Terms
Alphabetical index of published term entries with tag filters and quick sort.
- TERM: Access Control (Updated Jan 06, 2026)
Access control is the set of mechanisms and policies used to restrict access to resources and enforce authorization decisions.
- Updated Jan 05, 2026
Access Management is the set of practices that ensures only those permitted are able to perform an action on a particular resource. The three most common Access Management services you encounter every day, perhaps without realizing it, are Policy Administration, Authentication, and Authorization.
- Updated Jan 05, 2026
The association of an RP subscriber account with information that is already held by the RP prior to the federation transaction and outside of a trust agreement.
- TERM: accreditation (Updated Jan 06, 2026)
The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.
- Updated Jan 03, 2026
Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services. (Citation: TrendmicroHideoutsLease) Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost. (Citation: Free Trial PurpleUrchin) Additionally, botnets are available for rent or purchase.
- TERM: activation (Updated Jan 05, 2026)
The process of inputting an activation factor into a multi-factor authenticator to enable its use for authentication.
- TERM: activation data (Updated Jan 06, 2026)
A pass phrase, personal identification number (PIN), biometric data, or other mechanisms of equivalent authentication robustness used to protect access to any use of a private key, except for private keys associated with System or Device certificates.
- Updated Jan 05, 2026
An additional authentication factor that is used to enable successful authentication with a multi-factor authenticator.
- Updated Jan 05, 2026
A process that includes the procurement of FIPS-approved blank PIV Cards or hardware/software tokens (for Derived PIV Credential), initializing them using appropriate software and data elements, personalization of these cards/tokens with the identity credentials of authorized subjects, and pick-up/delivery of the personalized cards/tokens to the authorized subjects, along with appropriate instructions for protection and use.
- TERM: active attack (Updated Jan 06, 2026)
An attack on a secure communication protocol where the attacker transmits data to the claimant, Credential Service Provider (CSP), verifier, or Relying Party (RP). Examples of active attacks include man-in-the-middle (MitM), impersonation, and session hijacking.
- TERM: Actual State (Updated Jan 05, 2026)
The observable state or behavior of an assessment object (device, software, person, credential, account, etc.) at the point in time when the collector generates security-related information. In particular, the actual state includes the states or behaviors that might indicate the presence of security defects.
- Updated Jan 06, 2026
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing, Transmitted Data Manipulation, or replay attacks (Exploitation for Credential Access). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary-controlled system so they can collect information or perform additional actions. (Citation: Rapid7 MiTM Basics)
- TERM: Authentication (Updated Jan 06, 2026)
Authentication is the process of verifying the identity of a user, device, or system before granting access.
- TERM: Authorization (Updated Jan 06, 2026)
Authorization is the process of determining what an authenticated principal is permitted to do.