Determination of the extent to which the security policy model and subsequent lower-level program descriptions may allow unauthorized access to information.
Sources:
CNSSI 4009-2015
NIST SP 800-53 Rev. 5
from
CNSSI 4009-2015