Cyber Glossary - O

Object – A passive information system-related entity containing or receiving information.

Related Term(s): subject, access, access control

(Adapted from: CNSSI 4009, NIST SP 800-53 Rev 4) (NICCS)

---

Object Identifier – A specialized formatted number that is registered with an internationally recognized standards organization. The unique alphanumeric/numeric identifier registered under the ISO registration standard to reference a specific object or object class. In the federal government PKI, they are used to uniquely identify each of the four policies and cryptographic algorithms supported. (SP 800-32) (NISTIR)

---

Object Reuse – Reassignment and reuse of a storage medium containing one or more objects after ensuring no residual data remains on the storage medium. (CNSSI-4009) (NISTIR)

---

Off-Card – Refers to data that is not stored within the PIV card or computation that is not done by the Integrated Circuit Chip (ICC) of the PIV card. (FIPS 201) (NISTIR)

---

Offensive Cyber – the use of cyber capabilities to disrupt, deny, degrade or destroy computers networks and internet­ connected devices. (UK 2016)

---

Offensive Cyber Operations - Cyberspace operations intended to project power by the application of force in or through cyberspace. SOURCE: Cyberspace Solarium Commission Final Report, 2020

---

Offensive Information Operations – (Approved for removal from the next edition of JP 1-02) (Jt Pub 3-13)

---

Official Information – All information in the custody and control of a U.S. government department or agency that was acquired by U.S. government employees as a part of their official duties or because of their official status and has not been cleared for public release. (CNSSI-4009) (NISTIR)

---

Off-line Attack – An attack where the Attacker obtains some data (typically by eavesdropping on an authentication protocol run, or by penetrating a system and stealing security files) that he/she is able to analyze in a system of his/her own choosing. (SP 800-63) (NISTIR)

---

Off-line Cryptosystem – Cryptographic system in which encryption and decryption are performed independently of the transmission and reception functions. (CNSSI-4009) (NISTIR)

---

On-Card – Refers to data that is stored within the PIV card or computation that is done by the ICC of the PIV card. (FIPS 201) (NISTIR)

---

Online Attack – An attack against an authentication protocol where the Attacker either assumes the role of a Claimant with a genuine Verifier or actively alters the authentication channel. The goal of the attack may be to gain authenticated access or learn authentication secrets. (SP 800-63) (NISTIR)

---

Online Certificate Status Protocol (OCSP) – An online protocol used to determine the status of a public key certificate. (FIPS 201) (NISTIR)

---

Online Cryptosystem – Cryptographic system in which encryption and decryption are performed in association with the transmitting and receiving functions. (CNSSI-4009) (NISTIR)

---

One-part Code – Code in which plain text elements and their accompanying code groups are arranged in alphabetical, numerical, or other systematic order, so one listing serves for both encoding and decoding.

One-part codes are normally small codes used to pass small volumes of lowsensitivity information. (CNSSI-4009) (NISTIR)

---

One-Time Cryptosystem – Cryptosystem employing key used only once. (CNSSI-4009) (NISTIR)

---

One-Time Pad – Manual one-time cryptosystem produced in pad form. (CNSSI-4009) (NISTIR)

---

One-Time Tape – Punched paper tape used to provide key streams on a one-time basis in certain machine cryptosystems. (CNSSI-4009) (NISTIR)

---

One-Way Hash Algorithm – Hash algorithms which map arbitrarily long inputs into a fixed-size output such that it is very difficult (computationally infeasible) to find two different hash inputs that produce the same output. Such algorithms are an essential part of the process of producing fixed-size digital signatures that can both authenticate the signer and provide for data integrity checking (detection of input modification after signature). (SP 800-49; CNSSI-4009) (NISTIR)

---

Open Checklist Interactive Language (OCIL) – SCAP language for expressing security checks that cannot be evaluated without some human interaction or feedback. (SP 800-128) (NISTIR)

---

Open Storage – Any storage of classified national security information outside of approved containers. This includes classified information that is resident on information systems media and outside of an approved storage container, regardless of whether or not that media is in use (i.e., unattended operations). (CNSSI-4009) (NISTIR)

---

Open Vulnerability and Assessment Language (OVAL) – SCAP language for specifying low-level testing procedures used by checklists. (SP 800-128) (NISTIR)

---

Operate & Maintain – A NICE Workforce Framework category consisting of specialty areas responsible for providing the support, administration, and maintenance necessary to ensure effective and efficient IT system performance and security. (From: NICE Workforce Framework) (NICCS)

---

Operating System (OS) Fingerprinting – Analyzing characteristics of packets sent by a target, such as packet headers or listening ports, to identify the operating system in use on the target. (SP 800-115) (NISTIR)

---

Operational Controls – The security controls (i.e., safeguards or countermeasures) for an information system that primarily are implemented and executed by people (as opposed to systems). (SP 800-53; SP 800-37; FIPS 200) (NISTIR)

The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by people (as opposed to systems). (CNSSI-4009; SP 800-53A) (NISTIR)

---

Operational Exercise – An action-based exercise where personnel rehearse reactions to an incident scenario, drawing on their understanding of plans and procedures, roles, and responsibilities.

Extended Definition: Also referred to as operations-based exercise.

(Adapted from: DHS Homeland Security Exercise and Evaluation Program) (NICCS)

---

Operational Key – Key intended for use over-the-air for protection of operational information or for the production or secure electrical transmission of key streams. (CNSSI-4009) (NISTIR)

---

Operational Vulnerability Information – Information that describes the presence of an information vulnerability within a specific operational setting or network. (CNSSI-4009) (NISTIR)

---

Operational Waiver – Authority for continued use of unmodified COMSEC end-items pending the completion of a mandatory modification. (CNSSI-4009) (NISTIR)

---

Operations Code – Code composed largely of words and phrases suitable for general communications use. (CNSSI-4009) (NISTIR)

---

Operations Security (OPSEC) – Systematic and proven process by which potential adversaries can be denied information about capabilities and intentions by identifying, controlling, and protecting generally unclassified evidence of the planning and execution of sensitive activities. The process involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and application of appropriate countermeasures. (CNSSI-4009) (NISTIR)

A process of identifying critical information and subsequently analyzing friendly actions attendant to military operations and other activities to: a. identify those actions that can be observed by adversary intelligence systems; b. determine indicators that hostile intelligence systems might obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries; and c. select and execute measures that eliminate or reduce to an acceptable level the vulnerabilities of friendly actions to adversary exploitation. Also called OPSEC. (JP 1-02) (Jt Pub 3-13)

---

Operations Technology – The hardware and software systems used to operate industrial control devices. (Adapted from: DHS personnel) (NICCS)

Related Term(s): Industrial Control System

---

Optional Modification – NSA-approved modification not required for universal implementation by all holders of a COMSEC end-item. This class of modification requires all of the engineering/doctrinal control of mandatory modification but is usually not related to security, safety, TEMPEST, or reliability. See Mandatory Modification. (CNSSI-4009) (NISTIR)

---

Organization – A federal agency, or, as appropriate, any of its operational elements. SOURCE: FIPS 200 An entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency, or, as appropriate, any of its operational elements). (SP 800-53; SP 800-53A; SP 800-37) (NISTIR)

---

Organizational Information Security Continuous Monitoring – Ongoing monitoring sufficient to ensure and assure effectiveness of security controls related to systems, networks, and cyberspace, by assessing security control implementation and organizational security status in accordance with organizational risk tolerance – and within a reporting structure designed to make real-time, data-driven risk management decisions. (SP 800-137) (NISTIR)

---

Organizational Maintenance – Limited maintenance performed by a user organization. (CNSSI-4009) (NISTIR)

---

Organizational Registration Authority (ORA) – Entity within the PKI that authenticates the identity and the organizational affiliation of the users. (CNSSI-4009) (NISTIR)

---

Organizational User – An organizational employee or an individual the organization deems to have equivalent status of an employee (e.g., contractor, guest researcher, individual detailed from another organization, individual from allied nation). (SP 800-53) (NISTIR)

---

Outside(r) Threat – A person or group of persons external to an organization who are not authorized to access its assets and pose a potential risk to the organization and its assets. (Adapted from: CNSSI 4009) (NICCS)

Related Term(s): inside(r) threat

An unauthorized entity outside the security domain that has the potential to harm an information system through destruction, disclosure, modification of data, and/or denial of service. (CNSSI-4009) (NISTIR)

---

Oversight & Development – A NICE Workforce Framework category consisting of specialty areas providing leadership, management, direction, and/or development and advocacy so that all individuals and the organization may effectively conduct cybersecurity work. (From: NICE Workforce Framework) (NICCS)

---

Over-The-Air Key Distribution – Providing electronic key via over-the-air rekeying, over-the-air key transfer, or cooperative key generation. (CNSSI-4009) (NISTIR)

---

Over-The-Air Key Transfer – Electronically distributing key without changing traffic encryption key used on the secured communications path over which the transfer is accomplished. (CNSSI-4009) (NISTIR)

---

Over-The-Air Rekeying (OTAR) – Changing traffic encryption key or transmission security key in remote cryptographic equipment by sending new key directly to the remote cryptographic equipment over the communications path it secures. (CNSSI-4009) (NISTIR)

---

Overt Channel – Communications path within a computer system or network designed for the authorized transfer of data. See Covert Channel. (CNSSI-4009) (NISTIR)

---

Overt Testing – Security testing performed with the knowledge and consent of the organization’s IT staff. (SP 800-115) (NISTIR)

---

Overwrite Procedure – A software process that replaces data previously stored on storage media with a predetermined set of meaningless data or random patterns. (CNSSI-4009) (NISTIR)