Chief Information Officer
IC Technical Specifications
ORCON Need to Know Access
Overview
This Access Control Encoding Specification for ORCON (OC-NTK.ACES.XML) defines detailed implementation guidance for providing access utilizing OC (Originator Controlled) data. This Access Control Encoding Specification (ACES) defines the use of combinational logic between data and user/entity attributes. This logic is intended to be used when making access control decisions based on XML elements and attributes that represent OC data concepts and the associated user attributes.
The Access Control Encoding ORCON specification (OC.NTK.ACES.V1) furthers IC Enterprise goals by codifying mappings and combinational logic between data attributes and user/entity attributes to facilitate consistent enterprise-wide Boolean access decisions. Historically, access control decisions have been made in local environments based on local interpretations of agreements and policies resulting in decisions that are not uniform across the entire enterprise. OC-NTK.ACES hopes to reduce the need for such local interpretations and further the goal of improving data exchanges and processing of information by documenting and encoding the enterprise interpretation. OC-NTK.ACES provides both abstract and concrete guidance for making access control decisions. The generic abstract guidance is intended to be used in various contexts for making informed access decision logic, but it is the goal of OC-NTK.ACES to also provide concrete guidance in appendixes or separate annexes for certain contexts.
Data assets on the enterprise may be marked with a dissemination control of ORCON, or originator controlled. Persons or NPEs wishing to access or distribute such data must first be granted the ability to do so by the originator of the data asset. Access control systems need to be able to determine the meaning of the attributes related to ORCON on data assets, as well as the relation between those attributes and the attributes that belong to entities, in order to make informed, available, and accurate dissemination decisions.
This is the first release of the specification and therefore provides no backward capability.
Compliance with this specification is measured against all aspects of the technical and documentary artifacts contained within the specification release package.
The IC Chief Information Officer maintains this specification via the Data Coordination Activity (DCA) and Entity Specification Tiger Team (ESTT).
Technical Specification Downloads
Latest Approved Public Release:
Mission Requirements
This specification depends upon the following specifications:
- XML Data Encoding Specification for Need-To-Know (NTK.XML.V8+) version 8 or higher
- XML Data Encoding Specification for Originator Control Need-To-Know Profile (OC-NTK.XML v1+) ~ OC-NTK.XML
- XML Data Encoding Specification Information Security Markings (ISM.XML v9+)
- XML CVE Encoding Specification for US Government Agency Acronyms
This specification defines & baselines Access Control Encoding for OC (Originator Controlled) and establishes allowable use of encoding logic values between data and user/entity attributes for the IC Enterprise.
This specification is designed to fulfill a number of requirements in support of the transformational efforts of the Intelligence Community. Many of these requirements are articulated in IC Directives 208, 209, 500-20, 500-21, 501, 710, and ICPM 2007-200-2, among others. This specification is designed to support the Intelligence Community Information Technology Enterprise (IC ITE) Increment 1 Implementation Plan. This specification supports common understanding and use of access control encoding for originator controlled mappings to enable overall information sharing strategies and policies of the IC as established in relevant law, policy, and directives.
CVE Data Encoding Specification for US Agency Acronyms
Overview
This CVE Data Encoding Specification for US Agency Acronyms (USAgency.CES) defines detailed implementation guidance for using Extensible Markup Language (XML) to encode US Agency data. This CVE Encoding Specification (CES) defines the XML elements and attributes, associated structures and relationships, mandatory and cardinality requirements, and permissible values for representing US Agency data concepts using XML. Versions 1 and higher of this CES can be utilized with a Trusted Data Format (TDF) structure and valid PUBS instances that use a TDF wrapper. A TDF instance may conform with multiple DES simultaneously, assuming none of the criteria are in conflict.
This CES lists and defines a set of US Agency Acronyms (with their definitions) in various Controlled Vocabulary Enumeration (CVE) file formats for use by agencies in the IC Enterprise. It contains valid acronyms for use within the IC Enterprise for IC Agency publishing organizations, agencies, and Cabinet Offices.
This specification contains tagging structures for information resource metadata, mixed textual and media content found in the body of publications, source reference citations, classification and control markings, and knowledge assertions.
Compliance with this specification is measured against all aspects of the technical and documentary artifacts contained within the specification release package.
This specification is maintained by the IC Chief Information Officer via the Data Standards Coordination Activity (DSCA) and Common Metadata Standards Tiger Team (CMSTT).
Technical Specification Downloads
Latest Approved Public Release:
- CVE Encoding Specification for US Agency Acronyms (V2022-JUL - Standalone Package)
- CVE Encoding Specification for US Agency Acronyms (V2022-JUL - Convenience Package)
- CVE Encoding Specification for US Agency Acronyms (V2022-JUL - Light Package)
Mission Requirements
This specification defines & baselines a Controlled Vocabulary Enumeration for US Agency acronyms / definitions and establishes allowable US Agency Acronym values for the IC Enterprise.
This specification is designed to fulfill a number of requirements in support of the transformational efforts of the Intelligence Community. Many of these requirements are articulated in IC Directives 208, 209, 500-21, 501, 710, and ICPM 2007-200-2, among others.
This specification is designed to support the Intelligence Community Information Technology Enterprise (IC ITE) Increment 1 Implementation Plan.
This specification supports common understanding and use of US Agency Acronyms to enable overall information sharing strategies and policies of the IC as established in relevant law, policy, and directives.
IC Implementations shall conform to this specification and MUST adhere to all normative aspects of the specification.
Multi Audience Tearline
Overview
This Data Encoding Specification (DES) defines the XML elements and attributes; associated structures and relationships; mandatory and cardinality requirements; and permissible values for representing Multi Audience Tearlines... metadata associated with an information resource or part of an information resource using XML. MAT.XML can be incorporated into other Data Encoding Specifications.
These metadata are used to represent the system-specific properties assigned to an information resource that will be used, in conjunction with information about the user, and possibly other information, to determine the user’s access to the data. A single information resource may include multiple occurrences of these metadata in order to specify MAT information according to multiple, different access systems.
Compliance with this specification is measured against all aspects of the technical and documentary artifacts contained within the specification release package.
This specification is maintained by the IC Chief Information Officer via the Data Coordination Activity (DCA) and Common Metadata Standards Tiger Team (CMSTT).
Technical Specification Downloads
Latest Approved Public Release:
- Multi Audience Tearlines have now been replaced by Multi Audience Collection.
Mission Requirements
Information sharing within the national intelligence enterprise frequently relies on being able to determine an individual’s MAT as one component in determining whether to allow access to data. The enterprise will increasingly rely on MAT metadata to allow users and systems to find and access a wide range of data throughout the enterprise. A successful information sharing enterprise depends on the ability of data creators and/or providers to specify means by which MAT can be established in a manner to facilitate discovery and access via automated means.
This DES provides a common specification for the means by which a data producer can encode, in their data, the information that an access system needs in order to determine how to grant access. This DES enables a comprehensive capability to appropriately protect data across the enterprise while also allowing access by individuals having appropriate MAT. The nature of the information to be encoded will vary system by system and could include lists of individuals or groups permitted access, descriptions of subject matter in terms defined by the access system, or other traits to be used in evaluating the access an individual has to the data.
This DES provides that common specification. Currently the particulars of any access system’s data needs are not defined. Details for specifying access information and documenting access parameters for particular access systems are to be added in the near future. The systems for which access information will be recorded and constrained will be expanded as their applicability is identified to the enterprise.
Need-To-Know Metadata
Overview
This Data Encoding Specification (DES) defines the XML elements and attributes; associated structures and relationships; mandatory and cardinality requirements; and permissible values for representing NTK metadata associated with an information resource or part of an information resource using XML. NTK.XML can be incorporated into other Data Encoding Specifications.
NTK metadata facilitates automated systems making a “need-to-know” (NTK) access determination about an information resource. These metadata are used to represent the system-specific properties assigned to an information resource that will be used, in conjunction with information about the user, and possibly other information, to determine the user’s access to the data. A single information resource may include multiple occurrences of these metadata in order to specify NTK information according to multiple, different access systems.
Compliance with this specification is measured against all aspects of the technical and documentary artifacts contained within the specification release package.
This specification is maintained by the IC Chief Information Officer via the Data Coordination Activity (DCA) and Common Metadata Standards Tiger Team (CMSTT).
Technical Specification Downloads
Latest Approved Public Release:
- Need To Know Metadata (V2015-AUG - Standalone Package)
- Need To Know Metadata (V2015-AUG - Convenience Package)
- Need To Know Metadata (V2015-AUG - Light Package)
Mission Requirements
Information sharing within the national intelligence enterprise frequently relies on being able to determine an individual’s NTK as one component in determining whether to allow access to data. The enterprise will increasingly rely on NTK metadata to allow users and systems to find and access a wide range of data throughout the enterprise. A successful information sharing enterprise depends on the ability of data creators and/or providers to specify means by which NTK can be established in a manner to facilitate discovery and access via automated means.
This DES provides a common specification for the means by which a data producer can encode, in their data, the information that an access system needs in order to determine how to grant access. This DES enables a comprehensive capability to appropriately protect data across the enterprise while also allowing access by individuals having appropriate NTK. The nature of the information to be encoded will vary system by system and could include lists of individuals or groups permitted access, descriptions of subject matter in terms defined by the access system, or other traits to be used in evaluating the access an individual has to the data.
This DES provides that common specification. Currently the particulars of any access system’s data needs are not defined. Details for specifying access information and documenting access parameters for particular access systems are to be added in the near future. The systems for which access information will be recorded and constrained will be expanded as their applicability is identified to the enterprise.
Information Security Marking Metadata
Overview
This XML Data Encoding Specification for Information Security Markings (ISM.XML) defines detailed implementation guidance for using XML to encode Information Security Markings (ISM.XML) data. This Data Encoding Specification (DES) defines the XML elements and attributes, associated structures and relationships, mandatory and cardinality requirements, and permissible values for representing security markings and Need-to-Know (NTK) data concepts using XML, and for wrapping security markings and NTK attributes together in an Access Rights and Handling (ARH) XML container.
This standard supports Executive Order (EO) 13526, Classified National Security Information which “prescribes a uniform system for classifying, safeguarding, and declassifying national security information”, across national security disciplines, networks, services, and data.
This standard is a critical technical bridge between:
- Security marking requirements defined by the National Archives and Records Administration (NARA)/Information Security Oversight Office (ISOO),
- IC security markings register maintained by the Office of the Director of National Intelligence (ODNI)/Controlled Access Program Coordination Office (CAPCO), and
- Information technology solutions that implement structured security marking metadata.
Compliance with this specification is measured against all aspects of the technical and documentary artifacts contained within the specification release package.
This specification has changed names and numeric designators multiple times since its inception in the late 1990s.
The IC Chief Information Officer maintains this specification via the Data Coordination Activity (DCA) and Common Metadata Standards Tiger Team (CMSTT).
Technical Specification Downloads
Latest Approved Public Release:
- XML Data Encoding Specification for Information Security Markings (V2021-NOVr2022-NOV - Standalone Package)
- XML Data Encoding Specification for Information Security Markings (V2021-NOVr2022-NOV - Convenience Package)
- XML Data Encoding Specification for Information Security Markings (V2021-NOVr2022-NOV - Light Package)
Mission Requirements
Information sharing within the national intelligence enterprise will increasingly rely on information assurance metadata (including information security markings) to allow interagency access control, automated exchanges, and appropriate protection of shared intelligence when necessary.
A structured, verifiable representation of security marking metadata bound to the intelligence data is required in order for the enterprise to become inherently “smarter” about the information flowing in and around it. Such a representation, when implemented with other data formats, improved user interfaces, and data processing utilities, can provide part of a larger, robust information assurance infrastructure capable of automating some of the management and exchange decisions today being performed by human beings.
Throughout the intelligence life cycle, the enterprise needs:
- User interfaces and processing logic that help users and services to reliably assign and manipulate information security markings at the portion and document level.
- Automated rendering of electronic portion markings, security banners, classification authority blocks, and other security control markings in accordance with the IC's classification and control marking system and associated executive orders, statutes, and DNI policies.
- Marking validation to ensure controlled values and business rules are followed.
- Cross-domain discovery, access, and dissemination capabilities based on access policy logic that leverages electronic security markings along with other key metadata about users, services, clearances, and access environments.



