| Vulnerability Management | Cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities. |
| Audit Reduction | The process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. |
| XACTA | The enterprise solution for cyber risk management and compliance automation. |
| eMASS | Service-oriented computer application that supports Information Assurance (IA) program management and automates the DoD Information Assurance Certification and Accreditation Process (DIACAP) and Risk Management Framework (RMF) process. |
| STIG | A cybersecurity methodology for standardizing security protocols within networks, servers, computers, and logical designs to enhance overall security. |
| IAVA | Notification that is generated when an Information Assurance vulnerability may result in an immediate and potentially severe threat to DoD systems and information; this alert requires corrective action because of the severity of the vulnerability risk. |
The selection and specification of security controls for a system is accomplished as part of an organization-wide information security program that involves the management of organizational risk that is, the risk to the organization or to individuals associated with the operation of a system. The management of organizational risk is a key element in the organization’s information security program and provides an effective framework for selecting the appropriate security controls for a system—the security controls necessary to protect individuals and the operations and assets of the organization.
The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. The Framework consists of three parts: the Framework Core, the Implementation Tiers, and the Framework Profiles. The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across sectors and critical infrastructure.
The protection of Controlled Unclassified Information (CUI) resident in non-federal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its assigned missions and business operations. This publication provides federal agencies with a set of recommended security requirements for protecting the confidentiality of CUI when such information is resident in non-federal systems and organizations; when the non-federal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry.