Chapter 2

Question 1

Formal declaration by a designated accrediting authority (DAA) or principal accrediting authority (PAA) that an information system is approved to operate at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards.

Answer 1

Accreditation

Question 2

Identifies the information resources covered by an accreditation decision, as distinguished from separately accredited information resources that are interconnected or with which information is exchanged via messaging.

Answer 2

Accreditation Boundary

Question 3

For the purposes of identifying the protection level for confidentiality of a system to be accredited, the system has a conceptual boundary that extends to all intended users of the system, both directly and indirectly connected, who receive output from the system.

Answer 3

Accreditation Boundary

Question 4

Product comprised of a system security plan (SSP) and a report documenting the basis for the accreditation decision.

Answer 4

Accreditation Package

Question 5

The designated accrediting authority (DAA)

Answer 5

Accrediting Authority

Question 6

An attack on the authentication protocol where the attack transmits data to a claimant, credential service provider, verifier, or relaying party.

Answer 6

Active Attack

Question 7

Examples of this attack include MitM, impersonation, and session hijacking.

Answer 7

Active Attack

Question 8

An adversary with sophisticated levels of expertise and significant resources who is able to use multiple different attack vectors (e,g., cyber, physical, and deception) to achieve its objectives.

Answer 8

APT

Question 9

Its objectives are typically to establish and extend footholds within the information technology infrastructure of organizations in order to continually exfiltrate information and/or to undermine or impede critical aspects of a mission, program, or organization, or place itself in a position to do so in the future.

Answer 9

APT

Question 10

Pursues its objectives repeatedly over an extended period of time, adapting to a defender’s efforts to resist it, and with determination to maintain the level of interaction needed to execute its objectives.

Answer 10

APT

Question 11

Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.

Answer 11

Adversary

Question 12

Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.

Answer 12

Attack

Question 13

A branching hierarchical data structure that represents a set of potential approaches to achieving an event in which system security is penetrated or compromised in a specific way.

Answer 13

Attack Tree

Question 14

Ensuring timely and reliable access to and use of information.

Answer 14

Availability

Question 15

Timely, reliable access to data and information services for authorized users.

Answer 15

Availability

Question 16

The group responsible for defending an enterprise’s use of information systems by maintaining its security posture against a group of mock attackers.

Answer 16

Blue Team

Question 17

Must defend against real or simulated attacks (i) over a significant period of time, (ii) in a representative operational context (e.g., as part of an operational exercise), and (iii) according to rules established and monitored with the help of a neutral group refereeing the simulation or exercise.

Answer 17

Blue Team

Question 18

A security control that is inherited by one or more organizational information systems.

Answer 18

Common Control

Question 19

An organizational official responsible for the development, implementation, assessment, and monitoring of common controls.

Answer 19

Common Control Provider

Question 20

The security controls employed in lieu of the recommended controls in the security control baselines described in NIST SP 800-53 and CNSS Instruction 1253 that provide equivalent or comparable protection for an information system or organization.

Answer 20

Compensating Security Control

Question 21

Disclosure to information to unauthorized persons, or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object may have occurred.

Answer 21

Compromise

Question 22

Disclosure of classified data to persons not authorized to receive that data.

Answer 22

Compromise

Question 23

A violation of the security policy of a system such that an unauthorized disclosure, modification, or destruction of sensitive information has occurred.

Answer 23

Compromise

Question 24

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Answer 24

Confidentiality

Question 25

Process of controlling modifications to hardware, firmware, software, and documentation to protect the information system against improper modifications prior to, during, and after system implementation.

Answer 25

Configuration Control

Question 26

Maintaining ongoing awareness to support organizational risk decisions.

Answer 26

Continuous Monitoring

Question 27

Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system.

Answer 27

Countermeasures

Question 28

A time-phased or situation-dependent combination of risk response measures.

Answer 28

Course of Action (COA)

Question 29

Actions taken through the use of an information system or network that result in an actual or potentially adverse effect on an information system, network, and/or the information residing therein.

Answer 29

Cyber Incident

Question 30

The prevention of authorized access to resources or the delaying of time-critical operations.

Answer 30

Denial of Service (DOS)

Question 31

An organization with a defined mission/goal and a defined boundary, using information systems to execute that mission, and with responsibility for managing its own risk and performance.

Answer 31

Enterprise

Question 32

May consist of all or some of the following business aspects: acquisition, program management, financial management, human resources, security, and information systems, information, and mission management.

Answer 32

Enterprise

Question 33

A strategic asset baseline that defines the mission, the information necessary to perform them mission, and the transitional process for implementing new technologies in response to changing mission needs.

Answer 33

Enterprise Architecture (EA)

Question 34

Includes a baseline architecture, target architecture, and sequencing plan.

Answer 34

Enterprise Architecture

Question 35

The methods and processes used by an enterprise to manage risks to its mission and to establish the trust necessary for the enterprise to support shared missions.

Answer 35

Enterprise Risk Management

Question 36

Involves the identification of mission dependencies on enterprise capabilities, the identification and prioritization of risks due to defined threats, the implementation of countermeasures to provide both a static risk posture and an effective dynamic response to active threats; and it assesses enterprise performance against threats and adjusts countermeasures as necessary.

Answer 36

Enterprise Risk Management

Question 37

An observable occurrence in a network or system.

Answer 37

Event

Question 38

Unauthorized user who attempts or gains access to an information system.

Answer 38

Hacker

Question 39

The loss of confidentiality, integrity, or availability that could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, or the national security interests of the Nation.

Answer 39

High Impact

Question 40

Causes one or more of the following: (i) causes a severe degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced, (ii) results in major damage to organizational assets, (iii) results in major financial loss, and (iv) results in severe or catastrophic harm to individuals involving loss of life or serious life threating injuries.

Answer 40

High Impact

Question 41

An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS PUB 199 potential impact value of high.

Answer 41

High-impact System

Question 42

The effect on organizational operations, organizational assets, individuals, other organizations, or the Nation of a loss of confidentiality, integrity, or availability of information or an information system.

Answer 42

Impact

Question 43

The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure, unauthorized modification, unauthorized destruction, or loss of information or information system availability.

Answer 43

Impact Level

Question 44

An occurrence that results in actual or potential jeopardy to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security policies, or acceptable use policies.

Answer 44

Incident

Question 45

The mitigation of violations of security policies and recommended practices.

Answer 45

Incident Handling

Question 46

The mitigation of violations of security practices and recommended practices.

Answer 46

Incident Response

Question 47

Facts and ideas, which can be represented (encoded) as various forms of data.

Answer 47

Information

Question 48

Knowledge–e.g., data, instructions–in any medium or form that can be communicated between system entities.

Answer 48

Information

Question 49

Protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

Answer 49

Information Security

Question 50

A process to: (i) define an ISCM strategy, (ii) establish an ISCM program, (iii) implement an ISCM program, (iv) analyze data and report findings, (v) respond to findings, and (vi) review and update the ISCM strategy and program.

Answer 50

Information Security Continuous Monitoring (ISCM) Process

Question 51

The risk to organizational operations, organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems.

Answer 51

Information Security Risk

Question 52

A qualitative measure of the importance of the information based upon factors such as the level of robustness of the information assurance (IA) controls allocated to the protection of information.

Answer 52

Information Value

Question 53

A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system or resource without having authorization to do so.

Answer 53

Intrusion

Question 54

Causes one or more of the following: (i) causes a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced, (ii) results in minor damage to organizational assets, (iii) results in minor financial loss, and (iv) results in minor harm to individuals.

Answer 54

Low Impact

Question 55

The loss of confidentiality, integrity, or availability that could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, or the national security interests of the Nation.

Answer 55

Low Impact

Question 56

Elements of organizations describing mission areas, common/shared business services, and organization-wide services.

Answer 56

Mission/Business Segment

Question 57

Can be identified with one or more information systems that collectively support a mission/business process.

Answer 57

Mission/Business Segment

Question 58

Causes one or more of the following: (i) causes a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced, (ii) results in significant damage to organizational assets, (iii) results in significant financial loss, and (iv) results in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.

Answer 58

Moderate Impact

Question 59

The loss of confidentiality, integrity, or availability that could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, or the national security interests of the Nation.

Answer 59

Moderate Impact

Question 60

An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS PUB 199 potential impact value of moderate and no security objective is assigned a FIPS PUB 199 potential impact value of high.

Answer 60

Moderate-impact System

Question 61

An attack that does not alter systems or data.

Answer 61

Passive Attack

Question 62

The loss of confidentiality, integrity, or availability that could be expected to have a limited (low), serious (moderate), or a severe or catastrophic (high) adverse effect on organizational operations, organizational assets, or individuals.

Answer 62

Potential Impact

Question 63

A right granted to an individual, program, or process.

Answer 63

Privilege

Question 64

A group of people authorized an organized to emulate potential adversary’s attack or exploitation capabilities against an enterprise’s security posture.

Answer 64

Red Team

Question 65

Objective is to improve enterprise cybersecurity by demonstrating the impacts to successful attacks and by demonstrating what works for defenders (i.e., Blue Team) in an operational environment.

Answer 65

Red Team

Question 66

The act or mitigating a vulnerability or a threat.

Answer 66

Remediation

Question 67

Portion of risk remaining after security measures have been applied.

Answer 67

Residual Risk

Question 68

A measure of the extent to which an entity is threatened by a potential circumstance or event.

Answer 68

Risk

Question 69

A function of: (i) the adverse impacts that would arise if the circumstance or event occurs, and (ii) the likelihood of occurrence.

Answer 69

Risk

Question 70

The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation that would results from the operation of an information system.

Answer 70

Risk Assessment

Question 71

Incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.

Answer 71

Risk Assessment

Question 72

Report that contains the results of performing a risk assessment or the formal output from the process of assessing risk.

Answer 72

Risk Assessment Report (RAR)

Question 73

The individual, group, or organization responsible for conducting a risk assessment.

Answer 73

Risk Assessor

Question 74

An individual or group within an organization that helps to ensure that (i) security risk-related considerations for individual information systems, to include the authorization decisions for those systems, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its missions and business functions; and (ii) risk management form individual information systems is consistent across organization, reflects organizational risk tolerance, and is considered along with other organizational risks affecting mission/business success.

Answer 74

Risk Executive (Function)

Question 75

The program and supporting processes to manage information security risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.

Answer 75

Risk Management

Question 76

Includes (i) establishing the context for risk-related activities; (ii) assessing risk; (iii) responding to risk once determined; and (iv) monitoring risk over time.

Answer 76

Risk Management

Question 77

A structure approach used to oversee and manage risk for an enterprise.

Answer 77

Risk Management Framework (RMF)

Question 78

Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended for the risk management process.

Answer 78

Risk Mitigation

Question 79

Accepting, avoiding, mitigating, sharing, or transferring risk to organizational operations, organizational assets, individuals, other organizations, or the Nation.

Answer 79

Risk Response

Question 80

The level of risk an entity is willing to assume in order to achieve a potential desired result.

Answer 80

Risk Tolerance

Question 81

Provides a disciplined and structured approach for documenting the findings of the assessor and the recommendations for correcting an identified vulnerabilities in the security controls.

Answer 81

Security Assessment Report (SAR)

Question 82

Documents the results of the security control assessment and provides the authorizing official with essential information needed to make a risk-based decision on whether to authorize operation of an information system or a designated set of common controls.

Answer 82

Security Authorization Package

Question 83

Contains: (i) the security plan; (ii) the security assessment report (SAR); and (iii) the plan of action and milestones.

Answer 83

Security Authorization Package

Question 84

The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, individuals, other organizations, and the Nation.

Answer 84

Security Category

Question 85

The process of determining the security category for information or an information system.

Answer 85

Security Categorization

Question 86

Methodologies are described in CNSS Instruction 1253 for national security systems and in FIPS PUB 199 for other than national security systems.

Answer 86

Security Categorization

Question 87

Formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements.

Answer 87

Security Plan

Question 88

A measure of the importance assigned to information by its owner, for the purpose of denoting its need for protection.

Answer 88

Sensitivity

Question 89

Formal document that provides and overview of the security requirements for an information system and describes the security controls in place or planned to meeting those requirements

Answer 89

System Security Plan (SSP)

Question 90

Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or the Nation through an information security system via unauthorized access, destruction, disclosure, modification or information, and/or denial of service.

Answer 90

Threat

Question 91

Process of formally evaluating the degree of threat to an information system or enterprise and describing the nature of the threat.

Answer 91

Threat Assessment

Question 92

The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally exploit a vulnerability.

Answer 92

Threat Source

Question 93

Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.

Answer 93

Vulnerability

Question 94

Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data to help predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.

Answer 94

Vulnerability Assessment

Question 95

Risk that occurs at a strategic level.

Answer 95

Organizational Risk

Question 96

Organization-wide information security programs, policies, procedures, and guidance.

Answer 96

Organizational Risk Example

Question 97

The types of appropriate risk countermeasures.

Answer 97

Organizational Risk Example

Question 98

Investment decisions for information technologies/systems.

Answer 98

Organizational Risk Example

Question 99

Procurements

Answer 99

Organizational Risk Example

Question 100

Minimum organization-wide security controls.

Answer 100

Organizational Risk Example

Question 101

Conformance to enterprise/security architectures.

Answer 101

Organizational Risk Example

Question 102

Monitoring strategies and ongoing authorizations of information systems and common controls.

Answer 102

Organizational Risk Example

Question 103

An example of a common organization-wide documentation; the security policies and procedures for an organization.

Answer 103

Dash-1 Security Controls

Question 104

Provides a repeatable process designed to promote the protection of information and information systems commensurate with risk.

Answer 104

Risk Management Framework (RMF)

Question 105

Emphasizes organization-wide preparation necessary to manage security and privacy risks.

Answer 105

Risk Management Framework (RMF)

Question 106

Facilitates the categorization of information and systems, the selection, implementation, assessment, and monitoring of controls, and the authorization of information systems and common controls.

Answer 106

Risk Management Framework (RMF)

Question 107

Promotes the use of automation for near real-time risk management and ongoing system and control authorization through the implementation of continuous monitoring processes.

Answer 107

Risk Management Framework (RMF)

Question 108

Encourages the use of correct and timely metrics to provide senior leaders and managers with the necessary information to make cost-effective, risk-based decisions for information systems supporting their missions and business functions.

Answer 108

Risk Management Framework (RMF)

Question 109

Facilitates the integration of security and privacy requirements and controls into enterprise architecture, SDLC, acquisition processes, and system engineering processes.

Answer 109

Risk Management Framework (RMF)

Question 110

Connects risk management processes at the organization and mission or business process levels to risk management processes at the information system level though a senior accountable official for risk management and risk executive function.

Answer 110

Risk Management Framework (RMF)

Question 111

Establishes responsibility and accountability for controls implemented within information systems and inherited by those systems.

Answer 111

Risk Management Framework (RMF)

Question 112

Steps include: (i) prepare, (ii) categorize, (iii) select, (iv) implement, (v) assess, (vi) authorize, and (vii) monitor.

Answer 112

RMF

Question 113

Establishes the scope of protection for an information system.

Answer 113

Authorization Boundary

Question 114

Security and privacy requirements and risks identified by the organization, lead to the need for security and privacy controls to respond to the risk.

Answer 114

Derived Requirements

Question 115

Commonly addressed by putting in place organization-wide or company-wide security policies, processes, and standard operating procedures.

Answer 115

Organizational Risk

Question 116

The security-relevant risk for a particular business unit within an organization.

Answer 116

Mission and Business Risk

Question 117

Design decisions: (i) selection, tailoring, and supplementation of security controls, and (ii) selection of information technology products for organizational information systems.

Answer 117

Information System Risk Example

Question 118

Implementation decisions: whether specific information technology products or product configurations meet security control requirements.

Answer 118

Information System Risk Example

Question 119

Operational decisions: (i) level of monitoring activity, and (ii) frequency of ongoing information system authorizations.

Answer 119

Information System Risk Example

Question 120

The characteristics of the system are described and documented.

Answer 120

RMF Categorize Task

Question 121

A security categorization of the system, including the information processed by the system represented by the organization-identified information types, is completed.

Answer 121

RMF Categorize Task

Question 122

The security categorization results are reviewed, and the categorization decision is approved by senior leaders in the organization.

Answer 122

RMF Categorize Task

Question 123

{(confidentiality, impact), (integrity, impact), (availability, impact)}, where the acceptable values for potential impact are LOW, MODERATE, and HIGH.

Answer 123

System Categorization

Question 124

Control baseline necessary to protect the system commensurate with risk is selected.

Answer 124

RMF Select Task

Question 125

Controls are tailored producing tailored control baselines.

Answer 125

RMF Select Task

Question 126

Controls are designed as system-specific, hybrid, or common controls and allocated to the specific system elements.

Answer 126

RMF Select Task

Question 127

Controls and associated tailoring actions are documented in security and privacy plans or equivalent documents.

Answer 127

RMF Select Task

Question 128

A continuous monitoring strategy for the system that reflects the organizational risk management strategy is developed.

Answer 128

RMF Select Task

Question 129

Security and privacy plans reflecting the selection of controls necessary to protect the system and the environment of operation commensurate with risk are reviewed and approved by the authorizing official.

Answer 129

RMF Select Task

Question 130

Controls specified in the security and privacy plans are implemented.

Answer 130

RMF Implement Task

Question 131

Changes to the planned implementation of controls are documented and the security and control plans are updated based on the changes.

Answer 131

RMF Implement Task

Question 132

An assessor or assessment team (with the appropriate level of independence) is selected to conduct the control assessment.

Answer 132

RMF Assess Task

Question 133

Documentation needed to conduct the assessments is provided to the assessor or assessment team.

Answer 133

RMF Assess Task

Question 134

Control assessment is conducted in accordance with the security and privacy plans.

Answer 134

RMF Assess Task

Question 135

Secuity and privacy assessment reports that provide findgins and recommendations are completed.

Answer 135

RMF Assess Task

Question 136

Remediation actions to address deficiencies in the controls implemented in the system and environment of operation are taken and security and privacy plans are updated to reflect the remediation actions.

Answer 136

RMF Assess Task

Question 137

A plan of action and milestones detailing remediation plans for unacceptable risks identified in security and privacy assessment repots is developed.

Answer 137

RMF Assess Task

Question 138

An authorizing package is developed for submission to the authorizing official.

Answer 138

RMF Authorize Task

Question 139

A risk determination by the authorizing official that reflects the risk management strategy including risk tolerance is rendered.

Answer 139

RMF Authorize Task

Question 140

Risk responses for determined risks are provided.

Answer 140

RMF Authorize Task

Question 141

The authorization for the system for the common controls is approved or denied.

Answer 141

RMF Authorize Task

Question 142

Authorization decisions, significant vulnerabilities, and risks are reported to organizational officials.

Answer 142

RMF Authorize Task

Question 143

The information system and environment of operation are monitored in accordance with the continuous monitoring strategy.

Answer 143

RMF Monitor Task

Question 144

Ongoing assessments of control effectiveness are conducted in accordance with the continuous monitoring strategy.

Answer 144

RMF Monitor Task

Question 145

The output of continuous monitoring activities is analyzed and responded to appropriately.

Answer 145

RMF Monitor Task

Question 146

Risk management documents are updated based on continuous monitoring activities.

Answer 146

RMF Monitor Task

Question 147

A process is in place to report the security and privacy posture to the authorizing official and other senior leaders and executives.

Answer 147

RMF Monitor Task

Question 148

A system disposal strategy is developed and implemented as needed.

Answer 148

RMF Monitor Task

Question 149

Frames the environment, or scope, of where the risk is being assessed.

Answer 149

Risk Context

Question 150

Identifies: (i) threats to organizations or threats directed through organizations against other organizations or the Nation, (ii) vulnerabilities internal and external to organizations, (iii) the harm that may occur given the potential for threats exploiting vulnerabilities, and (iv) the likelihood of that will occur.

Answer 150

Risk Assessment Purpose

Question 151

Includes: (i) frame, (ii) assess, (iii) respond, and (iv) monitor.

Answer 151

Risk Assessment Steps

Question 152

Example of a risk assessment method that combines qualitative and quantitative assessment methods.

Answer 152

Heat Map

Question 153

Results are time boxed and not accurate for longer periods of time.

Answer 153

Risk Assessment

Question 154

The process of identifying, estimating, and prioritizing information security risks.

Answer 154

Risk Assessment

Question 155

Typically includes: (i) a risk assessment process, (ii) and explicit risk model, (iii) an assessment approach, and (iv) and analysis approach.

Answer 155

Risk Assessment Methodology

Question 156

Defines key terms and assessable risk factors and the relationships among factors.

Answer 156

Risk Model

Question 157

Specifies the range of values risk factors can assume during the risk assessment and how combinations of risk factors are identified/analyzed so that values of those factors can be functionally combined to evaluate risk.

Answer 157

Assessment Approach

Question 158

Describes how combinations of risk factors are identified/analyzed to ensure adequate coverage of the problem space at a consistent level of detail.

Answer 158

Analysis Approach

Question 159

Defines the risk factors to be assessed and the relationships among those factors.

Answer 159

Risk Model

Question 160

Documentation includes: (i) identification of risk factors, and (ii) identification of the relationships among risk factors.

Answer 160

Risk Model

Question 161

Include the following: (i) threats, (ii) vulnerabilities, (iii) impact, (iv) likelihood, and (v) predisposing condition.

Answer 161

Risk Factors

Question 162

Hostile cyber or physical attack.

Answer 162

Threat Source

Question 163

Human error of omission or commission.

Answer 163

Threat Source

Question 164

Structural failure of organization-controlled resources.

Answer 164

Threat Source

Question 165

Natural and man-made disasters, accidents, and failures beyond the control of an organization.

Answer 165

Threat Source

Question 166

Can be either: (i) a single event, action, or circumstance; or (ii) sets and/or sequences of actions, activities, and/or circumstances.

Answer 166

Threat Event

Question 167

A set of discrete threat events, attributed to a specific threat source or multiple threat sources, ordered in time, that results in adverse effects.

Answer 167

Threat Scenario

Question 168

The response of adversaries to perceived safeguards and/or countermeasures (i.e., security controls), in which adversaries change some characteristic of their intent/targeting in order to avoid and/or overcome those safeguards/countermeasures.

Answer 168

Threat Shifting

Question 169

Can occur in one or more domains including: (i) the time domain, (ii) the target domain, (iii) the resource domain, or (iv) the attack planning/attack method domain.

Answer 169

Threat Shifting

Question 170

A condition that exists within an organization, a mission or business process, enterprise architecture, information system, or environment of operation which affects the likelihood that threat events, once initiated, result in adverse impacts to organizational operations and assets, individuals, other organizations, or the Nation.

Answer 170

Predisposing Condition

Question 171

An assessment of the relative importance of mitigating/remediating the vulnerability.

Answer 171

Vulnerability Severity

Question 172

The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.

Answer 172

Level of Impact