Glossary for Military and Emergency Service Acronyms

What is an Air Force Base (AFB)?

An Air Force Base (AFB) is a military facility, usually part of the complex that includes an airport, that consists of housing for military personnel, hangars for airplanes and other aircraft, and workshops for maintenance and repairs.

What is an Air Force Civil Engineer Center (AFCEC)?

The Air Force Civil Engineer Center (AFCEC) provides responsive, flexible civil engineering expertise and support to Air Force installations and the warfighter. The AFCEC team delivers capabilities across the broad civil engineering spectrum to enable ready engineers and maintain the facilities and platforms that are the backbone of the Air Force mission. AFCEC missions include:

  • Acquisition and Program Management
  • Design and Construction
  • Energy Support
  • Environmental Compliance And Restoration
  • Facility Investment Planning
  • Operations Support
  • Readiness and Emergency Management
  • Real Property Management

While the AFCEC headquarters are at Joint Base San Antonio-Lackland, Texas, the team conducts operations at more than 75 locations worldwide.

What is an Air Force Instruction (AFI)?

Air Force Instruction (AFI) is a set of policies or guidelines on creating, coordinating, and managing the United States Air Force Academy’s (USAFA’s) publications and forms. These policies extend to the guidance, procedures, and standards that govern standard publications and documents throughout the Air Force to meet USAFA publishing needs. They also apply to all Air Force, civilian, and contractor personnel who prepare, manage, review, certify, approve, or use publications and forms.

What is the Air Force Special Operations Command (AFWERX)?

The Air Force Special Operations Command (AFWERX) is a program office at the Air Force Research Laboratory (AFRL) that connects innovators across government, industry, and academia; it expands technology, talent, and transition partnerships for rapid and affordable commercial and military capability.

What is Artificial Intelligence/Machine Learning (AI/ML)?

Artificial Intelligence (AI)/Machine Learning is a branch of computer science devoted to developing data processing systems that performs functions normally associated with human intelligence behavior, such as reasoning, learning, and self-improvement.

Machine learning is the subset of AI where systems can automatically learn from data without an individual explicitly programming.

What is an Application Programming Interface (API)?

Application programming interfaces enable companies to open up their applications’ data and functionality to external third-party developers, business partners, and internal departments within their companies. An API allows services and products to communicate and leverage each other’s data and functionality through a documented interface.

What is Assessment and Authorization (A&A)?

A&A stands for services assessment and authorization. The A&A process is a comprehensive evaluation of:

  • Documentation
  • Information system policies
  • Policies
  • Safeguards
  • Technical and non-technical security components
  • Vulnerabilities

The A&A process helps ensure a particular design and implementation meets specified organizational, governmental, and federal security requirements and results in a formal authorization package.

What Is Assured Compliance Assessment Solution (ACAS)?

Assured Compliance Assessment Solution (ACAS) is a suite of information security tools, solutions, and requirements that the United States Department of Defense (DoD) uses for vulnerability scans, risk assessments, and device configuration assessments. Tenable, a Unified Security Monitoring (USM) leader, developed the requisite technology to be DoD compliant and won the ACAS contract with the Defense Information Systems Agency (DISA) in 2012.

What is Authorizing Official (AO)?

The Authorizing Official (AO) is a senior government official or executive who is responsible for a mission and has the authority to operate an information system at an acceptable level of risk to:

  • Organizational operations (including mission, function, image, or reputation)
  • Organizational assets
  • Individuals
  • Other organizations
  • The Nation

What is an Authorizing Official Designated Representative (AODR)?

An Authorizing Official Designated Representative (AODR) is an organizational official acting on behalf of an Authorizing Official (AO) in carrying out and coordinating the required activities associated with security authorization or privacy authorization. The AODR also provides technical and organizational support.

What is an Approval to Connect (ATC)?

Approval to Connect (ATC) is a formal statement by the Connection Approval Office granting approval for an Information System (IS) to connect to the Defense Information Systems Network (DISN). The Approval Office cannot grant the ATC for longer than the associated Authority to Operate (ATO) period (three years).

What is Authority/Authorization to Operate (ATO)?

An Authorization to Operate (ATO) is a formal declaration by a Designated Approving Authority (DAA) that authorizes the operation of a Business Product and explicitly accepts its risks. These risks could impact:

  • agency operations
  • organizational assets
  • individuals
  • other organizations
  • The Nation

The ATO is signed after a Certification Agent (CA) certifies that the system has met and passed all requirements to become operational.

What is the Authorization to Operate with Conditions (ATOC)?

(Also see ATO) An Authorization to Operate with Conditions (ATOC) is an official management decision given by a senior organizational official that authorizes the operation of a Business Product/Information System and explicitly accepts the risks that come with it. These risks could affect:

  • Agency operations
  • Organizational assets
  • Individuals
  • Other organizations
  • The Nation

What is a Body of Evidence (BoE)?

A body of evidence (BoE) is the totality of evidence that stakeholders use to substantiate trust, trustworthiness, and risk relative to the system.

What is the Bottom Line Up Front (BLUF)?

Bottom Line Up Front declares the purpose of the email and the action required. The BLUF will quickly answer the five W’s:

  • Who
  • What
  • Where
  • When
  • Why

Essentially, an effective BLUF distills the most critical information to the reader first.

What is a Building Automation System (BAS)?

A Building Automation System (BAS) monitors and controls both the mechanical and electrical equipment in a building. The centralized computer-based control system enables building operators to make educated decisions in order to ensure their safety while increasing the building’s productivity and efficiency.

What is a Civil Engineer (CE)?

A civil engineer (CE) conceives, designs, builds, supervises, operates, constructs, and maintains infrastructure projects and systems in the public and private sector, including, but not limited to:

  • Airports
  • Bridges
  • Buildings
  • Dams
  • Roads
  • Sewage treatment systems
  • Tunnels
  • Water supply

What Are Conceptual Operations (CONOPS)?

Conceptual Operations (ConOps) is a user-oriented document that describes system characteristics for a proposed system from a user’s viewpoint. The text communicates overall quantitative and qualitative system characteristics to the user, buyer, developer. ConOps also describes the user’s organization(s), mission(s), and objectives from an integrated systems point of view.

What is Condition-Based Maintenance (CBM)?

Condition-Based Maintenance (CMB) is a predictive maintenance strategy where various elements of an operating asset are measured over time to identify and prevent deterioration and possible failure at the earliest possible moment. Under CBM, maintenance only occurs when data indicates a decline in performance or the early warning signs of failure.

What is the Configuration Control Board (CCB)?

A Configuration Control Board (CCB) is a group of qualified individuals with responsibility for the process of regulating and approving changes to hardware, firmware, software, and documentation throughout the development and operational life cycle of an information system.

What is Cybersecurity Maturity Model Certification (CMMC)?

The Under Secretary of Defense for Acquisition and Sustainment OUSD (A&S)—in conjunction with Department of Defense (DoD) stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDC), and industry—developed the Cybersecurity Maturity Model Certification (CMMC) framework. The CMMC helps organizations such as the DoD measure cybersecurity capabilities and make risk-informed decisions about their Defense Industrial Base (DIB) partners.

What Is A Chief Information Security Officer (CISO)?

A chief information security officer (CISO) is a senior-level executive responsible for establishing and maintaining the enterprise vision, strategy, data security, and cybersecurity to protect information assets and technologies.

What is a Contracting Officer Representative (COR)?

A Contracting Officer Representative (COR) is a federal employee who has the authority to sign government contracts and take actions on behalf of the contracting agency. CORs conduct negotiations with vendors, approve contract modifications, resolve disputes about contractor performance, and approve payment requests up to specified dollar limits.

What is a Course of Action (COA)?

In incident-level decision making, a course of action (COA) is an overall plan that describes the selected strategies and management actions intended to achieve indecent objectives, comply with incident requirements, and are based on current and expected conditions.

What is a Defender Multi-Domain Situational Awareness Tool (DMSAT)?

A Defender Multi-Domain Situational Awareness Tool is a mobile common operating picture interface and kit for all Defenders. It is a critical component of command and control centers.

What is the Defense Information Systems Agency (DISA)?

The Defense Information Systems Agency (DISA) is a United States Department of Defense combat support agency. Over 7,000 military, federal civilians, and contractors compose the organization. DISA provides, operates, and assures command, control, and information-sharing capabilities and a globally accessible enterprise information infrastructure.

What is an Emergency Operations Center (EOC)?

An Emergency Operations Center is a physical or virtual location where trained personnel coordinate and support incident management activities.

What Are Energy Management Control Systems (EMCs)?

Energy Management Control Systems control the power, HVAC, lighting, and an array of sensors and services. These systems have become attack vectors for cyber criminals.

What is an Enterprise Mission Assurance Support Service (eMASS)?

An Enterprise Mission Assurance Support Service (eMASS) is a government-owned web-based application with a broad range of comprehensive, fully integrated cybersecurity management services. Features include:

  • Dashboard reporting
  • Controls scorecard measurement
  • The generation of a system security authorization package

eMASS provides an integrated suite of authorization capabilities and prevents cyberattacks by establishing strict process control mechanisms for obtaining authorization decisions.

What Are Facility-Related Control Systems (FRCS)?

Facility-Related Control Systems (FRCSs) are subsets of control systems used to monitor and control equipment and systems related to Department of Defense (DoD) property (e.g., building control systems, utility control systems, electronic security systems, and fire and life safety systems).

What is Force Protection Condition (FPCON)?

Force Protection Condition (FPCON) is a Department of Defense-approved system standardizing DoD’s identification of and recommended preventive actions and responses to terrorist threats against U.S. personnel and facilities. The system is the principal means for a commander to apply an operational decision on protecting against terrorism and facilitates coordination among DoD Components and support for antiterrorism activities. There are five FPCON levels of increasing Antiterrorism protective measures:

  1. FPCON Normal: a possible terrorist activity exists and warrants a routine security posture
  2. FPCON Alpha: a general threat of possible terrorist activity against personnel or facilities, and the nature and extent of the threat are unpredictable
  3. FPCON Bravo: an increased or more predictable threat of terrorist activity exists; may affect operational capability and military-civil relationships with local authorities
  4. FPCON Charlie: an incident occurs, or intelligence is received indicating some form of terrorist action or targeting against personnel or facilities is likely; may create hardship and affect the activities of the unit and its personnel
  5. FPCON Delta: the immediate area where a terrorist attack has occurred, or intelligence has received that terrorist action against a specific location or person is imminent

What is Information Security (INFOSEC)?

Information security is the protection of information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording, or destruction.

What is Information Security Continuous Monitoring (ISCM)?

Information Security Continuous Monitoring (ISCM) is an organization’s efforts, process, and strategy of maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.

What is an Information System Security Manager (ISSM)?

An information systems security manager (ISSM) is an individual responsible for the information assurance of a program, organization, system, or enclave. The Authorizing Official (AO) will direct the ISSM to configure and review information technology services and products.

What is an Information Systems Security Officer (ISSO)?

The Information Systems Security Officer (ISSO) maintains the appropriate operational security posture for an information system or program through its entire lifecycle. A chief information security officer (CISO) or authorizing official (AO) assigns the ISSO.

What is the Initial Operational Capability (IOC)?

The Initial Operational Capability (IOC) is a point in time during the Production & Deployment (PD) Phase where a system can meet the minimum operational (Threshold and Objective) capabilities for a user’s stated need. The operational capability consists of support, training, logistics, and system interoperability within the Department of Defense’s (DoD) operational environment.

What is an Integrated Master Plan (IMP)?

An Integrated Master Plan (IMP) is a living document, top-level plan that stakeholders use to develop, design, schedule, and manage projects over time. The objective of an integrated master plan is to serve as a basis for developing a detailed Integrated Master Schedule (IMS) that can accomplish the work contemplated in the IMP.

What is an Integrated Master Schedule (IMS)?

An Integrated Master Schedule (IMS) is a scheduling tool that combines estimating, tracking, and controlling the work for a project. An IMS usually includes a network diagram, task datasheet, resource tables, and an assignment schedule. The schedule may also include durations, predecessors, successors, and milestones. It also manages project resources, tracks schedule progress, and identifies risk areas that need attention.

What is an Interim Authority to Test (IATT)?

An Interim Authorization to Test (IATT) is a temporary authorization to test a Department of Defense information system (Is) in a specified operational information environment or with live data for a specified timeframe and under the conditions or constraints enumerated in the written authorization decision.

What is a Monthly Status Report (MSR)?

A monthly status report is a specific type of progress update delivery in the government contract industry. It is a requirement that allows both sides of a business relationship to understand duties, responsibilities, and accomplishments to continue down the path toward completion.

What is the National Institute of Standards & Technology (NIST)?

The National Institute of Standards and Technology (NIST) is part of the U.S. Department of Commerce. It promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve the quality of life. NIST’s vision is to be a world learning in creating critical measurement solutions and promoting equitable standards. Our efforts stimulate innovation, foster industrial competitiveness, and improve the quality of life.

What is Operations Security (OPSEC)?

Operations Security (OPSEC) is the process of protecting critical information, whether classified or unclassified. OPSEC focuses on preventing adversaries’ access to information and actions that may compromise an operation, challenging us to look at ourselves through the eyes of an adversary and deny the adversary the ability to act.

What is the Other Transaction Authority (OT/OTA)?

Other Transaction Authority gives certain federal agencies the flexibility to use a special award mechanism. Some agencies with authority to use OTAs are:

  • National Aeronautics and Space Administration (NASA)
  • The Department of Defense (DoD)
  • The Department of Health and Human Services (including NIH)
  • The Department of Energy (DOE)

OTAs are not grants, cooperative agreements, or contracts; they are a fast way to contract nontraditional defense suppliers.

What is a Performance Work Statement (PWS)?

A performance work statement is a statement of work for performance based-acquisitions that describes the required results in clear, specific, and objective terms with measurable outcomes.

What is Ports, Protocols, and Services Management (PPSM)?

Ports, Protocols, and Services Management (PPSM) is a Department of Defense Instruction that standardized procedures for cataloging, regulating, and controlling how people use and manage protocols in the internal protocol suite and in associated ports.

What is Predictive Maintenance (PdM)?

Predictive Maintenance (PdM) is the practice of identifying a fault in a machine or system, determining when it will occur, and taking preventive measures to mitigate its downtime. Predictive maintenance aims to ultimately reduce overall costs by mitigating the risk of unforeseen failure either through time-based maintenance, frequency-based maintenance, or condition monitoring.

What is Program Management Review (PMR)?

A Program Management Review (PMR) is a management level review held by a Systems Program Office or Systems Program Manager to determine the status of an assigned system. PMRs are tools to identify problems and develop appropriate follow-up actions as required.

What are Random Antiterrorism Measures (RAM)?

Random Antiterrorism Measures (RAMs) are multiple security measures that consistently change an installation’s force protection program. These measures introduce uncertainty to an installation’s overall force protection program to defeat surveillance attempts and make it difficult for terrorists to predict and perform actions accurately.

What is Real Property Installed Equipment (RPIE)?

Real Property Installed Equipment (RPIE) equipment is government-owned or leased accessory equipment, apparatuses, and fixtures that are essential to the function of the real property and are permanently attached to, integrated into, or on government-owned or leased property.

What is the Risk Management Framework (RMF)?

The Risk Management Framework (RMF) is a structured approach organizations use to oversee and manage risk. The RMF provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. The risk-based approach to control selection and specification considers:

  • Effectiveness
  • Efficiency
  • Constraints due to applicable laws
  • Directives
  • Executive Orders
  • Policies
  • Standards
  • Regulations

What is a Robotic Process Automation (RPA)?

Robotic process automation (RPA) is the term used for software tools that partially or fully automate human activities that are manual, rule-based, and repetitive. They work by replicating the actions of a human interacting with one or more software applications to perform tasks such as data entry, process standard transactions, or respond to simple customer service queries.

What is a Security Assessment Report (SAR)?

A Security Assessment Report (SAR) provides a disciplined and structured approach for documenting the findings of the assessor and the recommendations for correcting any identified vulnerabilities in the security controls.

What is a Security Controls Assessor (SCA)?

A Security Controls Assessor (SCA) is an individual, group, or organization responsible for conducting a security control assessment. A security control assessment involves:

  • testing and evaluating security controls to determine the extent to which an organization have implemented the controls correctly
  • operating as intended
  • producing the desired result with respect to meeting the security requirements for an information system or organization

What is a Security Control Assessor Representative (SCAR)?

The Air Force CISO appoints a Security Control Assessor (SCA). The SCA can appoint a Security Control Assessor Representative (SCAR), which may be an individual or organization. A SCAR gives risk recommendations to the (AO) based on a risk assessment of operating a system and applying the risk management framework process to Air Force Life Cycle Management Center (AFLCMC) systems and products.

What is Situational Awareness (SA)?

Situational awareness is an enterprise’s ability to comprehensively identify and correlate anomalous conditions and threats pertaining to industrial control systems, IT resources, access to buildings, facilities, and other business mission‐essential resources.

What is a Security Impact Assessment (SIA)?

A Security Impact Assessment (SIA) is an analysis conducted by an organizational official to determine the extent to which changes to the information system have affected the security state of the system.

What is a Statement of Objectives (SOO)?

The Statement of Objectives (SOO) is a Government prepared document that provides the primary, high-level objectives of the acquisition. In this approach, the contractors’ proposal contains their statements of work and performance metrics. The use of an SOO opens the acquisition up to a broader range of potential solutions.

What Are Sustainment Management Systems (SMSs)?

Sustainment Management Systems (SMSs) are web-based software applications developed by ERDC’s Construction Engineering Research Laboratory (CERL) to help civil engineers, technicians, and managers decide when, where, and how to maintain building infrastructure.

What is a System Security Plan (SSP)?

A System Security Plan (SSP) is a formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.

What is a Security Technical Implementation Guide (STIG)?

A Security Technical Implementation Guide (STIG) is a configuration standard consisting of cybersecurity policies, requirements, and security controls for a specific product. These guides enhance the security of products such as:

  • Networks
  • Servers
  • Computers
  • Software
  • Hardware

What is a Security Test Plan (STP)?

A Security Test Plan (STP) describes plans for qualification testing of Computer Software Configuration Items (CSCIs) and software systems. It also outlines the product test strategy, list of testing deliverables, the plan for development, the evolution of the plan, reference material, and agency definitions.

The STP should prescribe the scope, approach, resources, and schedule of all testing activities.

What is a Tactical Assault Kit (TAK)?

A Tactical Assault Kit (TAK) is a map-based software application that enables coordination among users with features such as position data, chat, mission planning, and shared overlays.

What is a Tailored Assessment Control Baseline (TACB)?

A Tailored Assessment Control Baseline is a tool used to assess all the control activities in an organization and evaluate their effectiveness; it develops a baseline from which an operator can measure progress.

What is a Tailored Continuous Monitoring Baseline (TCMB)?

A Tailored Continuous Monitoring Baseline (TACB) is a case-by-case information security control baselining technique tailored to an organization’s unique needs, business operations, infrastructure, and risk exposures. A TCMB enables each organization to individually select information security controls that mitigate its risks to achieve and maintain compliance with pertinent government regulations and industry standards.

What is a Tailored Security Control Baseline (TSCB)?

A Tailored Security Control Baseline (TSCB) is a configuration that contains security controls specific to an agency’s or organization’s mission and information systems. The implementation of the TSCB requires tailoring to meet the unique needs of each agency or organization, as appropriate for its risk environment.

What Are Unified Facilities Criteria (UFC)?

Unified Facilities Criteria are documents that provide planning, design, construction, sustainment, restoration, and modernization criteria that apply to Military Departments, Defense Agencies, and DoD Field Activities. UFC are distributed only in electronic media and are effective upon issuance.