Description:
OBJECTIVE: Develop a framework for a secure, standards-based Attribute-Based Access Control (ABAC) solution that is capable of dynamically redacting and filtering data within the DIB Query Service (1.3 and later) SOAP endpoint and is interoperable with Simple Object Access Protocol (SOAP) Dial-Tone, Distributed Common Ground System (DCGS) Directory Information Base (DIB), and Distributed Common Ground System-Army (DCGS-A) architectures.

DESCRIPTION: The current DCGS-A systems were built to provide best-in-class data services at the time and are in need of architecture enhancements to support current guidance. The currently deployed DIB systems lack identity and attribute awareness, leaving DCGS-A with systems that have constricted security boundaries. These boundaries impair a warfighter's ability to use information resources beyond the user's immediate visibility, awareness, or access. To comply with Intelligence Community (IC) Directives, DCGS-A requires the capability to redact and filter federated data within the DIB (1.3 and later) Query Service SOAP endpoint, in a manner that allows the re-use of existing deployed architectures to the greatest extent possible and supports information-sharing efforts, actionable intelligence, and use of new and emerging IT technologies (e.g. cloud and shared computing services). In the fielded system, it is currently not possible to redact or filter information accessed within the DIB Query Service SOAP endpoint. A standards-based ABAC solution would take in the requesting entity's attributes and the applicable access control policies and return only the data that the entity is allowed to see. The solution architecture for this effort will incorporate SOAP Dial-Tone, Distributed Common Ground/Surface System (DCGS) Multi-Service Execution Team (MET) Office (DMO) DIB architectures, and DCGS-A's fine-grained Attribute-Based Access Control (ABAC) mechanisms.

This solution will address Intelligence Community Directive 501 (ICD 501), The Discovery and Dissemination or Retrieval of Information within the Intelligence Community; ICD 503, Intelligence Community Information Technology Systems Security Risk Management, Certification and Accreditation; and other relevant DoD/IC guidance and net-centric requirements. The solution will leverage the IC security markings maintained by the Office of the Director of National Intelligence (ODNI)/Controlled Access Program Coordination Office (CAPCO) and the XML Data Encoding Specification for Information Security Marking Metadata V9 (ISM.XML.V9), 17 July 12. Previous efforts to be leveraged include DMO's DIB 2.0 PL3 certification and the DMO DIB 1.3 Redaction demonstration, which support the architecture and system development design goals.

PHASE I: Prepare a feasibility study for a framework solution that can redact and filter data elements for Product Retrieval and Dissemination within the SOAP-based DIB (1.3 and later) Query Service, accessible through the DCGS-A ABAC architecture. This framework will support Special Operations Forces (SOF) and Army (513), with the Army as the producer node. The attribute store will be set up in the consumer node. The Army node will set up a trust between the consumer and producer Secure Token Service (STS).

PHASE II: Using the resulting materials and/or designs from Phase I, develop an Integrated Master Schedule with resource allocation and assemble a prototype to demonstrate the feasibility and efficacy of the solution. Benchmark and identify production tasks, system throughput, scaling of capabilities, use of identity, policies, attributes, management of policies, management of attributes, and auditing for production. Use the resulting prototype to support an Interoperability Demonstration Pilot.

PHASE III: Operationalize the dissemination of the solution within DCGS-A and the DIB. Prepare the roadmap to guide related efforts and support accreditation.

DUAL USE COMMERCIALIZATION: Military Application: Transition the capability into the current ABAC-based solution to support secure near real-time collaboration between DCGS-A and other entities. Commercial Application: Companies that need to protect sensitive data while collaborating in interoperable environments, including healthcare, banking, and other industries.
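The redact-and-filter behaviour the objective describes, sketched as an added example (not code from the solicitation or any DIB/DCGS-A component): a marked Query Service response is pruned element by element against the subject's clearance and country attributes, using real ISM.XML marking attributes. The element names, the constructed sample response and the policy rules are assumptions for illustration; a fielded solution would take its rules from a policy store rather than hard-coding them.

```python
import xml.etree.ElementTree as ET

ISM = "urn:us:gov:ic:ism"  # namespace of the ISM.XML security marking attributes
RANK = {"U": 0, "C": 1, "S": 2, "TS": 3}

# Constructed sample of a marked Query Service response. Element names are
# assumed; the ism:* attributes are real ISM.XML attributes ("NF" = NOFORN).
SAMPLE = """<QueryResponse xmlns:ism="urn:us:gov:ic:ism">
  <Product ism:classification="U" ism:ownerProducer="USA">
    <Title ism:classification="U" ism:ownerProducer="USA">Bridge survey</Title>
    <Summary ism:classification="S" ism:ownerProducer="USA"
             ism:disseminationControls="NF">Load rating details</Summary>
    <Location ism:classification="C" ism:ownerProducer="USA"
              ism:releasableTo="USA GBR">Grid reference</Location>
  </Product>
  <Product ism:classification="TS" ism:ownerProducer="USA">
    <Title ism:classification="TS" ism:ownerProducer="USA">Source report</Title>
  </Product>
</QueryResponse>"""

def permitted(elem, subject):
    """Policy decision for one element: may `subject` see it and its content?
    Unmarked elements inherit their parent's decision; unknown markings fail closed."""
    cls = elem.get(f"{{{ISM}}}classification")
    if cls is None:
        return True
    if cls not in RANK or RANK[cls] > RANK[subject["clearance"]]:
        return False
    rel = elem.get(f"{{{ISM}}}releasableTo")
    if rel is not None and subject["country"] not in rel.split():
        return False
    noforn = "NF" in elem.get(f"{{{ISM}}}disseminationControls", "").split()
    return not (noforn and subject["country"] != "USA")

def redact(node, subject):
    """Policy enforcement: remove every child the subject may not see, recursively,
    so restricted content is never serialised back into the SOAP body."""
    for child in list(node):
        if permitted(child, subject):
            redact(child, subject)
        else:
            node.remove(child)
    return node

def filter_response(xml_text, subject):
    """Parse a marked response, apply the subject's attributes, return the tree."""
    return redact(ET.fromstring(xml_text), subject)

def visible_text(root):
    """Text content that survived redaction, in document order (for inspection)."""
    return [e.text for e in root.iter() if e.text and e.text.strip()]
```

Note that the whole `Product` is dropped when its own marking exceeds the subject's clearance, while a releasable `Product` keeps only the child elements the subject is entitled to, which is the per-element redaction the objective calls for.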