ORCON Need-To-Know Access

ORCON Need to Know Access

Chief Information Officer

IC Technical Specifications

ORCON Need to Know Access


This Access Control Encoding Specification for ORCON (OC-NTK.ACES.XML) defines detailed implementation guidance for providing access utilizing OC (Originator Controlled) data. This Access Control Encoding Specification (ACES) defines the use of combinational logic between data and user/entity attributes. This logic is intended to be used in the decisional process of access control decisions based on XML elements and attributes that represent OC data concepts and the associated user attributes.


The Access Control Encoding ORCON specification (OC.NTK.ACES.V1) furthers IC Enterprise goals by codifying mappings and combinational logic between data attributes and user/entity attributes to facilitate consistent enterprise-wide Boolean access decisions. Historically, access control decisions have been made in local environments based on local interpretations of agreements and policies resulting in decisions that are not uniform across the entire enterprise. OC-NTK.ACES hopes to reduce the need for such local interpretations and further the goal of improving data exchanges and processing of information by documenting and encoding the enterprise interpretation. OC-NTK.ACES provides both abstract and concrete guidance for making access control decisions. The generic abstract guidance is intended to be used in various contexts for making informed access decision logic, but it is the goal of OC-NTK.ACES to also provide concrete guidance in appendixes or separate annexes for certain contexts.


Data assets on the enterprise may be marked with a dissemination control of ORCON, or originator controlled. Persons or NPEs wishing to access or distribute such data must first be granted the ability to do so by the originator of the data asset. Access control systems need to be able to determine the meaning of the attributes related to ORCON on data assets as well as the relation between those attributes and the attributes that belong to entities in order to make informed available and accurate dissemination decisions.

This is the first release of the specification and therefore provides no backward capability.

Compliance with this specification is measured against all aspects of the technical and documentary artifacts contained within the specification release package.

The IC Chief Information Officer maintains this specification  via the Data Coordination Activity (DCA) and Entity Specification Tiger Team (ESTT). 


Technical Specification Downloads


Latest Approved Public Release:

Mission Requirements


This specification depends upon the following specifications:

  • XML Data Encoding Specification for Need-To-Know (NTK.XML.V8+) version 8 or higher
  • XML Data Encoding Specification for Originator Control Need-To-Know Profile (OC-NTK.XML v1+) ~ OC-NTK.XML
  • XML Data Encoding Specification Information Security Markings (ISM.XML v9+)
  • XML CVE Encoding Specification for US Government Agency Acronyms

This specification defines & baselines Access Control Encoding for OC (Originator Controlled) and establishes allowable use of encoding logic values between data and user/entity attributes for the IC Enterprise.


This specification is designed to fulfill a number of requirements in support of the transformational efforts of the Intelligence Community. Many of these requirements are articulated in IC Directives 208, 209, 500-20, 500-21, 501, 710, and ICPM) - 2007-200-2 among others. This specification is designed to support the Intelligence Community Information Technology Enterprise (IC ITE) Increment 1 Implementation Plan. This specification supports common understanding and use of access control encoding for originator controlled mappings to enable overall information sharing strategies and policies of the IC as established in relevant law, policy, and directives.