Trustmark Definition (TD):
Security - Minimum Physical and Environmental Protection

Metadata


Identifierhttps://trustmark.gtri.gatech.edu/operational-pilot/trustmark-definitions/security-minimum-physical-and-environmental-protection/1.0/
NameSecurity - Minimum Physical and Environmental Protection
Version1.0
Publication Date2015-06-19
Trustmark Defining Organization
Identifierhttps://trustmark.gtri.gatech.edu/
NameGeorgia Tech Research Institute
PRIMARY Contact
EmailTrustmarkFeedback@gtri.gatech.edu
Telephone404-407-8956
Mailing Address75 5th Street NW, Suite 900, Atlanta, GA 30308
DescriptionThis Trustmark Definition defines the conformance and assessment criteria for organizational compliance with minimum security requirements for Physical and Environmental Protection based on NIST Federal Information Processing Standard 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006 and the information assurance controls for 'low impact' systems as defined by NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, National Institute of Standards and Technology, April 2013 (Including updates as of 01-15-2014)
Target StakeholdersOrganizations and relying parties interested in systems' compliance with NIST 800-53 standards.
Target RecipientsOrganizations that desire to provide and/or consume services compliant with NIST 800-53 standards.
Target Relying PartiesRelying parties interested in systems' compliance with NIST 800-53 standards.
Target ProvidersTrustmark Providers evaluating organizations for compliance with NIST 800-53 standards.
Provider CriteriaAny organization or business entity may act as a Trustmark Provider for trustmarks under this Trustmark Definition.
Assessor QualificationsAny individual employed or contracted by the Trustmark Provider may act as the assessor for trustmarks under this Trustmark Definition.
Trustmark Revocation CriteriaFor any trustmark issued under this Trustmark Definition, the Trustmark Provider must revoke the trustmark upon any condition whereby one or more Conformance Criteria cease to be satisfied.
Extension DescriptionThis Trustmark Definition requires no extension data.
Legal NoticeThis document and the information contained herein is provided on an "AS IS" basis, and the Georgia Tech Research Institute disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties or merchantability or fitness for a particular purpose. In addition, the Georgia Tech Research Institute disclaims legal liability for any loss incurred as a result of the use or reliance on the document or the information contained herein.
NotesThe Georgia Tech Research Institute (GTRI) has published this document with the support of the National Strategy for Trusted Identities in Cyberspace (NSTIC) via the National Institute of Standards and Technology (NIST). The views expressed herein do not necessarily reflect the official policies of GTRI, NIST or NSTIC; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government.

Conformance Criteria (15)


1: FIPS-Physical-Access

Organizations must limit physical access to information systems, equipment, and the respective operating environments to authorized individuals.

Citation(s)
  • FIPS-200Section 3, Minimum Security Requirements

2: FIPS-Physical-Infrastructure

Organizations must protect the physical plant and support infrastructure for information systems.

Citation(s)
  • FIPS-200Section 3, Minimum Security Requirements

3: FIPS-Physical-Utilities

Organizations must provide supporting utilities for information systems.

Citation(s)
  • FIPS-200Section 3, Minimum Security Requirements

4: FIPS-Physical-Environmental-Hazards

Organizations must protect information systems against environmental hazards.

Citation(s)
  • FIPS-200Section 3, Minimum Security Requirements

5: FIPS-Physical-Environmental-Controls

Organizations must provide appropriate environmental controls in facilities containing information systems.

Citation(s)
  • FIPS-200Section 3, Minimum Security Requirements

6: PE-1

Organizations must implement security control PE-1, Physical and Environmental Protection Policy and Procedures, in accordance with NIST SP800-53R4.

Citation(s)

7: PE-2

Organizations must implement security control PE-2, Physical Access Authorizations, in accordance with NIST SP800-53R4.

Citation(s)

8: PE-3

Organizations must implement security control PE-3, Physical Access Control, in accordance with NIST SP800-53R4.

Citation(s)

9: PE-6

Organizations must implement security control PE-6, Monitoring Physical Access, in accordance with NIST SP800-53R4.

Citation(s)

10: PE-8

Organizations must implement security control PE-8, Visitor Access Records, in accordance with NIST SP800-53R4.

Citation(s)

11: PE-12

Organizations must implement security control PE-12, Emergency Lighting, in accordance with NIST SP800-53R4.

Citation(s)

12: PE-13

Organizations must implement security control PE-13, Fire Protection, in accordance with NIST SP800-53R4.

Citation(s)

13: PE-14

Organizations must implement security control PE-14, Temperature and Humidity Controls, in accordance with NIST SP800-53R4.

Citation(s)

14: PE-15

Organizations must implement security control PE-15, Water Damage Protection, in accordance with NIST SP800-53R4.

Citation(s)

15: PE-16

Organizations must implement security control PE-16, Delivery and Removal, in accordance with NIST SP800-53R4.

Citation(s)

Assessment Steps (15)


Assessment Steps

1: FIPS-Physical-Access-Step (FIPS_Physical_Access_Step)

Does the organization limit physical access to information systems, equipment, and the respective operating environments to authorized individuals?

Required Artifact(s)
  • FIPS-Physical-Access

    Provide evidence (policies, procedures, actual FIPS compliance report, etc.) and a brief description of the controls that are in place to ensure that physical access to information systems, equipment, and the respective operating environments is limited to authorized individuals.

2: FIPS-Physical-Infrastructure-Step (FIPS_Physical_Infrastructure_Step)

Does the organization protect the physical plant and support infrastructure for information systems?

Required Artifact(s)
  • FIPS-Physical-Infrastructure

    Provide evidence (policies, procedures, actual FIPS compliance report, etc.) and a brief description of the controls that are in place to ensure that the physical plant and support infrastructure for information systems are protected.

3: FIPS-Physical-Utilities-Step (FIPS_Physical_Utilities_Step)

Does the organization provide supporting utilities for information systems?

Required Artifact(s)
  • FIPS-Physical-Utilities

    Provide evidence (policies, procedures, actual FIPS compliance report, etc.) and a brief description of the controls that are in place to ensure that supporting utilities are provided information systems.

4: FIPS-Physical-Environmental-Hazards-Step (FIPS_Physical_Environmental_Hazards_Step)

Does the organization protect information systems against environmental hazards?

Required Artifact(s)
  • FIPS-Physical-Environmental-Hazards

    Provide evidence (policies, procedures, actual FIPS compliance report, etc.) and a brief description of the controls that are in place to ensure that information systems are protected against environmental hazards.

5: FIPS-Physical-Environmental-Controls-Step (FIPS_Physical_Environmental_Controls_Step)

Does the organization provide appropriate environmental controls in facilities containing information systems?

Required Artifact(s)
  • FIPS-Physical-Environmental-Controls

    Provide evidence (policies, actual FIPS compliance report, etc.) and a brief description of the controls that are in place to ensure that appropriate environmental controls are provided in facilities containing information systems.

6: PE-1-Step (PE_1_Step)

Does the organization implement security control PE-1, Physical and Environmental Protection Policy and Procedures, in accordance with NIST SP800-53R4?

Control: The organization:

a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:

  1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and

b. Reviews and updates the current:

  1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and
  2. Physical and environmental protection procedures [Assignment: organization-defined frequency].
Required Artifact(s)
  • PE-1

    Provide evidence (policies, actual FIPS compliance report, etc.) that controls are in place to ensure that the organization implements security control PE-1, Physical and Environmental Protection Policy and Procedures, in accordance with NIST SP800-53R4.

7: PE-2-Step (PE_2_Step)

Does the organization implement security control PE-2, Physical Access Authorizations, in accordance with NIST SP800-53R4?

Control: The organization:

a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;

b. Issues authorization credentials for facility access;

c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and

d. Removes individuals from the facility access list when access is no longer required.

Required Artifact(s)
  • PE-2

    Provide evidence (policies, actual FIPS compliance report, etc.) that controls are in place to ensure that the organization implements security control PE-2, Physical Access Authorizations, in accordance with NIST SP800-53R4.

8: PE-3-Step (PE_3_Step)

Does the organization implement security control PE-3, Physical Access Control, in accordance with NIST SP800-53R4?

Control: The organization:

a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;

  1. Verifying individual access authorizations before granting access to the facility; and
  2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards_];

b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];

c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;

d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];

e. Secures keys, combinations, and other physical access devices;

f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and

g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.

Required Artifact(s)
  • PE-3

    Provide evidence (policies, actual FIPS compliance report, etc.) that controls are in place to ensure that the organization implements security control PE-3, Physical Access Control, in accordance with NIST SP800-53R4.

9: PE-6-Step (PE_6_Step)

Does the organization implement security control PE-6, Monitoring Physical Access, in accordance with NIST SP800-53R4?

Control: The organization:

a. Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;

b. Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and

c. Coordinates results of reviews and investigations with the organizational incident response capability.

Required Artifact(s)
  • PE-6

    Provide evidence (policies, actual FIPS compliance report, etc.) that controls are in place to ensure that the organization implements security control PE-6, Monitoring Physical Access, in accordance with NIST SP800-53R4.

10: PE-8-Step (PE_8_Step)

Does the organization implement security control PE-8, Visitor Access Records, in accordance with NIST SP800-53R4?

Control: The organization:

a. Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and

b. Reviews visitor access records [Assignment: organization-defined frequency].

Required Artifact(s)
  • PE-8

    Provide evidence (policies, actual FIPS compliance report, etc.) that controls are in place to ensure that the organization implements security control PE-8, Visitor Access Records, in accordance with NIST SP800-53R4.

11: PE-12-Step (PE_12_Step)

Does the organization implement security control PE-12, Emergency Lighting, in accordance with NIST SP800-53R4?

Control: The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

Required Artifact(s)
  • PE-12

    Provide evidence (policies, actual FIPS compliance report, etc.) that controls are in place to ensure that the organization implements security control PE-12, Emergency Lighting, in accordance with NIST SP800-53R4.

12: PE-13-Step (PE_13_Step)

Does the organization implement security control PE-13, Fire Protection, in accordance with NIST SP800-53R4?

Control: The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

Required Artifact(s)
  • PE-13

    Provide evidence (policies, actual FIPS compliance report, etc.) that controls are in place to ensure that the organization implements security control PE-13, Fire Protection, in accordance with NIST SP800-53R4.

13: PE-14-Step (PE_14_Step)

Does the organization implement security control PE-14, Temperature and Humidity Controls, in accordance with NIST SP800-53R4?

Control: The organization:

a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and

b. Monitors temperature and humidity levels [Assignment: organization-defined frequency].

Required Artifact(s)
  • PE-14

    Provide evidence (policies, actual FIPS compliance report, etc.) that controls are in place to ensure that the organization implements security control PE-14, Temperature and Humidity Controls, in accordance with NIST SP800-53R4.

14: PE-15-Step (PE_15_Step)

Does the organization implement security control PE-15, Water Damage Protection, in accordance with NIST SP800-53R4?

Control: The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.

Required Artifact(s)
  • PE-15

    Provide evidence (policies, actual FIPS compliance report, etc.) that controls are in place to ensure that the organization implements security control PE-15, Water Damage Protection, in accordance with NIST SP800-53R4.

15: PE-16-Step (PE_16_Step)

Does the organization implement security control PE-16, Delivery and Removal, in accordance with NIST SP800-53R4?

Control: The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items.

Required Artifact(s)
  • PE-16

    Provide evidence (policies, actual FIPS compliance report, etc.) that controls are in place to ensure that the organization implements security control PE-16, Delivery and Removal, in accordance with NIST SP800-53R4.

Issuance Criteria


yes(ALL)

Sources (2)


FIPS-200
Federal Information Processing Standards Publication 200, Minimum Security Requirements for Federal Information and Information Systems, National Institute of Standards and Technology, March 2006.
SP800-53R4
NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, National Institute of Standards and Technology, April 2013 (Includes updates as of 01-15-2014)

Terms (54)


Accreditation

The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.

Adequate Security

Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. [OMB Circular A-130, Appendix III]

Agency

Any executive department, military department, government corporation, government controlled corporation, or other establishment in the executive branch of the government (including the Executive Office of the President), or any independent regulatory agency, but does not include: (i) the Government Accountability Office; (ii) the Federal Election Commission; (iii) the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or (iv) government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities. [44 U.S.C., SEC. 3502]

Authentication

Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.

Authorizing Official

Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals. Synonymous with Accreditation Authority.

Availability

Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542]

Certification

A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Chief Information Officer

Agency official responsible for: (i) providing advice and other assistance to the head of the executive agency and other senior management personnel of the agency to ensure that information technology is acquired and information resources are managed in a manner that is consistent with laws, Executive Orders, directives, policies, regulations, and priorities established by the head of the agency; (ii) developing, maintaining, and facilitating the implementation of a sound and integrated information technology architecture for the agency; and (iii) promoting the effective and efficient design and operation of all major information resources management processes for the agency, including improvements to work processes of the agency. [44 U.S.C., Sec. 5125(b)]

Chief Information Security Officer

See Senior Agency Information Security Officer.

Confidentiality

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C., SEC. 3542]

Countermeasures

Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. [CNSS Instruction 4009] Synonymous with security controls and safeguards.

Environment

Aggregate of external procedures, conditions, and objects affecting the development, operation, and maintenance of an information system. [CNSS Instruction 4009]

Executive Agency

An executive department specified in 5 U.S.C., SEC. 101; a military department specified in 5 U.S.C., SEC. 102; an independent establishment as defined in 5 U.S.C., SEC. 104(1); and a wholly-owned Government corporation fully subject to the provisions of 31 U.S.C., CHAPTER 91. [41 U.S.C., SEC. 403]

Federal Agency

See Agency.

Federal Information System

An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. [40 U.S.C., SEC. 11331]

High-Impact System

An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of high.

Incident

An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

Information

An instance of an information type. [FIPS Publication 199]

Information Owner

Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal. [CNSS Instruction 4009]

Information Resources

Information and related resources, such as personnel, equipment, funds, and information technology. [44 U.S.C., SEC. 3502]

Information Security

The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. [44 U.S.C., SEC. 3542]

Information System

A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. [44 U.S.C., SEC. 3502]

Information System Owner

Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system. [CNSS Instruction 4009 Adapted]

Information Technology

Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency. For purposes of the preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which: (i) requires the use of such equipment; or (ii) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term information technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources. [40 U.S.C., SEC. 1401]

Information Type

A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management), defined by an organization or, in some instances, by a specific law, Executive Order, directive, policy, or regulation. [FIPS Publication 199]

Integrity

Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. [44 U.S.C., SEC. 3542]

Low-Impact System

An information system in which all three security objectives (i.e., confidentiality, integrity, and availability) are assigned a FIPS 199 potential impact value of low.

Management Controls

The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security.

Media

Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, printouts (but not including display media) onto which information is recorded, stored, or printed within an information system.

Moderate-Impact System

An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of moderate, and no security objective is assigned a FIPS 199 potential impact value of high.

National Security Information

Information that has been determined pursuant to Executive Order 12958 as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status.

National Security System

Any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency - (i) the function, operation, or use of which involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions (excluding a system that is to be used for routine administrative and business applications, for example, payroll, finance, logistics, and personnel management applications); or (ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. [44 U.S.C., SEC. 3542]

Operational Controls

The security controls (i.e., safeguards or countermeasures) for an information system that primarily are implemented and executed by people (as opposed to systems).

Organization

A federal agency or, as appropriate, any of its operational elements.

Potential Impact

The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect, a serious adverse effect, or a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. [FIPS Publication 199]

Records

All books, papers, maps, photographs, machine-readable materials, or other documentary materials, regardless of physical form or characteristics, made or received by an agency of the United States Government under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations or other activities of the Government or because of the informational value of the data in them. [44 U.S.C. SEC. 3301]

Risk

The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.

Risk Management

The process of managing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system.

Safeguards

Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. [CNSS Instruction 4009 Adapted] Synonymous with security controls and countermeasures.

Sanitization

Process to remove information from media such that information recovery is not possible. It includes removing all labels, markings, and activity logs. [CNSS Instruction 4009 Adapted]

Security Category

The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, or individuals. [FIPS Publication 199]

Security Controls

The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. [FIPS Publication 199]

Security Control Baseline

The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.

Security Objective

Confidentiality, integrity, or availability. [FIPS Publication 199]

Security Plan

See System Security Plan.

Security Requirements

Requirements levied on an information system that are derived from applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures, or organizational mission/business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.

Senior Agency Information Security Officer

Official responsible for carrying out the Chief Information Officer responsibilities under FISMA and serving as the Chief Information Officer's primary liaison to the agency's authorizing officials, information system owners, and information system security officers. [44 U.S.C., Sec. 3544]

System

See information system.

System Security Plan

Formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements. [NIST Special Publication 800-18, Revision 1]

Technical Controls

The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.

Threat

Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability. [CNSS Instruction 4009 Adapted]

Threat Source

The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability. Synonymous with threat agent.

User

Individual or (system) process authorized to access an information system. [CNSS Instruction 4009]

Vulnerability

Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. [CNSS Instruction 4009 Adapted]