Cyber Glossary - N
Naming Authority – An organizational entity responsible for assigning distinguished names (DNs) and for assuring that each DN is meaningful and unique within its domain. (SP 800-32) (NISTIR)
National Critical Functions - The functions of government and the private sector that are so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination of these elements. SOURCE: Cyberspace Solarium Commission Final Report, 2020
National Cybersecurity Assistance Fund - A proposed fund administered by the Federal Emergency Management Agency that would distribute grants to public and private entities for solutions, projects, and programs where a) there is a clearly defined, critical risk to be mitigated, b) market forces do not provide sufficient private sector incentives to mitigate the risk without government investment, and c) there is clear federal need, role, and responsibility in mitigating the risk. SOURCE: Cyberspace Solarium Commission Final Report, 2020
National Cybersecurity Certification and Labeling Authority - A proposed organization that would be charged with certifying critical information technologies against frameworks based on identified and vetted security standards and with supporting and endorsing product labeling, building on existing work on Software Bills of Material at the National Telecommunications and Information Administration. SOURCE: Cyberspace Solarium Commission Final Report, 2020
National Information Assurance Partnership (NIAP) – A U.S. government initiative established to promote the use of evaluated information systems products and champion the development and use of national and international standards for information technology security.
NIAP was originally established as a collaboration between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) in fulfilling their respective responsibilities under P.L. 100-235 (Computer Security Act of 1987). NIST officially withdrew from the partnership in 2007 but NSA continues to manage and operate the program.
The key operational component of NIAP is the Common Criteria Evaluation and Validation Scheme (CCEVS) which is the only U.S. government-sponsored and endorsed program for conducting internationally recognized security evaluations of commercial off-the-shelf (COTS) Information Assurance (IA) and IA-enabled information technology products. NIAP employs the CCEVS to provide government oversight or “validation” to U.S. CC evaluations to ensure correct conformance to the International Common Criteria for IT Security Evaluation (ISO/IEC 15408). (CNSSI-4009) (NISTIR)
National Information Infrastructure – Nationwide interconnection of communications networks, computers, databases, and consumer electronics that make vast amounts of information available to users. It includes both public and private networks, the Internet, the public switched network, and cable, wireless, and satellite communications. (CNSSI-4009) (NISTIR)
National Security Emergency Preparedness Telecommunications Services – Telecommunications services that are used to maintain a state of readiness or to respond to and manage any event or crisis (local, national, or international) that causes or could cause injury or harm to the population, damage to or loss of property, or degrade or threaten the national security or emergency preparedness posture of the United States. (SP 800-53; CNSSI-4009; 47 C.F.R., Part 64, App A) (NISTIR)
National Security Industrial Sector - The worldwide industrial complex that enables research and development, as well as the design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements (also referred to as the defense industrial base). SOURCE: Cyberspace Solarium Commission Final Report, 2020
National Security Information – Information that has been determined pursuant to Executive Order 12958 as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status. (SP 800-53A; SP 800-60; FIPS 200) (NISTIR)
National Security System – Any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency—(i) the function, operation, or use of which involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions (excluding a system that is to be used for routine administrative and business applications, for example, payroll, finance, logistics, and personnel management applications); or (ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. [44 U.S.C., SEC. 3542] (FIPS 200; SP 800-37; SP 800-53; SP 800-53A; SP 800-60) (NISTIR)
Any information system (including any telecommunications system) used or operated by an agency or by a contractor of any agency, or other organization on behalf of an agency, the function, operation, or use of which: I. involves intelligence activities; II. involves cryptologic activities related to national security; III. involves command and control of military forces; IV. involves equipment that is an integral part of a weapon or weapon system; or V. subject to subparagraph (B), is critical to the direct fulfillment of military or intelligence missions; or is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
Subparagraph (B). Does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications). (Title 44 U.S. Code Section 3542, Federal Information Security Management Act of 2002.) (CNSSI-4009) (NISTIR)
National Vulnerability Database – (NVD) The U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g., FISMA). (http://nvd.nist.gov/) (NISTIR)
Need-To-Know – A method of isolating information resources based on a user’s need to have access to that resource in order to perform their job, but no more. The terms “need-to-know” and “least privilege” express the same idea. Need-to-know is generally applied to people, while least privilege is generally applied to processes. (CNSSI-4009) (NISTIR)
Need To Know Determination – Decision made by an authorized holder of official information that a prospective recipient requires access to specific official information to carry out official duties. (CNSSI-4009) (NISTIR)
Needs Assessment (IT Security Awareness and Training) – A process that can be used to determine an organization’s awareness and training needs. The results of a needs assessment can provide justification to convince management to allocate adequate resources to meet the identified awareness and training needs. (SP 800-50) (NISTIR)
Net-centric Architecture – A complex system of systems composed of subsystems and services that are part of a continuously evolving, complex community of people, devices, information and services interconnected by a network that enhances information sharing and collaboration. Subsystems and services may or may not be developed or owned by the same entity, and, in general, will not be continually present during the full life cycle of the system of systems. Examples of this architecture include service-oriented architectures and cloud computing architectures. (SP 800-37) (NISTIR)
Network – Information system(s) implemented with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices. (SP 800-53; CNSSI-4009) (NISTIR)
A collection of host computers, together with the sub-network or inter-network, through which they can exchange data. (UK 2016)
Network Access – Access to an organizational information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet). (SP 800-53; CNSSI-4009) (NISTIR)
Network Access Control (NAC) – A feature provided by some firewalls that allows access based on a user’s credentials and the results of health checks performed on the telework client device. (SP 800-41) (NISTIR)
Network Address Translation (NAT) – A routing technology used by many firewalls to hide internal system addresses from an external network through use of an addressing schema. (SP 800-41) (NISTIR)
Network-Based IDS – A network-based IDS monitors the traffic on its network segment as its data source. This is generally accomplished by placing the network interface card in promiscuous mode to capture all network traffic that crosses its network segment. Network traffic on other segments, and traffic on other means of communication (such as phone lines), cannot be monitored. Network-based IDS involves looking at the packets on the network as they pass by some sensor.
Network Front-End – Device implementing protocols that allow attachment of a computer system to a network. (CNSSI-4009) (NISTIR)
Network Reference Monitor – See Reference Monitor. (NISTIR)
Network Resilience – A computing infrastructure that provides continuous business operation (i.e., highly resistant to disruption and able to operate in a degraded mode if damaged), rapid recovery if failure does occur, and the ability to scale to meet rapid or unpredictable demands. (CNSSI-4009) (NISTIR)
The ability of a network to: (1) provide continuous operation (i.e., highly resistant to disruption and able to operate in a degraded mode if damaged); (2) recover effectively if failure does occur; and (3) scale to meet rapid or unpredictable demands. (Adapted from: CNSSI 4009) (NICCS)
Network Security – See Information Assurance. (NISTIR)
Network Security Officer – See Information Systems Security Officer. (NISTIR)
Network Services – Definition: In the NICE Workforce Framework, cybersecurity work where a person: Installs, configures, tests, operates, maintains, and manages networks and their firewalls, including hardware (e.g., hubs, bridges, switches, multiplexers, routers, cables, proxy servers, and protective distributor systems) and software that permit the sharing and transmission of all spectrum transmissions of information to support the security of information and information systems. (From: NICE Workforce Framework) (NICCS)
Network Sniffing – A passive technique that monitors network communication, decodes protocols, and examines headers and payloads for information of interest. It is both a review technique and a target identification and analysis technique. (SP 800-115) (NISTIR)
Network Sponsor – Individual or organization responsible for stating the security policy enforced by the network, designing the network security architecture to properly enforce that policy, and ensuring that the network is implemented in such a way that the policy is enforced. (CNSSI-4009) (NISTIR)
Network System – System implemented with a collection of interconnected components. A network system is based on a coherent security architecture and design. (CNSSI-4009) (NISTIR)
Network Weaving – Penetration technique in which different communication networks are linked to access an information system to avoid detection and traceback. (CNSSI-4009) (NISTIR)
Non-Repudiation – Definition: A property achieved through cryptographic methods to protect against an individual or entity falsely denying having performed a particular action related to data.
Extended Definition: Provides the capability to determine whether a given individual took a particular action such as creating information, sending a message, approving information, and receiving a message. (Adapted from: CNSSI 4009; From: NIST SP 800-53 Rev 4) (NICCS)
Related Term(s): integrity, authenticity
Non-state Actor - An organization or individual that is not affiliated with a nation-state. SOURCE: Cyberspace Solarium Commission Final Report, 2020
No-Lone Zone (NLZ) – Area, room, or space that, when staffed, must be occupied by two or more appropriately cleared individuals who remain within sight of each other. See Two-Person Integrity. (CNSSI-4009) (NISTIR)
Non-Deterministic Random Bit Generator (NRBG) – An RBG that (when working properly) produces outputs that have full entropy. Contrast with a DRBG. Other names for nondeterministic RBGs are True Random Number (or Bit) Generators and, simply, Random Number (or Bit) Generators. (SP 800-90A) (NISTIR)
Non-Local Maintenance – Maintenance activities conducted by individuals communicating through a network; either an external network (e.g., the Internet) or an internal network. (SP 800-53) (NISTIR)
Non-Organizational User – A user who is not an organizational user (including public users). (SP 800-53) (NISTIR)
Non-repudiation – Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information. (CNSSI-4009; SP 800-60) (NISTIR)
Protection against an individual falsely denying having performed a particular action. Provides the capability to determine whether a given individual took a particular action such as creating information, sending a message, approving information, and receiving a message. (SP 800-53; SP 800-18) (NISTIR)
The security service by which the entities involved in a communication cannot deny having participated. Specifically, the sending entity cannot deny having sent a message (non-repudiation with proof of origin), and the receiving entity cannot deny having received a message (non-repudiation with proof of delivery). (FIPS 191) (NISTIR)
A service that is used to provide assurance of the integrity and origin of data in such a way that the integrity and origin can be verified and validated by a third party as having originated from a specific entity in possession of the private key (i.e., the signatory). (FIPS 186) (NISTIR)
Nonce – A value used in security protocols that is never repeated with the same key. For example, nonces used as challenges in challenge response authentication protocols generally must not be repeated until authentication keys are changed. Otherwise, there is a possibility of a replay attack. Using a nonce as a challenge is a different requirement than a random challenge, because a nonce is not necessarily unpredictable. (SP 800-63) (NISTIR)
A random or non-repeating value that is included in data exchanged by a protocol, usually for the purpose of guaranteeing the transmittal of live data rather than replayed data, thus detecting and protecting against replay attacks. (CNSSI-4009) (NISTIR)
Norm - A collective expectation for the proper behavior of actors with a given identity. SOURCE: Cyberspace Solarium Commission Final Report, 2020
NSA-Approved Cryptography – Cryptography that consists of: (i) an approved algorithm; (ii) an implementation that has been approved for the protection of classified information in a particular environment; and (iii) a supporting key management infrastructure. (SP 800-53) (NISTIR)
Null – Dummy letter, letter symbol, or code group inserted into an encrypted message to delay or prevent its decryption or to complete encrypted groups for transmission or transmission security purposes. (CNSSI-4009) (NISTIR)