CS1/05-0082
NOTE: Based upon the discussion and comments on the original project proposal, CS1/05-0009, at the first INCITS CS1 meeting on June 7-8, 2005, the proposers have drafted this revised project proposal.
Requirements for the Implementation of Role Based Access Control (RBAC)
1. Source of the Proposed Project
1.1. Title
Requirements for the Implementation of Role Based Access Control (RBAC)
1.2. Date Submitted
August 23, 2005
1.3. Proposer
Mike Davis, Department of Veterans Affairs (SAIC), Rick Kuhn, NIST
2. Process Description for the Proposed Project
2.1. Project Type
D - this is a standard development project.
2.2. Type of Document
The project is expected to result in an American National Standard.
2.3. Definitions of Concepts and Special Terms
Base Standards - define fundamentals and generalized procedures. They provide an infrastructure that can be used by a variety of applications, each of which can make its own selection from the options offered by them.
Implementation Requirements - define conforming subsets or combinations of base standards used to provide specific functions. Implementation Requirements identify the use of particular options available in the base standards, and provide a basis for the interchange of data between applications and interoperability of systems.
2.4. Expected Relationship with Approved Reference Models, Architectures, etc.
None
2.5. Recommended INCITS Development Technical Committee
Technical Committee CS1 on Cyber Security
2.6. Anticipated Frequency and Duration of Meetings
It is anticipated that this project would require one-day meetings approximately four times annually.
2.7. Target Date for Initial Public Review
If the project is approved in September 2005, the draft document could be ready for submission to INCITS for Milestone 4 processing in June 2006.
2.8. Estimated Useful Life of Standard
There is no known limitation on the useful life of this proposed standard.
3. Business Case for Developing the Proposed Standard
3.1. Description
This proposed standard will specify the implementation requirements for role based access control in applications, such as financial services, health care, manufacturing, transportation, etc. It will specify the use of existing requirements and/or options in the relevant base standard in order to provide for the interoperability of role based access in systems. The functional specifications defined by INCITS 359-2004, American National Standard for Information Technology - Role Based Access Control, will serve as the basis for specifying implementation requirements in this standard.
3.2. Existing Practice and the Need for a Standard
Currently, there is no standard addressing the implementation requirements for role based access control in various applications. For instance, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), also known as Public Law 104-191, establishes requirements for the protection of health records and related information. HIPAA regulations specifically cite RBAC as a desired security model for health records, and providers have a need to store and exchange records securely. Implementation requirements for RBAC are needed to ensure interoperability among health care and other applications and meet privacy requirements of HIPAA and related rules.
3.3. Implementation Impacts of the Proposed Standard
3.3.1. Development Costs
Since relevant work has already been performed within existing standards groups and federal agencies, it is expected that the costs related to further development of this standard would be low.
Technical editor labor is expected to total about two months of a staff-year.
3.3.2. Impact on Existing or Potential Markets
Existing and new markets for RBAC systems should experience added impetus from the benefits of interoperability. Development of this standard should help to further accelerate the deployment of standards-based RBAC applications within systems.
3.3.3. Costs and Methods for Conformity Assessment
The possible testing environment may range from the use of suppliers' declarations to third party testing. Therefore, the cost of conformity assessment is not known at this time.
3.3.4. Return on Investment
There is no known data on which to make an estimate.
3.4. Legal Considerations
3.4.1. Patent Assertions
INCITS 359-2004, American National Standard for Information Technology – Role Based Access Control, is the base standard for which implementation requirements will be developed. There are no known patent issues.
3.4.2. Dissemination of the Standard
Drafts of this standard will be distributed electronically. There may be distribution constraints as this document reaches different stages of development and processing within INCITS. There are no known IPR issues.
4. Related Standards Activities
4.1. Existing Standards
INCITS 359-2004, American National Standard for Information Technology – Role Based Access Control
4.2. Related Standards Activity
This proposed standard is expected to be compatible with the Core and Hierarchical Role Based Access Control (RBAC) profile of XACML, Version 2.0 (Committee Draft 01, 11 November 2004) developed by OASIS XACML TC.
IETF RFC 3881 is a basic reference document for the Integrating the Healthcare Enterprise (IHE) "Audit Trail and Node Authentication" profile and DICOM Supplement 95.
4.3. Recommendations for Close Liaison
INCITS Technical Committees B10 and M1
OASIS XACML Technical Committee
5. Units of Measurement used in the Standard
Indicate units of measurement used in the Standard:
___ International Systems of Units (SI)
___ Inch/Pound
___ Both
___ Other
XX Not Measurement Sensitive
It is not anticipated that units from a physical dimensioning system will be needed for specifying the requirements of this standard. If necessary, the goal would be to use the International System of Units (SI).