Subscribe to ODNI news via emailSubscribe via RSStumblr offtwitter off 2Like ODNI on FacebookView ODNI photos on FlickrVisit ODNI’s YouTube Channelscribd off

Organization

IdAM: Authorization Attribute Set

Friday, August 17, 2012

Chief Information Officer

IC Technical Specifications

IdAM: Authorization Attribute Set

Overview


The IC Enterprise Authorization Attribute Exchange between IC Attribute Services, Authorization Attribute Set v1.0 codifies the minimum set of enterprise-level authorization attributes that IC elements are expected to provide if they participate in the Intelligence Community Unified Authorization and Attribute Service (UAAS) architecture. It provides a common, consistent way to identify IC enterprise authorization attributes of IC persons produced by, stored within, or shared throughout the IC’s TS/SCI information domain.

The name, definition, cardinality, and controlled vocabulary for each attribute are defined in order to promote interoperability between UAAS-compliant attribute services established by participating IC Agencies. The set of authorization attributes described in the specification is designed for implementation within products and servers that are capable of supporting the Encrypted Mode option of the OASIS SAML V2.0 Attribute Sharing Profile for X.509 Authentication-Based Systems, Committee Specification 01.

Value Proposition

IC Enterprise Authorization Attribute Exchange between IC Attribute Services, Authorization Attribute Set v1.0 establishes detailed requirements for enterprise-level authorization attributes that IC elements are expected to provide if they participate in the Intelligence Community Unified Authorization and Attribute Service federation. Its function is to facilitate the availability, accuracy, and standardization of these attributes across the IC TS/SCI enterprise, building a consistent basis for the exchange of this information between IC Elements.


Defining the mandatory minimum set of IC enterprise authorization attributes and values for sharing through the IC UAAS federation supports consistent and assured information sharing across the enterprise. The IC UAAS supports Attribute-Based Access Control (ABAC) to promote on-demand access to information and other resources by IC users and services, and reduces authorization vulnerabilities by strengthening the access control decision process.


The primary audience for this document is the implementer and/or administrator who must configure an Attribute Service to meet the requirements for participation in the IC UAAS federation. The audience for this document also includes those responsible for implementing and managing the capabilities that create, provide, modify, store, exchange, search, display, or further process IC enterprise authorization attributes.


Latest Approved Version

CDR: Manage Component

Friday, August 17, 2012

Chief Information Officer

IC Technical Specifications

CDR: Manage Component (Manage Service)

Overview


This IC enterprise service encoding specification defines requirements and provides guidance for the realization of the Content Discovery and Retrieval (CDR) Manage Component (Manage Service) as a RESTful web service and as a web service using the SOAP style binding.  The Manage Component, as defined by the IC DoD CDR Specification Framework (CDR-SF), serves as the primary mechanism to manage CDR resources, where a CDR resource is defined as one explicitly created and used to support CDR functions.

The content of this specification describes the Manage Service's behavior, interface and other aspects in detail, providing enough information for Manage Service providers and consumers to create and use CDR-conformant Manage Services.  Specific uses of the Manage Service, such as to create, read, update, delete, and search for Saved Searches, will be elaborated as profiles in the corresponding documents for those uses.

This standard supports Executive Order (EO) 13526, Classified National Security Information which "prescribes a uniform system for classifying, safeguarding, and declassifying national security information," across national security disciplines, networks, services, and data.

 Compliance with this specification is measured against all aspects of the technical and documentary artifacts contained within the specification release package.

The IC Chief Information Officer maintains this specification via the Data Coordination Activity (DCA) and Common Metadata Standards Tiger Team (CMSTT).

 

Technical Specification Downloads


Latest Approved Version


Mission Requirements

The Manage Service provides a coordinated set of functions that enables service consumers to create, read, update, delete, and search for instances of any defined type of CDR resources.  The CDR resource type corresponding to specific uses of Manage is associated with a Uniform Resource Identifier (URI), where the Web-accessible resource accessed through that URI will identify the structure and semantics of the CDR resource type designed for that use (i.e., Query Management (QM) defines the Saved Search type as the CDR resource relevant to that use).
 

For all uses, The CDR resource description comprises the characteristic description metadata that aids in the discovery of CDR resource instances.  Some of this description will be generated as part of the resource creation or update, while other description data will be supplied by someone with responsibility for the resource.  It is anticipated that a basic description vocabulary appropriate for any CDR resource will contain a general set of properties while the description vocabulary associated with a particular resource type will add additional properties.  The ability to save and retrieve resource instances over time will require implementers to adopt a persistence mechanism, which this document refers to as a CDR Resource Collection.

Geopolitical Entities, Names, and Codes

Friday, August 17, 2012

Chief Information Officer

IC Technical Specifications

Geopolitical Entities, Names, and Codes

Overview


This IC enterprise CVE encoding specification defines XML elements and attributes, associated structures and relationships, mandatory and cardinality requirements, permissible values, and constraint rules for representing Geopolitical Entities, Names, and Codes (GENC) data concepts.

This specification supports ISO-3166-1 (which replaced FIPS 10-4), moving from a two-character country code base to a three character code.  This profile is considered to be the authoritative set of country codes and names for use by the Federal Government for information exchange.  Although GENC will use ISO-3166 code elements whenever possible, they may be modified where necessary to comply with U.S. law and U.S. government recognition policy.

This specification provides a subset of the permissible GENC codespaces and code values that are used in the IC.  Specifically, this specification only utilizes the short Uniform Resource Number (URN) based codespaces with the three-character codes.

Compliance with this specification is measured against all aspects of the technical and documentary artifacts contained within the specification release package.

The IC Chief Information Officer maintains this specification via the Data Coordination Activity (DCA) and Common Metadata Standards Tiger Team (CMSTT).

 

Technical Specification Downloads


Latest Approved Version


Mission Requirements

Many IC encoding specifications use Controlled Vocabulary Enumerations (CVEs) to define allowable values for various elements and attributes.  However, over time several encoding specifications became dependent on the same list of values and dual (or more) maintenance was required to keep the lists aligned.  Changes to a specification's CVEs also caused an entire version of that specification to be created.

To prevent these two situations from occurring, a new type of encoding specification, the CVE Encoding Specification (CES), was created to decouple the vocabulary from the specifications.  Each CES contains one or more CVEs and optionally a master schema defining

Fine Access Control

Friday, August 17, 2012

Chief Information Officer

IC Technical Specifications

Fine Access Control

Overview


Any IT system performing entity authentication may use this specification to determine if a given entity should be granted access to a specific piece of data.

This specification applies to the IC, as defined by the National Security Act of 1947, as amended, and ICS 500-27, Collection and Sharing of Audit Data,  and such other elements of any other department or agency as may be designated by the President, or designated jointly by the Director of National Intelligence (DNI) and  the head of the department or agency concerned, as an element of the IC.  Joint and Coalition forces may use this specification but it is not required.

Compliance with this specification is measured against all aspects of the technical and documentary artifacts contained within the specification release package.

This specification is maintained by the IC Chief Information Officer via the Data Services Coordination Activity (DSCA) and Common Metadata Standards Tiger Team (CMSTT).

 

Technical Specification Downloads


Latest Approved Version


Mission Requirements

Information sharing within the national intelligence enterprise relies on the ability to discover and access intelligence content from any location, at any time, with as few restrictions as possible.  ICD 501 empowers analysts, operators, and collectors with a wide range of capabilities for discovering, using, and sharing content within the IC and with partners.  This authority comes with great responsibility, a responsibility that must be tracked, analyzed, and reported on.

The auditing of person and non-person entities within the IC protects the nation from abuse, voluntary or involuntary disclosure, as well as insider and outside threats.  The audit specification is derived from the fundamental mission requirement to track and audit the discovery and access of intelligence content and information resources within the IC enterprise.

Community Shared Resources

Friday, August 17, 2012

Chief Information Officer

IC Technical Specifications

Community Shared Resources

Overview


This IC enterprise data encoding specification defines detailed implementation guidance for Community Shared Resources (CSR) to sub-set the large possible combinations of specification versions.  CSRs are systems or services that live on the enterprise and are made available for use by the community.  This specification defines the minimum relationship sets of specifications mandatory for consuming systems (CSRs that receive data), and the allowed relationship sets for production systems (CSRs that transmit data).

This standard supports Executive Order (EO) 13526, Classified National Security Information which "prescribes a uniform system for classifying, safeguarding, and declassifying national security information," across national security disciplines, networks, services, and data.

Compliance with this specification is measured against all aspects of the technical and documentary artifacts contained within the specification release package.

This specification is maintained by the IC Chief Information Officer via the Data Services Coordination Activity (DSCA) and Common Metadata Standards Tiger Team (CMSTT).

 

Technical Specification Downloads


Latest Approved Version


Mission Requirements

All systems at the enterprise level need to be able to send and receive with a common vocabulary to permit understanding.  Since the decoupling of the IC Technical Specifications from one another, permitting them to revision independently, the potential combinations of versions of the specifications that can be mixed and matched together have grown exponentially.  This puts a large burden on data producers and consumers on the enterprise to be able to produce and/or interpret all possible combinations. The ever-growing number of combinations leads to a need to have a minimal number of sets of combinations that CSRs must be able to produce/consume to relieve them of the infeasible burden of being able to produce/consume all possible combinations.

You are leaving DNI.gov

You have selected to open
http://www.anotherwebsite.com

If you would like to not see this alert again, please click the
"Do not show me this again" check box below