A mode of termination of system functions that prevents loss of secure state when a failure occurs or is detected in the system (but the failure still might cause damage to some system resource or system entity).
See fail safe and fail soft for comparison.
Sources: CNSSI 4009-2015 (from IETF RFC 4949 Ver 2)