, to message routing
                            in a communications system, or to the
                            transfer of COMSEC material.

                                              NSTISSI No. 4009

authenticate                Verify the identity of a user, user
                            device, or other entity, or the integrity
                            of data stored, transmitted, or otherwise
                            exposed to unauthorized modification in
                            an automated information system, or
                            establish the validity of a transmitted

authentication              Security measure designed to establish
                            the validity of a transmission, message,
                            or originator, or a means of verifying an
                            individual's eligibility to receive
                            specific categories of information.

authentication system       Cryptosystem or process used for

authenticator               Means used to confirm the identity or
                            eligibility of a station, originator, or

authorization               Access rights granted to a user, program,
                            or process.

authorized vendor           Manufacturer of existing COMSEC equipment
                            who is authorized to produce quantities
                            in excess of contractual requirements for
                            direct sale to eligible buyers.

Authorized Vendor           Program in which a vendor, producing a
  Program                   COMSEC product under contract to the
                            National Security Agency, is authorized
                            to produce that product in numbers
                            exceeding the contracted requirements for
                            direct marketing and sale to eligible

                            NOTE:  Eligible buyers are typically U.S.
                            Government organizations or U.S.
                            Government contractors.  Products
                            approved for marketing and sale through
                            the Authorized Vendor Program are placed
                            on the Endorsed Cryptographic Products

                                              NSTISSI No. 4009

auto-manual system          Programmable, hand-held crypto-equipment
                            used to perform encoding and decoding

automated information       Any equipment or interconnected system
  systems                   or subsystems of equipment that is used
                            in the automatic acquisition, storage,
                            manipulation, management, movement,
                            control, display, switching, interchange,
                            transmission or reception of data and
                            includes computer software, firmware, and

                            NOTE:  Included are computers, word
                            processing systems, networks, or other
                            electronic information handling systems,
                            and associated equipment.

automated information       Synonymous with computer security.
  systems security

automated security          Use of automated procedures to ensure
  monitoring                security controls for an AIS are not

automatic remote            Procedure to rekey a distant crypto-
  rekeying                  equipment electronically without specific
                            actions by the receiving terminal

availability of data        Data that is in the place, at the time,
                            and in the form needed by the user.

                                              NSTISSI No. 4009


backdoor                    Synonymous with trap door.

Bell-La Padula              Formal-state transition model of a
security model              computer security policy that describes a
                            formal set of access controls based on
                            information sensitivity and subject
                            authorizations.  (See star (*) property
                            and simple security property.)

benign                      Condition of cryptographic data such that
                            it cannot be compromised by human access
                            to the data.

                            NOTE:  The term benign may be used to
                            modify a variety of COMSEC-related terms,
                            (e.g., key, data, storage, fill, and key
                            distribution techniques).

benign environment          Nonhostile environment that may be
                            protected from external hostile elements
                            by physical, personnel, and procedural
                            security countermeasures.

beyond Al                   Level of trust employed by the DoD
                            Trusted Computer System Evaluation
                            Criteria that was beyond the state-of-
                            the-art technology at the time the
                            criteria was developed.

                            NOTE:  As defined in the "Orange Book,"
                            beyond Al includes all the Al-level
                            features, plus others not required at the
                            Al level.

binding                     Process of associating a specific
                            communications terminal with a specific
                            cryptographic key or associating two
                            related elements of information.

bit error rate              Ratio between the number of bits
                            incorrectly received and the total number
                            of bits transmitted in a
                            telecommunications system.

                                              NSTISSI No. 4009

BLACK                       Designation applied to telecommunications
                            and automated information systems, and to
                            associated areas, circuits, components,
                            and equipment, in which only unclassified
                            signals are processed.

                            NOTE:  Encrypted signals are

BLACK key                   Encrypted key.  (See RED key.)

brevity list                List containing words and phrases used to
                            shorten messages.

browsing                    Act of searching through AIS storage to
                            locate or acquire information, without
                            necessarily knowing the existence or
                            format of information being sought.

bulk encryption             Simultaneous encryption of all channels
                            of a multichannel telecommunications

                                               NSTISSI No. 4009


call back                   Procedure for identifying a remote AIS
                            terminal, whereby the host system
                            disconnects the caller and then dials the
                            authorized telephone number of the remote
                            terminal to re-establish the connection.

call sign cipher            Cryptosystem used to encipher/decipher
                            call signs, address groups, and address
                            indicating groups.

canister                    Type of protective package used to
                            contain and dispense key in punched or
                            printed tape form.

capability                  Unforgeable ticket that provides
                            incontestable proof that the presenter is
                            authorized access to the object named in
                            the ticket.

capability-based            AIS in which access to protected objects
  system                    is granted if the subject possesses a
                            capability for the object.

category                    Restrictive label that has been applied
                            to both classified and unclassified data,
                            thereby increasing the requirement for
                            protection of, and restricting the access
                            to, the data.

                            NOTE:  Examples include sensitive
                            compartmented information, proprietary
                            information, and North Atlantic Treaty
                            Organization information.  Individuals
                            are granted access to special category
                            information only after being granted
                            formal access authorization.

CCI assembly                Device embodying a cryptographic logic or
                            other COMSEC design that the National
                            Security Agency has approved as a
                            controlled cryptographic item and
                            performs the entire COMSEC function, but
                            is dependent upon the host equipment to

                                              NSTISSI No. 4009

CCI component               Device embodying a cryptographic logic or
                            other COMSEC design, which the National
                            Security Agency has approved as a
                            controlled cryptographic item, that does
                            not perform the entire COMSEC function
                            and is dependent upon the host equipment
                            or assembly to complete and operate the
                            COMSEC function.

CCI equipment               Telecommunications or information
                            handling equipment that embodies a
                            controlled cryptographic item component
                            or controlled cryptographic item assembly
                            and performs the entire COMSEC function
                            without dependence on a host equipment to

central office of           Office of a federal department or agency
  record                    that keeps records of accountable COMSEC
                            material held by elements subject to its

certificate of action       Statement attached to a COMSEC audit
  statement                 report by which a COMSEC custodian
                            certifies that all actions have been

certification               Comprehensive evaluation of the technical
                            and nontechnical security features of an
                            AIS and other safeguards, made in support
                            of the accreditation process, to
                            establish the extent to which a
                            particular design and implementation
                            meets a set of specified security

certified TEMPEST           U.S. Government or U.S. Government
  technical authority       contractor employee designated to review
                            the TEMPEST countermeasures programs of a
                            federal department or agency.

challenge and reply         Prearranged procedure in which
  authentication            one communicator requests authentication
                            of another and the latter establishes
                            his/her validity with a correct reply.

                                               NSTISSI No. 4009

checksum                    Value computed, via some parity or
                            hashing algorithm, on information
                            requiring protection against error or

                            NOTE:  Checksums are stored or
                            transmitted with data and are intended to
                            detect data integrity problems.

check word                  Cipher text generated by a cryptographic
                            logic to detect failures in the

cipher                      Cryptographic system in which units of
                            plain text are substituted according to a
                            predetermined key.

cipher text                 Enciphered information.

cipher text auto-key        Cryptographic logic which uses previous
                            cipher text to generate a key stream.

ciphony                     Process of enciphering audio information,
                            resulting in encrypted speech.

classified information      National security information that has
                            been classified pursuant to Executive
                            Order 12356.

clearing                    Removal of data from an AIS, its storage
                            devices, and other peripheral devices
                            with storage capacity, in such a way that
                            the data may not be reconstructed using
                            normal system capabilities (i.e., through
                            the keyboard).

                            NOTE:  An AIS need not be disconnected
                            from any external network before clearing
                            takes place.  Clearing enables a product
                            to be reused within, but not outside of,
                            a secure facility.  It does not produce a
                            declassified product by itself, but may
                            be the first step in the declassification
                            process.  See purge.

                                              NSTISSI No. 4009

closed security             Environment that provides sufficient
  environment               assurance that applications and equipment
                            are protected against the introduction of
                            malicious logic prior to or during the
                            operation of a system.

                            NOTE:  Closed security is predicated upon
                            a system's developers, operators, and
                            maintenance personnel having sufficient
                            clearances, authorization, and
                            configuration control.

code                        System of communication in which
                            arbitrary groups of letters, numbers, or
                            symbols represent units of plain text of
                            varying length.

                            NOTE:  Codes may or may not provide
                            security.  Common uses include:  (a)
                            converting information into a form
                            suitable for communications or
                            encryption, (b) reducing the length of
                            time required to transmit information,
                            (c) describing the instructions which
                            control the operation of a computer, and
                            (d) converting plain text to meaningless
                            combinations of letters or numbers and
                            vice versa.

code book                   Book or other document containing plain
                            text and code equivalents in a systematic
                            arrangement, or a technique of machine
                            encryption using a word substitution

code group                  Group of letters, numbers, or both in a
                            code system used to represent a plain
                            text word, phrase, or sentence.

code vocabulary             Set of plain text words, numerals,
                            phrases, or sentences for which code
                            equivalents are assigned in a code

cold start                  Procedure for initially keying crypto-

                                              NSTISSI No. 4009

command authority           Individual responsible for the
                            appointment of user representatives for a
                            department, agency, or organization and
                            their key ordering privileges.

Commercial COMSEC           Relationship between the National
  Endorsement Program       Security Agency and industry, in which
                            the National Security Agency provides the
                            COMSEC expertise (i.e., standards,
                            algorithms, evaluations, and guidance)
                            and industry provides design,
                            development, and production capabilities
                            to produce a type l or type 2 product.

                            NOTE:  Products developed under the
                            Commercial COMSEC Endorsement Program may
                            include modules, subsystems, equipment,
                            systems, and ancillary devices.

common fill device          One of a family of devices developed to
                            read-in, transfer, or store key.
                            NOTE:  KYK-l3 Electronic Transfer Device,
                            KYX-l5 Net Control Device, and KOI-l8
                            General Purpose Tape Reader are examples
                            of common fill devices.

communications cover        Concealing or altering of characteristic
                            communications patterns to hide
                            information that could be of value to an

communications              Deliberate transmission, retransmission,
  deception                 or alteration of communications to
                            mislead an adversary's interpretation of
                            the communications.  (See imitative
                            communications deception and manipulative
                            communications deception.)

                                              NSTISSI No. 4009

communications              Analytic model of communications
 profile                    associated with an organization or

                            NOTE:  The model is prepared from a
                            systematic examination of communications
                            content and patterns, the functions they
                            reflect, and the communications security
                            measures applied.

communications              Measures and controls taken to deny
  security                  unauthorized persons information derived
                            from telecommunications and ensure the
                            authenticity of such telecommunications.

                            NOTE:  Communications security includes
                            cryptosecurity, transmission security,
                            emission security, and physical security
                            of COMSEC material.

compartmented mode          AIS security mode of operation wherein
                            each user with direct or indirect access
                            to the system, its peripherals, remote
                            terminals, or remote hosts has all of the

                            a.  Valid security clearance for the most
                            restricted information processed in the

                            b.  Formal access approval and signed
                            non-disclosure agreements for that
                            information to which a user is to have

                            c.  Valid need-to-know for information to
                            which a user is to have access.

                                              NSTISSI No. 4009

compromise                  Disclosure of information or data to
                            unauthorized persons, or a violation of
                            the security policy of a system in which
                            unauthorized intentional or unintentional
                            disclosure, modification, destruction, or
                            loss of an object may have occurred.

compromising                Unintentional signals that, if
  emanations                intercepted and analyzed, would disclose
                            the information transmitted, received,
                            handled, or otherwise processed by
                            telecommunications or automated
                            information systems equipment.  (See

computer abuse              Intentional or reckless misuse,
                            alteration, disruption, or destruction of
                            data processing resources.

computer                    Use of a crypto-algorithm program
  cryptography              stored in software or firmware, by a
                            general purpose computer to authenticate
                            or encrypt/decrypt data for storage or

computer security           Measures and controls that ensure
                            confidentiality, integrity, and
                            availability of the information processed
                            and stored by a computer.

computer security           Any event in which a computer system is
  incident                  attacked, intruded into, or threatened
                            with an attack or intrusion.

computer security           Device designed to provide limited
  subsystem                 computer security features in a larger
                            system environment.

Computer Security           Program that focuses on technical
  Technical                 vulnerabilities in commercially
  Vulnerability             available hardware, firmware and
  Reporting Program         software products acquired by DoD.

                            NOTE:  The Computer Security Technical
                            Vulnerability Reporting Program provides
                            for reporting, cataloging, and discrete
                            dissemination of technical vulnerability
                            and corrective-measure information on a
                            need-to-know basis.

                                              NSTISSI No. 4009

COMSEC account              Administrative entity, identified by an
                            account number, used to maintain
                            accountability, custody and control of
                            COMSEC material.

COMSEC account audit        Examination of the holdings, records, and
                            procedures of a COMSEC account to ensure
                            that all accountable COMSEC material is
                            properly handled and safeguarded.

COMSEC aid                  COMSEC material, other than an equipment
                            or device, that assists in securing
                            telecommunications and which is required
                            in the production, operation, or
                            maintenance of COMSEC systems and their

                            NOTE:  COMSEC keying material, callsign/
                            frequency systems, and supporting
                            documentation, such as operating and
                            maintenance manuals, are examples of
                            COMSEC aids.

COMSEC boundary             Definable perimeter within a
                            telecommunications equipment or system
                            within which all hardware, firmware, and
                            software components that perform critical
                            COMSEC functions are located.

                            NOTE:  Key generation and key handling
                            and storage are critical COMSEC

COMSEC chip set             Collection of National Security Agency
                            approved microchips furnished to a
                            manufacturer to secure or protect
                            telecommunications equipment.  (See
                            secure communications and protected

                                              NSTISSI No. 4009

COMSEC control              Set of instructions or routines for
  program                   a computer that controls or affects the
                            externally performed functions of key
                            generation, key distribution, message
                            encryption/decryption, or authentication.

COMSEC custodian            Person designated by proper authority to
                            be responsible for the receipt, transfer,
                            accounting, safeguarding and destruction
                            of COMSEC material assigned to a COMSEC

                            NOTE:  The term COMSEC manager is
                            replacing the term COMSEC custodian.
                            These terms are not synonymous, since the
                            responsibilities of the COMSEC manager
                            extend beyond the functions required for
                            effective operation of a COMSEC account.

COMSEC end item             Equipment or combination of components
                            ready for its intended use in a COMSEC

COMSEC equipment            Equipment designed to provide security to
                            telecommunications by converting
                            information to a form unintelligible to
                            an unauthorized interceptor and,
                            subsequently, by reconverting such
                            information to its original form for
                            authorized recipients; also, equipment
                            designed specifically to aid in, or as an
                            essential element of, the conversion

                            NOTE:  COMSEC equipment includes crypto-
                            equipment, crypto-ancillary equipment,
                            cryptoproduction equipment, and
                            authentication equipment.

COMSEC facility             Space employed primarily for the purpose
                            of generating, storing, repairing, or
                            using COMSEC material.

COMSEC incident             Occurrence that potentially jeopardizes
                            the security of COMSEC material or the
                            secure electrical transmission of
                            national security information.

                                              NSTISSI No. 4009

COMSEC insecurity           COMSEC incident that has been
                            investigated, evaluated, and determined
                            to jeopardize the security of COMSEC
                            material or the secure transmission of

COMSEC manager              Person who manages the COMSEC resources
                            of a command or activity.  (See the note
                            following the definition for COMSEC

COMSEC material             Item designed to secure or authenticate

                            NOTE:  COMSEC material includes, but is
                            not limited to, key, equipment, devices,
                            documents, firmware or software that
                            embodies or describes cryptographic logic
                            and other items that perform COMSEC

COMSEC Material             Logistics and accounting system
  Control System            through which COMSEC material
                            marked "CRYPTO" is distributed,
                            controlled, and safeguarded.

                            NOTE:  Included are the COMSEC central
                            offices of record, cryptologistic depots,
                            and COMSEC accounts.  COMSEC material
                            other than key may be handled through the
                            COMSEC Material Control System.

COMSEC modification         Electrical, mechanical, or software
                            change to a National Security Agency
                            approved COMSEC end item.

                            NOTE:  Categories of COMSEC modifications
                            are: mandatory, optional, special
                            mission mandatory, special mission
                            optional, human safety mandatory, and
                            repair actions.

COMSEC module               Removable component that performs COMSEC
                            functions in a telecommunications
                            equipment or system.

                                              NSTISSI No. 4009

COMSEC monitoring           Act of listening to, copying, or
                            recording transmissions of one's own
                            official telecommunications to provide
                            material for analysis, so that the degree
                            of security being provided to those
                            transmissions may be determined.

COMSEC profile              Statement of the COMSEC measures and
                            materials used to protect a given
                            operation, system, or organization.

COMSEC survey               Organized collection of COMSEC and
                            communications data relative to a given
                            operation, system, or organization.

COMSEC system data          Information required by a COMSEC
                            equipment or system to enable it to
                            properly handle and control key.

COMSEC training             Teaching of hands-on skills relating to
                            COMSEC accounting, the use of COMSEC
                            aids, or the installation, use,
                            maintenance, and repair of COMSEC

confidentiality             Assurance that information is not
                            disclosed to unauthorized entities or

configuration control       Process of controlling modifications to a
                            telecommunications or automated
                            information systems hardware, firmware,
                            software, and documentation to ensure the
                            system is protected against improper
                            modifications prior to, during, and after
                            system implementation.

configuration management    Management of security features and
                            assurances through control of changes
                            made to hardware, software, firmware,
                            documentation, test, test fixtures and
                            test documentation of an automated
                            information system, throughout the
                            development and operational life of a

confinement property        Synonymous with star (*) property.

                                              NSTISSI No. 4009

contingency key             Key held for use under specific
                            operational conditions or in support of
                            specific contingency plans.

contingency plan            Plan maintained for emergency response,
                            backup operations, and post-disaster
                            recovery for an AIS, as a part of its
                            security program, that will ensure the
                            availability of critical resources and
                            facilitate the continuity of operations
                            in an emergency situation.

controlled access           Log-in procedures, audit of security
  protection                relevant events, and resource isolation
                            as prescribed for class C2 in the Orange

controlled                  Secure telecommunications or information
  cryptographic item        handling equipment, or associated
                            cryptographic component, that is
                            unclassified but governed by a special
                            set of control requirements.

                            NOTE:  Such items are marked "CONTROLLED
                            CRYPT0GRAPHIC ITEM" or, where space is
                            limited, "CCI."

controlled sharing          Condition which exists when access
                            control is applied to all users and
                            components of an AIS.

controlled space            Three-dimensional space surrounding
                            telecommunications and automated
                            information systems equipment, within
                            which unauthorized persons are denied
                            unrestricted access and are either
                            escorted by authorized persons or are
                            under continuous physical or electronic

controlling                 Official responsible for directing
  authority                 the operation of a cryptonet and for
                            managing the operational use and control
                            of keying material assigned to the

                                              NSTISSI No. 4009

cooperative key             Electronically exchanging functions of
  generation                locally generated, random components,
                            from which both terminals of a secure
                            circuit construct traffic encryption key
                            or key encryption key for use on that

cooperative remote          Synonymous with manual remote
  rekeying                  rekeying.

cost-benefit analysis       Assessment of the costs of providing
                            protection or security to a
                            telecommunications or AIS versus risk and
                            cost associated with asset loss or

countermeasure              Action, device, procedure, technique, or
                            other measure that reduces the
                            vulnerability of an AIS.

covert channel              Unintended and/or unauthorized
                            communications path that can be used to
                            transfer information in a manner that
                            violates an AIS security policy.  (See
                            overt channel and exploitable channel.)

covert storage              Covert channel that involves the
  channel                   direct or indirect writing to a storage
                            location by one process and the direct or
                            indirect reading of the storage location
                            by another process.

                            NOTE:  Covert storage channels typically
                            involve a finite resource (e.g., sectors
                            on a disk) that is shared by two subjects
                            at different security levels.

covert timing               Covert channel in which one
  channel                   process signals information to another
                            process by modulating its own use of
                            system resources (e.g., central
                            processing unit time) in such a way that
                            this manipulation affects the real
                            response time observed by the second

                                              NSTISSI No. 4009

credentials                 Information passed from one entity to
                            another, that is used to establish the
                            sending entity's access rights.

cryptanalysis               Operations performed in converting
                            encryped messages to plain text without
                            initial knowledge of the crypto-algorithm
                            and/or key employed in the encryption.

CRYPTO                      Marking or designator identifying COMSEC
                            keying material used to secure or 
                            authenticate telecommunication carrying 
                            classified or sensitive U.S. Government
                            or U.S. Government-derived information.

                            NOTE: When written in all upper case
                            letters, CRYPTO has the meaning stated
                            above. When written in lower case as a 
                            prefix, crypto and crypt are
                            abreviations for cryptographic.

crypto-alarm                Circuit or device which detects failures
                            or aberrations in the logic or operation
                            of crypto-equipment.

                            NOTE:  Crypto-alarm may inhibit
                            transmission or may provide a visible
                            and/or audible alarm.

crypto-algorithm            well-defined procedure or sequence of
                            rules or steps used to produce cipher
                            text from plain text and vice versa.

crypto-ancillary            Equipment designed specifically to
  equipment                 facilitate efficient or reliable
                            operation of crypto-equipment, but that
                            does not perform cryptographic functions

crypto-equipment            Equipment that embodies a cryptographic

cryptographic               Pertaining to, or concerned with,

                                              NSTISSI No. 4009

cryptographic               Hardware or firmware embodiment of the
  component                 cryptographic logic.

                            NOTE:  Cryptographic component may be a
                            modular assembly, a printed wiring
                            assembly, a microcircuit, or a
                            combination of these items.

cryptographic               Function used to set the state of
  initialization            a cryptographic logic prior to key
                            generation, encryption, or other
                            operating mode.

cryptographic logic         Well-defined procedure or sequence of
                            rules or steps used to produce cipher
                            text from plain text, and vice versa, or
                            to produce a key stream, plus delays,
                            alarms, and checks which are essential to
                            effective performance of the
                            cryptographic process.  (See crypto-

cryptographic               Function which randomly determines the
  randomization             transmit state of a cryptographic logic.

cryptography                Principles, means, and methods for
                            rendering plain information
                            unintelligible and for restoring
                            encrypted information to intelligible

crypto-ignition key         Device or electronic key used to unlock
                            the secure mode of crypto-equipment.

cryptonet                   Stations that hold a specific key for

                            NOTE:  Activities that hold key for other
                            than use, such as cryptologistic depots,
                            are not cryptonet members for that key.
                            Controlling authorities are defacto
                            members of the cryptonets they control.

                                              NSTISSI No. 4009

cryptoperiod                Time span during which each key setting
                            remains in effect.

cryptosecurity              Component of communications security that
                            results from the provision of technically
                            sound cryptosystems and their proper use.

cryptosynchronization       Process by which a receiving decrypting
                            cryptographic logic attains the same
                            internal state as the transmitting
                            encrypting logic.

cryptosystem                Associated COMSEC items interacting to
                            provide a single means of encryption or

cryptosystem                Process of establishing the
  assessment                exploitability of a cryptosystem,
                            normally by reviewing transmitted traffic
                            protected or secured by the system under

cryptosystem                Process of determining vulnerabilities
  evaluation                of a cryptosystem.

cryptosystem review         Examination of a cryptosystem by the
                            controlling authority to ensure its
                            adequacy of design and content, continued
                            need, and proper distribution.

cryptosystem survey         Management technique in which actual
                            holders of a cryptosystem express
                            opinions on the system's suitability and
                            provide usage information for technical

                                              NSTISSI No. 4009


data encryption             Cryptographic algorithm, designed for
  standard                  the protection of unclassified data and
                            published by the National Institute of
                            Standards and Technology in Federal
                            Information Processing Standard
                            Publication 46.

data flow control           Synonymous with information flow control.

data integrity              Condition that exists when data is
                            unchanged from its source and has not
                            been accidentally or maliciously
                            modified, altered, or destroyed.

data origin                 Corroboration that the source of data is
  authentication            as claimed.

data security               Protection of data from unauthorized
                            (accidental or intentional) modification,
                            destruction, or disclosure.

decertification             Revocation of the certification of an AIS
                            item or equipment for cause.

decipher                    Convert enciphered text to the equivalent
                            plain text by means of a cipher system.

decode                      Convert encoded text to its equivalent
                            plain text by means of a code.

decrypt                     Generic term encompassing decode and

dedicated mode              AIS security mode of operation wherein
                            each user, with direct or indirect access
                            to the system, its peripherals, remote
                            terminals, or remote hosts, has all of
                            the following:

                            a.  Valid security clearance for all
                            information within the system.

                                              NSTISSI No. 4009

                            b.  Formal access approval and signed
                            non-disclosure agreements for all the
                            information stored and/or processed
                            (including all compartments,
                            subcompartments, and/or special access

                            c.  Valid need-to-know for all
                            information contained within the AIS.

                            NOTE:  When in the dedicated security
                            mode, a system is specifically and
                            exclusively dedicated to and controlled
                            for the processing of one particular type
                            or classification of information, either
                            for full-time operation or for a
                            specified period of time.

default classification      Temporary classification reflecting the
                            highest classification being processed in
                            an AIS.

                            NOTE:  Default classification is included
                            in the caution statement affixed to the

degauss                     Destroy information contained in magnetic
                            media by subjecting that media to high-
                            intensity alternating magnetic fields,
                            following which the magnetic fields
                            slowly decrease.

delegated development       Information systems security program
  program                   in which the Director, National Security
                            Agency, delegates the development and/or
                            production of the entire telecommunica-
                            tions product, including the information
                            systems security portion, to a lead
                            department or agency.

denial of service           Result of any action or series of actions
                            that prevents any part of a
                            telecommunications or AIS from

                                              NSTISSI No. 4009

descriptive top-level       Top-level specification that is
  specification             written in a natural language (e.g.,
                            English), an informal design notation, or
                            a combination of the two.
                            NOTE:  Descriptive top-level
                            specification, required for a class B2
                            and B3 AIS, completely and accurately
                            describes a trusted computing base.
                            See formal top-level specification.

designated approving        Official with the authority to formally
  authority                 assume responsibility for operating an
                            AIS or network at an acceptable level of

design controlled           Part or subassembly for a COMSEC
  spare part                equipment or device with a National
                            Security Agency controlled design.

dial back                   Synonymous with call back.

digital signature           Synonymous with electronic signature.

direct shipment             Shipment of COMSEC material directly from
                            the National Security Agency to user
                            COMSEC accounts.

discretionary access        Means of restricting access to
  control                   objects based on the identity and need-
                            to-know of users and/or groups to which
                            the object belongs.

                            NOTE:  Controls are discretionary in the
                            sense that a subject with a certain
                            access permission is capable of passing
                            that permission (directly or indirectly)
                            to any other subject.  See mandatory
                            access control.

                                              NSTISSI No. 4009

DoD Trusted Computer        Document containing basic requirements
  System Evaluation         and evaluation classes for assessing
  Criteria                  degrees of effectiveness of hardware and
                            software security controls built into

                            NOTE:  This document, DoD 5200.28 STD,
                            is frequently referred to as the Orange

domain                      Unique context (e.g., access control
                            parameters) in which a program is
                            operating; in effect, the set of objects
                            that a subject has the ability to access.

dominate                    Term used to compare AIS security levels.

                            NOTE:  Security level S1 is said to
                            dominate security level S2 if the
                            hierarchical classification of S1 is
                            greater than, or equal to, that of S2 and
                            the non-hierarchical categories of S1
                            include all those of S2 as a subset.

drop accountability         Procedure under which a COMSEC account
                            custodian initially receipts for COMSEC
                            material, and then provides no further
                            accounting for it to its central office
                            of record.

                            NOTE:  Local accountability of the COMSEC
                            material may continue to be required.
                            See also accounting legend code, ALC-3
                            and ALC-4.

dummy group                 Textual group having the appearance of a
                            valid code or cipher group which has no
                            plain text significance.

                                              NSTISSI No. 4009


electronically              Key produced only in non-physical
  generated key             form.

                            NOTE:  Electronically generated key
                            stored magnetically (e.g., on a floppy
                            disc) is not considered hard copy key.

electronic signature        Process that operates on a message to
                            assure message source authenticity and
                            integrity, and source non-repudiation.

electronic security         Protection resulting from all measures
                            designed to deny unauthorized persons
                            information of value which might be
                            derived from the interception and
                            analysis of non-communications
                            electromagnetic radiations, such as

element                     Removable item of COMSEC equipment,
                            assembly, or subassembly which normally
                            consists of a single piece or group of
                            replaceable parts.

embedded computer           Computer system that is an integral part
                            of a larger system or subsystem that
                            performs or controls a function, either
                            in whole or in part.

embedded cryptography       Cryptography which is engineered into an
                            equipment or system the basic function of
                            which is not cryptographic.

                            NOTE:  Components comprising the
                            cryptographic module are inside the
                            equipment or system add share host device
                            power and housing.  The cryptographic
                            function may be dispersed or identifiable
                            as a separate module within the host.

                                              NSTISSI No. 4009

embedded cryptographic      Cryptosystem that performs or controls
  system                    a function, either in whole or in part,
                            as an integral element of a larger system
                            or subsystem.

emission security           Protection resulting from all measures
                            taken to deny unauthorized persons
                            information of value which might be
                            derived from intercept and analysis of
                            compromising emanations from crypto-
                            equipment, AIS, and telecommunications

encipher                    Convert plain text to equivalent cipher
                            text by means of a cipher.

encode                      Convert plain text to equivalent cipher
                            text by means of a code.

encrypt                     Generic term encompassing encipher and

end-item accounting         Accounting for all the accountable
                            components of a COMSEC equipment
                            configuration by a single short title.

endorsed DES                Unclassified equipment that embodies
  equipment                 unclassified data encryption standard
                            cryptographic logic and has been endorsed
                            by the National Security Agency for the
                            protection of national security

endorsed for unclassified   Unclassified cryptographic equipment
  cryptographic item        that embodies a U.S. Government
                            classified cryptographic logic and is
                            endorsed by the National Security Agency
                            for the protection of national security
                            information.  (See type 2 product.)

                                              NSTISSI No. 4009

endorsement                 National Security Agency approval of a
                            commercially-developed telecommunications
                            or automated information systems
                            protection equipment or system for
                            safeguarding national security

end-to-end encryption       Encryption of information at its origin,
                            and decryption at its intended
                            destination, without any intermediate

end-to-end security         Safeguarding information in a secure
                            telecommunications system by
                            cryptographic or protected distribution
                            system means from point of origin to
                            point of destination.

entrapment                  Deliberate planting of apparent flaws in
                            an AIS for the purpose of detecting
                            attempted penetrations.

environment                 Procedures, conditions, and objects that
                            affect the development, operation, and
                            maintenance of an AIS.

erasure                     Process intended to render stored data
                            irretrievable by normal means.

executive state             One of several states in which an AIS may
                            operate, and the only one in which
                            certain privileged instructions may be

                            NOTE:  Such privileged instructions
                            cannot be executed when the system is
                            operating in other (e.g., user) states.

exercise key                Key intended to safeguard transmissions
                            associated with exercises.

exploitable channel         Covert channel that is intended to
                            violate the security policy governing an
                            AIS and is useable or detectable by
                            subjects external to the trusted
                            computing base.  (See covert channel.)

                                              NSTISSI No. 4009

exploratory development     Assembly of preliminary circuits or parts
  model                     in line with commercial practice to
                            investigate, test, or evaluate the
                            soundness of a concept, device, circuit,
                            equipment, or system in a "breadboard" or
                            rough experimental form, without regard
                            to eventual overall physical form or

extraction resistance       Capability of a crypto-equipment or a
                            secure telecommunications system or
                            equipment to resist efforts to extract

                                              NSTISSI No. 4009


fail safe                   Pertaining to the automatic protection of
                            programs and/or processing systems to
                            maintain safety when a hardware or
                            software failure is detected in a system.

fail soft                   Pertaining to the selective termination
                            of affected nonessential processing when
                            a hardware or software failure is
                            determined to be imminent in an AIS.

failure access              Unauthorized and usually inadvertent
                            access to data resulting from a hardware
                            or software failure in an AIS.

failure control             Methodology used to detect and provide
                            fail safe or fail soft recovery from
                            hardware and software failures in an AIS.

fetch protection            AIS-provided restriction to prevent a
                            program from accessing data in another
                            user's segment of storage.

fielded equipment           COMSEC end-item shipped to the user
                            subsequent to first article testing on
                            the initial production contract.

file protection             Aggregate of all processes and procedures
                            established in an AIS designed to inhibit
                            unauthorized access, contamination,
                            elimination, modification, or destruction
                            of a file or any of its contents.

file security               Means by which access to computer files
                            is limited to authorized users only.

fill device                 COMSEC item used to transfer or store key
                            in electronic form or to insert key into
                            a crypto-equipment.

FIREFLY                     Key management protocol based on public
                            key cryptography.

                                              NSTISSI No. 4009

fixed COMSEC facility       COMSEC facility that is located in an
                            immobile structure or aboard a ship.

flaw                        Error of commission, omission, or
                            oversight in an AIS that may allow
                            protection mechanisms to be bypassed.

flaw hypothesis             System analysis and penetration
  methodology               technique in which the specification and
                            documentation for an AIS are analyzed and
                            then flaws in the system are

                            NOTE:  List of hypothesized flaws is
                            prioritized on the basis of the estimated
                            probability that a flaw exists and,
                            assuming a flaw does exist, on the ease
                            of exploiting it, and on the extent of
                            control or compromise it would provide.
                            The prioritized list is used to perform
                            penetration testing of a system.

formal access               Documented approval by a data
  approval                  owner to allow access to a particular
                            category of information.

formal proof                Complete and convincing mathematical
                            argument, presenting the full logical
                            justification for each proof step, for
                            the truth of a theorem or set of

                            NOTE:  In computer security, these formal
                            proofs provide A1, and beyond A1
                            assurance under the DoD Trusted Computer
                            System Evaluation Criteria.

formal security policy      Mathematically precise statement of a
  model                     security policy.

                            NOTE:  Such a model must define a secure
                            state, an initial state, and how the
                            model represents changes in state.  The
                            model must be shown to be secure by
                            proving that the initial state is secure
                            and that all possible subsequent states
                            remain secure.

                                              NSTISSI No. 4009

formal top-level            Top-level specification that is written
  specification             in a formal mathematical language to
                            allow theorems, showing the correspon-
                            dence of the system specification to its
                            formal requirements, to be hypothesized
                            and formally proven.

                            NOTE:  Formal top-level specification,
                            required for a class A1 AIS, completely
                            and accurately describes the trusted
                            computing base.  See descriptive top-
                            level specification.

formal verification         Process of using formal proofs to
                            demonstrate the consistency between
                            formal specification of a system and
                            formal security policy model (design
                            verification) or between formal
                            specification and its high-level program
                            implementation (implementation

frequency hopping           Repeated switching of frequencies during
                            radio transmission according to a
                            specified algorithm, to minimize
                            unauthorized interception or jamming of

front-end security          Security filter, which could be
  filter                    implemented in hardware or software, that
                            is logically separated from the remainder
                            of an AIS to protect the integrity of the

full maintenance            Complete diagnostic repair, modification,
                            and overhaul of information systems
                            security equipment, including repair of
                            defective assemblies by piece part
                            replacement.  (See limited maintenance.)

functional testing          Segment of security tasting in which
                            advertised security mechanisms of an AIS
                            are tested under operational conditions.

                                              NSTISSI No. 4009


granularity                 Relative fineness or coarseness to which
                            an access control mechanism can be

                            NOTE:  Protection at the file level is
                            considered coarse granularity, whereas
                            protection at the field level is
                            considered to be a finer granularity.

guard                       Processor that provides a filter between
                            two disparate systems operating at
                            different security levels or between a
                            user terminal and a data base to remove
                            data for which the user is not authorized

                                              NSTISSI No. 4009


handshaking procedures      Dialogue between two entities (e.g., a
                            user and a computer, a computer and
                            another computer, or a program and
                            another program) for the purpose of
                            identifying and authenticating these
                            entities to one another.

hard copy key               Physical keying material, such as printed
                            key lists, punched or printed key tapes,
                            or programmable, read-only memories.

hardwired key               Key that is permanently installed.

hashing                     Iterative process that computes a value
                            (referred to as a hashword) from a
                            particular data unit in a manner that,
                            when a hashword is protected,
                            manipulation of the data is detectable.

hashword                    Synonymous with checksum.

high risk environment       Specific location or geographic area
                            where there are insufficient friendly
                            security forces to ensure the
                            safeguarding of information systems
                            security equipment.

hostile cognizant agent     Person, authorized access to national
                            security information, who intentionally
                            makes that information available to an
                            intelligence service or other group, the
                            goals of which are inimical to the
                            interests of the United States Government
                            or its allies.

host to front-end           Set of conventions governing the
  protocol                  format and control of data that is passed
                            from a host to a front-end machine.

                                              NSTISSI No. 4009


identification              Process that enables recognition of an
                            entity by an AIS.

                            NOTE:  This is generally accomplished by
                            the use of unique machine-readable user

imitative communications    Introduction of deceptive messages or
  deception                 signals into an adversary's
                            telecommunications signals.  See
                            communications deception and manipulative
                            communications deception.

impersonation               Synonymous with spoofing.

implant                     Electronic device or component
                            modification to electronic equipment that
                            is designed to gain unauthorized
                            interception of information-bearing
                            energy via technical means.

inadvertent                 Accidental exposure of information
  disclosure                to a person not authorized access.

incomplete parameter        AIS design flaw that results when
  checking                  all parameters have not been fully
                            anticipated for accuracy and consistency,
                            thus making the system vulnerable to

individual accountability   Ability to associate positively the
                            identity of a user with the time, method,
                            and degree of access to an AIS.

information flow            Procedure to ensure that information
  control                   transfers within an AIS are not made from
                            a higher security level object to an
                            object of a lower security level.

                                              NSTISSI No. 4009

information label           Piece of information that accurately and
                            completely represents the sensitivity of
                            the data in a subject or object.

                            NOTE:  Information label consists of a
                            security label as well as other required
                            security markings (e.g., codewords,
                            dissemination control markings, and
                            handling caveats), to be used for data
                            information security labeling purposes.

information system          Any telecommunications and/or computer
                            related equipment or interconnected
                            system or subsystems of equipment that is
                            used in the acquisition, storage,
                            manipulation, management, movement,
                            control, display, switching, interchange,
                            transmission, or reception of voice
                            and/or data, and includes software,
                            firmware, and hardware.

information systems         The protection of information systems
  security (INFOSEC)        against unauthorized access to or
                            modification of information, whether in
                            storage, processing or transit, and
                            against the denial of service to
                            authorized users or the provision of
                            service to unauthorized users, including
                            those measures necessary to detect,
                            document, and counter such threats.

information system          Person responsible to the designated
  security officer          approving authority who ensures that
                            security of an information system is
                            implemented through its design,
                            development, operation, maintenance, and
                            secure disposal stages.

information systems         Item (chip, module, assembly, or
  security product          equipment), technique, or service that
                            performs or relates to information
                            systems security.

initialize                  Setting the state of a cryptographic
                            logic prior to key generation,
                            encryption, or other operating mode.

integrity check value       Checksum that is capable of detecting
                            malicious modification of an AIS.

                                              NSTISSI No. 4009

interim approval            Temporary authorization granted by a
                            designated approving authority for an AIS
                            to process classified information and
                            information governed by 10 U.S.C. Section
                            2315 or 44 U.S.C. 3502(2) in its
                            operational environment based on
                            preliminary results of a security
                            evaluation of the system.

internet private line       Network cryptographic unit that
  interface                 provides secure connections, singularly
                            or in simultaneous multiple connections,
                            between a host and a predetermined set of
                            corresponding hosts.

internet protocol           Standard protocol for transmission of
                            data from source to destinations in
                            packet-switched communications networks
                            and interconnected systems of such

                                              NSTISSI No. 4009


key                         Information (usually a sequence of random
                            or pseudorandom binary digits) used
                            initially to set up and periodically
                            change the operations performed in
                            crypto-equipment for the purpose of
                            encrypting or decrypting electronic
                            signals, for determining electronic
                            counter-countermeasures patterns (e.g.,
                            frequency hopping or spread spectrum), or
                            for producing other key.

                            NOTE:  "Key" has replaced the terms
                            "variable," "key(ing) variable," and

key-auto-key                Cryptographic logic which uses previous
                            key to produce key.

key card                    Paper card, containing a pattern of
                            punched holes, which establishes the key
                            for a specific cryptonet at a specific

key encryption key          Key that encrypts or decrypts other key
                            for transmission or storage.

key list                    Printed series of key settings for a
                            specific cryptonet.

                            NOTE:  Key lists may be produced in list,
                            pad, or printed tape format.

key management              Process by which key is generated,
                            stored, protected, transferred, loaded,
                            used, and destroyed.

key production key          Key that is used to initialize a
                            keystream generator for the production of
                            other electronically generated key.

                                              NSTISSI No. 4009

key stream                  Sequence of symbols (or their electrical
                            or mechanical equivalents) produced in a
                            machine or auto-manual cryptosystem to
                            combine with plain text to produce cipher
                            text, control transmission security
                            processes, or produce key.

key tag                     Identification information associated
                            with certain types of electronic key.

key tape                    Punched or magnetic tape containing key.

                            NOTE:  Printed key in tape form is
                            referred to as a key list.

key updating                Irreversible cryptographic process for
                            modifying key automatically or manually.

keying material             Key, code, or authentication information
                            in physical or magnetic form.

                                              NSTISSI No. 4009


least privilege             Principle that requires that each subject
                            be granted the most restrictive set of
                            privileges needed for the performance of
                            authorized tasks.

                            NOTE:  Application of this principle
                            limits the damage that can result from
                            accident, error, or unauthorized use of
                            an AIS.

limited access              Synonymous with access control.

limited maintenance         COMSEC maintenance restricted to fault
                            isolation, removal, and replacement of
                            plug-in assemblies.

                            NOTE:  Soldering or unsoldering usually
                            is prohibited in limited maintenance.
                            See full maintenance.

line conduction             Unintentional signals or noise induced or
                            conducted on a telecommunications or
                            automated information system signal,
                            power, control, indicator, or other
                            external interface line.

link encryption             Encryption of data in individual links of
                            a telecommunications system.

list-oriented               Computer protection in which each
                            protected object has a list of all
                            subjects authorized to access it.  (See
                            also ticket-oriented.);

lock and key                Protection system that involves
 protection system          matching a key or password with a
                            specific access requirement.

logic bomb                  Resident computer program that triggers
                            an unauthorized act when particular
                            states of an AIS are realized.

                                              NSTISSI No. 4009

logical completeness        Means for assessing the effectiveness
  measure                   and degree to which a set of security and
                            access control mechanisms meets the
                            requirements of security specifications.

long title                  Descriptive title of a COMSEC item.

low probability of          Result of measures used to hide or
  detection                 disguise intentional electromagnetic

low probability of          Result of measures to prevent the
  intercept                 intercept of intentional electromagnetic

                                              NSTISSI No. 4009


machine cryptosystem        Cryptosystem in which cryptographic
                            processes are performed by crypto-

magnetic remanence          Magnetic representation of residual
                            information that remains on a magnetic
                            medium after the medium has been erased
                            or overwritten.

                            NOTE:  Magnetic remanence refers to data
                            remaining on magnetic storage media after
                            removal of the power or after degaussing.

maintenance hook            Special instructions in software to allow
                            easy maintenance and additional feature

                            NOTE:  Maintenance hooks are not clearly
                            defined during access for design
                            specification.  Since maintenance hooks
                            frequently allow entry into the code at
                            unusual points or without the usual
                            checks, they are a serious security risk
                            if they are not removed prior to live
                            implementation.  Maintenance hooks are
                            special types of trap doors.

maintenance key             Key intended only for off-the-air in-shop

malicious logic             Hardware, software, or firmware that is
                            intentionally included in an AIS for an
                            unauthorized purpose.

                            NOTE:  Trojan horse is a form of
                            malicious logic.

                                               NSTISSI No. 4009

mandatory access            Means of restricting access to objects
  control                   based on the sensitivity (as represented
                            by a label) of the information contained
                            in the objects and the formal
                            authorization (i.e., clearance) of
                            subjects to access information of such
                            sensitivity.  (See discretionary access

mandatory                   Change to a COMSEC end item that the
  modification              National Security Agency requires to be
                            completed and reported by a specified

                            NOTE:  This type of modification should
                            not be confused with modifications that
                            are optional to the National Security
                            Agency, but have been adjudged mandatory
                            by a given department or agency.  The
                            latter modification may have an
                            installation deadline established and
                            controlled solely by the user's

manipulative                Alteration or simulation of friendly
  communications            telecommunications for the purpose
  deception                 of deception.

                            NOTE:  Manipulative communications
                            deception may involve establishment of
                            bogus communications structures,
                            transmission of deception messages, and
                            expansion or creation of communications
                            schedules on existing structures to
                            display an artificial volume of messages.
                            See communications deception and
                            imitative communications deception.

manual cryptosystem         Cryptosystem in which the cryptographic
                            processes are performed manually without
                            the use of crypto-equipment or auto-
                            manual devices.

manual remote               Procedure by which a distant crypto-
  rekeying                  equipment is rekeyed electrically, with
                            specific actions required by the
                            receiving terminal operator.

                                              NSTISSI No. 4009

masquerading                Synonymous with spoofing.

master crypto-ignition      Crypto-ignition key that is able to
  key                       initialize crypto-ignition key, when
                            interacting with its associated crypto-

material symbol             Communications circuit identifier used
                            for key card resupply purposes.

memory bounds               Limits in the range of storage addresses
                            for a protected region in the memory of
                            an AIS.

message authentication      Data element associated with an
  code                      authenticated message which allows a
                            receiver to verify the integrity of the

message externals           Non-textual (outside the message text)
                            characteristics of transmitted messages.

message indicator           Sequence of bits transmitted over a
                            telecommunications system for the purpose
                            of crypto-equipment synchronization.

                            NOTE:  Some off-line cryptosystems, such
                            as the KL-5l and one-time pad systems,
                            employ message indicators to establish
                            decryption starting points.

mimicking                   Synonymous with spoof ing.

mobile COMSEC facility      COMSEC facility that can be readily moved
                            from one location to another.

mode of operation           Description of the conditions under which
                            an AIS operates, based on the sensitivity
                            of data processed and the clearance
                            levels and authorizations of the users.

                            NOTE:  Five modes of operation are
                            authorized for an AIS processing
                            information and for networks transmitting
                            information.  See compartmented mode,
                            dedicated mode, multilevel mode,
                            partitioned security mode, and system-
                            high mode.

                                              NSTISSI No. 4009

multilevel device           Device that is trusted to properly
                            maintain and separate data of different
                            security levels.

multilevel mode             AIS security mode of operation wherein
                            all the following statements are
                            satisfied concerning the users who have
                            direct or indirect access to the system,
                            its peripherals, remote terminals, or
                            remote hosts:

                            a.  Some users do not have a valid
                            security clearance for all the
                            information processed in the AIS.

                            b.  All users have the proper security
                            clearance and appropriate formal access
                            approval for that information to which
                            they have access.

                            c.  All users have a valid need-to-know
                            only for information to which they have

multilevel security         Concept of processing information with
                            different classifications and categories
                            that simultaneously permits access by
                            users with different security clearances,
                            but prevents users from obtaining access
                            to information for which they lack

mutual suspicion            Condition in which two entities need to
                            rely upon each other to perform a
                            service, yet neither entity trusts the
                            other to properly protect shared data.

                                              NSTISSI No. 4009


national security           Information that has been determined,
  information               pursuant to Executive Order 12356 or any
                            predecessor order, to require protection
                            against unauthorized disclosure, and that
                            is so designated.

national security           Telecommunications and automated infor-
  systems                   mation systems operated by the U.S.
                            Government, its contractors, or its
                            agents, that contain classified
                            information or, as set forth in 10 U.S.C.
                            Section 2315, that involves intelligence
                            activities, involves cryptologic
                            activities related to national security,
                            involves command and control of military
                            forces, involves equipment that is an
                            integral part of a weapon or weapon
                            system, or involves equipment that is
                            critical to the direct fulfillment of
                            military or intelligence missions.

need-to-know                Access to, or knowledge or possession of,
                            specific information required to carry
                            out official duties.

net control station         Terminal in a secure telecommunications
                            net responsible for distributing key in
                            electronic form to the members of the

network front end           Device that implements the needed
                            security-related protocols to allow a
                            computer system to be attached to a

network reference           Access control concept that refers to
  monitor                   an abstract machine that mediates all
                            access to objects within a network by
                            subjects within the network.  See
                            reference monitor.

                                              NSTISSI No. 4009

network security            Protection of networks and their services
                            from unauthorized modification,
                            destruction, or disclosure, and
                            provision of assurance that the network
                            performs its critical functions correctly
                            and there are no harmful side-effects.

                            NOTE:  Network security includes
                            providing for data integrity.

network security            Individual formally appointed by a
  officer                   designated approving authority to ensure
                            that the provisions of all applicable
                            directives are implemented throughout the
                            life cycle of an automated information
                            system network.  See information system
                            security officer.

network system              System that is implemented with a
                            collection of interconnected network

                            NOTE:  A network system is based on a
                            coherent security architecture and

network trusted             Totality of protection mechanisms
  computing base            within a network system, including
                            hardware, firmware, and software, the
                            combination of which is responsible for
                            enforcing a security policy.  See trusted
                            computing base.

no-lone zone                Area, room, or space which, when manned,
                            must be occupied by two or more
                            appropriately cleared individuals who
                            remain within sight of each other.  (See
                            two person integrity.)

noncooperative              Synonymous with automatic remote
  remote rekeying           rekeying.

                                              NSTISSI No. 4009

non-repudiation             Method by which the sender of data is
                            provided with proof of delivery and the
                            recipient is assured of the sender's
                            identity, so that neither can later deny
                            having processed the data.

non-secret encryption       Synonymous with public key cryptography.

null                        Dummy letter, letter symbol, or code
                            group inserted in an encrypted message to
                            delay or prevent its decryption or to
                            complete encrypted groups for transmis-
                            sion or transmission security purposes.

                                              NSTISSI No. 4009


object                      Passive entity that contains or receives

                            NOTE:  Access to an object implies access
                            to the information it contains.  Examples
                            of objects are:  records, blocks, pages,
                            segments, files, directories, directory
                            trees and programs, as well as bits,
                            bytes, words, fields, processors, video
                            displays, keyboards, clocks, printers,
                            and network nodes.

object reuse                Reassignment of a storage medium (e.g.,
                            page frame, disk sector, magnetic tape)
                            that contained one or more objects, after
                            ensuring that no residual data remained
                            on the storage medium.

off-line cryptosystem       Cryptosystem in which encryption and
                            decryption are performed independently of
                            the transmission and reception functions.

one-part code               Code in which plain text elements and
                            their accompanying code groups are
                            arranged in alphabetical, numerical, or
                            other systematic order, so that one
                            listing serves for both encoding and

                            NOTE:  One-part codes are normally small
                            codes that are used to pass small volumes
                            of low-sensitivity information.

one-time                    Cryptosystem employing key which is
  cryptosystem              used only once.

one-time pad                Manual one-time cryptosystem produced in
                            pad form.

one-time tape               Punched paper tape used to provide key
                            streams on a one-time basis in certain
                            machine cryptosystems.

                                              NSTISSI No. 4009

on-line cryptosystem        Cryptosystem in which encryption and
                            decryption are performed in association
                            with the transmitting and receiving

open security               Environment that does not provide
  environment               sufficient assurance that applications
                            and equipment are protected against the
                            introduction of malicious logic prior to
                            or during the operation of a system.

open storage                Storage of classified information within
                            an accredited facility, but not in
                            General Services Adminstration approved
                            secure containers, while the facility is
                            unoccupied by authorized personnel.

operational data            Protection of data from either
  security                  accidental or unauthorized intentional
                            modification, destruction, or disclosure
                            during input, processing, or output

operational key             Key intended for use on-the-air for
                            protection of operational information or
                            for the production or secure electrical
                            transmission of key streams.

operational waiver          Authority for continued use of unmodified
                            COMSEC end-items, pending the completion
                            of a mandatory modification.

operations code             Code composed largely of words and
                            phrases which are suitable for general
                            communications use.

operations security         Process denying to potential adversaries
                            information about capabilities and/or
                            intentions by identifying, controlling
                            and protecting generally unclassified
                            evidence of the planning and execution of
                            sensitive activities.

                                              NSTISSI No. 4009

optional modification       National Security Agency approved
                            modification that is not required for
                            universal implementation by all holders
                            of a COMSEC end-item.

                            NOTE:  This class of modification
                            requires all of the engineering/
                            doctrinal control of mandatory
                            modification, but is usually not related
                            to security, safety, TEMPEST, or

Orange Book                 Synonymous with DoD Trusted Computer
                            System Evaluation Criteria.

organizational              Limited maintenance performed by a
  maintenance               user organization.

overt channel               Communications path within a computer
                            system or network that is designed for
                            the authorized transfer of data.  (See
                            covert channel.)

over-the-air key            Providing electronic key via
  distribution              over-the-air rekeying, over-the-air key
                            transfer, or cooperative key generation.

over-the-air key transfer   Electronically distributing key without
                            changing traffic encryption key used on
                            the secured communications path over
                            which the transfer is accomplished.

over-the-air rekeying       Changing traffic encryption key or
                            transmission security key in remote
                            crypto-equipment by sending new key
                            directly to the remote crypto-equipment
                            over the communications path it secures.

overwrite procedure         Process which removes or destroys data
                            recorded on an AIS storage medium by
                            writing patterns of data over, or on top
                            of, the data stored on the medium.

                                              NSTISSI No. 4009


parity                      Set of bits used to determine whether a
                            block of data (key or data stored in
                            computers) has been intentionally or
                            unintentionally altered.

partitioned security mode   AIS security mode of operation wherein
                            all personnel have the clearance, but not
                            necessarily formal access approval and
                            need-to-know, for all information handled
                            by an AIS.

                            NOTE:  This security mode encompasses the
                            compartmented mode and applies to non-
                            intelligence DoD organizations and DoD

passphrase                  Sequence of characters, longer than the
                            acceptable length of a password, that is
                            transformed by a password system into a
                            virtual password of acceptable length.

password                    Protected/private character string used
                            to authenticate an identity or to
                            authorize access to data.

penetration                 Unauthorized act of bypassing the
                            security mechanisms of a cryptographic
                            system or AIS.

penetration testing         Security testing in which evaluators
                            attempt to circumvent the security
                            features of an AIS based on their
                            understanding of the system design and

per-call key                Unique traffic encryption key generated
                            automatically by certain secure
                            telecommunications systems to secure
                            single voice or data transmissions.
                            (See cooperative key generation.)

                                              NSTISSI No. 4009

periods processing          Processing of various levels of
                            classified and unclassified information
                            at distinctly different times.

                            NOTE:  Under periods processing, the
                            system must be purged of all information
                            from one processing period before
                            transitioning to the next when there are
                            different users with differing

permuter                    Device used in a crypto-equipment to
                            change the order in which the contents of
                            a shift register are used in various
                            nonlinear combining circuits.

plain text                  Unencrypted information.

positive control            Generic term referring to a sealed
  material                  authenticator system, permissive action
                            link, coded switch system, positive
                            enable system, or nuclear command and
                            control documents, material or devices.

preproduction model         Version of a crypto-equipment that
                            employs standard parts and is in final
                            mechanical and electrical form suitable
                            for complete evaluation of form, design,
                            and performance.

                            NOTE:  Preproduction models are often
                            referred to as E-model equipment.

print suppression           Eliminating the display of characters in
                            order to preserve their secrecy.

                            NOTE:  An example of print suppression is
                            not displaying the characters of a
                            password as it is keyed at she input

privacy system              Commercial encryption system that affords
                            telecommunications limited protection to
                            deter a casual listener, but cannot
                            withstand a technically competent
                            cryptanalytic attack.

                                              NSTISSI No. 4009

production model            Crypto-equipment in its final mechanical
                            and electrical form of production design
                            made by use of production tools, jigs,
                            fixtures, and methods using standard

profile                     Detailed security description of the
                            physical structure, equipment component,
                            location, relationships, and general
                            operating environment of an AIS.

proprietary information     Material and information relating to or
                            associated with a company's products,
                            business or activities, including but not
                            limited to:  financial information; data
                            or statements; trade secrets; product
                            research and development; existing and
                            future product designs and performance
                            specifications; marketing plans or
                            techniques; schematics; client lists;
                            computer programs; processes; and know-
                            how that have been clearly identified and
                            properly marked as proprietary
                            information, trade secrets or company
                            confidential information.

                            NOTE:  Trade secrets constitute the whole
                            or any portion or phase of any technical
                            information, design process, procedure,
                            formula or improvement that is not
                            generally available to the public, that a
                            company considers company confidential
                            and that could give or gives an advantage
                            over competitors who do not know or use
                            the trade secret.

protected                   Telecommunications deriving their
  communications            protection through use of type 2 products
                            or data encryption standard equipment.
                            (See secure communications.)

protected distribution      Wireline or fiber-optic telecommuni-
    system                  cations system that includes terminals
                            and adequate acoustic, electrical,
                            electromagnetic, and physical safeguards
                            to permit its use for the unencrypted
                            transmission of classified information.

                                              NSTISSI No. 4009

protection equipment        Type 2 product or data encryption
                            standard equipment that the National
                            Security Agency has endorsed to meet
                            applicable standards for the protection
                            of telecommunications or automated
                            information systems containing national
                            security information.

protection philosophy       Informal description of the overall
                            design of an AIS that delineates each of
                            the protection mechanisms employed.

                            NOTE:  Combination, appropriate to the
                            evaluation class, of formal and informal
                            techniques used to show the mechanisms
                            are adequate to enforce the security

protection ring             One of a hierarchy of privileged modes of
                            an AIS that gives certain access rights
                            to user programs and processes authorized
                            to operate in a given mode.

protective packaging        Packaging techniques for COMSEC material
                            which discourage penetration, reveal that
                            a penetration has occurred or was
                            attempted, or inhibit viewing or copying
                            of keying material prior to the time it
                            is exposed for use.

protective technologies     Special tamper-evident features and
                            materials employed for the purpose of
                            detecting tampering and deterring
                            attempts to compromise, modify,
                            penetrate, extract, or substitute
                            information processing equipment and
                            keying material.

                                              NSTISSI No. 4009

protective                  Any penetration of information system
  technology/package        security protective technology or
  incident                  packaging, such as a crack, cut, or tear.

protocol                    Set of rules and formats, semantic and
                            syntactic, that permits entities to
                            exchange information.

public cryptography         Body of cryptographic and related
                            knowledge, study, techniques, and
                            applications that is, or intended to be,
                            in the public domain.

public key                  Type of cryptography in which the
  cryptography              encryption process is publicly available
                            and unprotected, but in which a part of
                            the decryption key is protected so that
                            only a party with knowledge of both parts
                            of the decryption process can decrypt the
                            cipher text.

                            NOTE:  Commonly called non-secret
                            encryption in professional cryptologic
                            circles.  FIREFLY is an application of
                            public key cryptography.

purge                       Removal of data from an AIS, its storage
                            devices, or other peripheral devices with
                            storage capacity in such a way that the
                            data may not be reconstructed.

                            NOTE:  An AIS must be disconnected from
                            any external network before a purge.  See

                                              NSTISSI No. 4009


QUADRANT                     Short name referring to technology which
                             provides tamper-resistant protection to


randomizer                   Analog or digital source of
                             unpredictable, unbiased, and usually
                             independent bits.

                             NOTE:  Randomizers can be used for
                             several different functions, including
                             key generation or to provide a starting
                             state for a key generator.

read                         Fundamental operation in an AIS that
                             results only in the flow of information
                             from an object to a subject.  (See
                             access type.)

read access                  Permission to read information in an

real-time reaction           Immediate response to a penetration
                             attempt that is detected and diagnosed
                             in time to prevent access.

recovery procedures          Actions necessary to restore data files
                             of an AIS and computational capability
                             after a system failure.

RED                          Designation applied to telecommuni-
                             cations and automated information
                             systems, plus associated areas,
                             circuits, components, and equipment
                             which, when classified plain text
                             signals are being processed thereIn,
                             require protection during electrical

                                              NSTISSI No. 4009

RED/BLACK concept            Separation of electrical and electronic
                             circuits, components, equipment, and
                             systems that handle classified plain
                             text (RED) information, in electrical
                             signal form, from those which handle
                             unclassified (BLACK) information in the
                             same form.

RED key                      Unencrypted key.  (See BLACK key.)

RED signal                   Telecommunications or automated
                             information systems signal that would
                             divulge classified information if
                             recovered and analyzed.

                             NOTE:  RED signals may be plain text,
                             key, subkey, initial fill, control, or
                             traffic flow related information.

reference monitor            Access control concept that refers to an
                             abstract machine that mediates all
                             accesses to objects by subjects.

reference validation         Portion of a trusted computing base, the
  mechanism                  normal function of which is to control
                             access between subjects and objects, and
                             the correct operation of which is
                             essential to the protection of data in
                             the system.

                             NOTE:  This is the implementation of
                             reference monitor.

release prefix               Prefix appended to the short title of
                             United States produced keying material
                             to indicate its foreign releasability.

                             NOTE:  "A" designate material that is
                             releasable to specific allied nations
                             and "US" designates material intended
                             exclusively for United States use.

                                              NSTISSI No. 4009

remanence                    Residual information that remains on
                             storage media after erasure.  (See
                             magnetic remanence.)

remote rekeying              Procedure by which a distant crypto-
                             equipment is rekeyed electrically.
                             (See automatic remote rekeying and
                             manual remote rekeying.)

repair action                National Security Agency approved change
                             to a COMSEC end item that does not
                             affect the original characteristics of
                             the end item and is prdvided for
                             optional application by holders.

                             NOTE:  Repair actions are limited to
                             minor electrical and/or mechanical
                             improvements to enhance operation,
                             maintenance, or reliability.  They do
                             not require an identification label,
                             marking, or control, but must be fully
                             documented by changes to the maintenance

reserve keying               Key held to satisfy unplanned
  material                   needs.  (See contingency key.)

residual risk                Portion of risk that remains after
                             security measures have been applied.

residue                      Data left in storage after automated
                             information processing operations are
                             complete, but before degaussing or
                             overwriting has taken place.

resource encapsulation       Method by which the reference monitor
                             mediates accesses to an AIS resource.

                             NOTE:  Resource is protected and not
                             directly accessible by a subject.
                             Satisfies requirement for accurate
                             auditing of resource usage.

                                             NSTISSI No. 4009

risk analysis                Synonymous with risk assessment.

risk assessment              Process of analyzing threats to and
                             vulnerabilities of an information
                             system, and the potential impact that
                             the loss of information or capabilities
                             of a system would have on national
                             security and using the analysis as a
                             basis for identifying appropriate and
                             cost-effective measures.

risk index                   Difference between the minimum clearance
                             or authorization of AIS users and the
                             maximum sensitivity (e.g.,
                             classification and categories) of data
                             processed by the system.

risk management              Process concerned with the
                             identification, measurement, control,
                             and minimization of security risks in
                             information systems.

                                              NSTISSI No. 4009


safeguarding                 Statement affixed to a computer
  statement                  output or printout that states the
                             highest classification being processed
                             at the time the product was produced,
                             and requires control of the product, at
                             that level, until determination of the
                             true classification by an authorized

sample key                   Key intended for off-the-air
                             demonstration use only.

sanitize                     To remove or edit classified or
                             sensitive data so that what remains is
                             of a lower classification or sensitivity
                             than the original data.

scavenging                   Searching through object residue to
                             acquire data.

scratch pad store            Momentary key storage in crypto-

secure communications        Telecommunications deriving security
                             through use of type l products and/or
                             protected distribution systems.

secure operating system      Resident software that controls hardware
                             and other software functions in an AIS
                             to provide a level of protection or
                             security appropriate to the
                             classification, sensitivity, and/or
                             criticality of the data and resources it

secure state                 Condition in which no subject can access
                             any object in an unauthorized manner.

                                              NSTISSI No. 4009

secure subsystem             Subsystem that contains its own
                             implementation of the reference monitor
                             concept for those resources it controls.

                             NOTE:  Secure subsystem must depend on
                             other controls and the base operating
                             system for the control of subjects and
                             the more primitive system objects.

security fault analysis      Assessment, usually performed on
                             information system hardware, to
                             determine the security properties of a
                             device when hardware fault is

security filter              AIS trusted subsystem that enforces
                             security policy on the data that passes
                             through it.

security flaw                Error of commission or omission in an
                             AIS that may allow protection mechanisms
                             to be bypassed.

security inspection          Examination of an AIS to determine
                             compliance with security policy,
                             procedures, and practices.

security kernel              Hardware, firmware, and software
                             elements of a trusted computing base
                             that implement the reference monitor

                             NOTE:  Security kernel must mediate all
                             accesses, be protected from
                             modification, and be verifiable as

security label               Piece of information that represents the
                             sensitivity of a subject or object, such
                             as its hierarchical classification
                             (CONFIDENTIAL, SECRET, TOP SECRET)
                             together with any applicable non-
                             hierarchical security categories (e.g.,
                             sensitive compartmented information,
                             critical nuclear weapon design
                             information).  (See information label
                             and sensitivity label.)

                                              NSTISSI No. 4009

security perimeter           Boundary where security controls are in
                             effect to protect AIS assets.

security range               Highest and lowest security levels that
                             are permitted in or on an AIS, system
                             component, subsystem, or network.

security requirements        Types and levels of protection necessary
                             for equipment, data, information,
                             applications and facilities to meet
                             security policy.

security requirements        Description of the minimum
  baseline                   requirements necessary for an AIS to
                             maintain an acceptable level of

security safeguards          Protective measures and controls that
                             are prescribed to meet the security
                             requirements specified for an AIS.

                             NOTE:  Safeguards may include security
                             features, as well as management
                             constraints, personnel security, and
                             security of physical structures, areas,
                             and devices.  See accreditation.

security specification       Detailed description of the safeguards
                             required to protect an AIS.

security test and            Examination and analysis of the
  evaluation                 safeguards required to protect an AIS,
                             as they have been applied in an
                             operational environment, to determine
                             the security posture of that system.

security testing             Process to determine that an AIS
                             protects data and maintains
                             functionality as intended.

                             NOTE:  Security testing may reveal
                             vulnerabilities beyond the scope of the
                             AIS design.

seed key                     Initial key used to start an updating or
                             key generation process.

                                              NSTISSI No. 4009

self-authentication          Implicit authentication, to a
                             predetermined level, of all
                             transmissions on a secure communications

sensitive information        Information, the loss, misuse, or
                             unauthorized access to or modification
                             of which could adversely affect the
                             national interest or the conduct of
                             federal programs, or the privacy to
                             which individuals are entitled under 5
                             U.S.C. Section 552a (the Privacy Act),
                             but that has not been specifically
                             authorized under criteria established by
                             an Executive Order or an Act of Congress
                             to be kept secret in the interest of
                             national defense or foreign policy.

                             NOTE:  Systems that are not national
                             security systems, but contain sensitive
                             information are to be protected in
                             accordance with the requirements of the
                             Computer Security Act of 1987 (P.L. 100-

sensitivity label            Piece of information that represents
                             elements of the security label(s) of a
                             subject and an object.

                             NOTE:  Sensitivity labels are used by
                             the trusted computing base as the basis
                             for mandatory access control decisions.

shielded enclosure           Room or container designed to attenuate
                             electromagnetic radiation.

short title                  Identifying combination of letters and
                             numbers assigned to certain COMSEC
                             materials to facilitate handling,
                             accounting, and control.

                             NOTE:  NAG-l6C/TSEC is an example of a
                             short title.

signals security             Generic term encompassing communications
                             security and electronic security.

                                              NSTISSI No. 4009

simple security              Bell-La Padula security model rule
  property                   allowing a subject read access to an
                             object only if the security level of the
                             subject dominates the security level of
                             the object.

single-level device          AIS device that is not trusted to
                             properly maintain and separate data to
                             different security levels.

single point keying          Means of distributing key to multiple,
                             local crypto-equipment or devices from a
                             single fill point.

software system test and     Process that plans, develops, and
  evaluation process         documents the quantitative demonstration
                             of the fulfillment of all baseline
                             functional performance, operational, and
                             interface requirements.

special mission              Modification that applies only
  modification               to a specific mission, purpose,
                             operational, or environmental need.

                             NOTE:  Special mission modifications may
                             be either optional or mandatory.

speech privacy               Techniques that use fixed sequence
                             permutations or voice/speech inversion
                             to render speech unintelligible to the
                             casual listener.

spelling table               Synonymous with syllabary.

split knowledge              Separation of data or information into
                             two or more parts, each part constantly
                             kept under control of separate
                             authorized individuals or teams, so that
                             no one individual or team Bill know the
                             whole data.

spoofing                     (COMSEC) Interception, alteration, and
                             retransmission of a cipher signal or
                             data in such a way as to mislead the

                             (AIS) Attempt to gain access to an AIS
                             by posing as an authorized user.

                                              NSTISSI No. 4009

spread spectrum              Telecommunications techniques in which a
                             signal is transmitted in a bandwidth
                             considerably greater than the frequency
                             content of the original information.

                             NOTE:  Frequency hopping, direct
                             sequence spreading, time scrambling, and
                             combinations of these techniques are
                             forms of spread spectrum.

star (*) property            Bell-La Padula security model rule
                             allowing a subject write access to an
                             object only if the security level of the
                             object dominates the security level of
                             the subject.

start-up KEK                 Key encryption key held in common by a
                             group of potential communicating
                             entities and used to establish ad hoc
                             tactical nets.

state variable               Variable that represents either the
                             state of an AIS or the state of some
                             system resource.

storage object               Object that supports both read and write
                             accesses to an AIS.

subassembly                  Major subdivision of a cryptographic
                             assembly which consists of a package of
                             parts, elements, and circuits that
                             performs a specific function.

subject                      Active entity in an AIS, generally in
                             the form of a person, process, or device
                             that causes information to flow among
                             objects or changes the system state.

subject security level       Sensitivity label(s) of the objects to
                             which the subject has both read and
                             write access.

                             NOTE:  Security level of a subject must
                             always be dominated by the clearance
                             level of the user with which the subject
                             is associated.

                                              NSTISSI No. 4009

superencryption              Process of encrypting encrypted

                             NOTE:  Occurs when a message, encrypted
                             off-line, is transmitted over a secured,
                             on-line circuit, or when information
                             encrypted by the originator is
                             multiplexed onto a communications trunk,
                             which is then bulk encrypted.

supersession                 Scheduled or unscheduled replacement of
                             a COMSEC aid with a different edition.

supervisor state             Synonymous with executive state.

suppression measure          Action, procedure, modification, or
                             device that reduces the level of, or
                             inhibits the generation of, compromising
                             emanations in a telecommunications or
                             automated information system.

syllabary                    List of individual letters, combination
                             of letters, or syllables, with their
                             equivalent code groups, used for
                             spelling out words or proper names not
                             present in the vocabulary of a code.

                             NOTE:  A syllabary may also be known as
                             a spelling table.

synchronous crypto-          Method of on-line crypto-operation in
  operation                  which crypto-equipment and associated
                             terminals have timing systems to keep
                             them in step.

system development           Methodologies developed through software
  methodologies              engineering to manage the complexity of
                             system development.

                             NOTE:  Development methodologies include
                             software engineering aids and high-level
                             design analysis tools.

                                              NSTISSI No. 4009

system high                  Highest security level supported by an

system high mode             AIS security mode of operation wherein
                             each user, with direct or indirect
                             access to the AIS, its peripherals,
                             remote terminals, or remote hosts, has
                             all of the following:

                             a.  Valid security clearance for all
                             information within an AIS.

                             b.  Formal access approval and signed
                             non-disclosure agreements for all the
                             information stored and/or processed
                             (including all compartments,
                             subcompartments and/or special access

                             c.  Valid need-to-know for some of the
                             information contained within the AIS.

system indicator             Symbol or group of symbols in an off-
                             line encrypted message that identifies
                             the specific cryptosystem or key used in
                             the encryption.

system integrity             Quality of an AIS when it performs its
                             intended function in an unimpaired
                             manner, free from deliberate or
                             inadvertent unauthorized manipulation of
                             the system.

system low                   Lowest security level supported by an

system security              Measure of security provided by a
                             system, as determined by evaluation of
                             the totality of all system elements and
                             COMSEC measures that support
                             telecommunications and AIS protection.

                                              NSTISSI No. 4009

system security              The efforts that help achieve maximum
  engineering                security and survivability of a system
                             during its life cycle and interfacing
                             with other program elements to ensure
                             security functions are effectively
                             integrated into the total system
                             engineering effort.

system security              Determination of the risk associated
  evaluation                 with the use of a given system,
                             considering its vulnerabilities and
                             perceived security threat.

system security              A formal document that fully describes
  management plan            the planned security tasks required to
                             meet system security requirements.

system security officer      Synonymous with information system
                             security officer.

                                              NSTISSI No. 4009


tampering                   Unauthorized modification that alters the
                            proper functioning of a cryptographic or
                            AIS security equipment or system in a
                            manner that degrades the security or
                            functionality it provides.

tape mixer                  Teletypewriter security equipment that
                            encrypts plain text and decrypts cipher
                            text by combining them with a key stream
                            from a one-time tape.

technical attack            Attack that can be perpetrated by
                            circumventing or nullifying hardware or
                            software protection mechanisms, rather
                            than by subverting system personnel or
                            other users.

technical penetration       Deliberate penetration of a security area
                            by technical means to gain unauthorized
                            interception of information-bearing

technical security hazard   Condition that could permit the technical
                            penetration of an area through equipment
                            that by reason of its normal design,
                            installation, operation, maintenance, or
                            damaged condition, allows the
                            unauthorized transmission of classified

technical security          Equipment, components, devices,
  material                  and associated documentation or other
                            media that pertains to cryptography or
                            the securing of teleqommunications and
                            automated information systems.

telecommunications          Preparation, transmission, communication,
                            or related processing of information
                            (writing, images, sounds or other data)
                            by electrical, electromagnetic,
                            electromechanical, electro-optical or
                            electronic means.

                                              NSTISSI No. 4009

telecommunications and      Protection afforded to telecommuni-
  automated information     cations and automated information
  systems security          systems, in order to prevent exploitation
                            through interception, unauthorized
                            electronic access, or related technical
                            intelligence threats and to ensure

                            NOTE:  Such protection results from the
                            application of security measures
                            (including cryptosecurity, transmission
                            security, emission security, and computer
                            security) to systems that generate,
                            store, process, transfer, or communicate
                            information of use to an adversary, and
                            also includes the physical protection of
                            technical security material and technical
                            security information.

telecommunications          Synonymous with communications security.

TEMPEST                     Short name referring to investigation,
                            study, and control of compromising
                            emanations from telecommunications and
                            automated information systems equipment.
                            (See compromising emanations.)

TEMPEST test                Laboratory or on-site test to determine
                            the nature of compromising emanations
                            associated with a telecommunications or
                            automated information system.

TEMPEST zone                Defined area within a facility where
                            equipment with appropriate TEMPEST
                            characteristics (TEMPEST zone assignment)
                            may be operated without emanating
                            electromagnetic radiation beyond the
                            controlled space boundary of the

                            NOTE:  Facility TEMPEST zones are
                            determined by measuring electromagnetic
                            attenuation provided by a building's
                            properties and the free space loss to the
                            controlled space boundary.  Equipment
                            TEMPEST zone assignments are based on the

                                              NSTISSI No. 4009

terminal                    Means used to uniquely identify a
  identification            terminal to an AIS.

test key                    Key intended for on-the-air testing of
                            COMSEC equipment or systems.

threat                      Capabilities, intentions, and attack
                            methods of adversaries to exploit, or any
                            circumstance or event with the potential
                            to cause harm to, information or an
                            information system.

threat analysis             Process of studying information to
                            identify the nature of and elements
                            comprising a threat.

threat assessment           Process of formally evaluating the degree
                            of threat to an information system and
                            describing the nature of the threat.

threat monitoring           Analysis, assessment, and review of AIS
                            audit trails and other data collected for
                            the purpose of searching out system
                            events that may constitute violations or
                            attempted violations of data or system

ticket-oriented             Computer protection system in which each
                            subject maintains a list of unforgeable
                            bit patterns called tickets, one for each
                            object that a subject is authorized to
                            access.  (See list-oriented.)

time bomb                   Logic bomb for which the logic trigger is

time compliance date        Date by which a mandatory modification to
                            a COMSEC end item must be incorporated if
                            the item is to remain approved for
                            operational use.

time-dependent              Password that is valid only at a certain
  password                  time of day or during a specified
                            interval of time.

                                              NSTISSI No. 4009

traditional COMSEC          COMSEC program in which the National
  program                   Security Agency acts as the central
                            procurement agency for the development
                            and, in some cases, the production of
                            COMSEC items.

                            NOTE:  This includes the Authorized
                            Vendor Program and user partnerships.
                            Modifications to the COMSEC end items
                            used in products developed and/or
                            produced under these programs must be
                            approved by the National Security Agency.

traffic analysis            Study of communications characteristics
                            external to the text.

traffic encryption          Key used to encrypt plain text or
  key                       to superencrypt previously encrypted text
                            and/or to decrypt cipher text.

traffic-flow security       Measure used to conceal the presence of
                            valid messages in an on-line cryptosystem
                            or secure communications system.

                            NOTE:  Encryption of sending and
                            receiving addresses and causing the
                            circuit to appear busy at all times by
                            sending dummy traffic are two methods of
                            traffic-flow security.  A more common
                            method is to send a continuous encrypted
                            signal, irrespective of whether traffic
                            is being transmitted.

traffic padding             Generation of spurious communications or
                            data units to disguise the amount of real
                            data units being sent.

training key                Cryptographic key intended for on-the-air
                            or off-the-air training.

tranquility                 Property whereby the security level of an
                            object cannot change while the object is
                            being processed by an AIS.

                                              NSTISSI No. 4009

transmission security       Component of communications security that
                            results from the application of measures
                            designed to protect transmissions from
                            interception and exploitation by means
                            other than cryptanalysis.

transmission security       Key that is used in the control of
  key                       transmission security processes, such as
                            frequency hopping and spread spectrum.

trap door                   Hidden software or hardware mechanism
                            that can be triggered to permit
                            protection mechanisms in an AIS to be

                            NOTE:  A trap door is usually activated
                            in some innocent-appearing manner; e.g.,
                            a special random key sequence at a
                            terminal.  Software developers often
                            write trap doors in their code that
                            enable them to reenter the system to
                            perform certain functions.

Trojan horse                Computer program containing an apparent
                            or actual useful function that contains
                            additional (hidden) functions that allows
                            unauthorized collection, falsification or
                            destruction of data.

trusted computer            AIS that employs sufficient
  system                    hardware and software assurance measures
                            to allow simultaneous processing of a
                            range of classified or sensitive

                                              NSTISSI No. 4009

trusted computing           Totality of protection mechanisms
  base                      within a computer system, including
                            hardware, firmware, and software, the
                            combination of which is responsible for
                            enforcing a security policy.
                            NOTE:  The ability of a trusted computing
                            base to enforce correctly a unified
                            security policy depends on the
                            correctness of the mechanisms within the
                            trusted computing base, the protection of
                            those mechanisms to ensure their
                            correctness, and the correct input of
                            parameters related to the security

trusted distribution        Method for distributing trusted computing
                            base hardware, software, and firmware
                            components, both originals and updates,
                            that provides protection of the trusted
                            computing base from modification during
                            distribution, and for the detection of
                            any changes.

trusted identification      An identification method used in
  forwarding                AIS networks whereby the sending host can
                            verify that an authorized user is
                            attempting a connection to another host.

                            NOTE:  The sending host transmits the
                            required user authentication information
                            to the receiving host.  The receiving
                            host can then verify that the user is
                            validated for access to the system.  This
                            operation may be transparent to the user.

trusted path                Mechanism by which a person using a
                            terminal can communicate directly with
                            the trusted computing base.

                            NOTE:  Trusted path can only be activated
                            by the person or the trusted computing
                            base and cannot be imitated by untrusted

                                              NSTISSI No. 4009

trusted process             Process that has privileges to circumvent
                            the system security policy and has been
                            tested and verified to operate only as

trusted software            Software portion of a trusted computing

TSEC nomenclature           System for identifying the type and
                            purpose of certain items of COMSEC

                            NOTE:  TSEC is derived from
                            telecommunications security.

two-part code               Code consisting of an encoding section,
                            in which the vocabulary items (with their
                            associated code groups) are arranged in
                            alphabetical or other systematic order,
                            and a decoding section, in which the code
                            groups (with their associated meanings)
                            are arranged in a separate alphabetical
                            or numeric order.

two-person control          Continuous surveillance and control of
                            positive control material at all times by
                            a minimum of two authorized individuals,
                            each capable of detecting incorrect and
                            unauthorized procedures with respect to
                            the task being performed, and each
                            familiar with established security and
                            safety requirements.

                                              NSTISSI No. 4009

two-person integrity        System of storage and handling designed
                            to prohibit individual access to certain
                            COMSEC keying material, by requiring the
                            presence of at least two authorized
                            persons, each capable of detecting
                            incorrect or unauthorized security
                            procedures with respect to the task being

                            NOTE:  Two-person integrity procedures
                            differ from no-lone zone procedures in
                            that, under two-person integrity
                            controls, two authorized persons must
                            directly participate in the handling and
                            safeguarding of the keying material (as
                            in accessing storage containers,
                            transportation, keying/rekeying
                            operations, and destruction).  No-lone
                            zone controls are less restrictive in
                            that the two authorized persons need only
                            to be physically present in the common
                            area where the material is located.  Two-
                            person control refers to nuclear command
                            and control COMSEC material while two-
                            person integrity refers only to COMSEC
                            keying material.

type 1 product              Classified or controlled cryptographic
                            item endorsed by the National Security
                            Agency for securing classified and
                            sensitive U.S. Government information,
                            when appropriately keyed.

                            NOTE:  The term refers only to products,
                            and not to information, key, services, or
                            controls.  Type 1 products contain
                            classified National Security Agency
                            algorithms.  They are available to U.S.
                            Government users, their contractors, and
                            federally sponsored non-U.S. Government
                            activities subject to export restrictions
                            in accordance with International Traffic
                            in Arms Regulation.

                                              NSTISSI No. 4009

type  2 product             Unclassified cryptographic equipment,
                            assembly, or component, endorsed by the
                            National Security Agency, for use in
                            telecommunications and automated
                            information systems for the protection of
                            national security information.

                            NOTE:  The term refers only to products,
                            and not to information, key, services, or
                            controls.  Type 2 products may not be
                            used for classified information, but
                            contain classified National Security
                            Agency algorithms that distinguish them
                            from products containing the unclassified
                            data encryption standard algorithm.  Type
                            2 products are available to U.S.
                            Government departments and agencies and
                            sponsored elements of state and local
                            governments, sponsored U.S. Government
                            contractors, and sponsored private sector
                            entities.  Type 2 products are subject to
                            export restrictions in accordance with
                            the International Traffic in Arms

type  3 algorithm           Cryptographic algorithm that has been
                            registered by the National Institute of
                            Standards and Technology and has been
                            published as a Federal Information
                            Processing Standard for use in protecting
                            unclassified sensitive information or
                            commercial information.

type  4 algorithm           Unclassified cryptographic algorithm that
                            has been registered by the National
                            Institute of Standards and Technology,
                            but is not a Federal Information
                            Processing Standard.

                                              NSTISSI No. 4009


unauthorized                The revelation of information to
  disclosure                individuals not authorized to receive it.

unclassified                Information that has not been determined,
                            pursuant to E.O. 12356 or any predecessor
                            order, to require protection against
                            unauthorized disclosure and that is not
                            designated as classified.

untrusted process           Process that has not been tested and
                            verified for adherence to the security

                            NOTE:  Untrusted process may include
                            incorrect or malicious code that attempts
                            to circumvent the security mechanisms.

updating                    Automatic or manual cryptographic process
                            that irreversibly modifies the state of a
                            COMSEC key, equipment, device, or system.

user                        Person or process accessing an AIS by
                            direct connections (e.g., via terminals)
                            or indirect connections.

                            NOTE:  "Indirect connection" relates to
                            persons who prepare input data or receive
                            output that is not reviewed for content
                            or classification by a responsible

user ID                     Unique symbol or character string that is
                            used by an AIS to uniquely identify a
                            specific user.

User Partnership            Partnership between the National Security
  Program                   Agency and a U.S. Government department
                            or agency to facilitate the development
                            of secure information processing and
                            communications equipment incorporating
                            National Security Agency approved
                            cryptographic security.

                                              NSTISSI No. 4009

user profile                Patterns of a user's activity on an AIS
                            that can be used to detect changes in
                            normal routines.

user representative         Person authorized by an organization to
                            order COMSEC keying material and to
                            interface with the keying system to
                            provide information to key users,
                            ensuring that the correct type of key is

U.S.-controlled facility    Base or building, access to which is
                            physically controlled by U.S. persons who
                            are authorized U.S. Government or U.S.
                            Government contractor employees.

U.S.-controlled space       Room or floor within a facility that is
                            not a U.S.-controlled facility, access to
                            which is physically controlled by U.S.
                            persons who are authorized U.S.
                            Government or U.S. Government contractor

                            NOTE:  Keys or combinations to locks
                            controlling entrance to U.S.-controlled
                            spaces must be under the exclusive
                            control of U.S. persons who are U.S.
                            Government or U.S. Government contractor

U.S. person                 United States citizen or resident alien.

                                              NSTISSI No. 4009


validation                  Process of applying specialized
                            security test and evaluation
                            procedures, tools, and equipment needed
                            to establish acceptance for joint usage
                            of an AIS by one or more departments or
                            agencies and their contractors.

                            NOTE:  This action will include, as
                            necessary, final development,
                            evaluation, and testing, preparatory to
                            acceptance by senior security test and
                            evaluation staff specialists.

variant                     One of two or more code symbols which
                            have the same plain text equivalent.

verification                The process of comparing two levels of
                            an AIS specification for proper
                            correspondence (e.g., security policy
                            model with top-level specification,
                            top-level specification with source
                            code, or source code with object code).

                            NOTE:  This process may or may not be

verified design             Computer protection class in which
                            formal security verification methods
                            are used to assure that the AIS
                            mandatory and discretionary security
                            controls can effectively protect
                            classified and sensitive information
                            stored in, or processed by; the system.

                            NOTE:  Class A1 system is verified

virtual password            AIS password computed from a passphrase
                            that meets the requirements of password
                            storage (e.g., 64 bits).

                                              NSTISSI No. 4009

virus                       Self replicating, malicious program
                            segment that attaches itself to an
                            application program or other executable
                            system component and leaves no external
                            signs of its presence.

vulnerability               Weakness in an information system, or
                            cryptographic system, or components
                            (e.g., system security procedures,
                            hardware design, internal controls)
                            that could be exploited.

vulnerability analysis      Systematic examination of an
                            information system or product to
                            determine the adequacy of security
                            measures, identify security
                            deficiencies, provide data from which
                            to predict the effectiveness of
                            proposed security measures, and confirm
                            the adequacy of such measures after

                                              NSTISSI No. 4009


work factor                 Estimate of the effort or time needed
                            by a potential perpetrator, with
                            specified expertise and resources, to
                            overcome a protective measure.

                            NOTE:  In cryptography, a work factor
                            is the number of computer binary
                            operations needed to guarantee that a
                            particular key will not be recovered
                            through cryptanalysis.

worm                        Independent program that replicates
                            from machine to machine across network
                            connections often clogging networks and
                            computer systems as it spreads.

write                       Fundamental operation in an AIS that
                            results only in the flow of information
                            from a subject to an object.  (See
                            access type.)

write access                Permission to write to an object in an


zeroize                     Remove or eliminate the key from a
                            crypto-equipment or fill device.

                                              NSTISSI No. 4009

                                  SECTION II

ACL                      access control list

ADM                      advanced development model

ADP                      automated data processing

AE                       application entity

AIG                      address indicator group

AIRK                     area interswitch rekeying key

AIS                      automated information system

AISS                     automated information systems security

AJ                       anti-jamming

AK                       automatic remote rekeying

AKDC                     automatic key distribution center

AKD/RCU                  automatic key distribution/rekeying
                         control unit

AKM                      automated key management center

ALC                      accounting legend code

AMS                      l.  auto-manual system
                         2.  autonomous message switch

ANDVT                    advanced narrowband digital voice terminal

ANSI                     American National Standards Institute

AOSS                     automated office support systems

APC                      adaptive predictive coding

APU                      auxiliary power unit

                                              NSTISSI No. 4009

ARPANET                  Advanced Research Projects Agency Network

ASCII                    American standard code for information

ASPJ                     advanced self-protection jammer

ASU                      approval for service use

AUTODIN                  Automatic Digital Network

AV                       auxiliary vector

AVP                      Authorized Vendor Program

C3                       command, control, and communications

C3I                      command, control, communications and

C4                       command, control, communications and

CA                       l.  controlling authority

                         2.  cryptanalysis

                         3.  COMSEC account

                         4.  command authority

CCEP                     Commercial COMSEC Endorsement Program

CCI                      controlled cryptographic item

CCO                      circuit control officer

CDS                      cryptographic device services

CEOI                     communications electronics operation

CEPR                     compromising emanation performance

CERT                     computer emergency response team

                                              NSTISSI No. 4009

CFD                      common fill device

CIAC                     computer incident assessment capability

CIK                      crypto-ignition key

CIP                      crypto-ignition plug

CIRK                     common interswitch rekeying key

CK                       compartment key

CKG                      cooperative key generation

CLMD                     COMSEC local management device

CMCS                     COMSEC material control system

CNCS                     cryptonet control station

CNK                      cryptonet key

COMPUSEC                 computer security

COMSEC                   communications security

COR                      central office of record

CPS                      COMSEC parent switch

CPU                      central processing unit

CRP                      COMSEC resources program (Budget)

Crypt/Crypto             cryptographic-related

CSE                      communications security element

CSS                      l.  COMSEC subordinate switch
                         2.  Constant Surveillance Service
                         3.  Continuous Signature Service (Courier)
                         4.  coded switch system
CSSO                     contractor special security officer

                                              NSTISSI No. 4009

CSTVRP                   Computer Security Technical
                         Vulnerability Reporting Program

CTAK                     cipher text auto-key

CTTA                     certified TEMPEST technical authority

CUP                      COMSEC Utility Program

DAA                      designated approving authority

DAC                      discretionary access control

DAMA                     demand assigned multiple access

DCS                      l.  Defense Communications System
                         2.  Defense Courier Service

DCSP                     design controlled spare part(s)

DDN                      Defense Data Network

DDS                      dual driver service (courier)

DES                      data encryption standard

DIB                      directory information base

DoD TCSEC                Department of Defense Trusted Computer
                         System Evaluation Criteria

DLED                     dedicated loop encryption device

DMA                      direct memory access

DPL                      Degausser Products List (a section in the
                         Information Systems Security Products and
                         Services Catalogue)

DSN                      Defense Switched Network

DSVT                     digital subscriber voice terminal

DTLS                     descriptive top-level specification

                                              NSTISSI No. 4009

DTD                      Data Transfer Device

DTS                      Diplomatic Telecommunications Service

DUA                      directory user agent

EAM                      emergency action message

ECCM                     electronic counter-countermeasures

ECM                      electronic countermeasures

ECPL                     Endorsed Cryptographic Products List (a
                         section in the Information Systems
                         Security Products and Services Catalogue)

EDAC                     error detection and correction

EDESPL                   Endorsed Data Encryption Standard Products

EDM                      engineering development model

EFD                      electronic fill device

EFTO                     encrypt for transmission only

EGADS                    Electronic Generation, Accounting, and
                         Distribution System

EKMS                     Electronic Key Management System

ELINT                    electronic intelligence

ELSEC                    electronic security

E Model                  engineering development model

EMSEC                    emission security

EPL                      Evaluated Products List (a section in the
                         Information Systems Security Products and
                         Services Catalogue)

ERTZ                     equipment radiation TEMPEST zone

ETL                      Endorsed Tools List

                                              NSTISSI No. 4009

ETPL                     Endorsed TEMPEST Products List item

EUCI                     endorsed for unclassified cryptographic

EV                       enforcement vector

FDIU                     fill device interface unit

FIPS                     Federal Information Processing Standards

FOCI                     foreign owned, controlled or influenced

FOUO                     for official use only

FSRS                     functional security requirements

FSTS                     Federal Secure Telephone Service

FTS                      Federal Telecommunications System

FTAM                     file transfer access management

FTLS                     formal top-level specification

GPS                      Global Positioning System

GTS                      Global Telecommunications Service

GWEN                     Ground Wave Emergency Network

HDM                      Hierarchical development methodology

HMS                      human safety mandatory modification

HUS                      hardened unique storage

HUSK                     hardened unique storage key

IBAC                     identity based access control

ICU                      interface control unit

IDS                      intrusion detection system

IEMATS                   Improved Emergency Message Automatic
                         Transmission System

                                              NSTISSI No. 4009

IFF                      identification, friend or foe

IFFN                     identification, friend, foe, or neutral

IIRK                     interarea interswitch rekeying key

ILS                      integrated logistics support

INFOSEC                  information systems security

IP                       internet protocol

IPM                      interpersonal messaging

IPSO                     internet protocol security option

IR                       information ratio

IRK                      interswitch rekeying key

IS                       information system

ISDN                     Integrated Services Digital Network

ISO                      International Standards Organization

ISS                      information systems security

ISSO                     information systems security officer

ITAR                     International Traffic in Arms Regulation

JTIDS                    Joint Tactical Information Distribution

KAK                      key-auto-key

KEK                      key encryption key

KMASE                    key management application service element

KMC                      key management center

KMID                     key management identification number

KMODC                    key material ordering and distribution

                                              NSTISSI No. 4009

KMP                      key management protocol

KMPDU                    key management protocol data unit

KMS                      key management system

KMSA                     key management system agent

KMUA                     key management user agent

KP                       key processor

KPK                      key production key

KVG                      key variable generator

LAN                      local area network

KG                       key generator

LEAD                     low-cost encryption/authentication device

LKG                      loop key generator

LMD                      local management device

LME                      layer management entry

LMI                      layer management interface

LOCK                     logical co-processing kernel

LPC                      linear predictive coding

LPD                      low probability of detection

LPI                      low probability of intercept

LRIP                     limited rate initial preproduction

LSI                      large scale integration

MAC                      l.  mandatory access control
                         2.  message authentication code

MAN                      mandatory modification

                                              NSTISSI No. 4009

MATSYM                   material symbol

MCCB                     modification/configuration control board

MDC                      manipulation detection code

MEECN                    Minimum Essential Emergency Communications

MEP                      management engineering plan

MER                      minimum essential requirements

MHS                      message handling system

MI                       message indicator

MIB                      management information base

MIJI                     meaconing, intrusion, jamming and

MINTERM                  miniature terminal

MIPR                     military interdepartmental purchase

MLS                      multi level security

MOA                      memorandum of agreement

MOU                      memorandum of understanding

MRK                      manual remote rekeying

MRT                      miniature receiver terminal

MSE                      mobile subscriber equipment

NACAM                    National COMSEC Advisory Memorandum

NACSEM                   National COMSEC Emanations Memorandum

NACSI                    National COMSEC Instruction

NACSIM                   National COMSEC Information Memorandum

NAK                      negative acknowledge

                                              NSTISSI No. 4009

NATO                     North Atlantic Treaty Organization

NCCD                     nuclear command and control document

NCS                      l.  National Communications System
                         2.  National Cryptologic School
                         3.  net control station

NCSC                     National Computer Security Center

NETS                     Nationwide Emergency Telecommunications

NISAC                    National Industrial Security Advisory

NIST                     National Institute of Standards and

NLZ                      no-lone zone

NSAD                     network security architecture and design

NSD                      National Security Directive

NSDD                     National Security Decision Directive

NSEP                     National Security Emergency Preparedness

NSO                      network security officer

NSTAC                    National Security Telecommunications
                         Advisory Committee

NSTISSAM                 National Security Telecommunications and
                         Information Systems Security
                         Advisory/Information Memorandum

NSTISSC                  National Security Telecommunications and
                         Information Systems Security Committee

NSTISSD                  National Security Telecommunications and
                         Information Systems Security Directive

NSTISSI                  National Security Telecommunications and
                         Information Systems Security Instruction

                                              NSTISSI No. 4009

NSTISSP                  National Security Telecommunications and
                         Information Systems Security Policy

NTCB                     network trusted computing base

NTIA                     National Telecommunications and
                         Information Administration

NTISSAM                  National Telecommunications and
                         Information Systems Security
                         Advisory/Information Memorandum

NTISSD                   National Telecommunications and
                         Information Systems Security Directive

NTISSI                   National Telecommunications and
                         Information Systems Security Instruction

NTISSP                   National Telecommunications and
                         Information Systems Security Policy

OADR                     originating agency's determination

OPCODE                   operations code

OPSEC                    operations security

OPT                      optional modification

OTAD                     over-the-air key distribution

OTAR                     over-the-air rekeying

OTAT                     over-the-air key transfer

OTP                      one-time pad

OTT                      one-time tape

PAA                      peer access approval

PAE                      peer access enforcement

PAL                      permissive action link

                                              NSTISSI No. 4009

PC                       personal computer

PCZ                      protected communications zone

PDR                      preliminary design review

PDS                      protected distribution system

PDU                      protocol data unit

PES                      positive enable system

PKA                      public key algorithm

PKC                      public key cryptography

PKSD                     programmable key storage device

P model                  preproduction model

PLSDU                    physical layer service data unit

PNEK                     post-nuclear event key

PPL                      Preferred Products List (a section in the
                         Information Systems Security Products and
                         Services Catalogue.)

PRBAC                    partition rule base access control

PROM                     programmable read-only memory

PROPIN                   proprietary information

PSDU                     physical layer service data unit

PSL                      Protected Services List

PTT                      push-to-talk

PWA                      printed wiring assembly

PWDS                     protected wireline distribution system

RAC                      repair action

RACE                     rapid automatic cryptographic equipment

RAM                      random access memory

                                              NSTISSI No. 4009

ROM                      read-only memory

RQT                      reliability qualification tests

SAMS                     semiautomatic message switch

SAO                      special access office

SAP                      l.  system acquisition plan
                         2.  special access program

SARK                     SAVILLE advanced remote keying

SCI                      sensitive compartmented information

SCIF                     sensitive compartmented information

SDNRIU                   secure digital net radio interface unit

SDNS                     Secure Data Network System

SDR                      system design review

SFA                      security fault analysis

SI                       special intelligence

SIGSEC                   signals security

SISS                     Subcommittee on Information Systems
                         Security of the NSTISSC

SMM                      special mission mandatory modification

SMO                      special mission optional modification

SMU                      secure mobile unit

SPK                      single point key(ing)

SPS                      scratch pad store

SRR                      security requirements review

SSO                      special security officer

                                              NSTISSI No. 4009

ST&E                     security test and evaluation

STS                      Subcommittee on Telecommunications
                         Security of the NSTISSC

STU                      secure telephone unit

TA                       traffic analysis

TACTED                   tactical trunk encryption device

TACTERM                  tactical terminal

TAG                      TEMPEST Advisory Group

TAISS                    telecommunications and automated
                         information systems security

TCB                      trusted computing base

TCD                      time compliance data

TCSEC                    DoD Trusted Computer System Evaluation

TD                       transfer device

TED                      trunk encryption device

TEK                      traffic encryption key

TEP                      TEMPEST Endorsement Program

TFM                      trusted facility manual

TFS                      traffic flow security

TLS                      top-level specification

TNI                      trusted network interpretation

TNIEG                    trusted network interpretation environment

TPC                      two-person control

TPI                      two-person integrity

                                              NSTISSI No. 4009

TRANSEC                  transmission security

TRB                      technical review board

TRI-TAC                  Tri-service Tactical Communications System

TSCM                     technical surveillance countermeasures

TSEC                     telecommunications security

TSK                      transmission security key

UA                       user agent

UIRK                     unique interswitch rekeying key

UIS                      user interface system

UPP                      User Partnership Program

USDE                     undesired signal data emanations

V model                  advanced development model

VST                      VINSON subscriber terminal

VTT                      VINSON trunk terminal

WAN                      wide area network

WWMCCS                   Worldwide Military Command and Control

XDM/x Model              experimental development model exploratory
                         development model

                                              NSTISSI No. 4009

                                  SECTION III


A.  National Security Directive 42, dated 5 July 1990.

B.  Executive Order 12356, National Security Information,
    dated 6 April 1982.

C.  Executive Order 12333, United States Intelligence
    Activities, dated 4 December 1981.

D.  Public Law 100-235, Computer Security Act of 1987,
    dated 8 January 1988.

E.  10 United States Code Section 2315, The Warner Amendment,
    dated 1 December 1981.

F.  44 United States Code Section 3502(2), Public Law 96-511,
    Paperwork Reduction Act of 1980, dated Il December 1980.