The National Institute of Standards and Technology (NIST) released the finalized version of Special Publication (SP) 800-205 today, offering a guide for implementing attributes in Federal access control systems.
The guidance, an update to a version originally created in 2014, helps agencies as they consider alternatives to the traditional role-based access control method.
“This document aims to provide federal agencies with a guide to attribute considerations with Attribute Evaluation Scheme examples for access control,” the guidance states.
The new publication is similar in nature to SP 800-162, which provides a guide on attribute-based access control, but offers “detailed recommendations on considerations such as the preparation, veracity, security, readiness, and management of attributes.” SP 800-205 also builds on previous NIST work such as NIST Interagency Report 8112 and SP 800-178.
NIST does not endorse a particular style of attribute-based access control, but focuses on the attribute properties that agencies should consider while establishing their access control systems, setting out five key areas of interest:
- Preparation – planning of the attribute creation and sharing mechanism;
- Veracity – policy and technical underpinnings for semantic and syntactic correctness;
- Security – standards and protocols for secure transmission and attribute repositories;
- Readiness – frequency of refresh for attributes; and
- Management – maintenance of attributes for efficiency and consistency.