| Item | Type | Meaning |
|---|---|---|
| AAD | acronym | Microsoft Azure Active Directory |
| ABB | acronym | Architectural Building Block (ABB). A logical container, represented in the model using a SysML 'block', that corresponds to a major IT capability delivery subsystem within the EA. Typically equates to a FISMA-Container. |
| ABBs | acronym | Architectural Building Blocks (plural of ABB) |
| ACL | acronym | An Access Control List is a list of permissions associated with an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object. |
| ACR | acronym | Architecture Change Request (ACR) |
| ACSI | acronym | American Customer Satisfaction Index |
| ACTO | acronym | Actual Cost to Operate (ACTO) |
| AD | acronym | Microsoft Active Directory |
| Adaptive Access Control | term | Adaptive Access Control combines the subject's credentials with contextual information to determine the risk of allowing the requested action to be performed on an object, and may add dynamic elements to ABAC through functions such as additional authentication steps (e.g., static/dynamic knowledge-based authentication, one-time passwords, cryptographic authenticators). |
| ADM | acronym | Open Group Architecture Development Method |
| Agency Priority Goals | term | Agency Priority Goals (APGs) are a performance accountability structure of the GPRA Modernization Act that provides agencies a mechanism to focus leadership priorities, set outcomes, and measure results, bringing focus to mission areas where agencies need to drive significant progress and change. APG statements are outcome-oriented, ambitious, and measurable, with specific targets set that reflect a near-term result or achievement agency leadership wants to accomplish within approximately 24 months. In some instances, agencies are also utilizing the APG structure to drive progress and monitor implementation of agency management reforms and priorities, a modification of the traditional APG statement format.<br>Agency leaders from major Federal agencies select approximately four to five goals every two years, identify responsible officials for goal achievement, and review performance on a quarterly basis to identify barriers to progress and make changes to implementation strategies to achieve goal outcomes. APGs to be achieved throughout the course of Fiscal Years 2018-2019 have been established by major Federal agencies concurrent with the release of the President's FY 2019 Budget.<br>(source: https://www.performance.gov/about/APG_about.html) |
| AO | acronym | Authorizing Official (FISMA) |
| AOR | acronym | Area of Responsibility. In the context of cloud governance, the AOR is logically equivalent to the scope of the applicable policy. |
| AP | acronym | Architectural Principle (AP) |
| APG | acronym | FEAF-PRM: Agency Priority Goal. Agency Priority Goals (APGs) are a performance accountability structure of the GPRA Modernization Act that provides agencies a mechanism to focus leadership priorities, set outcomes, and measure results, bringing focus to mission areas where agencies need to drive significant progress and change. For more information see https://www.performance.gov/about/APG_about.html |
| APGs | acronym | Agency Priority Goals (APGs) are a performance accountability structure of the GPRA Modernization Act that provides agencies a mechanism to focus leadership priorities, set outcomes, and measure results, bringing focus to mission areas where agencies need to drive significant progress and change. |
| Application encryption | term | Application encryption is encryption of sensitive files or specified columns in a database using an application programming interface (API). |
| AR | acronym | Architectural Requirement (AR) |
| ARB | acronym | Architecture Review Board (ARB) |
| ARD | acronym | Architectural Decision (ARD) |
| ARGO | acronym | Architectural Goal or Objective (ARGO) |
| ARM | acronym | FEAF: Application Reference Model (ARM) |
| ASG | acronym | Agency Strategic Goal |
| ASGO | acronym | Agency Strategic Goals and Objectives (ASGO) |
| ATO | acronym | FISMA Authority to Operate |
| BCTO | acronym | Budgeted-Cost-To-Operate (BCTO) |
| BDMIS | acronym | Business Development Management Information System (BDMIS) |
| BEHAVE | acronym | Security-related behavioral training. (source: DHS-CDM) |
| BPM | acronym | Business Process Model (BPM) |
| BRM | acronym | FEAF: Business Reference Model (BRM) |
| BSC | acronym | Business Service Catalog (BSC) |
| BTIC | acronym | Business Technology Investment Council (BTIC) |
| CA | acronym | Certificate Authority (CA) |
| CAF | acronym | Microsoft Cloud Adoption Framework (CAF). (source: https://docs.microsoft.com/en-us/azure/architecture/cloud-adoption/) |
| CAFS | acronym | Capital Access Finance System |
| CAP | acronym | Cross Agency Priority (CAP) |
| CAPEX | acronym | Capital Expenditure |
| CCP | acronym | Common Controls Program (CCP) |
| CDM | acronym | Continuous Diagnostics and Mitigation (CDM): https://www.dhs.gov/cisa/cdm. Consistent with the Federal Government's deployment of Information Security Continuous Monitoring (ISCM), the DHS Continuous Diagnostics and Mitigation (CDM) Program is a dynamic approach to fortifying the cybersecurity of government networks and systems. The CDM Program provides DHS, along with Federal Agencies, with capabilities and tools to identify cybersecurity risks on an ongoing basis, prioritize these risks based on potential impacts, and enable cybersecurity personnel to mitigate the most significant problems first. |
| CERT | acronym | Cyber Event Response Team (CERT) |
| CFO | acronym | Chief Finance Officer |
| CGT | acronym | Cloud Governance Team (CGT): a subset of the CloudOps team responsible for aligning Agency Goals (expressed as policy) with CSP resources. |
| CI | acronym | Configuration Item (CI) |
| Cloud Computing | term | Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models. (NIST SP 800-145) |
| CloudOps | acronym | Cloud Operations (CloudOps) team, responsible for SBA-HCE IaaS, PaaS, and designated cyber-sensitive resources hosted by an SBA-approved CSP. |
| CLS | acronym | Capital Access Login System (CLS) |
| CMS | acronym | Contract Management System |
| Community cloud | term | The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises. (NIST SP 800-145) |
| CONOPS | acronym | Concept of Operations |
| COTS | acronym | Commercial-off-the-Shelf (COTS) |
| CPIC | acronym | Capital Planning and Investment Control (OMB Exhibit 300) |
| CRED | acronym | Credentials and authentication. (source: DHS-CDM) |
| CRM | acronym | Customer Relationship Management (CRM) |
| CSCTS | acronym | Customer Service Center Telecommunications System |
| CSM | acronym | Security Configuration Settings. (source: DHS-CDM) |
| CSP | acronym | Cloud Service Provider (e.g. Azure, AWS, Google, IBM Cloud) |
| CSTCS | acronym | Customer Service Center Telecommunications System (CSTCS) |
| CyD | acronym | CyberDefense (CyD) |
| CySA | acronym | Cyber Situational Awareness |
| DBS | acronym | Design and Build in Security (DBS) |
| DCMS | acronym | Disaster Credit Management System |
| DHS | acronym | U.S. Department of Homeland Security |
| DLP | acronym | Data Loss Prevention |
| DRM | acronym | Data Reference Model (DRM) |
| DSBS | acronym | Dynamic Small Business Search (DSBS) |
| DSC | acronym | Desired State Configuration (DSC) |
| E8(a) | acronym | Electronic 8(a) Annual Review System |
| EA | acronym | a) Enterprise Architecture (model); b) Enterprise Architect (role) |
| EAE | acronym | Enterprise Azure Enclave (EAE) |
| EDMIS | acronym | Entrepreneurial Development Management Information System (EDMIS) |
| EEO | acronym | Equal Employment Opportunity Management System |
| ELA | acronym | a) Enterprise Learning Agenda; b) Electronic Loan Application (an ODA system) |
| E-LEND | acronym | Electronic Lending System (E-LEND) |
| ELIPS | acronym | Electronic Loan Information Processing System (ELIPS) |
| EO | acronym | Executive Order |
| ERM | acronym | Enterprise Risk Management |
| ESB | acronym | Enterprise Service Bus |
| ESM | acronym | Enterprise Service Management (ESM) |
| E-TRAN | acronym | Electronic Transaction System (E-TRAN) |
| EXEC SEC | acronym | Office of the Executive Secretariat |
| FEAF | acronym | Federal Enterprise Architecture Framework |
| FEAF-II | acronym | Federal Enterprise Architecture Framework, Version 2.0 |
| FIREs | acronym | Federal Incident Response Evaluations (FIREs) |
| Firewall - Layer 3 | term | Layer 3 firewalls (i.e. packet filtering firewalls) filter traffic based solely on source/destination IP, port, and protocol. |
| Firewall - Layer 4 | term | Layer 4 firewalls perform Layer 3 firewall functions and add the ability to track active network connections and allow/deny traffic based on the state of those sessions (i.e. stateful packet inspection). |
| Firewall - Layer 7 | term | Layer 7 firewalls (i.e. application gateways) perform Layer 3 and Layer 4 firewall functions and add the ability to intelligently inspect the contents of network packets. For instance, a Layer 7 firewall could deny all HTTP POST requests from Chinese IP addresses. This level of granularity comes at a performance cost, though. |
| FISMA | acronym | Federal Information Security Management Modernization Act |
| FMS | acronym | Financial Management System (FMS) |
| FTA | acronym | Fiscal Transfer Agent (FTA) |
| FTE | acronym | Full-Time Equivalent |
| FTI | acronym | Federal Tax Information |
| FY | acronym | Fiscal Year |
| GCBD | acronym | Office of Government Contracting and Business Development |
| GDB | acronym | graph database (GDB) |
| GFE | acronym | Government Furnished Equipment (GFE) |
| GLS | acronym | General Login System (GLS) |
| GOST | acronym | Goals, Objectives, Strategies, Tactics (GOST) |
| GPRA | acronym | Government Performance and Results Act (GPRA): https://obamawhitehouse.archives.gov/omb/mgmt-gpra/index-gpra |
| GPRAMA | acronym | Government Performance and Results Act (GPRA) Modernization Act of 2010 |
| GSS | acronym | General Support System (GSS): an interconnected set of information resources under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, and people. Source(s): CNSSI 4009-2015; NIST SP 800-18 Rev. 1; NIST SP 800-60 Vol. 1 Rev. 1; NIST SP 800-60 Vol. 2 Rev. 1 (each under "General Support System", citing OMB Circular A-130, Appendix III). |
| GUID | acronym | Globally Unique Identifier (GUID). TO-DO: provide examples of GUID generation across platforms; provide examples of non-GUID and GUID objects. |
| HADR | acronym | High-Availability, Disaster Recovery (HADR) |
| HASU | acronym | Hearing and Appeal Submission Upload |
| HCA | acronym | Hybrid Cloud Architecture |
| HCE | acronym | Hybrid Cloud Environment |
| HCOP | acronym | Human Capital Operating Plan |
| HQDSS | acronym | Headquarters Data Services System (HQDSS) |
| HSSE | acronym | Health and Safety Services (HSSE) |
| HUBZone | acronym | Historically Underutilized Business Zone |
| HWAM | acronym | Hardware Asset Management. (source: DHS-CDM) |
| Hybrid cloud | term | The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds). (NIST SP 800-145) |
| Hybrid IT | term | Hybrid IT is a term that refers to the combined and simultaneous consumption of cloud and traditional IT models to deliver IT services in production. (source: OACA) |
| IAW | acronym | In accordance with |
| ILPERS | acronym | Intermediary Lending Program Electronic Reporting System (ILPERS) |
| Infrastructure as a Service (IaaS) | term | The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls). (NIST SP 800-145) |
| IRM | acronym | a) FEAF: Infrastructure Reference Model (IRM); b) DHS-CDM: Information Rights Management (IRM) |
| ITSM | acronym | Information Technology Service Management (ITIL) |
| IZA | acronym | Institute of Labor Economics |
| JAAMS | acronym | Join Account and Administrative Management System |
| L/LMS | acronym | Loan/Lender Monitoring System |
| LAN | acronym | Local Area Network (LAN) |
| LLT | acronym | Long-lived transactions (LLTs) hold on to database resources for relatively long periods of time, significantly delaying the termination of shorter and more common transactions. An LLT is a saga if it can be written as a sequence of transactions that can be interleaved with other transactions. The database management system guarantees that either all the transactions in a saga are successfully completed or compensating transactions are run to amend a partial execution. Both the concept of saga and its implementation are relatively simple, but they have the potential to significantly impact performance. (ACM O-89791-236-5/87/0005/0249) |
| MA | acronym | FEAF-PRM Measurement Area |
| MC | acronym | FEAF-PRM Measurement Category |
| MCAS | term | Microsoft Cloud App Security (MCAS). |
| MCS | acronym | Mission Critical System (MCS) |
| MCW | acronym | Any workload served by or hosted on a Mission Critical System (MCS) |
| MDR | acronym | DHS-CDM: Master Device Record |
| MIR | acronym | DHS-CDM: Master Incident Record |
| MNA | acronym | Mergers and Acquisitions (MNA) |
| MNGEVT | acronym | DHS-CDM: Managing Events (MNGEVT) |
| MPERS | acronym | Microloan Program Electronic Reporting System (MPERS) |
| MSR | acronym | DHS-CDM: Master System Record |
| MUR | acronym | DHS-CDM: Master User Record |
| NAP | acronym | Network Access Protection (NAP), a service that protects networks, both public and private, from malware such as viruses and spyware. |
| NOC | acronym | Network Operations Center (NOC) |
| NVD | acronym | National Vulnerability Database |
| NWBC | acronym | National Women's Business Council |
| OACA | acronym | The Open Alliance for Cloud Adoption (https://www.oaca-project.org/), a Linux Foundation project |
| OAS | acronym | Office of Administrative Services |
| OBED | acronym | Office of Business and Economic Development |
| OCA | acronym | Office of Capital Access |
| OCIO | acronym | Office of the Chief Information Officer |
| OCORM | acronym | Office of Continuous Operations and Risk Management |
| OCRM | acronym | Office of Credit Risk Management (OCRM) |
| ODA | acronym | Office of Disaster Assistance |
| ODICR | acronym | Office of Diversity, Inclusion and Civil Rights |
| OED | acronym | Office of Entrepreneurial Development |
| OEMISS | acronym | Office of Executive Management, Installation and Support Services |
| OGC | acronym | Office of the General Counsel |
| OGM | acronym | Office of Grants Management |
| OIG | acronym | Office of the Inspector General (OIG) |
| OII | acronym | Office of Investment and Innovation |
| OMB | acronym | U.S. Office of Management and Budget |
| OMC | acronym | Office of Marketing and Communication |
| ONO | acronym | Office of National Ombudsman |
| OP | acronym | Organizational Person |
| OPEX | acronym | Operational Expenditure |
| OPM | acronym | Office of Performance Management |
| OPS | acronym | Office of Personnel Security |
| OU | acronym | Organizational Unit |
| PACS | acronym | Physical Access Control System (PACS): an automated system that manages the passage of people or assets through an opening (or openings) in a secure perimeter based on a set of authorization rules. |
| PEAP | acronym | Protected Extensible Authentication Protocol (PEAP) is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypted and authenticated Transport Layer Security (TLS) tunnel. |
| PHI | acronym | Protected Health Information |
| PII | acronym | Personally Identifiable Information |
| PIMS | acronym | Partner Information Management System (PIMS) |
| PKI | acronym | A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption. |
| Platform as a Service (PaaS) | term | The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment. (NIST SP 800-145) |
| PoP | acronym | Point of Presence (PoP): an artificial (logical) demarcation point or interface point between communicating entities. A common example is an Internet point of presence, the local access point that allows users to connect to the Internet through their Internet service provider (ISP). |
| Principal | term | A subset of subject that is represented by an account, role or other unique identifier. At the level of implementation details, principals are the unique keys used in access control lists. They may represent human users, automation, applications, connections, etc. |
| PRIV | acronym | Management and control of account/access/managed privileges. (source: DHS-CDM) |
| Privacy Data | term | Privacy data includes any data subject to the Privacy Act of 1974, as amended. This includes Personally Identifiable Information (PII), Protected Health Information (PHI), and Federal Tax Information (FTI), among others. |
| Private cloud | term | The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises. (NIST SP 800-145) |
| PRM | acronym | FEAF v2: Performance Reference Model (PRM) |
| PSB | acronym | Preferred Surety Bond (PSB) |
| PU | acronym | Privileged User(s) (PU) |
| Public cloud | term | The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider. (NIST SP 800-145) |
| RACI | acronym | Responsible, Accountable, Consulted and Informed. A RACI chart is a matrix of all the activities or decision-making authorities undertaken in an organisation, set against all the people or roles. |
| RG | acronym | Azure Resource Group |
| RIB | acronym | Routing Information Base (RIB): synonymous with routing table |
| RMF | acronym | Risk Management Framework (NIST SP 800-37) |
| RRAS | acronym | Windows Routing and Remote Access Server |
| Saga | term | A saga is a sequence of local transactions where each transaction updates data within a single service. The first transaction is initiated by an external request corresponding to the system operation, and each subsequent step is triggered by the completion of the previous one. The two most common means of implementing a saga transaction are:<br>- Events/Choreography: when there is no central coordination, each service produces and listens to other services' events and decides whether an action should be taken.<br>- Command/Orchestration: when a coordinator service is responsible for centralizing the saga's decision making and sequencing business logic. |
| SBA | acronym | Small Business Administration |
| SBA Component | term | SBA Program Offices and the Office of Inspector General (OIG) are referred to as SBA Components. |
| SBDC | acronym | Small Business Development Center |
| SBG | acronym | Surety Bond Guarantee |
| SBIC | acronym | Small Business Investment Company |
| SBIR | acronym | Small Business Innovation Research |
| SBSS | acronym | Small Business Source System (SBSS) |
| SCAP | acronym | Security Content Automation Protocol |
| SCDO | acronym | Secure Cloud DevOps |
| SCRM | acronym | FEAF: Service Component Reference Model (SCRM) |
| SecDevOps | acronym | Secure Development Operations (SecDevOps) |
| SIB | acronym | Standards Information Base |
| SIEM | acronym | Security Incident and Event Management |
| SOA | acronym | service-oriented architecture (SOA) |
| SOC | acronym | Security Operations Center (SOC) |
| Software as a Service (SaaS) | term | The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. (NIST SP 800-145) |
| SRM | acronym | FEAF: Security Reference Model (SRM) |
| STEP | acronym | State Trade Expansion Program |
| Strategic Objective | term | Strategic Objectives reflect the outcome or management impacts the agency is trying to achieve over the term of an Administration. They express the results or direction the agency will work to achieve to make progress on its mission. Strategic Objectives advance the long-term outcomes identified in the Agency Strategic Plan, and are supported by more specific performance goals and indicators. Annually, agency leaders review progress being made on each of the strategic objectives in the Agency Strategic Plan by conducting a Strategic Review. An annual assessment that synthesizes available performance information and other evidence, the Strategic Reviews are designed to inform budget, legislative, and management decisions. (source: https://www.performance.gov/about/objectives_about.html) |
| STTR | acronym | Small Business Technology Transfer |
| Subject | term | In a security context, a subject is any entity that requests access to an object. These are generic terms used to denote the thing requesting access and the thing the request is made against. When you log onto an application you are the subject and the application is the object. When someone knocks on your door, the visitor is the subject requesting access and your home is the object of which access is requested. |
| SWAM | acronym | Software Asset Management. (source: DHS-CDM) |
| SWOT | acronym | Strengths, Weaknesses/Limitations, Opportunities |
| syslog-ng | acronym | syslog-ng is a free and open-source implementation of the syslog protocol for Unix and Unix-like systems. It extends the original syslogd model with content-based filtering, rich filtering capabilities and flexible configuration options, and adds important features to syslog, such as using TCP for transport. |
| TCO | acronym | Total Cost to Operate (TCO) |
| TOL | acronym | Task Order Lead (TOL) |
| TPCC | acronym | Trade Promotion Coordinating Committee |
| TRM | acronym | Technical Reference Model |
| Trustworthiness | term | Objective trustworthiness is a direct measure of a model's or element's fidelity to what is being modeled, verified through testing. Subjective trustworthiness is an indirect measure where the measure of trust is declared by an authoritative organizational entity. |
| UEBA | acronym | User and Entity Behavior Analytics |
| USEAC | acronym | U.S. Export Assistance Centers |
| User | term | A subset of principal usually referring to a human operator. The distinction is blurring over time because the words "user" or "user ID" are commonly interchanged with "account". However, when you need to distinguish between the broad class of things that are principals and the subset of these that are interactive operators driving transactions in a non-deterministic fashion, "user" is the right word. |
| VBOC | acronym | Veterans Business Outreach Center |
| VoIP | acronym | Voice over IP (VoIP). |
| VPN | acronym | Virtual Private Network (VPN) |
| VPS | acronym | Virtual Private Server (VPS): a virtual machine sold as a service by an Internet hosting service. The term virtual dedicated server has a similar meaning. |
| VUL | acronym | Software Vulnerabilities. (source: DHS-CDM) |
| WAN | acronym | Wide Area Network (WAN) |
| WBC | acronym | Women's Business Center |