

​Definition​Points of Reference


​Accessible​Refers to a site, work environment, service, or program that is easy to approach, enter, operate, participate in, and/or use safely and with dignity by a person with a disability.​ITP-ACC001
​Access Point​A wireless local access network (WLAN) transmitter/receiver that acts as a connection between wireless clients and wired networks.​ITP-NET001
​Account​The online credential being presented as representing a person.​ITP-SEC039
​Account Lockout
​The disabling or suspension of an account ID, generally as a result of a number of failed attempts to authenticate with that account ID.
​Active Directory
​A management tool for managing directory-based identity-related services.
​Agency/Delivery Center Personnel
​Employees responsible for the management of agency electronic media data cleansing.
​Agile Model
​A highly iterative software application development model that involves an interactive, cross-functional, and focused team approach to build software solutions in a time boxed (sprints) development methodology.  The Agile model uses feedback and checklists, tightly integrated cross functional teams, and multi-faceted iterations or sprints to quickly build custom software applications.  The feedback is driven by regular tests and releases of the evolving software.
​Algorithm​A series of discrete, conditional instructions. In computing, algorithms enumerate a list of operations to carry out. An algorithm informs a computer of the steps it must take to deliver a desired result.​ITP-BUS012
​American National Standards Institute (ANSI)​ANSI serves as a quasi-national standards organization. It provides area charters for groups that establish standards in specific fields. ANSI is unique among the world’s standards groups as a nongovernmental body granted the sole vote for the United States in the International Standards Organization (ISO).​ITP-INF001
​Anonymous logon (login)​Access to a system which does not require any information on the person accessing the system.​ITP-SEC039
​Application Inactivity
​The length of time an application is accessed (i.e., the account ID is logged in) without any interaction with the user.
​Application Inventory
​A centrally managed repository used to capture data and assess risk profiles for all enterprise and agency-level applications that support the business needs of the commonwealth.
​Application Lifecycle Management (ALM)
​A tool or set of tools that aids the development teams in the entire application development and product lifecycle management (e.g., governance, development, and maintenance). It encompasses requirements management, software architecture, programming, software testing, software maintenance, change management, continuous integration, project management, defect management, versioning and release management.
​Application Programming Interface (API)​API or Web API, as used in the context of Keystone Login, is an interface containing multiple web-exposed endpoints to a defined request-response data transfer system and/or messaging system.​ITP-SEC039
​Application Software
​Often called productivity programs or end-user programs because they enable the user to complete tasks, such as creating documents, spreadsheets, databases, and publications, doing online research, sending email, designing graphics, and running businesses. 
​Archived Digital Content
Digital Content that is no longer actively available to end-users but is still subject to record retention plans.
​Artificial Intelligence (AI)​A technology used to emulate human performance typically by learning, coming to its own conclusions, appearing to understand complex content, engaging in natural dialog with people, enhancing human cognitive performance (also known as cognitive computing), or conducting the execution of nonroutine tasks.​ITP-BUS012
​Authentication​The process of establishing confidence in the validity of a person’s logon account, usually as a prerequisite for granting access to resources in an information system.​ITP-SEC039
​Authentication Method​The type of authentication being used to validate a person’s logon account.  There are three categories: 1. Something you know (e.g. PIN, password, shared information) 2. Something you possess (e.g. token, smart card, digital certificate) 3. Something you are (biometrics – e.g. fingerprint, voice, iris, face)​ITP-SEC039
​Authorization​The process of verifying that an authenticated account is permitted to have access to a system based on the person’s business responsibilities.​ITP-SEC039
​Authorized Users​(MD version) Commonwealth of Pennsylvania employees, contractors, consultants, volunteers, or any other user who utilizes or has access to IT Resources.

(ITP version) Commonwealth employees, contracted resources, consultants, volunteers, or any other users who have been granted access to, and are authorized by the Commonwealth to use, Commonwealth IT Resources.
​MD 205.34
MD 205.42
MD 240.11
​Authorizing Official (AO)
​Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals.

​People who produce digital content, including but not limited to web developers, designers, writers, etc.
​Authoring Tool Accessibility Guidelines (ATAG)
​ATAG are an industry-recognized standard published by the Web Accessibility Initiative (WAI) of the World Wide Web Consortium (W3C) that addresses Authoring Tools.  ATAG includes three levels of conformance: A, AA, and AAA.
​Authoring Tools
​Software and services that Authors use to produce digital content, including but not limited to content management tools.
​Availability​Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.​44 U.S.C. Section 3542, Federal Information Processing Standards (FIPS) 199
​Availability (SLA-defined)​A service level metric that measures the percentage of time the application is available during the applicable Measurement Window. This measurement is by application, not by server instance. Calculation: A = (T-M-D) / (T-M) x 100%. A = Availability, T = Total Monthly Minutes, M = Approved Maintenance Time, D = Downtime​RFD-SER001A (pending)

B​ ​

​Business Partner​Any entity identified by statute, regulation, or contract as being an agent of the Commonwealth of Pennsylvania. A business partner connection is an interface for connecting business partners to the Commonwealth of Pennsylvania (COPA) network.​ITP-NET008
​Business Process Management (BPM)​A management practice that emphasizes the control, management, and continuous improvement of business processes. Business Process Management Suites (BPMS) are an integrated collection of software technologies that support the BPM practice.​N/A
​Business Proposal
​An artifact designed to influence a targeted audience of a solution to a business opportunity or problem.
​Business Rules Engine (BRE)​A software system that executes one or more business rules in a runtime production environment. The rules might come from company policy, (“All customers that spend more than $100 at one time will receive a 10% discount”), legal rules, or other sources.​N/A
​Capital Planning​The management and decision-making process associated with the planning, selection, control, and evaluation of investments in resources.​N/A
​Chain of Custody
​The chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence.
​Chain of Custody Tracking Form
​The document utilized by agencies to track all electronic media transfers throughout the process involving the sanitization and/or destruction of commonwealth electronic media.
​Change Management​The process of setting expectations and involving stakeholders in how a process or activity will be changed.​N/A
​Chatbot​An artificial intelligence (AI) program that simulates interactive human conversation by using key pre-calculated user phrases and auditory or text-based signals. A chatbot is known as an artificial conversational entity (ACE), chat robot, talk bot, chatterbot or chatterbox.​ITP-BUS012
​CIA Triad​Three fundamental tenets of information security: Confidentiality, Integrity, Availability​Cybersecurity and Cyberwar (Singer & Friedman)
​Cloud Computing Service 
​A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction that is provided from a cloud service provider.
​Cloud Service Provider (CSP) 
​An entity (private or public) that provides cloud-based platforms, infrastructure, applications, security, and/or storage services for another entity/organization.
Cloud Storage 
​Infrastructure as a Service (IaaS) deployment model that provides block, file and/or object storage services delivered through various protocols. The service can be stand-alone with no requirement for additional managed services or be bundled with additional managed services.
​Commercial-off-the-Shelf (COTS) 
​A term used to describe the purchase of products that are standard manufactured products rather than custom, or bespoke, products.  COTS application software is usually built and delivered by a third-party vendor and can be purchased, leased or even licensed.
​Commonwealth Application Certification and Accreditation (CA)2​A security assessment for Commonwealth IT systems involved in the transmission or storage of electronic transactions such as electronic records and electronic signatures.​MD 210.12
​Commonwealth Data 
​Consists of, but is not limited to, data that is intellectual property of the Commonwealth, data that is protected by law, order, regulation, directive or policy and any other sensitive or confidential data that requires security controls and compliance standards.
​Commonwealth of PA Procurement and Architectural Review (COPPAR)​The review mechanism the Office for Information Technology uses to review agency requests for policy waivers and large IT-related procurements.​ITP-BUS000
​Confidentiality​Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.​44 U.S.C. Section 3542, Federal Information Processing Standards (FIPS) 199
​Connection​Includes remote access system (RAS), a tool used to connect remotely to the commonwealth network. Authorized Users may need to connect to the network from home or another remote location, to perform their job functions. Remote access is coordinated by the Office of Administration, Office for Information Technology (OA/OIT), and users must have the Cisco virtual private network (VPN) client on their computer and a valid digital certificate. Connection does not include connecting with Authorized User devices to Office Outlook Web Access.
​MD 240.11
​Consultant
​A person identified as an expert in a particular field whom the Commonwealth engages under contract to provide professional advice and/or services to the Commonwealth for a specific purpose and duration.  A Consultant is not a Commonwealth employee.

​Contract Change Request (CCR)
​Contractual document utilized to modify, change, or delete a service and/or product within a contract.
​Contract Value
​Total dollar amount of the entire contract term (the base term and all estimated costs for option years)
​Contracted Resource
​A person whose services, under contract, are provided to the Commonwealth as an independent contractor for a specific purpose and duration.  A Contracted Resource is not a Commonwealth employee.
​The continental United States and Hawaii.
​Cost-to-Carry
​Current level of services. The focus is on activities and intended accomplishments.  When budgeting, Cost-to-Carry includes the future cost consequences of current program policy.
​Custom Built Application Software 
​The designing of software applications for a specific user or group of users within an organization. Such application software is designed to address specific user needs precisely as opposed to the more traditional and widespread off-the-shelf application software. Custom built application software meets unique business requirements.
​Cyber Security Incident
​Any occurrence involving the unauthorized or accidental modification, destruction, disclosure, loss, damage, misuse, or access to information technology resources such as systems, files and databases.  It also includes the violation or imminent threat of violation of computer security policies, acceptable use policies, and standard security practices. 
​Data​A value or set of values representing a specific concept or concepts. Data become “information” when analyzed and possibly combined with other data in order to extract meaning, and to provide context.​ITP-INF013
​Data Architecture​Describes the data structures used by a business and its applications. The architecture sets the data standards for all information systems in the organization and communicates a model of the interactions of data in those systems.​ITP-INF013 (pending)
​Data Breach
​An unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of a system, data or personal information maintained by the entity that causes, or the entity reasonably believes has caused, or will cause loss or injury to any resident of this Commonwealth.
​Data Element Encryption​A technique that encrypts individual data elements instead of encrypting an entire file or database. Common examples of data element encryption include column level database encryption and encryption of a Social Security Number (SSN) before writing it to a file. Data element encryption is used to selectively apply encryption, and may be used to reduce encryption/decryption overhead, to protect different elements with different keys, or to simplify adding encryption to applications.​ITP-SEC020
​Data Owner
​Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.

Also referred to as Information Owner
​Database Management System (DBMS)​Software to manage a database that provides a common and controlled approach maintaining data integrity and accessibility in storing data, adding new data, and in modifying and retrieving existing data within a database. Security and backups are key components.​ITP-INF001
​Procedure that reduces the magnetic flux to virtual zero by applying a reverse magnetizing field. Degaussing any electronic media will render the media permanently unusable.
​Demilitarized zone (DMZ)
​A perimeter network that protects an organization's internal local-area network (LAN) from untrusted traffic.
​Development Application Software
​Known as computer programming tools, these are used to translate and combine computer program source code and libraries.
​Digital Accessibility
​Digital Accessibility is providing Digital Content and Services that can be used by any user, including those with visual, auditory, motor, or cognitive Disabilities.
​Digital Accessibility Maturity Assessment
​A tool for measuring the degree of maturity attained in implementing and managing Digital Accessibility.  The assessment will help people in agencies understand the ten dimensions of an accessibility program and allow them to plan and work on improving the accessibility of Digital Content and Services year over year.
​Digital Content and Services
​The delivery of information and services to end-users via data, voice, or video technologies, which includes but is not limited to:
  • Electronic content: Websites and web-based materials (Internet & Intranet), Microsoft Office (Word, Excel, PowerPoint), Adobe InDesign & PDF documents, training materials (e.g., online training materials, tests, online surveys), multimedia (video/audio), digital materials (e.g., documents, templates, forms, reports, surveys), maps and infographics, electronic emergency notifications, and subscription services (e.g., news feeds, alert services, professional journals);
  • Software:  Web, desktop, server, and mobile client applications, authoring tools, associated infrastructure, and service offerings (SaaS, PaaS, IaaS);
  • Hardware:  Computers & laptops, servers, tablets, printers and copiers, scanners, peripheral equipment (e.g., keyboards, mice), kiosks and mobile phones;
  • Support documentation and services:  Training services, help desk or call center, automated self-service & technical support, and product informational materials.
​Disability (with respect to an individual)
  • ​A physical or mental impairment that substantially limits one or more major life activities of an individual;
  • A record of such an impairment; or
  • Being regarded as having such an impairment.  This term does not include current, illegal use of or addiction to a controlled substance, as defined in Section 102 of the Controlled Substances Act, 21 U.S.C. § 802.
​Disk Wipe
​Procedure that uses a single character to overwrite all addressable locations on a magnetic drive.
​DoD 5220.22-M
​Known as the National Industrial Security Program, which stipulates the requirement of three passes where the entire magnetic drive is overwritten.
​DoD Rated Degausser
​Department of Defense-type degaussers that meet or exceed DoD Type I or Type II media sanitization standards.

Type I: Equipment rated to degauss magnetic media having a maximum coercivity of 350 oersteds.

Type II: Equipment rated to degauss magnetic media having a maximum coercivity of 750 oersteds.


​eDiscovery​Electronic discovery (also called e-discovery or eDiscovery) refers to any process in which electronically stored information is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case. Electronically stored information, for the purpose of the Federal Rules of Civil Procedure, is information created, manipulated, communicated, stored, and best utilized in digital form, requiring the use of computer hardware and software.​OA Legal
​e-Discovery​Any process in which electronically stored information (ESI) is identified, collected, searched, and analyzed for production in the discovery phase of litigation.​ITP-INF009
​Electronic​Relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.​MD 210.12
​Electronic Device
​Devices that contain electronic media which include, but are not limited to, PCs, printers, multifunction systems, scanners, fax machines, and handheld devices such as cellular phones, smartphones and tablets.
​Electronic Media
​Material on which data are or may be recorded via an electrically based process, such as, but not limited to, magnetic tape, magnetic disks (hard drives), solid state devices/SSD (flash drives, SD cards, SIM cards), and optical discs (CDs, DVDs).
​Electronic Record​A record created, generated, sent, communicated, received, or stored by electronic means. This term includes permits, licenses, applications, and other documents required or issued by an executive agency.​MD 210.12
​Electronic Signature​(MD version) An electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.

(ITP version) an electronic sound, symbol, or process attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record. Although Electronic Signatures are represented digitally (i.e., as a series of ones and zeros), they can take many forms and can be created by many different technologies. This should not be confused with the Digital Signature terminology, which is used in public key cryptography.
​MD 210.12

​Electronic Storage System​A system to prepare, record, transfer, index, store, preserve, retrieve, and reproduce books and records by either electronically imaging hardcopy (paper) documents to an electronic storage media or transferring computerized books and records to an electronic storage media.​MD 210.12
IRS Rev. Procedure 97-22
​Electronic Transaction​The electronic sharing of information including: Electronic posting of data on a network. The exchange of an electronic record or electronic signature by an executive agency with a person or automated system to: facilitate access to restricted information; purchase, sell, or lease goods, services, or construction; transfer funds; facilitate the submission of an electronic record or electronic signature required or accepted by the commonwealth; or create a record upon which the commonwealth or another person will reasonably rely.​MD 210.12
​Electronically Stored Information (ESI)​Any data or information produced or received on commonwealth IT Resources that resides on commonwealth-managed storage solutions, either on premise or off premise (i.e. cloud storage, backup tapes).​ITP-INF009
​Emergency Maintenance (Enterprise Services)​Maintenance necessary when a problem exists on any Enterprise infrastructure component or Enterprise Service that is causing major disruptions to one or more agencies.​ITP-SYM010
​Enterprise Architecture​The analysis and documentation of an enterprise in its current and future states from an integrated strategy, business, and technology perspective.​N/A
​Enterprise Architecture Artifact​A documentation product such as a text document, diagram, spreadsheet, briefing slides, or video clip that documents EA components in a consistent way across the entire architecture.​N/A
​Enterprise Architecture Component​Changeable resources that provide capabilities at each level of a framework. Examples include strategic goals and initiatives, business services, web services, software applications, voice/data/mobile networks, buildings.​N/A
​Enterprise Information Security Office (EISO)​Office within the Office of Administration, Office for Information Technology tasked with managing the enterprise IT security posture for the commonwealth as it pertains to governance, risk, and compliance.​ITP-SEC000
​Enterprise IT Service Offering​An Enterprise IT Service Offering is made up from a combination of people, processes and technology that supports a customer's business. An Enterprise IT Service Offering is a means of delivering value to customers by facilitating the outcomes customers want to achieve without the ownership of costs and risks.​ITP-BUS007
​Enterprise Maintenance (Enterprise Services)​Maintenance is considered Enterprise if:
  • It affects any Enterprise infrastructure component or Enterprise service
  • It affects two or more agencies at one site
  • It affects two or more agencies at multiple sites
  • It affects one agency at multiple sites
​Enterprise Service Bus (ESB)
​Refers to a software architecture construct. This construct is typically implemented by technologies found in a category of middleware infrastructure products, based on recognized standards, which provide fundamental services for more complex architectures via an event-driven and standards-based messaging engine (the bus).​N/A
​Enterprise Service Catalog
​A document that describes the Enterprise IT Service Offerings.
​Enterprise Standard
​An Enterprise IT Service Offering that is required to be utilized and consumed by Agencies.
​Event (Security)​An observable occurrence in a system or network. Events include, but are not limited to, a user connecting to a file share, a server receiving a request for a Web page, a user sending electronic mail (e-mail), and a firewall blocking a connection attempt.​ITP-SEC021
​Event Correlation (Security)​The process of monitoring events in order to identify patterns that may signify attacks, intrusions, misuse or failure.​ITP-SEC021
​Executive Agency​A department, board, commission, council, authority, officer, or agency subject to the policy, supervision, and control of the Governor.​MD 210.12

F ​

​Federal Information Processing Standards (FIPS)​A federal IT standard established by the National Institute of Standards and Technology.​ITP-SEC000

​File Encryption​A technique that encrypts files on a file system, without encrypting the file system itself or the entire disk. A file encrypting application may include functionality to: archive multiple files into a single file before or after encrypting; produce self-decrypting files; or automatically encrypt files or folders based on policies or locations. File encryption is often used to protect files being sent through email or written to removable media.​ITP-SEC020
​Forensic Analysis
​Evidence found in computers and digital storage media as part of a formal investigation using systematic and sound methods to examine digital media with the aim of identifying, preserving, recovering, analyzing, and presenting facts and opinions about the digital information.
​Full Disk Encryption​A computer security technique that encrypts data stored on a mass storage or removable device, and automatically decrypts the information when an authorized user requests it. Full disk encryption is often used to signify that everything on a disk or removable device, including the operating system and other executables, is encrypted. Full disk encryption includes hardware encryption, such as configuring a tape drive to encrypt all backup data before write.​ITP-SEC020
​Functional Testing​Validating an application correctly performs functions identified in requirements documents. This includes testing for normal and erroneous input. Functional testing can be performed manually or automated.​ITP-SFT000


​Network hardware that enables data and resources to be shared easily and securely over the internet.
​General Maintenance (Enterprise Services)​Maintenance performed by a service provider. This type of maintenance is performed on the service offering which affects multiple customers, and is vital to the integrity of the services provided.​ITP-SYM010
​Globally Unique Identifier (GUID)
​An alpha-numeric code which uniquely identifies a person.  
​Guideline​A recommended best practice or course of action usually with some latitude in its use and implementation.​ITP-BUS004


​Any computerized machine or related device used on behalf of the Commonwealth.  
​High-level Data Model (HDM)​Used to communicate core data concepts, rules, and definitions to a business user as part of an application development initiative.​S. Hoberman. Data Modeling for Business
​A computer connected to the internet.


​Identity and Access Management (IAM)​Processes and tools used to manage user IT accounts throughout the account lifecycle. These include the creation (provisioning) of the account, management of attributes and privileges during the account's active lifetime, password management, and finally the removal (de-provisioning) of the account when that lifetime is over.
​Identity Proofing​The process of verifying the real life identity being claimed by a person.​ITP-SEC039
​Identity Verification​A service used to ensure that users provide information that is associated with the identity of a real person.  It can involve the verification of identity information (fields) against independent and authoritative sources, such as credit bureau or commonwealth data.​ITP-SEC039
​IEEE​The Institute of Electrical and Electronics Engineers, a non-profit, technical professional association and leading authority in technical areas ranging from computer engineering, biomedical technology and telecommunications, to electric power, aerospace and consumer electronics, among others.​ITP-NET001
​Illegal Use​Use which violates local, state, or federal law as well as CoPA or agency IT policy.​MD 245.18
​Imaged Document​A copy of an original hardcopy (paper) record that has been electronically imaged to an electronic storage system. An imaged document contains all the recorded information that appears on the original document and is able to serve the purpose(s) for which the original was created or retained.​MD 210.12
IRS Rev. Procedure 97-22
​Immediate Maintenance (Enterprise Services)​Maintenance necessary when a problem exists on any Enterprise infrastructure component or Enterprise Service that has the potential to cause major disruptions to one or more agencies.​ITP-SYM010
​Inactive Account
​An account that hasn't been used in 18 months or one which lacks any role or related attribute that would be used to authorize its use to access an information technology system; or any account where the AD userAccountControl attribute is set to disabled.
​Inappropriate Use​A violation of the goals, purpose and intended use of the network.
​MD 245.18
​Incident (Security)​A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Examples of an incident are denial of service, malicious code, unauthorized access and inappropriate usage.​ITP-SEC021
​Incident Response (Security)​The manual and automated procedures used to respond to reported incidents (real or suspected), system failures and errors, and other undesirable events.​ITP-SEC021
​Information​Data, text, images, sounds, codes, computer programs, software, data bases, or the like.​MD 210.12
​Information Resources​Information and related resources, such as personnel, equipment, funds, and information technology​44 U.S.C. Section 3502
​Information Security​Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide: Integrity, Confidentiality, Availability.​44 U.S.C. Section 3542
​Information System​A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.​NIST 800-39
​Information Technology​The resources applied in an enterprise for the purpose of storing, retrieving, transmitting, and manipulating data through use of software and hardware infrastructure.​ITP-BUS000
​Information Technology Policy (IT Policy, ITP)​A document published by OA/OIT that defines the expectations, requirements, standards, technical specifications, procedures, and guidelines to agencies that use and manage IT resources and services. IT policies are categorized into defined general areas (domains). The policy domains and their abbreviations are: Accessibility (ACC), Application (APP), Business (BUS), Information (INF, INFG, INFRM), Integration (INT), IT Procurement (PRO), Network (NET), Platform (PLT), Privacy (PRV), Project Management (EPM), Security (SEC), Services (SER), Software (SFT), Systems Management (SYM)​ITP-BUS000
​Information Type​A specific category of information (e.g. privacy, medical, proprietary, financial, investigative, contractor sensitive, security management) defined by an organization, specific law, executive order, directive, policy, or regulation.​Federal Information Processing Standards (FIPS) 199
​Refers to the enterprise's entire collection of hardware, software, networks, data centers, facilities and related equipment used to develop, test, operate, monitor, manage and/or support information technology services.
​Infrastructure as a Service (IaaS)
A Cloud Computing Service through which agencies provision processing, storage, networks, and other computing resources where the agency can deploy and run software, which can include operating systems and applications. The agency does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components.
​Integrated Development Environments (IDE)
​Provides frameworks used in modern programming languages and provides components with similar user interfaces, minimizing the amount of mode switching compared to discrete collections of disparate development programs. IDEs offer robust capabilities to create service-oriented architecture (SOA) components and applications. IDEs increase productivity by providing customizable interfaces, integrated debugging, testing and deployment tools, and integration with existing technology through SOA.
​Integration Testing​The phase of software testing in which individual software modules are combined and tested as a group. It follows unit testing and precedes system testing.​ITP-SFT000
​Integrity​Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.​44 U.S.C. Section 3542
Federal Information Processing Standards (FIPS) 199
​Internet Facing Web Application
​An application that uses the Internet to provide citizens, Commonwealth employees, and business partners with access to agency-specific data or services and that resides on Commonwealth IT Resources.  This includes content generated from a data visualization or business analytics platform.
​Internet Security Protocol (IPsec)
​Consists of a set of open standards to provide security equivalence to a private network in the shared public infrastructure (internet). IPsec provides security at the network layer and encrypts data within application communications.
​Invitation For Bids (IFB)​All documents, including those either attached or incorporated by reference, used for soliciting bids.​ITP-BUS002
​Invitation To Qualify (ITQ)​The name given to certain multiple-award contracts issued by the Commonwealth pursuant to Section 517 of the Procurement Code. ITQ contracts are issued to pre-qualified suppliers that will compete in the request for quote (RFQ) process.​ITP-BUS002
​ISO​Information Security Office/Officer
​MD 240.12
​IT Governance 
​The processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. It requires specification of the decision rights and accountability framework to encourage desirable behavior in the use of information technology.
​IT Investment
​The purpose or procurement of any IT services that meet the specified criteria
​IT Operations

Commonwealth-sponsored ongoing routine IT activities or business processes which include, but are not limited to, reportable activities which support existing IT products or services throughout their defined service lifecycle, and do not meet the planning and classification criteria for an IT Project.
​IT Policy Business Owner​OA/OIT personnel or program area responsible for ensuring assigned IT policy aligns with the enterprise's current IT environment.​ITP-BUS000
​IT Policy Coordinator​OA/OIT personnel responsible for the management of the IT policy life cycle and facilitating the IT policy governance process.​ITP-BUS000
​IT Policy Domain Owner​​OA/OIT personnel responsible for the management of a specific domain of IT policies.​ITP-BUS000
​IT Policy Waiver​A temporary exemption granted to commonwealth agencies for non-compliance with a specific OA/OIT IT Policy.​ITP-BUS004
​IT Project
​A Commonwealth-sponsored IT Project is an undertaking that is not a routine operation or business process, but a specific set of tasks that are planned, organized, tracked, and executed by multiple resources, and has a defined start and end date.  IT Projects are classified in one of three Investment Classes: Run, Grow or Transform.
​IT Resources​(MD version): Include, but are not limited to, the following: the commonwealth’s computer systems, together with any electronic resource used for communications, which includes, but is not limited to laptops, individual desktop computers, wired or wireless telephones, cellular phones, pagers, beepers, personal data assistants and handheld devices, and, further, includes use of the internet, electronic mail (email), instant messaging, texting, voice mail, facsimile, copiers, printers or other electronic messaging through commonwealth facilities, equipment or networks (collectively "IT Resources").

(ITP version): Include, but are not limited to, the staff, software, hardware, systems, services, tools, plans, data, and related training materials and documentation that, in combination, support business activities. Examples of IT Resources include, but are not limited to, desktop computers, mobile devices, email, telephones, servers, and network switches/routers.
​MD 205.34
MD 205.42
MD 240.11



​Jailbreaking/Rooting​The process used to modify the operating system on a mobile device.  The act of “jailbreaking” or “rooting” a mobile device allows the user control over the device including removing any vendor imposed restrictions on the products.​ITP-SEC035
​Java Database Connectivity (JDBC)​A set of programming Application Programming Interfaces (APIs) that allow easy connection to a wide range of databases through Java programs.​ITP-INF001


​Keystone Key​The online account established for a person and stored in the enterprise citizen directory SRPROD​ITP-SEC039
​Keystone Login
​An account management system for the Commonwealth of Pennsylvania online services.
​Keystone Login Multi-Factor Authentication (MFA)
​A security system that verifies a user's identity by requiring the user to provide multiple types of credentials which can include simple authentication credentials, one-time passcodes, automated phone calls and/or biometrics.​ITP-SEC039
​Knowledge Based Authentication (KBA)​An identity verification method where the person is asked a selection of questions gathered from information on that person from a variety of public and commercial data systems with the assumption that the real person would know the correct answers whereas an imposter would not.​ITP-SEC039


​Any application or platform that is based on older technology that continues to provide core services to an organization.

​Level of Assurance (LOA)


The measurement of the degree or level of confidence that the person is who they are claiming to be.

The Commonwealth recognizes two levels of assurance:

LOA1 - little or no confidence in the user's identity beyond what the user claims.

LOA2 - information provided by the user has been verified by a third party.


​Load Testing

​Covers both performance testing and stress testing.

​Local Area Network (LAN)​A network that connects computers, printers and perhaps other devices within a department, building or house.​ITP-NET001
​Log (Security)​A file that lists actions that have occurred.​ITP-SEC021
​Logon Banner​A display that provides a definitive warning about access, authorization, and monitoring activity requirements and allows a user to acknowledge this display prior to logging into an IT Resource.​ITP-SEC012


​Machine Learning (ML)​A technique involving the use of a computer to train and improve an algorithm or model with minimal human participation to generate useful predictions and conclusions.​ITP-BUS012
​Major Change Request
​An alteration to an existing IT Project that meets the designated criteria as outlined in the policy.
​Maximum Session Lifetime
​The maximum time a system, device, or application may be accessed by a user, regardless of the user's activity, before the user must re-authenticate to the system, device, or application.
​Mbps​Millions of bits per second, or Megabits per Second, is the measurement of bandwidth on a telecommunication medium. Bandwidth is also sometimes measured in Kbps (kilobits per second), or Gbps (billions of bits per second).​ITP-NET001
​The moving from one operating environment to another or involving moving to new hardware, new software, or both.  
​Mobile Application
​A computer program designed to run on mobile devices and as an add-on to existing applications.
​Mobile Application Management (MAM)​The process of developing, procuring, deploying and managing the configuration, distribution and access of in-house and commercially developed mobile apps through an enterprise app virtual marketplace or a consumer app store.​ITP-SEC035
​Mobile Communication Device (Mobile Devices)​Any mobile phone, smartphone, laptop, or media tablet that transmits, stores, and receives data, text, and/or voice with a connection to a wireless LAN and/or cellular network.​ITP-SEC035
​Mobile Device​(MD version) A device easily removable and stores data that can be connected to the Commonwealth network, workstation or other computing device via cable, Universal Serial Bus (USB), Firewire (IEEE 1394), I-LINK, infrared, radio frequency, personal computer memory card international association (PCMCIA), or any other external connection that would allow data to be transferred and removed.
(ITP version) Mobile devices include, but are not limited to, smart phones, laptops, tablets, zip drives, floppy diskettes, recording and re-writeable compact disks (CD), recordable and re-writeable digital video disks (DVD), USB flash digital media devices (thumb drives), memory sticks/cards, PC card storage devices of all types and external hard drives.
​MD 240.12
​Mobile Device Management (MDM)​Software technologies that secure, monitor, manage and support mobile devices deployed across the enterprise. By controlling and protecting the data and configuration settings for all mobile devices in the network, MDM can reduce support costs, security, and business risks. The intent of MDM is to optimize the functionality and security of a mobile communications network while minimizing cost and downtime.​ITP-SEC035
​Mobile Device Service Plan
​Any service agreement established with a cellular service provider to grant mobile device access to cellular networks for the transmission of voice and data traffic.
​Mobile Email Management (MEM)​Mobile Email Management (MEM) controls which mobile devices can access email, prevents data loss, encrypts sensitive data and enforces compliance policies.​ITP-SEC035
​The transition or transformation of existing IT assets to enhance performance, functionality, reliability, scalability, security, quality of service, and/or revitalized applications or extend the useful life of computing platforms and infrastructure used to support business operations.
​Modified off-the-Shelf (MOTS) 
​A commercial-off-the-shelf (COTS) product whose source code can be modified. The product may be customized by the purchaser, vendor, or another party to meet business requirements. MOTS is a software delivery concept that enables source code or programmatic customization of a standard prepackaged, market-available software.
​Multi-Factor Authentication​The use of two or more of the Authentication Methods.  Two-factor would employ one each of two of the methods; three-factor would employ one each of all three methods.​ITP-SEC037
​Multi-Function Device (MFD)
​A device that consolidates the functionality of a printer, copier, scanner, and/or fax into one machine.
​Multi-Homed/Split Tunneling​Simultaneously using two different networks or connections, such as USB, wireless, cellular, or Bluetooth, or near-field communications (NFC).​ITP-SEC035


​NASCIO​National Association of State Chief Information Officers
​National Institute of Standards and Technology (NIST)​A division of the federal Department of Commerce tasked with research, including establishment of federal IT standards.​ITP-SEC000

​National Strategy for Trusted Identity in Cyberspace (NSTIC)​A federal initiative for secure, privacy enhancing identities in cyberspace.
​Network Timing Protocol (NTP)
​A networking protocol designed to synchronize the clocks of computers over a network. Typical NTP configurations utilize multiple redundant servers and diverse network paths to achieve high accuracy and reliability.
​Non-Degradation of Service Availability (SLA-defined)​A service level metric that measures the percentage of time the application is non-degraded during the applicable Measurement Window. This measurement is by application, not by server instance. Degradation shall mean a Service that tests as fully operational but is degraded below the baselines established during acceptance testing. This includes, but is not limited to slow performance and/or intermittent system errors. Calculation: N = (T - M - D) / (T - M) x 100%. N = Non-Degradation, T = Total Monthly Minutes, M = Approved Maintenance Time, D = Time Service is Degraded.​RFD-SER001A (pending)
​Notice of Forth Coming Procurement (NFP)​Public notice posted to the Pennsylvania eMarketplace website notifying vendors of an upcoming procurement. Required for all procurement in excess of $250,000.​ITP-BUS002


​Unit of the magnetic field H in the centimeter–gram–second system of units (CGS)
​Office Class Print Device
​An advanced printer with specifications suitable to the office environment including network card availability, print speed and volume, memory, with features such as integrated card readers, multi-purpose trays, and two-sided printing.
​Office of Administration, Office for Information Technology (OA/OIT)​Consists of the offices managed by the Commonwealth Chief Information Officer (CIO), Chief Technology Officer (CTO), Chief Information Security Officer (CISO), Director of Office of Strategy and Management, and Director of Enterprise Services and their respective program areas.
​Office Productivity Software
​Application software dedicated to producing information, such as documents, presentations, worksheets, databases, charts, graphs, and digital video.

​Open Data​Data that can be freely used, re-used, and distributed by any entity, subject only, to the requirements to attribute.
​Open Database Connectivity (ODBC)​Vendor-neutral interface, based on the SQL Access Group (SAG) specifications, that permits maximum interoperability among diverse Database Management Systems. The ODBC interface defines: function calls that allow an application to connect to a DBMS, execute SQL statements, and retrieve results; a standard way to connect and log on to a DBMS; and a standardized representation for data types. Database drivers link the application to their choice of DBMS.​ITP-INF001
​Outsourced Services
​Activities, functions, and/or solutions delivered through third-party entities.


​PDF/UA (PDF/Universal Accessibility)
​PDF/UA is a technical specification intended for developers implementing PDF writing and processing software.  PDF/UA provides definitive terms and requirements for accessibility in PDF documents and applications. For those equipped with appropriate software, conformance with PDF/UA ensures accessibility for people with Disabilities who use assistive technologies such as screen readers, screen magnifiers, joysticks, and other technologies to navigate and read electronic content. PDF/UA is included within the revised Section 508 Standards.
​Pennsylvania Computer Security Incident Response Team (PA-CSIRT)
​A group of Commonwealth subject matter experts that handle computer security incidents.
​Pennsylvania Information Sharing and Analysis Center (PA-ISAC)
​A centralized Commonwealth resource for gathering information on Cyber Security Incidents.
​Performance Testing​Identifies bottlenecks during high volume simulation.
​Personal Identification Number (PIN)
​A secret number that an individual memorizes and uses to authenticate his or her identity.  PINs are generally only decimal digits.
​Personally Identifiable Information (PII)​Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.​ITP-INF000
NIST SP 800-122
​A project that consists of a scaled down, but fully functional environment with the exact same capabilities that would be enabled if the environment were to be promoted to production.
​Platform-as-a-Service (PaaS)
A Cloud Computing Service through which agencies provision, instantiate, run, and manage agency-created or acquired applications.  The agency does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
​Policy Driven Adoption for Accessibility (PDAA)
​PDAA is the integration of digital content and services accessibility governance into Commonwealth policies.  The PDAA methodology was created by a work group of the National Association of State CIOs (NASCIO)
​Privately Owned​Authorized user owned or leased asset in which the Commonwealth has no responsibility for the procurement or maintenance of the asset and it is solely the responsibility of the Authorized User.​ITP-PLT012
​Privileged Account​(MD version) An account that has virtually unlimited access to all programs, files, and resources on a computer system. Users shall not be given access to privileged accounts without the specific approval of the agency chief security officer. Privileged accounts must be used only for the purposes for which they were authorized and only for conducting CoPA business.
​MD 245.18

​Privileged Identity Management Solution​Software or tool that provides IT administrators a method of managing privileged user accounts and access rights to IT resources.​ITP-SEC038
​Privileged User​A user who, by virtue of function, has been allocated powers within a computer system, which are greater than those available to the majority of users of said computer system.

(ITP version) Authorized Users who have elevated access, with the ability to create, modify, and delete electronic resources, data, and/or system configurations.
​Procedure​Operational document that outlines a predefined step-by-step sequence of instructions, activities, or course of action that must be followed in order to correctly accomplish a particular task.​ITP-BUS004
​Project Level
​IT Project categorization based on complexity, visibility, duration, and cost. A Project Level score determines the Level of a Project, with a higher-level project representing a more rigorous project management process
Level One: 75-100 score
Level Two: 50-74 score
Level Three: < 50 score
​Project Request Process (PRP)
​The investment review process for agency requests of IT Project approvals
​Project Revision Request (PRR)
​A formal request to be submitted to support new programs or major changes in existing programs.
​Project Scaling Process
​The process used to assist in the evaluation process and determining the Project Level of status reporting required.
​Promiscuous Mode​A mode for a network controller that causes the controller to pass all traffic it receives to the device rather than passing only the frames that the controller is intended to receive. This mode is normally used for packet sniffing.​ITP-SEC035
​Proof of Concept 
​A project that is evaluated exclusively on pass or fail success criteria. Failed success criteria can still be considered a successful proof of concept as the results gave definitive proof that the concept was not viable.
​Public Computer
​Various computers available in public areas (i.e., libraries, schools, coffee shops) that many different individual users can access throughout the course of a day.
​Public Record​A record of a Commonwealth agency that is: Not exempt under Section 708 of the Right-to-Know-Law; Not exempt from being disclosed under any other Federal or State law or regulation or judicial order or decree; Not protected by privilege.​ITP-BUS009 (pending)


​Record​Information, regardless of physical form or characteristics, that documents a transaction or activity of an agency and that is created, received or retained pursuant to law or in connection with a transaction, business or activity of the agency. The term includes a document, paper, letter, map, book, tape, photograph, film or sound recording, information stored or maintained electronically, and a data-processed or image-processed document.​MD 205.42
MD 210.12
​Regression Testing​Allows a consistent and repeatable validation of each new release of an application. This ensures no new defects have been introduced with the latest maintenance.​ITP-SFT000
​Remote Access​Ability for an organization's users to access its non-public computing resources from external locations other than the organization's facilities.​NIST SP 800-46
​Request for Proposal (RFP)​An RFP is a competitive sealed method of procurement where proposals are solicited and the award is made to the responsible offeror whose proposal is determined, in writing, to be the most advantageous to the purchasing Agency. An RFP is scored in three separate parts; (1) Technical Evaluation, (2) Cost Evaluation, and (3) Small Diverse Business (SBD) Participation.​ITP-BUS002
​Request for Quote (RFQ)​An RFQ is a competitive sealed method of procurement where quotes are solicited and the award is made to the responsible contractor whose quote is determined, in writing, to be the most advantageous to the purchasing Agency. An RFQ can be awarded via a best value determination or scored in three separate parts; (1) Technical Evaluation, (2) Cost Evaluation, and (3) Small Diverse Business (SBD) Participation.​ITP-BUS002
​Resolution Time (SLA-defined)​Also referred to as Problem Circumvention, a service level metric that details the time required for circumvention or solution after reporting a problem.​RFD-SER001A (pending)
​Reverse-Proxy Server
​A type of proxy server that typically sits behind the firewall and directs client requests to the appropriate backend server.


​Sanitization​A process to render access to target data (the data subject to the sanitization technique) on the media infeasible for a given level of recovery effort. Three categories: Clear, Purge, and Destroy.​NIST SP 800-88 Rev. 1
​Service Organization
​Third-party vendors, licensors, contractors, or suppliers that provide business or technology solutions and services procured by the Commonwealth that are hosted within the Service Organization's or its Subservice organizations' managed infrastructure.
​Scope (IT Policy)​This ITP applies to all departments, boards, commissions and councils under the Governor’s jurisdiction. Agencies not under the Governor’s jurisdiction are strongly encouraged to follow this ITP.​All ITPs
​Section 508 Standards (Revised)
​A final rule, published in January of 2017, updating accessibility requirements for information and communication technology (ICT) covered by Section 508 of the Rehabilitation Act of 1973, 29 U.S.C. § 701 et seq.
​Security Assessment​A process conducted by the Office of Administration, Office for Information Technology’s Enterprise Information Security Office that defines, identifies, and classifies security vulnerabilities of IT Resources.​MD 310.24
​Security Information and Event Managers (SIEM)​A set of tools used by IT professionals and system administrators to manage multiple security applications and devices and to respond automatically to resolve security incidents. SIEM provides real-time monitoring and historical reporting of information security events from networks, servers, systems, applications and more.​ITP-SEC021
​Server and Desktop Systems​Applies to all Commonwealth-associated platforms and infrastructure utilized to run and access IT Resources.  This includes software (e.g., operating systems) and the hardware (e.g., routers, switches, etc.).
​A service provided by an IT service provider which is made up of a combination of information technology, people and processes.
​Service Design Coordinator
​Role responsible for providing oversight of all design activities and associated processes of service design and evaluation for new or changes to existing services. Coordinates with Business Relationship Managers, technical staff, product vendors, procurement, project managers, transition teams, and other key stakeholders to ensure the completeness and successful implementation of the Service Design Package for enabling and sustainment of the IT services.
​Service Design Package (SDP)
​Documentation defining all aspects of an IT service and its requirements through each stage of its lifecycle. SDP defines the service model, requirements (utility & warranty), tools, architecture, metrics, and blueprints needed by the service transition team to build, test/validate, and deliver the service and their underpinning components. A service design package is developed for new, major changes, and retirement of an IT service.
​Service Engagement Review Process (SERP)​Commonwealth review process to ensure new services being introduced into IT environments to mitigate potential risks and disruptions of Commonwealth business.​ITP-NET008
​Service Owner​Accountable for the availability, performance, quality, and cost of one or more services. Deals directly with the Service Customer or proxy, usually in the context of a Service Level Agreement or Operating Level Agreement. Service Owner is responsible for day-to-day operation of the service.​N/A
​Service Set Identifier (SSID)​Identifies and specifies which 802.11 network is being joined.​ITP-NET001
​Session Inactivity
​The length of time a system or device is accessed (i.e., the account ID is logged in) without any interaction with the user.
​Shared Resource
​A device, such as a printer, set up on the network to be used by more than one user.
​A signature, whether electronic or on paper, is first and foremost a symbol that signifies intent.  Thus, the definition of "signed" in the Uniform Commercial Code includes "any symbol" so long as it is "executed or adopted by a party with present intention to authenticate the writing." A Signature may, for example, signify an intent to be bound to the terms of a contract, the approval of a subordinate's request for funding of a project, confirmation that a signer has read and reviewed the contents of a memo, an indication that the signer was the author of a document, or merely that the contents of a document have been shown to the signer and that he or she has had the opportunity to review them.
​Single Sign-On (SSO)​A property of identity and access management that enables users to securely authenticate with multiple applications and websites by logging in only once - with just one set of credentials (username and password).​ITP-SEC039
​Smartphone​A mobile communication device with voice, messaging, scheduling, email and Internet capabilities. Smartphones also permit access to application stores, where additional software can be obtained for installation on the mobile device.​ITP-SEC035
​Social Media​Web-based and mobile technologies used to turn communication into interactive dialogue. The term includes, but is not limited to, blogs, RSS, discussion boards, wikis, video sharing sites, mash-ups and folksonomies.​MD 205.42
​A collection of instructions and data that tell a computer how to work or what to do.
​Software Application Development Methodology (SADM)
​A software application development methodology is a structured framework of procedures and processes used to develop custom software applications.  Software application development methodologies are essentially derivatives from the system development life cycle model but are unique in their respective processes and execution. 
​Software-as-a-Service (SaaS)
A Cloud Computing Service through which agencies use third-party vendors, licensors, contractors, or suppliers to provision applications running on a cloud infrastructure.  The applications are accessible from various client devices through either a thin client interface, such as a web browser or a program interface. The agency does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, apart from limited user-specific application configuration settings.
​Software Development Life Cycle (SDLC)
​A conceptual model used in software engineering as well as project management that describes the phases involved in an information system solution development and delivery. An SDLC framework consists of multiple phases to assure high quality systems are delivered, provide strong management controls over IT projects, and ensure that the information system can, and will, work as required and is effectively maintained to support agency’s missions. SDLC can be applied to Commercial-off-the-Shelf (COTS), Software-as-a-Service (SaaS), or custom-built applications. SDLC frameworks should be intently integrated into key service life cycle phases (e.g., strategy, design, transition, operations) and affiliated processes.
​Sole Source​The process by which an agency requests a sole/single vendor to procure materials or services.
​Spiral Model
​An incremental software development process model that incorporates requirements, design, build/construct, test/simulations, and deploy prototype phases separated by planning and risk assessment. A prototype is created with each iteration and evaluated until a final production ready (i.e., fully functional and validated) prototype model has been created. This method can be used to create temporary prototype solutions that are later discarded or for large, expensive, and complicated projects using each iterative prototype build as a phase gate and/or milestone. Documentation in this process is dynamic and incrementally refined. Documentation is finalized with the implementation of the final production ready prototype.
​Stakeholder​Everyone who is or will be affected by a policy, program, project, activity, or resource.​N/A
​Standard​Universally or widely accepted, agreed upon written definition, limit, or rule, approved and monitored for compliance by an authoritative agency, professional organization, or recognized body as a minimum acceptable benchmark.​ITP-BUS004
​Standard Maintenance (Enterprise Services)​OA-approved, risk-assessed, routine administrative maintenance on an Enterprise infrastructure component or Enterprise service.​ITP-SYM010
​Stress Testing​Used to determine the load under which the application ceases to perform acceptably.​ITP-SFT000
​Structured Query Language (SQL)​A relational data language that provides a consistent, English keyword-oriented set of facilities for query, data definition, data manipulation and data control. It is a programmed interface to relational database management systems.​ITP-INF001
System Software
​The programs that are dedicated to managing the computer itself, such as the operating system. The operating system manages the computer hardware resources in addition to applications and data. Without systems software installed in our computers we would have to type the instructions for everything we wanted the computer to do.  
​System Testing​Testing conducted on a complete integrated system to evaluate the system's compliance with its specified requirements.​ITP-SFT000
​System Unavailability Notification (SLA-defined)​A service level metric that details the time from discovering or receiving notice of system unavailability until notification is sent to the Commonwealth.​RFD-SER001A (pending)


​Tablet​An open-face wireless device with touch screen display, primarily used in the consumption of media. These devices may also have messaging, scheduling, email, and Internet capabilities and a camera. Tablets may have open-source OSs (such as Android) or closed OSs under the control of OS vendors and/or device manufacturers (such as Apple and Microsoft). Media tablets may or may not support a mobile application store.​ITP-SEC035
​Technical Specification​An explicit set of requirements outlining the specific characteristics, features, and capabilities of a product or technology (e.g., levels of quality, architecture, functions, performance, usability, compatibility, reliability, safety, scalability, interoperability, or other dimensions).​ITP-BUS004
​Technology Maturity Lifecycle (TML)​The technology maturity life cycle (TML) defines the varying life span stages in which a technology product development sustains its competitive and economic value over a particular timeframe. The TML has four distinct stages:

Current: Technologies/standards that are supported by the commonwealth and meeting the requirements of the enterprise architecture. They are recommended for use.

Contained: Technologies/standards that no longer meet the requirements of the current enterprise architecture.  They are not recommended for use. They are to be phased out over time.  No date has been set for their discontinuance.

Retire: Technologies/standards are being phased out. Plans are to be developed for their replacement, especially if there is risk involved, such as lack of vendor support. A date for retirement has been set.

Emerging: Technologies/standards that have the potential to become current technologies/standards. At the present time, they are to be used only in pilot or test environments where they can be evaluated. Use of these technologies is restricted to a limited production mode, and requires approval of a waiver request. Research technologies are less widely accepted and time will determine if they will become a standard.​ITP-BUS004
​Telecommunications Management Officer (TMO)​A commonwealth employee designated by the agency head to oversee the communications services of the agency and/or worksite.​MD 240.11

​Threat Modeling​Identifying resources of interest and the feasible threats, vulnerabilities, and security controls related to these resources, quantifying the likelihood of successful attacks and their impacts, and analyzing the information to determine where security controls need to be improved or added.​NIST SP 800-46
​Technology Investment and Policy Review (TIPR)
​The review mechanism the Office for Information Technology uses to review agency requests for  IT Investments.
​Transaction Security Levels
​A value assigned to a transaction to determine the level of security that should be applied to the Electronic Signature of that transaction. The three levels are:

Low Risk / Low Impact Transactions (Level A) - Transactions in this category have little value to potential hackers and would have minimal consequences if compromised.

Low to Medium Risk / Medium to High Impact Transactions (Level B) - Transactions in this category have moderate to high value to potential hackers and/or have moderate to high consequences if compromised.

High Risk / High Impact Transactions (Level C) - Transactions are high risk, high consequence transactions that require high security measures.

​Transitory Record​Records that have little or no documentary or evidential value and that need not be set aside for future use.​ITP-BUS009 (pending)
​Transport Layer Security (TLS)
​A protocol created to provide authentication, confidentiality, and data integrity between two communicating applications. TLS is based on a precursor protocol, Secure Sockets Layer version 3.0 (SSL 3.0), which is deprecated.


​Unified Telecommunications Services (UTS)
​Enterprise telecommunications group responsible for policy and standards on platform, equipment, and all related telecommunication items.
​Unit Testing​Functional testing on each module in an application. Used early in development process before all components are completed.​ITP-SFT000
​United States Jurisdiction 
​Consists of all fifty (50) States of the United States and the District of Columbia.
​US-CERT​United States Computer Emergency Readiness Team tasked with providing Cybersecurity resources and notifications for information security officers.​ITP-SYM006
​User Acceptance Testing (UAT)
Generally the last phase of the software testing process.  During UAT, actual software users test the software to make sure it can handle required tasks in real-world scenarios, per requirements.
​User Agent Accessibility Guidelines (UAAG)
​UAAG are an industry-recognized standard published by the Web Accessibility Initiative (WAI) of the World Wide Web Consortium (W3C) that addresses User Agents (User Agents include browsers, extensions, media players, readers and other applications that render web content). UAAG includes three levels of conformance: A, AA, and AAA.


​Video Sharing Service
​An enterprise application or service where Authorized Users can create, upload, view, publish, and share videos.
​Virtual Desktop Infrastructure (VDI)​The practice of hosting a desktop operating system within a virtual machine (VM) running on a hosted, centralized or remote server.​ITP-NET019
​Virtual Machine​A software implementation of a computing environment in which an operating system or program can be installed or run.​ITP-NET019
​Virtual Private Network (VPN)
​A network technology that creates a secure network connection over a public network such as the internet or a private network owned by a service provider.
​Volume Level Encryption
​Protects a smaller subset of the drive, possibly down to the individual folders.  This can span a single disk or multiple disks.
​Voluntary Product Accessibility Template® (VPAT)
​A VPAT is an industry-accepted tool to measure a supplier's ability to demonstrate their product's (hardware, software {COTS, SaaS}, electronic content and support documentation and services) support for accessibility.


​Waterfall Model
​A software development process model that involves distinct sequential phases (i.e., conception, requirements, design, build/construct, test, and implementation).  Solution progress flows steadily downwards (like a waterfall) through each of the phases.  This means that any phase in the development process may begin only if the previous phase is complete.  There can be some slight variations in the waterfall approach (i.e., modified waterfall) that define the circumstances and processes to go back to the previous phase.  Documentation in this process is also sequential.  Documentation is typically created, delivered, and approved with each phase as a prerequisite for the next phase to begin.  Each phase in this model is a phase gate or key milestone.
​Web Application Firewall (WAF)
​Addresses the needs of limiting Internet attacks and monitoring of web applications located in the Commonwealth.  A WAF provides a number of key benefits to the Commonwealth's Enterprise Data Center (EDC) and agencies that house web applications there.  
​Web Content Accessibility Guidelines (WCAG)
​WCAG are an industry-recognized standard published by the Web Accessibility Initiative (WAI) of the World Wide Web Consortium (W3C) that addresses digital content. WCAG includes three levels of conformance: A, AA, and AAA. 
​Web Development Framework
​A software framework designed to support development of dynamic web sites, web applications, and web services. Using a framework eases tedious and repetitive programming tasks and alleviates the overhead associated with common activities such as setting up session management and database access. A framework provides structure and services and is deployed along with the application.
​Wireless Communication Devices​A device that transmits and receives data, text, and/or voice with a wireless connection to a network. This definition includes, but is not limited to, such devices as satellite and cellular telephones, pagers, wireless internet services, wireless data devices, wireless laptops, and cellular telephone/two-way radio combination devices. This definition does not include the radio devices that interface with the 800 MHz Statewide Radio System.​MD 240.11