Glossary
Note: This page is supplementary material for the NIST SP 1800-35 publication.
- Managed Devices
Personal computers, laptops, mobile devices, virtual machines, and infrastructure components require management agents, allowing information technology staff to discover, maintain, and control them. Those with broken or missing agents cannot be seen or managed by agent-based security products. [NIST SP 1800-15 Vol. B]
- Policy
Statements, rules, or assertions that specify the correct or expected behavior of an entity. For example, an authorization policy might specify the correct access control rules for a software component. [NIST SP 800-95 and NIST IR 7621 Rev. 1]
- Policy Administrator (PA)
An access control mechanism component that executes the PE’s policy decision by sending commands to a PEP to establish and terminate the communications path between the subject and the resource.
- Policy Decision Point (PDP)
An access control mechanism component that computes access decisions by evaluating the applicable policies. The functions of the PE and PA comprise a PDP. [NIST SP 800-162, adapted]
- Policy Enforcement Point (PEP)
An access control mechanism component that enforces access policy decisions in response to a request from a subject requesting access to a protected resource. [NIST SP 800-162, adapted]
- Policy Engine (PE)
An access control mechanism component that decides whether to grant, deny, or revoke access to a resource for a given subject based on enterprise policy, information from supporting components, and a trust algorithm.
- Policy Information Point (PIP)
An access control mechanism component that provides telemetry and other information generated by policy or collected by supporting components that the PDP needs for making policy decisions. [NIST SP 800-162, adapted]
- Risk
The net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence. [NIST SP 1800-15 Vol. B]
- Security Control
A safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements. [NIST SP 800-53 Rev. 5]
- Threat
Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability. [Federal Information Processing Standards 200]
- Vulnerability
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. [NIST SP 800-37 Rev. 2]
- Zero Trust
A cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated. [NIST SP 800-207]
- Zero Trust Architecture (ZTA)
An enterprise cybersecurity architecture that is based on zero trust principles and designed to prevent data breaches and limit internal lateral movement. Zero trust architecture is an end-to-end approach to enterprise resource and data security that encompasses identity (person and non-person entities), credentials, access management, operations, endpoints, hosting environments, and the interconnecting infrastructure. [NIST SP 800-207]