accrediting authority (C.F.D.)

Synonymous with designated accrediting authority (DAA). See also authorizing official.
Rationale: The Risk Management Framework uses a new term to refer to this concept, and it is called authorizing official (AO).

acquirer

Stakeholder that acquires or procures a product or service.
Source: NIST IR 7622, ISO/IEC 15288 (adapted)

activation data

A pass-phrase, personal identification number (PIN), biometric data, or other mechanisms of equivalent authentication robustness used to protect access to any use of a private key, except for private keys associated with System or Device certificates.
Source: CNSSI No. 1300

active attack

An attack on the authentication protocol where the Attacker transmits data to the Claimant, Credential Service Provider, Verifier, or Relying Party. Examples of active attacks include man-in-the-middle, impersonation, and session hijacking.
Source: NIST SP 800-63-2

active content

Electronic documents that can carry out or trigger actions automatically on a computer platform without the intervention of a user.
Source: NIST SP 800-28

active cyber defense

Synchronized, real-time capability to discover, detect, analyze, and mitigate threats and vulnerabilities.
Source: DSOC 2011

activities (assessment)

An assessment object that includes specific protection-related pursuits or actions supporting an information system that involve people (e.g., conducting system backup operations, monitoring network traffic).
Source: NIST SP 800-53A Rev 1

add-on security (C.F.D.)

Incorporation of new or additional hardware, software, or firmware safeguards in an operational information system.

adequate security

Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.
Source: OMB Circular A-130

administrative incident (COMSEC)

A violation of procedures or practices dangerous to security that is not serious enough to jeopardize the integrity of a controlled cryptographic item (CCI), but requires corrective action to ensure the violation does not recur or possibly lead to a reportable COMSEC incident.
Source: CNSSI No. 4001 (adapted)