Glossary

Access

A specific type of interaction between a process and an object that results in the flow of information from one to the other.

Accreditation Range

A set of sensitivity labels. See System Accreditation Range and User Accreditation Range.

Adjudication

When two information labels are combined, the determination of the information label that represents the proper combination of the two.

Canonical Form

A standard format for a label. A human-readable sensitivity label is in canonical form if it consists of a short classification name followed by any zero or more words, with any words present appearing in the same order as they appear in the SENSITIVITY LABELS: section of the encodings. A human-readable clearance is in canonical form if it consists of a short classification name followed by any zero or more words, with any words present appearing in the same order as they appear in the CLEARANCES: section of the encodings. A human-readable information label is in canonical form if it consists of a long classification name followed by any zero or more words, with any words present appearing in the same order as they appear in the INFORMATION LABELS: section of the encodings.

Classification

A designation applied to data indicating the sensitivity of the data with respect to national security. The designation, as described by executive order 12356, is one of the following, given in increasing order of sensitivity: UNCLASSIFIED, CONFIDENTIAL, SECRET, TOP SECRET.

Clearance

A designation applied to a person, indicating the sensitivity of data to which the person is allowed access when the person has an established need to know for the data. The designation consists of one of the classification levels with the possible addition of compartments, such as A or B. “Clearance” is also called security level of a user (or person) in some contexts.

Codeword

As used throughout this document, a word on which mandatory access control is not directly based (i.e., users are not specifically “cleared” or “briefed into” the word), but which implies a compartment on which mandatory access control is directly based.

Default bit. An initial compartment or marking bit that is not inverse. Default bits are associated with default words.

Compartment

A designation applied to a type of sensitive information, indicating the special handling procedures to be used for the information and the general class of people who may have access to the information. As used in this document, “compartment” has the same meaning as the word “category” in the National Computer Security Center's Trusted Computer System Evaluation Criteria, DoD 5200.28-STD. As used in this document, “compartment” refers to what the intelligence community calls compartments, subcompartments, SAPs, or SAPIs.

Default word

A word associated with only default bits. A default word appears in all labels containing the classification with which the word's default bits are associated, but can be prevented from appearing in the human-readable representation of a label with an output minimum classification.

Dominate

Security level SL1 dominates security level SL2 if the classification in SL1 is greater than or equal to the classification in SL2 and all the compartments in SL2 are also contained in SL1. A sensitivity label is said to dominate an information label if the security level in the sensitivity label dominates the security level in the information label. More generally, any bit string S1 dominates bit string S2 if all of the bits on in S1 are also on in S2.

IL. Information Label

Information Label. A piece of information that accurately represents the sensitivity of the data in a subject or object. An information label consists of an information level and other required security markings (e.g., codewords and handling caveats, control and release markings), to be used for data labeling purposes. The term information label is used when referring to both the information level and markings, and the term information level is used when referring to only the level portion of the label (not including the markings).

Information Level

The security level in an information label. An information level represents the actual classification and compartments of the data in a subject or object with which the level is associated. Information levels are used for data labeling, not for mandatory access control.

Initial bit

A compartment or marking bit specified in the initial compartments or initial markings associated with some classification.

Inverse bit

A compartment or marking bit in the internal representation of a label whose 0 value is associated with the presence of a word in a human-readable label and that is specified as 1 in the initial compartments or the initial markings for one or more classifications. An inverse bit is 1 in a label that does not contain any of the inverse words associated with the bit, and is therefore 1 in a label that contains no words.

Inverse word

A component of a human-readable label, other than a classification, whose internal representation contains at least one inverse bit. Adding an inverse word to a label either decreases or changes the sensitivity of the label, but never increases the sensitivity (i.e., changes at least one bit from 1 to 0).

ISSO

Information System Security Officer.

Label

A piece of information that represents either a clearance, a sensitivity level (see Sensitivity Label), or an information level and markings (see Information Label).

Level

See Security Level.

Mandatory Access Control

Control of access to an object by a process, host, or person on the basis of the sensitivity label of the object and the sensitivity label of the process attempting access to the object.

Markings

Information, other than security level, that must be associated with data within a computer system and with human-readable output. Markings include codewords and handling caveats, control and release markings. Markings are a portion of an information label.

Maximum Sensitivity Label

A well-formed sensitivity label that dominates all sensitivity labels in the system accreditation range.

Minimum Clearance

The lowest clearance of any user on the system.

Minimum Information Label

A well-formed information label that is dominated by all other information labels possible on the system. Empty objects are created with the minimum information label.

Minimum Sensitivity Label

A well-formed sensitivity label that is dominated by all sensitivity labels in the system accreditation range.

Normal user

Any system user designated by the ISSO as a normal user. Normal users typically include at least those users that are not operators, administrators, or ISSOs. Normal users are constrained to create only sensitivity labels that appear in the accreditation range of the system.

Normal word

A component of a human-readable label, other than a classification, whose internal representation includes no inverse bits. Adding a normal word to a label increases the sensitivity of the label.

Object

A passive entity that contains or receives information. Access to an object potentially implies access to the information it contains. Examples of objects are: records, blocks, pages, segments, files, directories, directory trees, and programs, as well as bytes, words, fields, processors, video displays, keyboards, clocks, printers, network nodes, etc.

Process

An independent unit of activity operating on behalf of a specific system user or on behalf of the system itself. A process can be thought of as a program in execution, but different users running the same program have different processes running the programs. Similarly, the same user running multiple different programs can have different processes running the programs, and the same user running a program more than once has different processes running the program.

SAP

Special Access Program.

SAPI

Special Access Program for Intelligence. Those special access programs involving intelligence activities that fall within the statutory authority and responsibility of the Director of Central Intelligence. Within these provisions, only those programs that require, as a condition of access, the signing of a nondisclosure statement are considered to be SAPIs. SAPIs are thereby given the status of SCI compartments and subcompartments in terms of the minimum required security levels necessary for their protection.

SCI

Sensitive Compartmented Information. All information and materials requiring special Community controls indicating restricted handling within present and future Community intelligence collection programs and their end products. These special Community controls are formal systems of restricted access established to protect the sensitive aspects of intelligence sources and methods and analytical procedures of foreign intelligence programs. The term does not include Restricted Data as defined in Section II, Public Law 585, Atomic Energy Act of 1954, as amended.

Security Level

A hierarchical classification and a set of nonhierarchical compartments, and any SAPs and/or SAPIs.

Sensitivity Label

A piece of information that represents the sensitivity level of a subject or an object and that describes the sensitivity (e.g., classification) of the data in the subject or object. Sensitivity labels/levels are used as the basis for mandatory access control decisions. Sensitivity labels/levels, because they are used for mandatory access control, must represent the sensitivity of both the subject or object and the data in the subject or object. Therefore, sensitivity labels/levels sometimes overrepresent the sensitivity of the data itself. The information label associated with subjects and objects is generally a more accurate representation of the sensitivity of the data in the subject or object. In the intelligence community, sensitivity labels typically represent the classification, compartments, subcompartments, SAPs and/or SAPIs associated with the subject or object.

Sensitivity Level

The security level in a sensitivity label. See Sensitivity Label.

SL

Sensitivity Label.

Special inverse bit

A compartment or marking bit in the internal representation of a label whose 0 value is associated with the presence of a word in a human-readable label and that is specified as 1 in the prefix associated with the word. A special inverse bit is 0 in a label that does not contain any of the special inverse words associated with the prefix that specifies the bit and is therefore 0 in a label that contains no words.

System Accreditation Range

A set of sensitivity labels, denoted by a well-formed minimum sensitivity label and a well-formed maximum sensitivity label, that represents those sensitivity labels that can be processed by the system as a whole. All sensitivity labels and clearances processed by the system must be well formed, must dominate the minimum sensitivity label, and must be dominated by the maximum sensitivity label.

User Accreditation Range

The subset of the system accreditation range that normal (non-authorized) users of the system can set (i.e., those sensitivity labels at which users can create subjects or objects, or to which users can change existing sensitivity labels). The user accreditation range applies only to sensitivity labels to be associated with subjects and objects and used for mandatory access control.

Visible Word

A word is said to be visible in a label if the presence of the word in the label does not cause the label to violate the dominance constraint on the label. The classification and compartments portion of each information label must be dominated by the associated sensitivity label, which in turn must be dominated by the associated user's clearance. If adding a word to an information label increases the sensitivity of the label such that the associated sensitivity label no longer dominates the information label, then the word is not visible in that information label.

Well Formed Label

A label that satisfies the set of well-formedness criteria specified in the encodings. These criteria include 1) the initial compartments and markings associated with each classification; 2) the minimum classification, output minimum classification, and maximum classification associated with each word; 3) the hierarchies defined by the bit patterns chosen for each word; 4) the required combinations of words; and 5) the combination constraints that apply to the words.

Word

A component of a human-readable label other than a classification.