In this example, the organization must define the minimum password complexity (part 1a), the number of characters that must change when a new password is created (part 1b), the minimum and maximum password lifetime (part 1d), and the rules on password reuse (part 1e). Defining these variables, the organization-defined parameters of the control, gives every information system developer across the organization a common set of requirements against which to build information systems. Defining them is also a requirement of the RMF itself: leaving them undefined not only produces inconsistent implementations across the enterprise, but also causes information systems to fail the security control assessment for this enhancement, because the assessor has no organizational value against which to test the implementation.
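The following is an added example, not code from the original text, showing how the four parameters above become enforceable checks in a system: a policy object holds the organization-defined values, and a change request is tested against each one. The specific numbers (12 characters, 3 character classes, 4 changed characters, 1-day minimum and 60-day maximum lifetime, 24 remembered generations) are assumed placeholders, not values taken from NIST or CNSS guidance, and the metric used for "characters changed" (edit distance) is an assumption because the text does not say how it is measured.

```python
"""Added example: enforcing organization-defined password parameters.
All numeric values are assumed placeholders, not NIST or CNSS values."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    """One field per sub-item of the enhancement (assumed values)."""
    min_length: int = 12                          # 1a: complexity (length)
    min_classes: int = 3                          # 1a: complexity (character classes)
    min_changed_chars: int = 4                    # 1b: characters changed on a new password
    min_lifetime: timedelta = timedelta(days=1)   # 1d: minimum lifetime
    max_lifetime: timedelta = timedelta(days=60)  # 1d: maximum lifetime
    history_size: int = 24                        # 1e: generations that may not be reused


@dataclass
class PasswordRecord:
    """Per-account state: salted hashes of previous passwords, newest first."""
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    last_changed: Optional[datetime] = None


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def character_classes(password: str) -> int:
    """Number of distinct classes (lower, upper, digit, punctuation) present."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    return sum(1 for t in tests if any(t(c) for c in password))


def changed_characters(old: str, new: str) -> int:
    """Levenshtein distance between old and new password (assumed metric for
    part 1b), so that inserting one character at the front of the old password
    counts as one change rather than as a completely new string."""
    prev = list(range(len(new) + 1))
    for i, oc in enumerate(old, 1):
        cur = [i]
        for j, nc in enumerate(new, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (oc != nc)))
        prev = cur
    return prev[-1]


def is_expired(policy: PasswordPolicy, record: PasswordRecord, now: datetime) -> bool:
    """1d maximum lifetime: the password must be changed before further use."""
    return record.last_changed is not None and now - record.last_changed > policy.max_lifetime


def check_new_password(policy: PasswordPolicy, record: PasswordRecord,
                       current_plain: Optional[str], candidate: str,
                       now: datetime) -> List[str]:
    """Return the list of violated parameters; an empty list means accepted.
    current_plain is the password the user typed to authenticate the change
    (needed for 1b); it is compared in memory and never stored."""
    problems: List[str] = []
    if len(candidate) < policy.min_length:
        problems.append("1a:length")
    if character_classes(candidate) < policy.min_classes:
        problems.append("1a:classes")
    if current_plain is not None and \
            changed_characters(current_plain, candidate) < policy.min_changed_chars:
        problems.append("1b:changed")
    if record.last_changed is not None and now - record.last_changed < policy.min_lifetime:
        problems.append("1d:min-lifetime")
    for salt, digest in record.history[:policy.history_size]:
        if hmac.compare_digest(_hash(candidate, salt), digest):
            problems.append("1e:reuse")
            break
    return problems


def commit_password(policy: PasswordPolicy, record: PasswordRecord,
                    new_password: str, now: datetime) -> None:
    """Store the accepted password at the head of the history, trimmed to the 1e size."""
    salt = os.urandom(16)
    record.history.insert(0, (salt, _hash(new_password, salt)))
    del record.history[policy.history_size:]
    record.last_changed = now
```

Each violation is reported by the sub-item it belongs to, so an assessor can trace a rejected change back to the specific organization-defined parameter. The history keeps only salted hashes, because the reuse check (1e) must not require retaining old passwords in clear; the "characters changed" check (1b) does need the current password in clear, which is available only at the moment the user authenticates to change it. Whatever values an organization chooses, it should document them and revisit them against current guidance, since NIST SP 800-63B discourages routine expiration and composition rules for memorized secrets.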
Defining terms early in the risk management process reduces confusion when developing, documenting, and assessing the information system. Common terms often mean different things to different people. NIST has developed a glossary of key information security terms, NIST IR 7298, which, at the time of this writing, is in draft form for revision 2. The Committee on National Security Systems (CNSS) produced a glossary titled National Information Assurance (IA) Glossary, CNSSI 4009, which is also under revision. Organizations can turn to these documents to begin building an organizational lexicon of common security and information systems terms. An organization greatly assists system developers, technical writers, and assessors by documenting its own interpretations of these terms. For example, how long is near-real-time? What is the organization's definition of automatic versus automated?