Business Authorization Framework Version 1

BAF v.1

Prepared by: TSCP ILH Team

Lead Author: Jean-Paul Buu-Sao, TSCP

Released to: TSCP Architecture Committee

Edition: 1.3.0

Published: October 22, 2012

Business Authorization Framework Version 1.5 i

Copyright © 2012 Transglobal Secure Collaboration Program, Inc.

All rights reserved.

Terms and Conditions

Transglobal Secure Collaboration Program, Inc. (TSCP) is a consortium comprising a number of commercial and government members (as further specified at http://www.tscp.org) (each a “TSCP Member”). This specification was developed and is being released under this open source license by TSCP.

Use of this specification is subject to the disclaimers and limitations described below. By using this specification you (the user) agree to and accept the following terms and conditions:

1. This specification may not be modified in any way. In particular, no rights are granted to alter, transform, create derivative works from, or otherwise modify this specification. Redistribution and use of this specification, without modification, is permitted provided that the following conditions are met:

Redistributions of this specification must retain the above copyright notice, this list of conditions, and all terms and conditions contained herein.

Redistributions in conjunction with any product or service must reproduce the above copyright notice, this list of conditions, and all terms and conditions contained herein in the documentation and/or other materials provided with the distribution of the product or service.

TSCP’s name may not be used to endorse or promote products or services derived from this specification without specific prior written permission.

2. The use of technology described in or implemented in accordance with this specification may be subject to regulatory controls under the laws and regulations of various jurisdictions. The user bears sole responsibility for the compliance of its products and/or services with any such laws and regulations and for obtaining any and all required authorizations, permits, or licenses for its products and/or services as a result of such laws or regulations.

3. THIS SPECIFICATION IS PROVIDED “AS IS” AND WITHOUT WARRANTY OF ANY KIND. TSCP AND EACH TSCP MEMBER DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF TITLE, NONINFRINGEMENT, MERCHANTABILITY, QUIET ENJOYMENT, ACCURACY, AND FITNESS FOR A PARTICULAR PURPOSE. NEITHER TSCP NOR ANY TSCP MEMBER WARRANTS (A) THAT THIS SPECIFICATION IS COMPLETE OR WITHOUT ERRORS, (B) THE SUITABILITY FOR USE IN ANY JURISDICTION OF ANY PRODUCT OR SERVICE WHOSE DESIGN IS BASED IN WHOLE OR IN PART ON THIS SPECIFICATION, OR (C) THE SUITABILITY OF ANY PRODUCT OR A SERVICE FOR CERTIFICATION UNDER ANY CERTIFICATION PROGRAM OF TSCP OR ANY THIRD PARTY.

4. IN NO EVENT SHALL TSCP OR ANY TSCP MEMBER BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY CLAIM ARISING FROM OR RELATING TO THE USE OF THIS SPECIFICATION, INCLUDING, WITHOUT LIMITATION, A CLAIM THAT SUCH USE INFRINGES A THIRD PARTY’S INTELLECTUAL PROPERTY RIGHTS OR THAT IT FAILS TO COMPLY WITH APPLICABLE LAWS OR REGULATIONS. BY USE OF THIS SPECIFICATION, THE USER WAIVES ANY SUCH CLAIM AGAINST TSCP OR ANY TSCP MEMBER RELATING TO THE USE OF THIS SPECIFICATION. IN NO EVENT SHALL TSCP OR ANY TSCP MEMBER BE LIABLE FOR ANY DIRECT OR INDIRECT DAMAGES OF ANY KIND, INCLUDING CONSEQUENTIAL, INCIDENTAL, SPECIAL, PUNITIVE, OR OTHER DAMAGES WHATSOEVER ARISING OUT OF OR RELATED TO ANY USER OF THIS SPECIFICATION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

5. TSCP reserves the right to modify or amend this specification at any time, with or without notice to the user, and in its sole discretion. The user is solely responsible for determining whether this specification has been superseded by a later version or a different specification.

6. These terms and conditions will be interpreted and governed by the laws of the State of Delaware without regard to its conflict of laws and rules. Any party asserting any claims related to this specification irrevocably consents to the personal jurisdiction of the U.S. District Court for the District of Delaware and to any state court located in such district of the State of Delaware and waives any objections to the venue of such court.

TABLE OF CONTENTS

1. Purpose
2. Status of the proposal
3. Terminology
4. Process Model
5. Data Model
   5.1 Protection Profile
   5.2 Business Authorization
   5.3 Policy
   5.4 Policy Authority
   5.5 Business Authorization Category
   5.6 Impact Level
   5.7 Categorization Rule
   5.8 Access Rule
   5.9 Marking Rules
6. Interchange format
   6.1 BAF Profile for XACML
      6.1.1 Protection Profile
      6.1.2 Business Authorization Category
      6.1.3 Identification of Business Authorization Categories
      6.1.4 Categorization rules
      6.1.5 Access Rules
      6.1.6 Marking rules
   6.2 Plain XML
7. Acronyms
8. References
9. APPENDIX
   9.1 BAF mapping to XACML (logical models)
      9.1.1 XACML instance of TAA#1

Table of Figures

Figure 1. Overall Process Model
Figure 2. Data Model
Figure 3. BAF Mapping to XACML

CONTRIBUTORS

Richard Skedd BAE Systems

Dexter Smith The Boeing Company

Tim Bird The Boeing Company

Scott Fitch Lockheed Martin Corporation

Mark Burns Northrop Grumman Corporation

Chris Jordan UK Ministry of Defence

Jean-Paul Buu-Sao TSCP

REVISION HISTORY

Date | Version | Author | Changes Made

3 July 2009 | 0-0 | Jean-Paul Buu-Sao | Created

10 July 2009 | 0-1 | Jean-Paul Buu-Sao | Updated with latest version of the XML Schema and instance example. First draft circulated within IAP Tiger Team

23 July 2009 | 0-2 | Jean-Paul Buu-Sao | Updated with feedback from IAP Tiger Team. Added Process Model section

12 Nov 2009 | 1-0 | Jean-Paul Buu-Sao | Baseline v1.0 including feedback from Nov Business Week. For Export Control Working Group validation

15 Jun 2011 | 1-1 | Jean-Paul Buu-Sao | Updated after feedback from policy SME’s (including UK and IP)

4 Aug 2011 | 1-2 | Jean-Paul Buu-Sao | Impact Level decomposed, and accept/deny on access rules

8 Sep 2011 | 1-3 | Jean-Paul Buu-Sao | Updated “Data Model” and “BAF Profile for XACML” sections

1. Purpose

TSCP is establishing a framework with the objective of streamlining all business authorization (security policies) processes that its members need to implement information asset protection throughout the various Aeronautical & Defense (A&D) programs. The general purpose of this document is to introduce this framework at a high-level, and in particular, to allow subject matter experts (SME) to validate the approach and content.

The problem statement can be briefly summarized as follows:

Policy Authorities (such as US-DDTC [1]) provide business authorizations (such as ITAR TAA [2]) in forms that need to be interpreted manually in order to extract information properly, for example, setting up access management rules; this is error prone (interpretation errors) and costly.

Two main factors that contribute to the problem are:

Organizations receive artifacts from policy authorities and these artifacts are not in a form that can be efficiently automated. The artifacts generally consist of textual documents that need to be manually read and interpreted before the contained information can be used in adequate applications for policy administration and implementation.

In the absence of standards and appropriate guidelines, applications implement policy artifacts with great difficulty, which results in incomplete support of the policy requirements.

The purpose of the Business Authorization Framework (BAF) is to design a framework for the administration and management of business authorizations that enables a higher level of automated processes for business protection policies.

In contrast with the factors highlighted above, BAF contributes to solving the problem statement by:

Proposing an expression of policy requirements that are specifically targeted for system processing. Note that this representation does not eliminate the need for exchanging textual documents, which is a requirement for legal reasons; future studies will include the possibility of generating the textual material from the systemic expression of the policy requirements.

Proposing a set of guidelines for the automated processing of policy requirements that software vendors can use as a source of requirements in order to deliver consistent support across applications.

BAF v.1.1 includes three main components:

1. A process model that specifies the key use-cases involved with the definition and management of business authorizations.

2. An extensible data model that specifies the data elements required to articulate a generic business authorization.

3. An XML-based interchange format which allows the exchange of business authorizations across administrative, platform, and application boundaries.

[1] The Department of Defense Trade Control (DDTC) is the U.S. authority that governs Export Control regulations and the International Traffic in Arms Regulations (ITAR) policies.

[2] The Technical Assistance Agreement (TAA) is one of the licenses that organizations need to obtain and comply with in order to export technical information under the ITAR policies.

2. Status of the proposal

The data constructs put forward in BAF v.1 are based upon the analysis of the requirements that are specified in a limited set of Export Control and Intellectual Property policies, namely ITAR TAA, EAR [3], EU UGEA [4], and generic PIEA [5]. Although proven to support this initial set of policies, the BAF model is meant to be extensible in order to cope with other policy regimes. As of the writing of this document, work is underway to support other EU [6] Export Control policies.

Despite this caveat, this proposal has the merit of setting out the foundational elements that will support further discussions on the integration of other instances of ITAR TAA and PIEA [7], as well as allowing modeling work around other required types of business authorizations (e.g., NDA [8], MTA [9], etc.).

[3] EAR: The Export Administration Regulations, under the authority of the US Bureau of Industry and Security (BIS), regulates Export Control of dual-use (civilian and military) items.

[4] Union General Export Authorization: A license under the authority of the European Union that regulates Export Control of dual-use items.

[5] Manufacturing Technical Agreement: Another type of license under the ITAR policies.

[6] EU: European Union

[7] PIEA: A Proprietary Information Exchange Agreement.

[8] NDA: A Non-Disclosure Agreement.

[9] MTA: A Manufacturing Technical Agreement; this is another type of license under the ITAR policies.

3. Terminology

This section provides a primer on the business terminology used throughout this document.

Program: A business context that is formed in order to deliver a final product to a customer. For example, the Joint Strike Fighter (JSF) program aims at delivering various versions of the F35 fighter to military customers.

Policy authority: An entity that holds legal or administrative authority over one or more policy scopes. BAF recognizes three types of policy authorities: export authorities (e.g., Directorate of Defense Trade Control, a branch of the U.S. Department of State), National Security authorities (e.g., the UK Cabinet Office), and intellectual property authorities (e.g., Lockheed Martin).

Policy scope: The scope that encompasses the set of organizations and systems managed by a given policy authority. Each policy has one, and only one, policy authority.

Business authorization: The result of the analysis of a manually readable policy artifact and of the expression, in a precise manner, of all the components of information protection policies required for consistent interpretation of policy artifacts.

Business Context Specific Resource Protection Profile (shortened to Protection Profile hereafter): The result of the analysis of all the business authorizations applicable under a given business context, and capture, in a precise manner, of the components required for consistent implementation across collaboration partners.

Delegated Administrative Authority: The entity that has the responsibility of applying a given policy on behalf of its policy authority. For example, LMCO, as the prime contractor of the JSF program, is also a delegated administrative authority for ITAR policies on behalf of the DDTC policy authority.

Information Asset: A generic way to designate containers of information, whether it is a document, a webpage, or a database record.

Item: In Export Control terminology, the item designates the physical goods to be exported. Export Control regulations aim at controlling the export of items and information assets.

Risk Impact: The evaluation of risks that would occur should an information asset be disclosed. The assessment of a risk impact determines the set of security controls that is mandated in order to mitigate the risk.

4. Process Model

BAF promotes a process where policy authorities express their requirements in a form that is consistent across policy authorities, and that allows for automated processes that can be implemented by organizations that need to comply with these policies.

Figure 1 below depicts a typical A&D setting where, in a specific business context (a program), an organization playing the role of the “Delegated Administrative Authority” puts together all the applicable policy requirements for all organizations that are a part of the program to be implemented.

Figure 1. Overall Process Model

The three key business processes implied by this model are:

1. Specification of the information protection policy requirements: Policy authority administrators formulate their policy requirements in the form of business authorizations. The format of the business authorizations is standard across policy authorities.

2. Creation of the protection profile: The organization playing the role of the delegated administrative authority puts together the comprehensive set of business authorizations applicable to the program in the form of a protection profile. The protection profile is standard across program participants.

3. Administration of the information protection policy requirements: Organizations that are part of the program need to implement the protection profile before starting to collaborate.

There is one possible variation to this target model:

Some policy authorities may not produce their policy requirements in the form of business authorizations. In this case, the delegated administrative authority translates the traditional artifacts to the business authorization format.

The BAF specification is mainly focused on the definition of the standard interchange formats for business authorizations and protection profiles, which are containers of business authorizations.

This specification sets the requirements for software vendors willing to support automated processes for business authorizations in their product offers.

5. Data Model

Figure 2 below, a UML [10] class-diagram [11], shows the protection profile and its key constituents. The following sub-sections provide details on each of these components.

Figure 2. Data Model

[10] Unified Modeling Language (UML): The modeling language that was used to model BAF. (For more information, see http://en.wikipedia.org/wiki/Unified_Modeling_Language.)

[11] A class-diagram represents classes (the rectangles) and the relations between them, with an indication of the multiplicity of the relations. In UML, the multiplicity is annotated on the target class, following a convention opposite to that of entity-relationship diagrams. The absence of multiplicity indicates the default value of “1.”

5.1 Protection Profile

Concept | Definition | Examples

Protection Profile | The result of the analysis of all the business authorizations applicable under a given business context, and capture, in a precise manner, of the components required for consistent implementation across collaboration partners. | A protection profile defining the information protection requirements for the collaboration around the design of the navigation system of Program-Z.

Business Context | Name of the business context (string). | Program-Z

Version Number | The version of the protection profile as managed by its issuer (string). | 1.0

Identifier | The unique identifier of the protection profile in the scope of its issuer. | urn:curtiss:pp:pgrm-z

Issuer | The digital certificate establishing the identity of the issuer of the protection profile. | Curtiss X509 Certificate

A Protection Profile has at least one business authorization detailed hereafter.

5.2 Business Authorization

Concept | Definition | Examples

Business Authorization | The result of the analysis of a human-readable policy artifact and of the expression, in a consistent and precise manner, of all the components of information protection policies required for consistent interpretation of policy artifacts. | A Technical Assistance Agreement (TAA) is a business authorization, defining information protection requirements in the context of ITAR export control’s policy scope.

Name | Name of the business authorization (string). | TAA-1

Version Number | The version of the business authorization as managed by the policy authority or by the delegated policy authority (string). | 1.0

Validity Dates | The validity dates of the business authorization defined as a start date and an end date. Either date can be left undefined, thus expressing an open-ended range. | 2014/10/01

Document Locator | The URL to a document that represents the human-readable form of the policy that a business authorization formalizes. | http://www.curtiss.com/ba/taa-1.pdf

Identifier | A unique identifier of the business authorization as managed by the policy authority or by the delegated policy authority (URN). | urn:curtiss:ba:taa:taa-1

A business authorization is associated to a policy, and has at least one business authorization category.

5.3 Policy

Concept | Definition | Examples

Policy | A set of requirements that aims at protecting items and information under a given policy scope. | The ITAR policy aims at protecting items (goods) and information under the Export Control policy scope.

Name | Name of the Policy (string). | ITAR

Identifier | A unique identifier of the policy, as managed by the policy authority. | urn:tscp:pa:us:ddtc

Types | A policy can be of the following three types: Export Control; National Security; Intellectual Property. | ITAR is a policy of type Export Control for country = U.S.

A policy is associated to a policy authority.

5.4 Policy Authority

Concept | Definition | Examples

Policy Authority | An entity that holds legal or administrative authority over one or more policy scopes. | The Directorate of Defense Trade Control (DDTC), a branch of the U.S. Department of State, is the policy authority defining ITAR Export Control policy scope.

Policy Authority - Name | The name of the policy authority. | DDTC

Policy Authority - Identifier | A unique identifier for the policy authority. | urn:tscp:pa:us:ddtc

A policy authority is authoritative on at least one policy.

5.5 Business Authorization Category

Concept | Definition | Examples

Business Authorization Category | Designates a uniquely identifiable construct that defines a subset of the requirements within a business authorization. A business authorization must contain at least one business authorization category. | The TAA, which grants to Curtiss the right to export information to Packard and Spad, in context of the design and simulation of the navigation system of Program-Z, contains two categories: one general category for the protection of information related to the GPRSNU item, and one category specifically addressed at the Y-Code subsystem of the GPRSNU item.

Name | A name for the business authorization category. | TAA-1.1

URN | An identifier, expressed as a URN, that is unique within an identifier scope managed by the issuer of the containing business authorization. | Category 1: urn:curtiss:ba:taa:taa-1.1; Category 2: urn:curtiss:ba:taa:taa-1.2

OID | An identifier, expressed as an OID, that is unique within an identifier scope managed by the issuer of the containing business authorization. | Category 1: 1.3.6.1.4.1.30000.300.1; Category 2: 1.3.6.1.4.1.30000.300.2

A business authorization category has one impact level and optional rules, such as the following: categorization rule, labeling rule, and access rule.

5.6 Impact Level

Concept | Definition | Examples

Impact Level | The indication of the damage that would occur should the information object be compromised. | The business category TAA#1.1 specifies that all information under this category is of a “Moderate” confidentiality impact level, “Moderate” integrity impact level, and “Low” availability impact level from the “FIPS199” scale.

Scale | The scale that provides definitions for the various values. | FIPS199 scale

Confidentiality Value | The impact value in case of a loss of confidentiality. | Medium

Integrity Value | The impact value in terms of a loss of integrity. | Medium

Availability | The impact value in terms of a loss of availability. | Low

5.7 Categorization Rule

Concept | Definition | Examples

Categorization Rule | Rules that define the conditions under which an information object must fall within the business authorization category; the categorization rules are provided as an input to the training for end-users who need to apply business authorization categories to documents. | Examples of some independent categorization rules (they are extracted from two different business authorization categories): 1. All information whose IP is owned by {Curtiss} (IP Owning Organization), that is destined for {Packard} (Receiving Organization), and that contributes to the {Detailed Design} (Work effort) must be protected under IPL-2.1. 2. Any information object that originates from {Curtiss} (Originating Organizations) and which is provided to {Packard} (Receiving Organization) and which covers topics {“before M3”} (Topics) and is about {GNU or EGPSU or MGPSR} (Products) and that includes information designated as {11A of USML} (Classification) and is produced by {DetailedDesign or Simulation} (Work Effort), must be protected under TAA-1.1.

IP Owning Organizations | A criterion specifying the organizations that hold intellectual property in the exchanged information.

Originating Organizations | A criterion specifying the organizations from which the information originates.

Receiving Organizations | A criterion specifying the organizations which consume the information.

Topics | A criterion specifying various topics (business context decomposition) that make business sense for the end-users applying labels to information objects.

Products | A criterion specifying a list of product references (typically, but not limited to, with respect to a product breakdown structure).

Classification | A criterion specifying a list of classification numbers that the information relates to (typically, but not limited to, a goods category designation in the designated military list).

Work Effort | A criterion specifying a list of work efforts that the information contributes to (typically, but not limited to, with respect to a work breakdown structure).
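The two example categorization rules given for this table can be written as data and applied to the metadata of an information asset. The Python below is an added example, not part of the BAF specification: the field names, the matching semantics (alternatives inside one criterion, all stated criteria required) and the two sample assets are assumptions of this example. It also reports which criteria kept an asset out of a category, since an asset with missing metadata otherwise drops out of a category without any trace.

```python
"""BAF categorization rules (section 5.7) as data, applied to asset metadata.

Added example, not part of the BAF specification. Assumed semantics: values
inside one criterion are alternatives (OR), the criteria a rule states are
all required (AND), and a criterion a rule does not state is unconstrained.
"""
from dataclasses import dataclass, field

# The seven criteria of the section 5.7 table (field names are this example's).
CRITERIA = (
    "ip_owning_organizations", "originating_organizations",
    "receiving_organizations", "topics", "products",
    "classification", "work_effort",
)


def _norm(value):
    # The page writes both "Detailed Design" and "DetailedDesign"; compare
    # without whitespace or case so a spelling variant does not cause a miss.
    return "".join(value.split()).casefold()


@dataclass(frozen=True)
class CategorizationRule:
    category: str                                 # business authorization category
    criteria: dict = field(default_factory=dict)  # criterion -> allowed values

    def __post_init__(self):
        unknown = set(self.criteria) - set(CRITERIA)
        if unknown:
            raise ValueError(f"unknown criteria: {sorted(unknown)}")
        # An empty value list could never match and would disable the rule.
        empty = sorted(c for c, allowed in self.criteria.items() if not allowed)
        if empty:
            raise ValueError(f"criteria without values: {empty}")

    def unmet(self, asset):
        """Return the criteria of this rule that the asset does not satisfy."""
        failed = []
        for name, allowed in self.criteria.items():
            have = {_norm(v) for v in asset.get(name, ())}
            if not have & {_norm(v) for v in allowed}:
                failed.append(name)
        return failed


def categorize(asset, rules):
    """Return (matched categories, {category: unmet criteria}) for one asset."""
    matched, near_misses = [], {}
    for rule in rules:
        failed = rule.unmet(asset)
        if failed:
            near_misses[rule.category] = failed
        else:
            matched.append(rule.category)
    return matched, near_misses


# The two example rules from the table, transcribed as data.
RULES = [
    CategorizationRule("IPL-2.1", {
        "ip_owning_organizations": {"Curtiss"},
        "receiving_organizations": {"Packard"},
        "work_effort": {"Detailed Design"},
    }),
    CategorizationRule("TAA-1.1", {
        "originating_organizations": {"Curtiss"},
        "receiving_organizations": {"Packard"},
        "topics": {"before M3"},
        "products": {"GNU", "EGPSU", "MGPSR"},
        "classification": {"11A of USML"},
        "work_effort": {"DetailedDesign", "Simulation"},
    }),
]

# Constructed sample assets (not from the specification).
NAV_DESIGN = {
    "ip_owning_organizations": ["Curtiss"],
    "originating_organizations": ["Curtiss"],
    "receiving_organizations": ["Packard"],
    "topics": ["before M3"],
    "products": ["EGPSU"],
    "classification": ["11A of USML"],
    "work_effort": ["DetailedDesign"],
}
UNLABELLED_SIM = {  # classification metadata was never filled in
    "originating_organizations": ["Curtiss"],
    "receiving_organizations": ["Packard"],
    "topics": ["before M3"],
    "products": ["GNU"],
    "work_effort": ["Simulation"],
}

if __name__ == "__main__":
    for label, asset in (("NAV_DESIGN", NAV_DESIGN), ("UNLABELLED_SIM", UNLABELLED_SIM)):
        matched, near_misses = categorize(asset, RULES)
        print(label, "categories:", matched, "unmet:", near_misses)
```

The second asset matches no category, and the report shows that TAA-1.1 was missed on the classification criterion alone, which is the case a reviewer of labels would want surfaced.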

5.8 Access Rule

Concept Definition Examples

Access Rule A rule that defines the requirements for having access to any information covered by the business authorization category. These requirements are provided as inclusion criteria (condition to permit access) or exclusion criteria (condition to deny access).

Effect Determines whether the rule permits or denies access.

Examples of some independent access rules:

1. Any (Action) access to information under this business authorization category is Denied (Effect) to all users located outside of {US, GB, FR} (Location), or to all users whose organization’s country of incorporation is not in {US, GB, FR}.

2. Any (Action) access to information under this business authorization category is Permitted (Effect) to all users cleared to {ITAR-Training} (Entitlement), assigned to {DetailedDesign, Integration} (Work effort), on information about {GNU, EGPSU} (Product).

Action The actions that are either permitted (Effect: Permit), or denied (Effect: Deny), if the access criteria below are all met.

Principal A criterion specifying the list of individuals to which access is denied or granted.

Entitlement A criterion specifying the list of entitlements that the subject (requestor to the information) has been assigned to.

Organization A criterion specifying the list of organizations that the subject (requestor to the information) must be affiliated with.

Work Effort A criterion specifying the list of work efforts that the subject (requestor to the information) must be assigned to.

Product A criterion specifying the list of products that the information is associated with.

Nationalities A criterion specifying a list of authorized nationalities, which the authorized parties (whether organizations or persons) can be affiliated with.

Locations A criterion specifying a list of authorized country locations where the requestor may reside at the time of a request for access to information.

Country of incorporation A criterion specifying a list of countries of incorporation of the organizations to which the subject is affiliated.
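The two example access rules above, evaluated in code as an added example (not part of the BAF specification). It assumes the rules belong to one category and are combined with deny-overrides, as in the appendix's XACML instance; the "or" in rule 1 is split into two Deny rules, and the attribute names in the request are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Criterion:
    attribute: str          # hypothetical attribute name in the request
    values: frozenset       # values listed by the rule
    outside: bool = False   # True: match when the requestor is NOT within values

    def matches(self, request: dict) -> bool:
        present = set(request.get(self.attribute, ()))
        if self.outside:
            # Fail closed: a missing attribute, or any value outside the list,
            # counts as "outside". Used here for Deny rules only.
            return not present or not present <= self.values
        # Inclusion criterion: at least one requestor value must be listed.
        return bool(present & self.values)


@dataclass(frozen=True)
class AccessRule:
    effect: str             # "Permit" or "Deny"
    actions: frozenset      # "Any" matches every action
    criteria: tuple         # the rule applies only if all criteria are met

    def applies(self, action: str, request: dict) -> bool:
        action_ok = "Any" in self.actions or action in self.actions
        return action_ok and all(c.matches(request) for c in self.criteria)


def decide(rules, action: str, request: dict) -> str:
    """Deny-overrides: one applicable Deny rule beats any number of Permits."""
    effects = {r.effect for r in rules if r.applies(action, request)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"  # no rule granted access; callers should refuse


ALLOWED = frozenset({"US", "GB", "FR"})
ANY = frozenset({"Any"})
RULES = (
    # Example rule 1, first half: located outside {US, GB, FR}.
    AccessRule("Deny", ANY, (Criterion("location", ALLOWED, outside=True),)),
    # Example rule 1, second half: country of incorporation not in {US, GB, FR}.
    AccessRule("Deny", ANY,
               (Criterion("country_of_incorporation", ALLOWED, outside=True),)),
    # Example rule 2: entitlement, work effort and product must all match.
    AccessRule("Permit", ANY, (
        Criterion("entitlement", frozenset({"ITAR-Training"})),
        Criterion("work_effort", frozenset({"DetailedDesign", "Integration"})),
        Criterion("product", frozenset({"GNU", "EGPSU"})),
    )),
)

# Constructed request: subject, environment and resource attributes together.
ENGINEER = {
    "location": {"US"},
    "country_of_incorporation": {"US"},
    "entitlement": {"ITAR-Training"},
    "work_effort": {"DetailedDesign"},
    "product": {"GNU"},
}

if __name__ == "__main__":
    travelling = {**ENGINEER, "location": {"DE"}}
    untrained = {**ENGINEER, "entitlement": set()}
    for name, req in [("engineer", ENGINEER), ("travelling", travelling),
                      ("untrained", untrained)]:
        print(name, decide(RULES, "Read", req))
```

A request that lacks the location attribute is denied rather than skipped, which keeps an incomplete attribute feed from widening access.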

5.9 Marking Rules

Concept Definition Examples

Marking Rule A rule that defines the visual indicators on information objects that are required for the procedural enforcement of all the applicable policies.

Marking Precedence A number between 1 and 10 that determines the precedence of the visual marking of this business authorization category over other business authorization category’s visual markings appearing on the same information object. A value of 1 expresses a low precedence, whereas the value of 10 expresses the highest precedence. Labeling tools use the marking precedence to determine the position of the visual markings that need to share the same space.

In the case in which two “Email First Line Of Text” physical markings were required, the one with the higher marking precedence would appear first.

Marking Parts The visual indicators are specified as individual parts. Each part has an identifier, which defines what the part is about, and a string value. The identifiers are listed below:

Identifier:

UI – Name

A very brief (fewer than 20 characters) summary of the policy to use in a user interface, e.g., for users to select the policy from a drop down list.

“TAA-{license-number}”

Identifier:

UI – Disclaimer

Language shown to the user (by an application, e.g., SharePoint) before she can access information, and where the user (the potential recipient of the data) needs to acknowledge that she has read the disclaimer.

“This technical data requires an export license prior to dissemination to non-US persons. It is controlled by United States International Traffic in Arms Regulations (ITAR) (22 CFR 120-130). It is the responsibility of each individual in control of this data to abide by all export laws”

Identifier:

General - Summary

Short language typically located in a single place within the document, e.g., in a security control information table.

“US ITAR Export Controlled under:

TAA-1.1

Program-Z”

Identifier:

General – Warning Statement

Language typically located at the beginning of a document (e.g., on the cover page), that warns the end-user about the protection policy that must apply, and possibly the consequences of non-compliance.

“This document (or software if applicable) contains technical data whose export/transfer/disclosure is restricted by the Arms Export Control Act (Title 22, U.S.C., Sec 2751, et seq.) or the Export Administration Act of 1979, as amended, Title 50, U.S.C., App. 2401 et seq. Violations of these export laws are subject to severe criminal penalties. Disseminate in accordance with provisions of DoD Directive 5230.25. Dissemination to non-U.S. persons whether in the United States or abroad requires an export license or other authorization.”

Identifier:

General – Distribution statement

Language typically located at the beginning of a document (e.g., on the cover page), that provides information on the distribution requirements of the document.

“Distribution authorized to U.S. Government Agencies and private individuals or enterprises eligible to obtain export-controlled technical data in accordance w/DoDD 5230.25 20 July 2010. Controlling DoD office is [Insert Company Details]”

Identifier:

Document – Header

Short language located at the top of each document's pages.

Identifier:

Document – Footer

Short language located at the bottom of each document's pages.

“Export controlled – see sheet 1”

Identifier:

Document – Watermark

Short language formatted as a watermark on each document's pages.

Identifier:

Email – First Line Of Text

Language located at the beginning of the email body.

“ITAR Export Controlled”

Identifier:

Email – Last Line Of Text

Language located at the end of the email body.

Identifier:

Email – Subject suffix

Short language located at the beginning of the email subject.

“ITAR”

Identifier:

Email – Subject prefix

Short language located at the end of the email subject.

6. Interchange format

6.1 BAF Profile for XACML

The XACML standard from OASIS can be leveraged in three scenarios:

1. Interchange of access control requirements

2. Representation of authorization request / responses between a Policy Enforcement Point [12] and a Policy Decision Point [13]

3. Execution of authorization rules within a XACML rules engine

The BAF profile for XACML 2.0 considers the first scenario for the purpose of exchanging Business Authorizations between organizations.

Notation

The following notation is used in this section to indicate the mapping between BAF and XACML 2.0 constructs:

BAF v1.0 Data Model XACML 2.0 Construct

BAF construct <Value> - the value element from the BAF data model

A / B = <Value> denotes an element’s contents: <A> <B>Value</B> </A>

A / B @C = "Value" denotes an element’s attribute: <A> <B C="Value"> . . .</B> </A>

The components of the Data Model that are mapped to XACML are the:

Protection Profile

Business Authorization Category Categorization Rules

Business Authorization Marking Categorization Rules

Business Authorization Category Access Rules

The other components of the Data Model (e.g., Policy Authority, Business Authorization, Impact Level) are not mapped to XACML because they served as intermediate artifacts aimed at producing the final implementable protection profile.

12 The point where the policy decisions are actually enforced, per RFC 2904.

13 The point where policy decisions are made per RFC 2904.

6.1.1 Protection Profile

A Protection Profile is expressed as a XACML PolicySet. As the XACML standard (up to 3.0) does not provide structured support for some of the administrative information related to a PolicySet (Business Context, Name, and Contact), the profile defines a loose way to convey this information as XML attributes of the Description element of a PolicySet:

BAF v1.0 Data Model XACML 2.0 Construct

Protection Profile PolicySet

Administrative Data - Identifier PolicySet @PolicySetId=<Identifier>

Administrative Data - Version PolicySet @Version=<Version>

Administrative Data - Business Context PolicySet / Documentation @BusinessContext=<Business Context>

Administrative Data - Contact PolicySet / Documentation @Contact=<Contact>

6.1.2 Business Authorization Category

A Business Authorization Category is expressed as a XACML Policy.

BAF v1.0 Data Model XACML 2.0 Construct

Business Authorization Category PolicySet / Policy

6.1.3 Identification of Business Authorization Categories

The URN and OID identifiers are expressed as XACML target resource attributes:

BAF v1.0 Data Model XACML 2.0 Construct

Business Authorization Category Identifier URN

PolicySet / Policy / Target / Resources / Resource / ResourceMatch / ResourceAttributeDesignator @AttributeId = “urn:oasis:names:tc:xacml:1.0:resource:policy-id”

PolicySet / Policy / Target / Resources / Resource / ResourceMatch / AttributeValue = <Identifier URN>

Business Authorization Category Identifier OID

PolicySet / Policy / Target / Resources / Resource / ResourceMatch / ResourceAttributeDesignator @AttributeId = “urn:oasis:names:tc:xacml:1.0:resource:policy-id:OID”

PolicySet / Policy / Target / Resources / Resource / ResourceMatch / AttributeValue = <Identifier OID>

6.1.4 Categorization rules

The categorization rules are expressed as XACML obligations:

BAF v1.0 Data Model XACML 2.0 Construct

Business Authorization Category Categorization rules

Obligations / Obligation FulfillOn="Permit" RuleId="urn:tscp:names:baf:xacml:1.0:categorization-rules" / AttributeAssignment = <Value>

Obligations / Obligation FulfillOn="Permit" RuleId="urn:tscp:names:baf:xacml:1.0:categorization-rules" / AttributeAssignment @AttributeId

See below the recognized values for @AttributeId:

Business context: "urn:tscp:names:baf:xacml:1.0:categorizationRule:business-context"

Originating organization: "urn:tscp:names:baf:xacml:1.0:categorizationRule:originating-organization"

Receiving organization: "urn:tscp:names:baf:xacml:1.0:categorizationRule:receiving-organization"

IP Owning organization: "urn:tscp:names:baf:xacml:1.0:categorizationRule:owning-organization"

Classification: "urn:tscp:names:baf:xacml:1.0:categorizationRule:classification"

Product: "urn:tscp:names:baf:xacml:1.0:categorizationRule:product"

Work effort: "urn:tscp:names:baf:xacml:1.0:categorizationRule:work-effort"

6.1.5 Access Rules

The access rules for a Business Authorization Category are made of two components:

Criteria on the resource

Criteria on the subject and of the environment

The criteria on the resource are expressed as XACML ResourceMatch attributes, whereas the criteria on the subject and the environment are expressed as XACML rule conditions:

BAF v1.0 Data Model XACML 2.0 Construct

Business Authorization Category

Access Rules

Criteria on Resource:

PolicySet / Policy / Target / Resources / Resource / ResourceMatch / AttributeValue = <Value>

PolicySet / Policy / Target / Resources / Resource / ResourceMatch / ResourceAttributeDesignator @AttributeId

See below the recognized values for @AttributeId:

Product: "urn:tscp:resource-product"

Classification: "urn:tscp:resource-classification"

Business Authorization Category

Access Rules

Criteria on Subject:

PolicySet / Policy / Rule / Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and" / Apply / AttributeValue = <Value>

PolicySet / Policy / Rule / Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and" / Apply / AttributeDesignator @AttributeId

See below the recognized values for @AttributeId:

Affiliated Organization: "urn:tscp:affiliated-organization"

Work Effort: "urn:tscp:work-effort"

Nationality: "urn:tscp:nationality"

Physical Location: "urn:tscp:location"

Identifier: "urn:oasis:names:tc:xacml:1.0:subject:subject-id"

Business Authorization Category

Access rules

Criteria on Environment:

PolicySet / Policy / Target / Environments / Environment / AttributeValue = <Value>

PolicySet / Policy / Target / Environments / Environment / EnvironmentAttributeDesignator @AttributeId

See below the recognized values for @AttributeId:

Readiness condition: "urn:tscp:readiness-condition"

6.1.6 Marking rules

The marking rules are made of two components:

The marking precedence

The list of physical markings

Both components are expressed as XACML obligations:

BAF v1.0 Data Model XACML 2.0 Construct

Business Authorization Category

Marking rules

PolicySet / Policy / Obligations / Obligation @FulfillOn="Permit" @RuleId="urn:tscp:names:baf:xacml:1.0:visual-marking-rules"

PolicySet / Policy / Obligations / Obligation / AttributeAssignment @AttributeId

See below the recognized values for @AttributeId:

Marking Precedence: "urn:tscp:names:baf:xacml:1.0:visual-marking-rule:precedence"

Document Header: "urn:tscp:names:baf:xacml:1.0:visual-marking-rule:Document:Header"

Document Footer: "urn:tscp:names:baf:xacml:1.0:visual-marking-rule:Document:Footer"

Document Watermark: "urn:tscp:names:baf:xacml:1.0:visual-marking-rule:Document:Watermark"

Warning Statement: "urn:tscp:names:baf:xacml:1.0:visual-marking-rule:General:Warning statement"

Distribution Statement: "urn:tscp:names:baf:xacml:1.0:visual-marking-rule:General:Distribution statement"

Summary: "urn:tscp:names:baf:xacml:1.0:visual-marking-rule:General:Summary"

First Line of Text: "urn:tscp:names:baf:xacml:1.0:visual-marking-rule:Email:FirstLineOfText"

Last Line of Text: "urn:tscp:names:baf:xacml:1.0:visual-marking-rule:Email:LastLineOfText"

Subject Prefix: "urn:tscp:names:baf:xacml:1.0:visual-marking-rule:Email:SubjectPrefix"

Subject Suffix: "urn:tscp:names:baf:xacml:1.0:visual-marking-rule:Email:SubjectSuffix"

The reader will find instances of business authorizations that are expressed in XML and in XACML in the appendix.
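A reader for the mappings in sections 6.1.3 to 6.1.5, as an added example (not part of the BAF specification): it maps a received XACML Policy back to BAF constructs and lists the AttributeIds the profile does not recognize. The function names, the trimmed sample document (DataType and combining-algorithm attributes omitted) and the refusal of DOCTYPE declarations are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:2.0:policy:schema:os"}
POLICY_ID = "urn:oasis:names:tc:xacml:1.0:resource:policy-id"
# Resource AttributeIds from sections 6.1.3 and 6.1.5. The page writes the OID
# suffix as ":OID" in 6.1.3 and ":oid" in the appendix, so lookups are lowercased.
RESOURCE_IDS = {
    POLICY_ID: "identifier_urn",
    POLICY_ID + ":oid": "identifier_oid",
    "urn:tscp:resource-product": "product",
    "urn:tscp:resource-classification": "classification",
}
# Section 6.1.4 uses version "1.0" in these URNs, the appendix instance "1.1".
BAF = r"urn:tscp:names:baf:xacml:1\.[01]:"
CATEGORIZATION_NAMES = {
    "business-context", "originating-organization", "receiving-organization",
    "owning-organization", "classification", "product", "work-effort",
}


def read_category(policy):
    """Map one XACML <Policy> back to the BAF constructs of section 6.1."""
    out = {"policy_id": policy.get("PolicyId"), "resource": {},
           "categorization": {}, "unrecognized": []}
    path = "x:Target/x:Resources/x:Resource/x:ResourceMatch"
    for match in policy.iterfind(path, NS):
        designator = match.find("x:ResourceAttributeDesignator", NS)
        value = match.findtext("x:AttributeValue", default="", namespaces=NS)
        attr_id = designator.get("AttributeId", "") if designator is not None else ""
        key = RESOURCE_IDS.get(attr_id.lower())
        if key is None:
            out["unrecognized"].append(attr_id)
        else:
            out["resource"].setdefault(key, []).append(value.strip())
    for ob in policy.iterfind("x:Obligations/x:Obligation", NS):
        # The profile names this attribute RuleId; XACML 2.0 calls it ObligationId.
        ob_id = ob.get("RuleId") or ob.get("ObligationId") or ""
        if not re.fullmatch(BAF + "categorization-rules", ob_id):
            continue  # other obligations (e.g. marking rules) are not read here
        for assign in ob.iterfind("x:AttributeAssignment", NS):
            attr_id = assign.get("AttributeId", "")
            m = re.fullmatch(BAF + r"categorizationRule:\s*(\S+)", attr_id)
            if m and m.group(1) in CATEGORIZATION_NAMES:
                values = out["categorization"].setdefault(m.group(1), [])
                values.append((assign.text or "").strip())
            else:
                out["unrecognized"].append(attr_id)
    return out


def load_categories(xml_bytes):
    """Parse a PolicySet received from a partner organization."""
    if b"<!DOCTYPE" in xml_bytes:
        # Interchanged policies need no DTD; refusing one avoids entity expansion.
        raise ValueError("DOCTYPE declarations are not accepted")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}PolicySet" % NS["x"]:
        raise ValueError("root element is not a XACML 2.0 PolicySet")
    return [read_category(p) for p in root.iterfind("x:Policy", NS)]


# Constructed sample, modelled on the appendix instance.
SAMPLE = b"""<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
 <Policy PolicyId="TAA-1.1">
  <Target><Resources><Resource>
   <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue>urn:curtiss:ba:taa:taa-1.1</AttributeValue>
    <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:policy-id"/>
   </ResourceMatch>
   <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue>1.3.6.1.4.1.30000.300.1</AttributeValue>
    <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:policy-id:oid"/>
   </ResourceMatch>
   <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue>GNU</AttributeValue>
    <ResourceAttributeDesignator AttributeId="urn:tscp:resource-product"/>
   </ResourceMatch>
   <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue>EGPSU</AttributeValue>
    <ResourceAttributeDesignator AttributeId="urn:tscp:resource-product"/>
   </ResourceMatch>
  </Resource></Resources></Target>
  <Obligations>
   <Obligation FulfillOn="Permit" RuleId="urn:tscp:names:baf:xacml:1.1:categorization-rules">
    <AttributeAssignment AttributeId="urn:tscp:names:baf:xacml:1.1:categorizationRule:originating-organization">Curtiss</AttributeAssignment>
    <AttributeAssignment AttributeId="urn:tscp:names:baf:xacml:1.1:categorizationRule:classification">USML:11A</AttributeAssignment>
    <!-- constructed AttributeId that is not in the profile's list -->
    <AttributeAssignment AttributeId="urn:tscp:names:baf:xacml:1.1:categorizationRule:project-phase">M3</AttributeAssignment>
   </Obligation>
  </Obligations>
 </Policy>
</PolicySet>"""

if __name__ == "__main__":
    for category in load_categories(SAMPLE):
        print(category)
```

Anything reported under "unrecognized" is a criterion the receiving side would otherwise drop silently, so an importer should surface it before the policy is put into use.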

6.2 Plain XML

Instances of business authorizations can be interchanged in a form which can be processed by machines by using the XML structure defined by the following XML Schema:

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xal="urn:oasis:names:tc:ciq:xal:3" xmlns:baf="urn:tscp:names:baf:1.1">
  <xs:import namespace="urn:oasis:names:tc:ciq:xal:3" schemaLocation="xalv3.xsd"/>
  <!-- Business Authorization -->
  <xs:complexType name="BusinessAuthorization">
    <xs:sequence>
      <xs:element ref="AdministrativeData"/>
      <xs:element ref="Scope"/>
      <xs:element ref="Included"/>
      <xs:element ref="Excluded"/>
    </xs:sequence>
  </xs:complexType>
  <xs:element name="AdministrativeData">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="ProgramID"/>
        <xs:element ref="LicenseID"/>
        <xs:element ref="StartValidityDate"/>
        <xs:element ref="StopValidityDate"/>
        <xs:element ref="Applicant"/>
        <xs:element ref="Signatories"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="Included">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="BusinessAuthorizationCategory" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="Excluded">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="BusinessAuthorizationCategory" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="StopValidityDate">
    <xs:simpleType>
      <xs:restriction base="xs:date"/>
    </xs:simpleType>
  </xs:element>
  <xs:element name="StartValidityDate">
    <xs:simpleType>
      <xs:restriction base="xs:date"/>
    </xs:simpleType>
  </xs:element>
  <!-- Business Authorization Category -->
  <xs:element name="BusinessAuthorizationCategory">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="AccessRules"/>
        <xs:element ref="HandlingRules"/>
        <xs:element ref="LabelingRules"/>
      </xs:sequence>
      <xs:attribute name="Identifier" type="xs:anyURI" use="required"/>
    </xs:complexType>
  </xs:element>
  <!-- Impact Level -->
  <xs:element name="ImpactLevel" type="ImpactLevel"/>
  <xs:complexType name="ImpactLevel" abstract="true"/>
  <xs:element name="Undefined_ImpactLevel" type="Undefined_ImpactLevel"/>
  <xs:complexType name="Undefined_ImpactLevel" mixed="false">
    <xs:complexContent mixed="false">
      <xs:extension base="ImpactLevel"/>
    </xs:complexContent>
  </xs:complexType>
  <xs:element name="FIPS_ImpactLevel" type="FIPS_ImpactLevel"/>
  <xs:complexType name="FIPS_ImpactLevel" mixed="false">
    <xs:complexContent mixed="false">
      <xs:extension base="ImpactLevel">
        <xs:sequence>
          <xs:element name="Value">
            <xs:simpleType>
              <xs:restriction base="xs:string">
                <xs:enumeration value="Low"/>
                <xs:enumeration value="Moderate"/>
                <xs:enumeration value="High"/>
              </xs:restriction>
            </xs:simpleType>
          </xs:element>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>
  <xs:element name="UK_Cabinet_ImpactLevel" type="UK_Cabinet_ImpactLevel"/>
  <xs:complexType name="UK_Cabinet_ImpactLevel" mixed="false">
    <xs:complexContent mixed="false">
      <xs:extension base="ImpactLevel">
        <xs:sequence>
          <xs:element name="Value">
            <xs:simpleType>
              <xs:restriction base="xs:string">
                <xs:enumeration value="0"/>
                <xs:enumeration value="1"/>
                <xs:enumeration value="2"/>
                <xs:enumeration value="3"/>
              </xs:restriction>
            </xs:simpleType>
          </xs:element>
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>
  <!-- Handling Rule -->
  <xs:complexType name="HandlingRule" abstract="true"/>
  <xs:complexType name="SecureWEBTransmission">
    <xs:complexContent>
      <xs:extension base="HandlingRule"/>
    </xs:complexContent>
  </xs:complexType>
  <xs:complexType name="StorageRule">
    <xs:complexContent>
      <xs:extension base="HandlingRule"/>
    </xs:complexContent>
  </xs:complexType>
  <xs:complexType name="SecureWEBStorage">
    <xs:complexContent>
      <xs:extension base="StorageRule"/>
    </xs:complexContent>
  </xs:complexType>
  <xs:complexType name="SecureFileTransferTransmission">
    <xs:complexContent>
      <xs:extension base="HandlingRule"/>
    </xs:complexContent>
  </xs:complexType>
  <xs:complexType name="SecureEmailTransmission">
    <xs:complexContent>
      <xs:extension base="HandlingRule"/>
    </xs:complexContent>
  </xs:complexType>
  <xs:complexType name="MediumAuthentication">
    <xs:complexContent>
      <xs:extension base="HandlingRule"/>
    </xs:complexContent>
  </xs:complexType>
  <xs:complexType name="FileDeletion">
    <xs:complexContent>
      <xs:extension base="HandlingRule"/>
    </xs:complexContent>
  </xs:complexType>
  <xs:complexType name="DesktopStorage">
    <xs:complexContent>
      <xs:extension base="HandlingRule"/>
    </xs:complexContent>
  </xs:complexType>
  <!-- Labeling Rule -->
  <xs:element name="VisualMarkingPart">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="Description"/>
        <xs:element name="Contents"/>
      </xs:sequence>
      <xs:attribute name="type" type="xs:anyURI" use="required"/>
    </xs:complexType>
  </xs:element>
  <!-- Others -->
  <xs:element name="WorkEffortsScope">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="WorkEfforts"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="WorkEfforts">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="WorkEffort" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="WorkEffort">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="Name"/>
      </xs:sequence>
      <xs:attribute name="id" type="xs:string" use="required"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="Signatories">
    <xs:complexType/>
  </xs:element>
  <xs:element name="Scope">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="OrganizationsScope"/>
        <xs:element ref="WorkEffortsScope"/>
        <xs:element ref="ActionsScope"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="Rules">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="HandlingRules"/>
        <xs:element ref="LabelingRules"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="ProgramID">
    <xs:simpleType>
      <xs:restriction base="xs:string">
        <xs:enumeration value="PRGM-Z"/>
      </xs:restriction>
    </xs:simpleType>
  </xs:element>
  <xs:element name="OrganizationsScope">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="Organizations"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="Organizations">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="Organization" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="Organization">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="xal:Name"/>
        <xs:element ref="xal:Address"/>
      </xs:sequence>
      <xs:attribute name="id" use="required" type="xs:string"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="Name" type="xs:string"/>
  <xs:element name="LicenseID" type="xs:anyURI"/>
  <xs:element name="Level">
    <xs:simpleType>
      <xs:restriction base="xs:string">
        <xs:enumeration value="Moderate"/>
      </xs:restriction>
    </xs:simpleType>
  </xs:element>
  <xs:element name="LabelingRules">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="VisualMarkingPart" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="InformationScope">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="ImpactLevel"/>
        <xs:element ref="ClassificationNumbers"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="HandlingRules">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="HandlingRule" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="HandlingRule" type="HandlingRule"/>
  <xs:element name="Countries">
    <xs:complexType/>
  </xs:element>
  <xs:element name="ClassificationNumbers">
    <xs:complexType/>
  </xs:element>
  <xs:element name="BusinessAuthorization" type="BusinessAuthorization"/>
  <xs:element name="Applicant">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="xal:Name"/>
        <xs:element ref="xal:Address"/>
      </xs:sequence>
      <xs:attribute name="id" use="required" type="xs:string"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="ActionsScope">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="Actions"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="Actions">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="Action" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="Action">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="Name"/>
      </xs:sequence>
      <xs:attribute name="id" use="required" type="xs:string"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="AccessRules">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="AccessRule" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="AccessRule">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="Organization"/>
        <xs:element ref="Countries"/>
        <xs:element ref="WorkEffort"/>
        <xs:element ref="Actions"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>

7. Acronyms

The following list of acronyms and corresponding descriptions will be used throughout the document.

Acronym Description

BA Business Authorization

BAF Business Authorization Framework

BAL Business Authorization Label

BAILS Business Authorization Identification and Labeling Scheme

BOM Bills Of Material

A&D Aerospace and Defense

BIS US Bureau of Industry and Security: The Bureau that regulates export control of dual-use (civilian and military) items.

DDTC US State Department - Policy - Directorate of Defense Trade Controls, regulates export control of military items

DEFCON Defense Readiness Condition: A measure of the activation and readiness level of the US Armed Forces.

DoD US Department of Defense

EBOM Engineering Bills of Material

I&AM Identity and Access Management: Overarching architecture document for the TSCP.

IAP Information Asset Protection

ITAR International Traffic in Arms Regulations

JSF Joint Strike Fighter: A major A&D program aimed at producing the F35 fighter.

MBOM Manufacturing Bills Of Material

MoD Ministry of Defense

MTA Manufacturing Technical Agreement: Another type of license under the ITAR policies.

NDA Non-Disclosure Agreement

OpenXML (OOXML): An ECMA standard for interoperable office document format. Mostly promoted by Microsoft, and used in Office 2007 and on.

PDM Product Data Management

PDP Policy Decision Point

PEP Policy Enforcement Point

POC Proof Of Concept

OBS Organization Breakdown Structure

PIEA Proprietary Information Exchange Agreement

TAA Technical Assistance Agreement: One of the licenses that organizations need to obtain and comply with in order to export technical information under the ITAR policies.

TSCP Transglobal Secure Collaboration Program

UGEA Union General Export Authorization: A license under the authority of the European Union that regulates export control of dual-use items.

XACML Extensible Access Control Markup Language

WBS Work Breakdown Structure

8. References

Document URL

NIST SP 800-53 http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf

9. APPENDIX

9.1 BAF mapping to XACML (logical models)

Figure 3. BAF Mapping to XACML

9.1.1 XACML instance of TAA#1

<?xml version="1.0"?> <PolicySet xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"> <Description /> <Policy PolicyId="TAA-1.1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"> <Description>Policy for Business Authorization Category TAA-1.1</Description> <Target> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">urn:curtiss:ba:taa:taa-1.1</AttributeValue> <ResourceAttributeDesignator “urn:oasis:names:tc:xacml:1.0:resource:policy-id" DataType="http://www.w3.org/2001/XMLSchema#string" /> </ResourceMatch> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">1.3.6.1.4.1.30000.300.1</AttributeValue> <ResourceAttributeDesignator “urn:oasis:names:tc:xacml:1.0:resource:policy-id:oid" DataType="http://www.w3.org/2001/XMLSchema#string" /> </ResourceMatch> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">GNU</AttributeValue> <ResourceAttributeDesignator “urn:tscp:resource-product" DataType="http://www.w3.org/2001/XMLSchema#string" /> </ResourceMatch> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">EGPSU</AttributeValue> <ResourceAttributeDesignator “urn:tscp:resource-product" DataType="http://www.w3.org/2001/XMLSchema#string" /> </ResourceMatch> </Resource> </Resources> </Target> <Rule Effect="Permit"> <Description /> <Target> <Actions> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">Any</AttributeValue> <ActionAttributeDesignator 
“urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" /> </ActionMatch> </Action> </Actions> </Target> <Condition> <Apply xsi:type="AndFunction" functionId="urn:oasis:names:tc:xacml:1.0:function:and"> <Apply xsi:type="AtLeastMemberOf" functionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <Apply functionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">Curtiss</AttributeValue> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">Packard</AttributeValue> </Apply> <AttributeDesignator “urn:tscp:affiliated-organization" DataType="http://www.w3.org/2001/XMLSchema#string" /> </Apply> <Apply xsi:type="AtLeastMemberOf" functionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <Apply functionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">US</AttributeValue> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">GB</AttributeValue>

</Apply> <AttributeDesignator “urn:tscp:nationality" DataType="http://www.w3.org/2001/XMLSchema#string" /> </Apply> <Apply xsi:type="AtLeastMemberOf" functionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <Apply functionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">US</AttributeValue> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">GB</AttributeValue> </Apply> <AttributeDesignator “urn:tscp:location" DataType="http://www.w3.org/2001/XMLSchema#string" /> </Apply> <Apply xsi:type="AtLeastMemberOf" functionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <Apply functionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">DetailedDesign</AttributeValue> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">Simulation</AttributeValue> </Apply> <AttributeDesignator “urn:tscp:work-effort" DataType="http://www.w3.org/2001/XMLSchema#string" /> </Apply> </Apply> </Condition> </Rule> <Obligations> <Obligation FulfillOn="Permit" RuleId="urn:tscp:names:baf:xacml:1.1:categorization-rules"> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:categorizationRule:business-context">Navigation system</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:categorizationRule:originating-organization">Curtiss</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:categorizationRule:receiving-organization">Packard</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:categorizationRule:classification">USML:11A</AttributeAssignment> <AttributeAssignment 
DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:categorizationRule:product">GNU</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:categorizationRule:product">EGPSU</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:categorizationRule:work-effort">DetailedDesign</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:categorizationRule:work-effort">Simulation</AttributeAssignment> </Obligation> <Obligation FulfillOn="Permit" RuleId="urn:tscp:names:baf:xacml:1.1:visual-marking-rules"> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:visual-marking-rule:General: Distribution Statement">Distribution authorized to U.S. Government Agencies and private individuals or enterprises eligible to obtain export-controlled technical data in accordance w/DoDD 5230.25 20 July 2010. Controlling DoD office is CURTISS</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:visual-marking-rule:General: Warning Statement">This document (or software if applicable) contains technical data whose export/ transfer/disclosure is restricted by the Arms Export Control Act (Title 22, U.S.C., Sec 2751, et. seq.) or the Export Administration Act of 1979, as amended, Title 50, U.S.C., App. 2401 et.seq. Violations of these export laws are subject to severe criminal penalties. Disseminate in accordance with provisions of DoD Directive 5230.25. Dissemination to non-U.S. 
persons whether in the United States or abroad requires an export license or other authorization</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:visual-marking-rule:Document: Footer">Export controlled – see sheet 1</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:visual-marking-rule:General: Summary">DDTC - TAA 1.1</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:visual-marking-rule:Email: First Line Of Text">Export controlled under ITAR</AttributeAssignment>

<AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:visual-marking-rule:Email: Subject Prefix">ITAR</AttributeAssignment> </Obligation> </Obligations> </Policy> <Policy PolicyId="TAA-1.2" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"> <Description>Policy for Business Authorization Category TAA-1.2</Description> <Target> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">urn:curtiss:ba:taa:taa-1.2</AttributeValue> <ResourceAttributeDesignator “urn:oasis:names:tc:xacml:1.0:resource:policy-id" DataType="http://www.w3.org/2001/XMLSchema#string" /> </ResourceMatch> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">1.3.6.1.4.1.30000.300.2</AttributeValue> <ResourceAttributeDesignator “urn:oasis:names:tc:xacml:1.0:resource:policy-id:oid" DataType="http://www.w3.org/2001/XMLSchema#string" /> </ResourceMatch> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">GNU</AttributeValue> <ResourceAttributeDesignator “urn:tscp:resource-product" DataType="http://www.w3.org/2001/XMLSchema#string" /> </ResourceMatch> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">EGPSU</AttributeValue> <ResourceAttributeDesignator “urn:tscp:resource-product" DataType="http://www.w3.org/2001/XMLSchema#string" /> </ResourceMatch> </Resource> </Resources> </Target> <Rule Effect="Permit"> <Description /> <Target> <Actions> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">Any</AttributeValue> 
<ActionAttributeDesignator “urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" /> </ActionMatch> </Action> </Actions> </Target> <Condition> <Apply xsi:type="AndFunction" functionId="urn:oasis:names:tc:xacml:1.0:function:and"> <Apply xsi:type="AtLeastMemberOf" functionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <Apply functionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">Curtiss</AttributeValue> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">Spad-RO</AttributeValue> </Apply> <AttributeDesignator “urn:tscp:affiliated-organization" DataType="http://www.w3.org/2001/XMLSchema#string" /> </Apply> <Apply xsi:type="AtLeastMemberOf" functionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <Apply functionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">US</AttributeValue> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">RO</AttributeValue> </Apply>

<AttributeDesignator “urn:tscp:nationality" DataType="http://www.w3.org/2001/XMLSchema#string" /> </Apply> <Apply xsi:type="AtLeastMemberOf" functionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <Apply functionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">US</AttributeValue> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">RO</AttributeValue> </Apply> <AttributeDesignator “urn:tscp:location" DataType="http://www.w3.org/2001/XMLSchema#string" /> </Apply> <Apply xsi:type="AtLeastMemberOf" functionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <Apply functionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">Simulation</AttributeValue> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">Integration</AttributeValue> </Apply> <AttributeDesignator “urn:tscp:work-effort" DataType="http://www.w3.org/2001/XMLSchema#string" /> </Apply> </Apply> </Condition> </Rule> <Obligations> <Obligation FulfillOn="Permit" RuleId="urn:tscp:names:baf:xacml:1.1:categorization-rules"> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:categorizationRule:business-context">Navigation system</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:categorizationRule:originating-organization">Curtiss</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:categorizationRule:receiving-organization">Spad-RO</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:categorizationRule:product">GNU</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" 
“urn:tscp:names:baf:xacml:1.1:categorizationRule:product">EGPSU</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:categorizationRule:work-effort">Simulation</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:categorizationRule:work-effort">Integration</AttributeAssignment> </Obligation> <Obligation FulfillOn="Permit" RuleId="urn:tscp:names:baf:xacml:1.1:visual-marking-rules"> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:visual-marking-rule:General: Distribution Statement">Distribution authorized to U.S. Government Agencies and private individuals or enterprises eligible to obtain export-controlled technical data in accordance w/DoDD 5230.25 20 July 2010. Controlling DoD office is CURTISS</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:visual-marking-rule:General: Warning Statement">This document (or software if applicable) contains technical data whose export/ transfer/disclosure is restricted by the Arms Export Control Act (Title 22, U.S.C., Sec 2751, et. seq.) or the Export Administration Act of 1979, as amended, Title 50, U.S.C., App. 2401 et.seq. Violations of these export laws are subject to severe criminal penalties. Disseminate in accordance with provisions of DoD Directive 5230.25. Dissemination to non-U.S. 
persons whether in the United States or abroad requires an export license or other authorization</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:visual-marking-rule:Document: Footer">Export controlled – see sheet 1</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:visual-marking-rule:General: Summary">DDTC - TAA 1.1</AttributeAssignment> </Obligation> </Obligations> </Policy> </PolicySet>
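The following sketch is an added example, not part of the BAF specification: it shows how a decision point would evaluate the TAA-1.1 policy listed above and why the enforcement point has to refuse anything other than Permit. It assumes standard XACML 2.0 semantics (matches inside one Resource are conjunctive, an absent attribute is an empty bag, a Permit rule whose condition fails yields NotApplicable); the request layout and the function names are hypothetical, while attribute identifiers and values are taken from the listing.

```python
# Added illustration, not BAF code. Assumes standard XACML 2.0 semantics; the
# request layout (attribute id -> list of values) and function names are hypothetical.
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RES = "urn:oasis:names:tc:xacml:1.0:resource:"

TAA_1_1 = {
    "target": {  # every ResourceMatch inside the single <Resource> must hold
        RES + "policy-id": ["urn:curtiss:ba:taa:taa-1.1"],
        RES + "policy-id:oid": ["1.3.6.1.4.1.30000.300.1"],
        "urn:tscp:resource-product": ["GNU", "EGPSU"],
    },
    "action": "Any",  # string-equal compares the literal value; it is not a wildcard
    "condition": {    # "and" over four string-at-least-one-member-of tests
        "urn:tscp:affiliated-organization": {"Curtiss", "Packard"},
        "urn:tscp:nationality": {"US", "GB"},
        "urn:tscp:location": {"US", "GB"},
        "urn:tscp:work-effort": {"DetailedDesign", "Simulation"},
    },
}

def bag(request, attribute_id):
    """Attribute bag from the request; an absent attribute is an empty bag."""
    return set(request.get(attribute_id, ()))

def evaluate(policy, request):
    """Return 'Permit' or 'NotApplicable' (the policy holds one Permit rule)."""
    for attr, required in policy["target"].items():
        if not set(required) <= bag(request, attr):
            return "NotApplicable"   # a required resource value is missing
    if policy["action"] not in bag(request, ACTION_ID):
        return "NotApplicable"
    for attr, allowed in policy["condition"].items():
        if not (allowed & bag(request, attr)):
            return "NotApplicable"   # no overlap, or attribute not supplied
    return "Permit"

def enforce(policy, request):
    """Deny-biased enforcement point: only an explicit Permit grants access."""
    return evaluate(policy, request) == "Permit"

# Constructed sample request: resource tagged with both products, US national
# affiliated with Curtiss, located in GB, working on Simulation.
SAMPLE = {
    **TAA_1_1["target"],
    ACTION_ID: ["Any"],
    "urn:tscp:affiliated-organization": ["Curtiss"],
    "urn:tscp:nationality": ["US"],
    "urn:tscp:location": ["GB"],
    "urn:tscp:work-effort": ["Simulation"],
}
```

Because the policy never returns Deny, a request with a missing or non-matching attribute falls through as NotApplicable, so the refusal has to come from the enforcement point or from an enclosing default-deny policy.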