NIST Finalizes Attribute Considerations for Access Control Systems

The National Institute of Standards and Technology (NIST) released the finalized version of Special Publication (SP) 800-205 today, offering a guide for implementing attributes in Federal access control systems.

The guidance, an update to a version originally created in 2014, helps agencies as they consider alternatives to the traditional role-based access control method.

“This document aims to provide federal agencies with a guide to attribute considerations with Attribute Evaluation Scheme examples for access control,” the guidance states.

The new publication is similar in nature to SP 800-162, which provides a guide on attribute-based access control, but offers “detailed recommendations on considerations such as the preparation, veracity, security, readiness, and management of attributes.” SP 800-205 also extends previous NIST works such as NIST Interagency Report 8112 and SP 800-178.

NIST does not endorse a particular style of attribute-based access control, but focuses on the attribute properties that agencies should consider while establishing their access control system, and identifies five key areas of interest:

  • Preparation – planning of the attribute creation and sharing mechanism;
  • Veracity – policy and technical underpinnings for semantic and syntactic correctness;
  • Security – standards and protocols for secure transmission and attribute repositories;
  • Readiness – frequency of refresh for attributes; and
  • Management – maintenance of attributes for efficiency and consistency.
