As many organizations explore options for cyber-secure multifactor access, the National Institute of Standards and Technology has released Draft Special Publication 800-205, which describes the attribute-influencing factors that an access control system must address when engineering and evaluating attributes. The document expands upon NIST SP 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations. The new draft proposes some notional implementation suggestions for consideration from the perspectives of fundamental security properties. It is intended to guide federal agencies on attribute considerations, with Attribute Evaluation Scheme examples for access control.
Attributes enable a logical access control methodology in which authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environmental conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes. This document outlines the factors influencing attributes that an authoritative body must address when standardizing an attribute system, and proposes some notional implementation suggestions for consideration.
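The evaluation described above, sketched as an added example (not code from the NIST draft): a default-deny decision function that checks subject, object, operation and environment attributes against policy rules. The rule names, attribute names and sample values are constructed for illustration, and the choice to fail closed on a missing attribute is an assumption of this sketch.

```python
from dataclasses import dataclass
from typing import Any, Callable, Mapping, Optional, Sequence, Tuple

Attrs = Mapping[str, Any]

@dataclass(frozen=True)
class Rule:
    name: str
    operations: frozenset  # operations this rule can permit
    condition: Callable[[Attrs, Attrs, Attrs], bool]  # (subject, object, env)

def decide(rules: Sequence[Rule], subject: Attrs, obj: Attrs,
           operation: str, env: Attrs) -> Tuple[bool, Optional[str]]:
    """Return (permitted, matching_rule_name); deny unless a rule permits."""
    for rule in rules:
        if operation not in rule.operations:
            continue
        try:
            if rule.condition(subject, obj, env):
                return True, rule.name
        except KeyError:
            # A required attribute is absent: the rule cannot be satisfied,
            # so it never permits (fail closed instead of guessing a value).
            continue
    return False, None

# Constructed policy: each rule relates subject, object and environment.
POLICY = [
    Rule("clinician-reads-own-department", frozenset({"read"}),
         lambda s, o, e: s["role"] == "clinician"
         and s["department"] == o["department"]
         and e["network"] == "internal"),
    Rule("owner-edits-in-business-hours", frozenset({"read", "write"}),
         lambda s, o, e: s["id"] == o["owner"] and 8 <= e["hour"] < 18),
]

# Constructed sample attributes.
ALICE = {"id": "alice", "role": "clinician", "department": "cardiology"}
BOB = {"id": "bob", "role": "admin", "department": "it"}
CAROL = {"id": "carol", "role": "clinician"}  # department attribute missing
RECORD = {"owner": "bob", "department": "cardiology"}
INTERNAL_DAY = {"network": "internal", "hour": 10}
EXTERNAL_DAY = {"network": "external", "hour": 10}
INTERNAL_NIGHT = {"network": "internal", "hour": 20}

if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL):
        for op in ("read", "write"):
            print(who["id"], op, decide(POLICY, who, RECORD, op, INTERNAL_DAY))
```

The CAROL case shows why attribute completeness matters to the decision: with the department attribute absent, the rule that would otherwise apply cannot be evaluated and access is denied.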
Comments Due: April 1, 2019. Email Comments to: sp800-205-comments@nist.gov
Authors: Vincent Hu (NIST), David Ferraiolo (NIST), Richard Kuhn (NIST)
NOTE: A call for patent claims is included on page iv of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.