Term | Meaning |
--- | --- |
Authorization to Operate | An authorization that is issued by a federal department, office, or agency (sometimes referred to as authority to operate) |
Agency authorizations | Signed by the Federal agency’s authorizing official, indicate that an agency or a joint group of agencies assessed a CSP’s security posture in accordance with FedRAMP guidelines and found it acceptable. The FedRAMP Director is responsible for ensuring that authorizations can reasonably support the presumption of adequacy |
Cloud Access | To make contact with or gain access to a cloud service |
Cloud Auditor | Please see NIST Glossary definition |
Cloud Broker | Please see NIST Glossary definition |
Cloud Carrier | Please see NIST Glossary definition |
Cloud Consumer | Please see NIST Glossary definition |
Cloud Distribution | The process of transporting cloud data between Cloud Service Providers and Cloud Consumers |
Cloud Provider | Please see NIST Glossary definition |
Cloud Service Management | Includes all the service-related functions that are necessary for the management and operations of those services required by or proposed to customers |
Community Cloud | Please see NIST Glossary definition |
Configured by Customer | A control where the customer needs to apply a configuration in order to meet the control requirement |
Container | Please see NIST Glossary definition |
CSA STAR Certification | The CSA STAR Certification is a third party independent assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001 management system standard together with the CSA Cloud Controls Matrix, a specified set of criteria that measures the capability levels of the cloud service. |
Data Portability | The ability to transfer data from one system to another without being required to recreate or re-enter data descriptions or to modify significantly the application being transported. |
Digital Authentication | Please see NIST Glossary definition |
FedRAMP Authorization Package | Authorization packages contain the body of evidence needed by authorizing officials (AOs) to make risk-based decisions regarding the information systems providing cloud services. This includes, as a minimum, the System Security Plan (SSP) and its attachments, a Security Assessment Report (SAR), a Plan of Action and Milestones (POA&M) and a Continuous Monitoring Plan. |
FedRAMP In-Process | FedRAMP In-Process is a designation provided to CSPs that are actively working toward a FedRAMP Authorization |
FedRAMP Program Authorization | Signed by the FedRAMP Director, indicate that FedRAMP assessed a cloud service’s security posture and found it met FedRAMP requirements and is acceptable for reuse by agency authorizing officials. |
FedRAMP Ready | FedRAMP Ready is a designation which is intended to demonstrate a CSP's ability to complete the full FedRAMP authorization process. To be listed as FedRAMP Ready, CSPs work with a 3PAO to submit a Readiness Assessment Report (RAR) which must be reviewed and approved by FedRAMP. |
FedRAMP Tailored | For Low Impact Software as a Service (LI-SaaS); see https://tailored.fedramp.gov/policy/ |
Federal Information Processing Standards (FIPS) | Please see NIST Glossary definition |
Fixed Endpoints | A physical device, fixed in its location, which provides a man/machine interface to cloud services and applications. A fixed endpoint typically uses one method and protocol to connect to cloud services and applications. |
Government Only Cloud | A cloud deployment model (see SSP Table 8-2). The cloud services and infrastructure are shared by several organizations/agencies with the same policy and compliance considerations. |
Hybrid Cloud | Please see NIST Glossary definition |
Information Security Management System (ISMS) | Please see NIST Glossary definition |
Infrastructure as a Service (IaaS) | Please see NIST Glossary definition |
Inherited from Pre-existing Authorization | A control that is inherited from another CSP that has already received an Authorization |
Interoperability | Please see NIST Glossary definition |
ISO 27001 | A specification for an information security management system (ISMS) |
Joint Authorization Board (JAB) | Consists of the DOD, GSA, and DHS CIOs - Legacy Term |
Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO) | A FedRAMP Provisional Authority to Operate issued by the JAB - Legacy Term |
JavaScript Object Notation | Please see NIST Glossary definition |
Media Access Control (MAC) Address | Please see NIST Glossary definition |
Metering | Provides a measuring capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts) |
Mobile Endpoints | A physical device, often carried by the user, that provides a man/machine interface to cloud services and applications. A Mobile Endpoint may use multiple methods and protocols to connect to cloud services and applications. |
Monitoring and Reporting | Discovering and monitoring the virtual resources, monitoring cloud operations and events, and generating performance reports |
Network Basic Input/Output System (NetBIOS) | Provides services related to the session layer of the OSI model, allowing applications on separate computers to communicate over a local area network. As strictly an API, NetBIOS is not a networking protocol. |
NSO | One of six categories for FedRAMP Tailored LI-SaaS controls; NSO means FedRAMP has determined the control does not impact the security of the Cloud SaaS. |
OTG-SESS-006 | Testing for logout functionality (OWASP) |
Performance Audit | Systematic evaluation of a cloud system by measuring how well it conforms to a set of established performance criteria |
Physical Resource Layer | Includes all the physical resources used to provide cloud services, most notably the hardware and the facility |
Platform as a Service (PaaS) | Please see NIST Glossary definition |
Portability | |
Privacy | Please see NIST Glossary definition |
Privacy-Impact Audit | Systematic evaluation of a cloud system by measuring how well it conforms to a set of established privacy-impact criteria |
Private Cloud | Please see NIST Glossary definition |
Provided by Customer | A control where the customer needs to provide additional hardware or software in order to meet the control requirement |
Provisioning/ Configuration | The process of preparing and equipping a cloud to allow it to provide services to its users |
Public Cloud | Please see NIST Glossary definition |
Rapid Provisioning | Automatically deploying a cloud system based on the requested service/resources/capabilities |
Resource Abstraction and Control Layer | Entails software elements, such as hypervisor, virtual machines, virtual data storage, and supporting software components, used to realize the infrastructure upon which a cloud service can be established |
Resource Change | Adjusting configuration/resource assignment for repairs, upgrades, and joining new nodes into the cloud |
Software as a Service (SaaS) | Please see NIST Glossary definition |
Security | Refers to information security. "Information security" means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. |
Security Audit | Please see NIST Glossary definition |
Service Aggregation | An aggregation brokerage service combines multiple services into one or more new services. It will ensure that data is modeled across all component services and integrated as well as ensuring the movement and security of data between the service consumer and multiple providers. |
Service Arbitrage | Cloud service arbitrage is similar to cloud service aggregation. The difference between them is that the services being aggregated are not fixed. Indeed the goal of arbitrage is to provide flexibility and opportunistic choices for the service aggregator, e.g., providing multiple email services through one service provider or providing a credit-scoring service that checks multiple scoring agencies and selects the best score. |
Service Consumption | A Cloud Broker in the act of using a Cloud Service |
Service Deployment | All of the activities and organization needed to make a cloud service available |
Service Intermediation | An intermediation broker provides a service that directly enhances a given service delivered to one or more service consumers, essentially adding value on top of a given service to enhance some specific capability. |
Service Provider Corporate | A control that originates from the CSP’s corporate network |
Service Provider Hybrid | A control that makes use of both corporate controls and additional controls to a particular system at the CSP |
Service Provider System Specific | A control specific to a particular system when the control is not part of the service provider corporate controls |
Shared | A control that is partially implemented by the CSP and partially by the customer |
SOC 2 | Developed by the American Institute of CPAs (AICPA), the SOC 2 framework includes five key sections, forming a set of criteria called the Trust Services Principles. These include: 1. The security of the service provider’s system |
Stratum-1 Time Server | A Stratum-1 Network Time Protocol (NTP) server has a direct connection to a hardware (Stratum-0) clock and is a primary network time server. Lower stratum servers reference a server in the stratum above. Stratum indicates the distance of a time server from the source reference clock. |
Support Team | The FedRAMP Support Team is the group of individuals that responds to info@fedramp.gov |
Threat | Please see NIST Glossary definition |
Threat Actor | Please see NIST Glossary definition |
Threat Agent | Please see NIST Glossary definition |
Validation and Verification | Please see NIST Glossary definitions for “Validation” and “Verification” |
Vulnerability | Please see NIST Glossary definition |