Business Authorization Framework Version 1
BAF v.1
Prepared by: TSCP ILH Team
Lead Author: Jean-Paul Buu-Sao, TSCP
Released to: TSCP Architecture Committee Edition: 1.3.0 Published: October 22, 2012
Business Authorization Framework Version 1.5 i
Copyright © 2012 Transglobal Secure Collaboration Program, Inc.
All rights reserved.
Terms and Conditions
Transglobal Secure Collaboration Program, Inc. (TSCP) is a consortium comprising a number of commercial and government
members (as further specified at http://www.tscp.org) (each a “TSCP Member”). This specification was developed and is being
released under this open source license by TSCP.
Use of this specification is subject to the disclaimers and limitations described below. By using this specification you (the user)
agree to and accept the following terms and conditions:
1. This specification may not be modified in any way. In particular, no rights are granted to alter, transform, create derivative
works from, or otherwise modify this specification. Redistribution and use of this specification, without modification, is
permitted provided that the following conditions are met:
Redistributions of this specification must retain the above copyright notice, this list of conditions, and all terms and
conditions contained herein.
Redistributions in conjunction with any product or service must reproduce the above copyright notice, this list of
conditions, and all terms and conditions contained herein in the documentation and/or other materials provided with the
distribution of the product or service.
TSCP’s name may not be used to endorse or promote products or services derived from this specification without
specific prior written permission.
2. The use of technology described in or implemented in accordance with this specification may be subject to regulatory controls
under the laws and regulations of various jurisdictions. The user bears sole responsibility for the compliance of its products
and/or services with any such laws and regulations and for obtaining any and all required authorizations, permits, or licenses for
its products and/or services as a result of such laws or regulations.
3. THIS SPECIFICATION IS PROVIDED “AS IS” AND WITHOUT WARRANTY OF ANY KIND. TSCP AND EACH
TSCP MEMBER DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, INCLUDING,
WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF TITLE, NONINFRINGEMENT,
MERCHANTABILITY, QUIET ENJOYMENT, ACCURACY, AND FITNESS FOR A PARTICULAR PURPOSE.
NEITHER TSCP NOR ANY TSCP MEMBER WARRANTS (A) THAT THIS SPECIFICATION IS COMPLETE OR
WITHOUT ERRORS, (B) THE SUITABILITY FOR USE IN ANY JURISDICTION OF ANY PRODUCT OR SERVICE
WHOSE DESIGN IS BASED IN WHOLE OR IN PART ON THIS SPECIFICATION, OR (C) THE SUITABILITY OF
ANY PRODUCT OR A SERVICE FOR CERTIFICATION UNDER ANY CERTIFICATION PROGRAM OF TSCP OR
ANY THIRD PARTY.
4. IN NO EVENT SHALL TSCP OR ANY TSCP MEMBER BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY
CLAIM ARISING FROM OR RELATING TO THE USE OF THIS SPECIFICATION, INCLUDING, WITHOUT
LIMITATION, A CLAIM THAT SUCH USE INFRINGES A THIRD PARTY’S INTELLECTUAL PROPERTY
RIGHTS OR THAT IT FAILS TO COMPLY WITH APPLICABLE LAWS OR REGULATIONS. BY USE OF THIS
SPECIFICATION, THE USER WAIVES ANY SUCH CLAIM AGAINST TSCP OR ANY TSCP MEMBER RELATING
TO THE USE OF THIS SPECIFICATION. IN NO EVENT SHALL TSCP OR ANY TSCP MEMBER BE LIABLE FOR
ANY DIRECT OR INDIRECT DAMAGES OF ANY KIND, INCLUDING CONSEQUENTIAL, INCIDENTAL,
SPECIAL, PUNITIVE, OR OTHER DAMAGES WHATSOEVER ARISING OUT OF OR RELATED TO ANY USER
OF THIS SPECIFICATION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
5. TSCP reserves the right to modify or amend this specification at any time, with or without notice to the user, and in its sole
discretion. The user is solely responsible for determining whether this specification has been superseded by a later version or a
different specification.
6. These terms and conditions will be interpreted and governed by the laws of the State of Delaware without regard to its conflict
of laws and rules. Any party asserting any claims related to this specification irrevocably consents to the personal jurisdiction of
the U.S. District Court for the District of Delaware and to any state court located in such district of the State of Delaware and
waives any objections to the venue of such court.
Business Authorization Framework Version 1.5 ii
TABLE OF CONTENTS
1. Purpose .................................................................................................................................................. 1 2. Status of the proposal ............................................................................................................................. 2 3. Terminology ............................................................................................................................................ 3 4. Process Model ........................................................................................................................................ 4 5. Data Model ............................................................................................................................................. 5
5.1 Protection Profile .............................................................................................................................. 6 5.2 Business Authorization..................................................................................................................... 7 5.3 Policy ................................................................................................................................................ 8 5.4 Policy Authority ................................................................................................................................ 9 5.5 Business Authorization Category ................................................................................................... 10 5.6 Impact Level ................................................................................................................................... 11 5.7 Categorization Rule ........................................................................................................................ 12 5.8 Access Rule ................................................................................................................................... 14 5.9 Marking Rules ................................................................................................................................ 16
6. Interchange format ............................................................................................................................... 18 6.1 BAF Profile for XACML .................................................................................................................. 18
6.1.1 Protection Profile .................................................................................................................. 19 6.1.2 Business Authorization Category ......................................................................................... 19 6.1.3 Identification of Business Authorization Categories ............................................................. 19 6.1.4 Categorization rules ............................................................................................................. 20 6.1.5 Access Rules ........................................................................................................................ 21 6.1.6 Marking rules ........................................................................................................................ 22
6.2 Plain XML ....................................................................................................................................... 23 7. Acronyms .............................................................................................................................................. 28 8. References ........................................................................................................................................... 30 9. APPENDIX ............................................................................................................................................ 31
9.1 BAF mapping to XACML (logical models) ...................................................................................... 31 9.1.1 XACML instance of TAA#1................................................................................................... 32
Table of Figures
Figure 1. Overall Process Model ................................................................................................................... 4
Figure 2. Data Model ..................................................................................................................................... 5
Figure 3. BAF Mapping to XACML ............................................................................................................. 31
Business Authorization Framework Version 1.5 iii
CONTRIBUTORS
Richard Skedd BAE Systems
Dexter Smith The Boeing Company
Tim Bird The Boeing Company
Scott Fitch Lockheed Martin Corporation
Mark Burns Northrop Grumman Corporation
Chris Jordan UK Ministry of Defence
Jean-Paul Buu-Sao TSCP
REVISION HISTORY
Date Version Author Changes Made
3 July 2009 0-0 Jean-Paul Buu-Sao Created
10 July 2009 0-1 Jean-Paul Buu-Sao Updated with latest version of the XML Schema and
instance example. First draft circulated within IAP Tiger Team
23 July 2009 0-2 Jean-Paul Buu-Sao Updated with feedback from IAP Tiger Team
Added Process Model section
12 Nov 2009 1-0 Jean-Paul Buu-Sao
Baseline v1.0 including feedback from Nov Business Week
For Export Control Working Group validation
15 Jun 2011 1-1 Jean-Paul Buu-Sao Updated after feedback from policy SME’s (including
UK and IP)
4 Aug 2011 1-2 Jean-Paul Buu-Sao Impact Level decomposed, and accept/deny on
access rules
8 Sep 2011 1-3 Jean-Paul Buu-Sao Updated “Data Model” and “BAF Profile for XACML”
sections
Business Authorization Framework Version 1.5 Page 1 of 35
1. Purpose
TSCP is establishing a framework with the objective of streamlining all business authorization (security policies) processes that its members need to implement information asset protection throughout the various Aeronautical & Defense (A&D) programs. The general purpose of this document is to introduce this framework at a high-level, and in particular, to allow subject matter experts (SME) to validate the approach and content.
The problem statement can be briefly summarized as follows:
Policy Authorities (such as US-DDTC1) provide business authorizations (such as ITAR TAA
2) in forms that
need to be interpreted manually in order to extract information properly, for example, setting up access management rules; this is error prone (interpretation errors) and costly.
Two main factors that contribute to the problem are:
Organizations receive artifacts from policy authorities and these artifacts are not in a form that can be efficiently automated. The artifacts generally consist of textual documents that need to be manually read and interpreted before the contained information can be used in adequate applications for policy administration and implementation.
In the absence of standards and appropriate guidelines, applications implement policy artifacts with great difficulty, which results in incomplete support of the policy requirements.
The purpose of the Business Authorization Framework (BAF) is to design a framework for the administration and management of business authorizations that enables a higher level of automated processes for business protection policies.
In contrast with the factors highlighted above, BAF contributes to solving the problem statement by:
Proposing an expression of policy requirements that are specifically targeted for system processing. Note that this representation does not eliminate the need for exchanging textual documents, which is a requirement for legal reasons; future studies will include the possibility of generating the textual material from the systemic expression of the policy requirements.
Proposing a set of guidelines for the automated processing of policy requirements that software vendors can use as a source of requirements in order to deliver consistent support across applications.
BAF v.1.1 includes three main components:
1. A process model that specifies the key use-cases involved with the definition and management of business authorizations.
2. An extensible data model that specifies the data elements required to articulate a generic business authorization.
3. An XML-based interchange format which allows the exchange of business authorizations across administrative, platform, and application boundaries.
1 The Department of Defense Trace Control (DDTC) is the U.S. authority that governs Export Control
regulations and the International Traffic in Arms Regulations (ITAR) policies.
2 The Technical Assistance Agreement (TAA) is one of the licenses that organizations need to obtain and
comply with in order to export technical information under the ITAR policies.
Business Authorization Framework Version 1.5 Page 2 of 35
2. Status of the proposal
The data constructs put forward in BAF v.1 are based upon the analysis of the requirements that are
specified in a limited set of Export Control and Intellectual Property policies, namely ITAR TAA, EAR3, EU
UGEA4, and generic PIEA
5. Although proven to support this initial set of policies, the BAF model is meant
to be extensible in order to cope with other policy regimes. As of the writing of this document, work is underway to support other EU
6 Export Control policies.
Despite this caveat, this proposal has the merit of setting out the foundational elements that will support
further discussions on the integration of other instances of ITAR TAA and PIEA7, as well as allowing
modeling work around other required types of business authorizations (e.g., NDA8, MTA
9, etc.).
3 EAR: The Export Administration Regulations, under the authority of the US Bureau of Industry and
Security (BIS), regulates Export Control of dual-use (civilian and military) items.
4 Union General Export Authorization: A license under the authority of the European Union that regulates
Export Control of dual-use items.
5 Manufacturing Technical Agreement: Another type of license under the ITAR policies.
6 EU: European Union
7 PIEA: A Proprietary Information Exchange Agreement.
8 NDA: A Non-Disclosure Agreement.
9 MTA: A Manufacturing Technical Agreement; this is another type of license under the ITAR policies.
Business Authorization Framework Version 1.5 Page 3 of 35
3. Terminology
This section provides a primer on the business terminology used throughout this document.
Program: A business context that is formed in order to deliver a final product to a customer. For example, the Joint Strike Fighter (JSF) program aims at delivering various versions of the F35 fighter to military customers.
Policy authority: An entity that holds legal or administrative authority over one or more policy scopes. BAF recognizes three types of policy authorities: export authorities (e.g., Directorate of Defense Trade Control, a branch of the U.S. Department of State), National Security authorities (e.g., the UK Cabinet Office), and intellectual property authorities (e.g., Lockheed Martin).
Policy scope: The scope that encompasses the set of organizations and systems managed by a given policy authority. Each policy has one, and only one, policy authority.
Business authorization: The result of the analysis of a manually readable policy artifact and of the expression, in a precise manner, of all the components of information protection policies required for consistent interpretation of policy artifacts.
Business Context Specific Resource Protection Profile (shortened to Protection Profile hereafter): The result of the analysis of all the business authorizations applicable under a given business context, and capture, in a precise manner, of the components required for consistent implementation across collaboration partners.
Delegated Administrative Authority: The entity that has the responsibility of applying a given policy on behalf of its policy authority. For example, LMCO, as the prime contractor of the JSF program, is also a delegated administrative authority for ITAR policies on behalf of the DDTC policy authority.
Information Asset: A generic way to designate containers of information, whether it is a document, a webpage, or a database record.
Item: In Export Control terminology, the item designates the physical goods to be exported. Export Control regulations aim at controlling the export of items and information assets.
Risk Impact: The evaluation of risks that would occur should an information asset be disclosed. The assessment of a risk impact determines the set of security controls that is mandated in order to mitigate the risk.
Business Authorization Framework Version 1.5 Page 4 of 35
4. Process Model
BAF promotes a process where policy authorities express their requirements in a form that is consistent across policy authorities, and that allows for automated processes that can be implemented by organizations that need to comply with these policies.
Figure 1 below depicts a typical A&D setting where, in a specific business context (a program), an organization playing the role of the “Delegated Administrative Authority” puts together all the applicable policy requirements for all organizations that are a part of the program to be implemented.
Figure 1. Overall Process Model
The three key business processes implied by this model are:
1. Specification of the information protection policy requirements: Policy authority administrators formulate their policy requirements in the form of business authorizations. The format of the business authorizations is standard across policy authorities.
2. Creation of the protection profile: The organization playing the role of the delegated administrative authority puts together the comprehensive set of business authorizations applicable to the program in the form of a protection profile. The protection profile is standard across program participants.
3. Administration of the information protection policy requirements: Organizations that are part of the program need to implement the protection profile before starting to collaborate.
There is one possible variation to this target model:
Some policy authorities may not produce their policy requirements in the form of business authorizations. In this case, the delegated administrative authority translates the traditional artifacts to the business authorization format.
The BAF specification is mainly focused on the definition of the standard interchange formats for business authorizations and protection profiles, which are containers of business authorizations.
This specification sets the requirements for software vendors willing to support automated processes for business authorizations in their product offers.
Business Authorization Framework Version 1.5 Page 5 of 35
5. Data Model
Figure 2 below, a UML10
class-diagram,11
shows the protection profile and its key constituents. The
following sub-sections provide details on each of these components.
Figure 2. Data Model
10 Unified Modeling Language (UML): The modeling language that was used to model BAF. (For more
information, see http://en.wikipedia.org/wiki/Unified_Modeling_Language.)
11 A class-diagram represent classes (the rectangles) with relations between themselves with an
indication of the multiplicity of the relations. In UML, the multiplicity is annotated on the target class, following a convention opposite to the entity relationship’s diagrams. The absence of multiplicity indicates the default value of “1.”
Business Authorization Framework Version 1.5 Page 6 of 35
5.1 Protection Profile
Concept Definition Examples
Protection Profile The result of the analysis of all the business authorizations applicable under a given business context, and capture, in a precise manner, of the components required for consistent implementation across collaboration partners.
A protection profile defining the information protection requirements for the collaboration around the design of the navigation system of Program-Z.
Business Context Name of the business context (string).
Program-Z
Version Number The version of the protection profile as managed by its issuer (string).
1.0
Identifier The unique identifier of the protection profile in the scope of its issuer.
urn:curtiss:pp:pgrm-z
Issuer The digital certificate establishing the identity of the issuer of the protection profile.
Curtiss X509 Certificate
A Protection Profile has at least one business authorization detailed hereafter.
Business Authorization Framework Version 1.5 Page 7 of 35
5.2 Business Authorization
Concept Definition Examples
Business Authorization The result of the analysis of a human-readable policy artifact and of the expression, in a consistent and precise manner, of all the components of information protection policies required for consistent interpretation of policy artifacts.
A Technical Assistance Agreement (TAA) is a business authorization, defining information protection requirements in the context of ITAR export control’s policy scope.
Name Name of the business authorization (string).
TAA-1
Version Number The version of the business authorization as managed by the policy authority or by the delegated policy authority (string).
1.0
Validity Dates The validity dates of the business authorization defined as a start date and an end date. Either date can be left undefined, thus expressing an open-ended range.
2014/10/01
Document Locator The URL to a document that represents the human-readable form of the policy that a business authorization formalizes.
http://www.curtiss.com/ba/taa-1.pdf
Identifier A unique identifier of the business authorization as managed by the policy authority or by the delegated policy authority (URN).
urn:curtiss:ba:taa:taa-1
A business authorization is associated to a policy, and has at least one business authorization category.
Business Authorization Framework Version 1.5 Page 8 of 35
5.3 Policy
Concept Definition Examples
Policy A set of requirements that aims at protecting items and information under a given policy scope.
The ITAR policy aims at protecting items (goods) and information under the Export Control policy scope.
Name Name of the Policy (string). ITAR
Identifier A unique identifier of the policy, as managed by the policy authority.
urn:tscp:pa:us:ddtc
Types A policy can be of the following three types:
Export Control
National Security
Intellectual Property
ITAR is a policy of type Export Control for country = U.S.
A policy is associated to a policy authority.
Business Authorization Framework Version 1.5 Page 9 of 35
5.4 Policy Authority
Concept Definition Examples
Policy Authority An entity that holds legal or administrative authority over one or more policy scopes.
The Directorate of Defense Trade Control (DDTC), a branch of the U.S. Department of State, is the policy authority defining ITAR Export Control policy scope.
Policy Authority - Name The name of the policy authority. DDTC
Policy Authority – Identifier
A unique identifier for the policy authority.
urn:tscp:pa:us:ddtc
A policy authority is authoritative on at least one policy.
Business Authorization Framework Version 1.5 Page 10 of 35
5.5 Business Authorization Category
Concept Definition Examples
Business Authorization Category
Designates a uniquely identifiable construct that defines a subset of the requirements within a business authorization. A business authorization must contain at least one business authorization category.
The TAA, which grants to Curtiss the right to export information to Packard and Spad, in context of the design and simulation of the navigation system of Program-Z, contains two categories: one general category for the protection of information related to the GPRSNU item, and one category specifically addressed at the Y-Code subsystem of the GPRSNU item.
Name A name for the business authorization category.
TAA-1.1
URN An identifier, expressed as a URN, that is unique within an identifier scope managed by the issuer of the containing business authorization.
Category 1: urn:curtiss:ba:taa:taa-1.1
Category 2:
urn:curtiss:ba:taa:taa-1.2
OID An identifier, expressed as an OID, that is unique within an identifier scope managed by the issuer of the containing business authorization.
Category 1:
1.3.6.1.4.1.30000.300.1
Category 2:
1.3.6.1.4.1.30000.300.2
A business authorization category has one impact level and optional rules, such as the following: categorization rule, labeling rule, and access rule.
Business Authorization Framework Version 1.5 Page 11 of 35
5.6 Impact Level
Concept Definition Examples
Impact Level The indication of the damage that would occur should the information object be compromised.
The business category TAA#1.1 specifies that all information under this category are of a “Moderate” confidentiality impact level, “Moderate” integrity impact level, and “Low” availability impact level from the “FIPS199” scale.
Scale The scale that provides definitions for the various values.
FIPS199 scale
Confidentiality Value The impact value in case of a loss of confidentiality.
Medium
Integrity Value The impact value in terms of a loss of integrity.
Medium
Availability The impact value in terms of a loss of availability.
Low
Business Authorization Framework Version 1.5 Page 12 of 35
5.7 Categorization Rule
Concept Definition Examples
Categorization Rule Rules that define the conditions under which an information object must fall within the business authorization category; the categorization rules are provided as an input to the training for end-users who need to apply business authorization categories to documents.
IP Owning Organizations
A criterion specifying the organizations that detain intellectual property on the exchange information.
Examples of some independent categorization rules (they are extracted from two different business authorization categories):
1. All information that IP is owned by {Curtiss} (IP Owning Organization) to the destination of {Packard} (Receiving Organization), and contributes to the {Detailed Design} (Work effort) must be protected under IPL-2.1
2. All information which any information object that originates from {Curtiss} (Originating Organizations) and which is provided to {Packard} (Receiving Organization) and which covers topics {“before M3”} (Topics) and is about {GNU or EGPSU or MGPSR} (Products) and that includes information designated as {11A of USML} (Classification) and is produced by
Originating Organizations
A criterion specifying the organizations from which the information originates.
Receiving Organizations
A criterion specifying the organizations which consume the information.
Business Authorization Framework Version 1.5 Page 13 of 35
Concept Definition Examples
Topics A criterion specifying various topics (business context decomposition) that make business sense for the end-users applying labels to information objects.
{DetailedDesign or Simulation} (Work Effort), must be protected under TAA-1.1.
Products A criterion specifying a list of product references (typically, but not limited to, with respect to a product breakdown structure).
Classification A criterion specifying a list of classification numbers that the information relates to (typically, but not limited to, a goods category designation in the designated military list).
Work Effort A criterion specifying a list of work efforts that the information contributes to (typically, but not limited to, with respect to a work breakdown structure).
Business Authorization Framework Version 1.5 Page 14 of 35
5.8 Access Rule
Concept Definition Examples
Access Rule A rule that defines the requirements for having access to any information covered by the business authorization category. These requirements are provided as inclusion criteria (condition to permit access) or exclusion criteria (condition to deny access).
Effect Determines whether the rule permits or denies access.
Examples of some independent access rules:
1. Any (Action) access to information under this business authorization category is Denied (Effect) to all users located outside of the {US, GB, FR} (Location), or to all users which organization’s country of incorporation is not in {US, GB, FR}.
2. Any (Action) to information under this business authorization category is permitted (Effect) to all users cleared to {ITAR-Training} (Entitlement), assigned to {DetailedDesign, Integration} (Work effort), on information about {GNU, EGPSU} (Product)
Action The actions that are either permitted (Effect: Permit), or denied (Effect: Deny), if the access criteria below are all met.
Principal A criterion specifying the list of individuals to which access is denied or granted.
Entitlement A criterion specifying the list of entitlements that the subject (requestor to the information) has been assigned to.
Organization A criterion specifying the list of organizations that the subject (requestor to the information) must
Business Authorization Framework Version 1.5 Page 15 of 35
Concept Definition Examples be affiliated with.
Work Effort A criterion specifying the list of work efforts that the subject (requestor to the information) must be assigned to.
Product A criterion specifying the list of products that the information is associated with.
Nationalities A criterion specifying a list of authorized nationalities, which the authorized parties (whether organizations or persons) can be affiliated with.
Locations A criterion specifying a list of authorized country locations where the requestor may reside at the time of a request for access to information.
Country of incorporation A criterion specifying a list of countries of incorporation of the organizations to which the subject is affiliated.
Business Authorization Framework Version 1.5 Page 16 of 35
5.9 Marking Rules
Concept Definition Examples
Marking Rule A rule that defines the visual indicators on information objects that are required for the procedural enforcement of all the applicable policies.
Marking Precedence A number between 1 and 10 that determines the precedence of the visual marking of this business authorization category over other business authorization category’s visual markings appearing on the same information object. A value of 1 expresses a low precedence, whereas the value of 10 expresses the highest precedence. Labeling tools use the marking precedence to determine the position of the visual markings that need to share the same space.
In the case in which two “Email First Line Of Text” physical markings were required, the one with the higher marking precedence would appear first.
Marking Parts The visual indicators are specified as individual parts. Each part has an identifier, which defines what the part is about, and a string value. The identifiers are listed below:
Identifier:
UI – Name
A very brief (fewer than 20 characters) summary of the policy to use in a user interface, e.g., for users to select the policy from a drop down list.
“TAA-{license-number}”
Identifier:
UI – Disclaimer
Language shown to the user (by an application, e.g., SharePoint) before she can access information, and where the user (the potential recipient of the data) needs to acknowledge that she has read the disclaimer.
“This technical data requires an export license prior to dissemination to non-US persons. It is controlled by United States International Traffic in Arms Regulations (ITAR) (22 CFR 120-130). It is the responsibility of each individual in control of this data to abide by all export laws”
Identifier:
General - Summary
Short language typically located in a single place within the document, e.g., in a security control information table.
“US ITAR Export Controlled under:
TAA-1.1
Program-Z”
Identifier:
General – Warning Statement
Language typically located at the beginning of a document (e.g., on the cover page), that warns the end-user about the protection policy that must apply, and possibly the
“This document (or software if applicable) contains technical data whose export/ transfer/disclosure is restricted by the Arms Export Control Act (Title 22, U.S.C., Sec 2751, et.
Business Authorization Framework Version 1.5 Page 17 of 35
Concept Definition Examples consequences of non-compliance. seq.) or the Export Administration Act
of 1979, as amended, Title 50, U.S.C., App. 2401 tense. Violations of these export laws are subject to severe criminal penalties. Disseminate in accordance with provisions of DoD Directive 5230.25. Dissemination to non-U.S. persons whether in the United States or abroad requires an export license or other authorization.”
Identifier:
General – Distribution statement
Language typically located at the beginning of a document (e.g., on the cover page), that provides information on the distribution requirements of the document.
“Distribution authorized to U.S. Government Agencies and private individuals or enterprises eligible to obtain export-controlled technical data in accordance w/DoDD 5230.25 20 July 2010. Controlling DoD office is [Insert Company Details]”
Identifier:
Document – Header
Short language located at the top of each document's pages.
Identifier:
Document – Footer
Short language located at the bottom of each document's pages.
“Export controlled – see sheet 1”
Identifier:
Document – Watermark
Short language formatted as a watermark on each document's pages.
Identifier:
Email – First Line Of Text
Language located at the beginning of the email body.
“ITAR Export Controlled”
Identifier:
Email – Last Line Of Text
Language located at the end of the email body.
Identifier:
Email – Subject suffix
Short language located at the beginning of the email subject.
“ITAR”
Identifier:
Email – Subject prefix
Short language located at the end of the email subject.
Business Authorization Framework Version 1.5 Page 18 of 35
6. Interchange format
6.1 BAF Profile for XACML
The XACML standard from OASIS can be leveraged in three scenarios:
1. Interchange of access control requirements
2. Representation of authorization request / responses between a Policy Enforcement Point12
and a Policy Decision Point13
3. Execution of authorization rules within a XACML rules engine
The BAF profile for XACML 2.0 considers the first scenario for the purpose of exchanging Business Authorizations between organizations.
Notation
The following notation is used in this section to indicate the mapping between BAF and XACML 2.0 constructs:
BAF v1.0 Data Model XACML 2.0 Construct
BAF construct <Value> - the value element from the BAF data model
A / B = <Value> denotes an element’s contents: <A> <B>Value</B> </A> A / B @C = “Value” denotes an element’s attribute: <A> <B C=”Value”> . . .</B>
</A>
The components of the Data Model that are mapped to XACML are the:
Protection Profile
Business Authorization Category Categorization Rules
Business Authorization Marking Categorization Rules
Business Authorization Category Access Rules
The other components of the Data Model (e.g., Policy Authority, Business Authorization, Impact Level) are not mapped to XACML because they served as intermediate artifacts aiming at producing final the implementable protection profile.
12 The point where the policy decisions are actually enforced, per RFC 2904.
13 The point where policy decisions are made per RFC 2904.
Business Authorization Framework Version 1.5 Page 19 of 35
6.1.1 Protection Profile
A Protection Profile is expressed as a XACML PolicySet. As the XACML standard (up to 3.0) does not provide structured support for some of the administrative information related to a PolicySet, Business Context, Name, and Contact, the profile defines a loose way to convey this information as XML attributes of the Description element of a PolicySet:
BAF v1.0 Data Model XACML 2.0 Construct
Protection Profile PolicySet
Administrative Data - Identifier PolicySet @PolicySetId=<Identifier>
Administrative Data - Version PolicySet @Version=<Version>
Administrative Data - BUiness Context
PolicySet / Documentation @BusinessContext=<Business Context>
Administrative Data - Contact PolicySet / Documentation @Contact=<Contact>
6.1.2 Business Authorization Category
A Business Authorization Category is expressed as a XACML Policy.
BAF v1.0 Data Model XACML 2.0 Construct
Business Authorization Category PolicySet / Policy
6.1.3 Identification of Business Authorization Categories
The URN and OID identifiers are expressed as XACML target resource attributes:
BAF v1.0 Data Model XACML 2.0 Construct
Business Authorization Category Identifier URN
PolicySet / Policy / Target / Resources / Resource / ResourceMatch / ResourceAttributeDesignator @AttributeId = “urn:oasis:names:tc:xacml:1.0:resource:policy-id”
PolicySet / Policy / Target / Resources / Resource / ResourceMatch / AttributeValue = <Identifier URN>
Business Authorization Category Identifier OID
PolicySet / Policy / Target / Resources / Resource / ResourceMatch / ResourceAttributeDesignator @AttributeId = “urn:oasis:names:tc:xacml:1.0:resource:policy-id:OID”
PolicySet / Policy / Target / Resources / Resource / ResourceMatch / AttributeValue = <Identifier OID>
Business Authorization Framework Version 1.5 Page 20 of 35
6.1.4 Categorization rules
The categorization rules are expressed as XACML obligations:
BAF v1.0 Data Model XACML 2.0 Construct
Business Authorization Category Categorization rules
Obligations / Obligation FulfillOn="Permit" RuleId="urn:tscp:names:baf:xacml:1.0:categorization-rules" / AttributeAssignment = <Value>
Obligations / Obligation FulfillOn="Permit" RuleId="urn:tscp:names:baf:xacml:1.0:categorization-rules" / AttributeAssignment @AttributeId See below the recognized values: for @AttributeId:
Business context “urn:tscp:names:baf:xacml:1.0:categorizationRule:business-context"
Originating organization “urn:tscp:names:baf:xacml:1.0:categorizationRule: originating-organization"
Receiving organization “urn:tscp:names:baf:xacml:1.0:categorizationRule: receiving-organization"
IP Owning organization “urn:tscp:names:baf:xacml:1.0:categorizationRule:owning-organization"
Classification “urn:tscp:names:baf:xacml:1.0:categorizationRule:classification"
Product “urn:tscp:names:baf:xacml:1.0:categorizationRule:product"
Work effort “urn:tscp:names:baf:xacml:1.0:categorizationRule:work-effort"
Business Authorization Framework Version 1.5 Page 21 of 35
6.1.5 Access Rules
The access rules for a Business Authorization Category are made of two components:
Criteria on the resource
Criteria on the subject and of the environment
The criteria on the resource are expressed as XACML ResourceMatch attributes, whereas the criteria on the subject and the environment are expressed as XACML rule conditions:
BAF v1.0 Data Model XACML 2.0 Construct
Business Authorization Category
Access Rules
Criteria on Resource: PolicySet / Policy / Target / Resources / Resource / ResourceMatch / AttributeValue = <Value> PolicySet / Policy / Target / Resources / Resource / ResourceMatch / ResourceAttributeDesignator @AttributeId See below the recognized values: for @AttributeId:
Product: "urn:tscp:resource-product"
Classification: "urn:tscp:resource-classification"
Business Authorization Category
Access Rules
Criteria on Subject: PolicySet / Policy / Rule / Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"/ Apply / AttributeValue = <Value> PolicySet / Policy / Rule / Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"/ Apply / AttributeDesignator @AttributeId See below the recognized values: for @AttributeId:
Affiliated Organization: “urn:tscp:affiliated-organization"
Work Effort: “urn:tscp:work-effort"
Nationality: “urn:tscp:nationality"
Physical Location: “urn:tscp:location"
Identifier: “urn:oasis:names:tc:xacml:1.0:subject:subject-id"
Business Authorization Category
Access rules
Criteria on Environment:
PolicySet / Policy / Target / Environments / Environment / AttributeValue = <Value> PolicySet / Policy / Target / Environments / Environment / EnvironmentAttributeDesignator @AttributeId
See below the recognized values: for @AttributeId:
Business Authorization Framework Version 1.5 Page 22 of 35
BAF v1.0 Data Model XACML 2.0 Construct
Readiness condition “urn:tscp:readiness-condition"
6.1.6 Marking rules
The marking rules are made of two components:
The marking precedence
The list of physical markings
Both components are expressed as XACML obligations:
BAF v1.0 Data Model XACML 2.0 Construct
Business Authorization Category
Marking rules
PolicySet / Policy /Obligations / Obligation
@FulfillOn="Permit" @RuleId=" urn:tscp:names:baf:xacml:1.0:visual-marking-rules"
PolicySet / Policy /Obligations / Obligation / AttributeAssignment @AttributeId
See below the recognized values: for @AttributeId:
Marking Precedence: “urn:tscp:names:baf:xacml:1.0:visual-marking-rule:precedence"
Document Header: “urn:tscp:names:baf:xacml:1.0:visual-marking-rule:Document: Header"
Document Footer: “urn:tscp:names:baf:xacml:1.0:visual-marking-rule:Document: Footer"
Document Watermark: “urn:tscp:names:baf:xacml:1.0:visual-marking-rule:Document: Watermark"
Warning Statement: “urn:tscp:names:baf:xacml:1.0:visual-marking-rule:General: Warning statement"
Distribution Statement: “urn:tscp:names:baf:xacml:1.0:visual-marking-rule:General: Distribution statement"
Distribution Statement: “urn:tscp:names:baf:xacml:1.0:visual-marking-rule:General: Distribution statement"
Summary: “urn:tscp:names:baf:xacml:1.0:visual-marking-rule:General: Summary"
First Line of Text: “urn:tscp:names:baf:xacml:1.0:visual-marking-rule:Email:FirstLineOfText"
Last Line of Text: “urn:tscp:names:baf:xacml:1.0:visual-marking-rule:Email: LastLineOfText"
Subject Prefix: “urn:tscp:names:baf:xacml:1.0:visual-marking-rule:Email: SubjectPrefix"
Subject Suffix: “urn:tscp:names:baf:xacml:1.0:visual-marking-rule:Email: SubjectSuffix"
The reader will find instances of business authorizations that are expressed in XML and in XACML in the appendix.
Business Authorization Framework Version 1.5 Page 23 of 35
6.2 Plain XML
Instances of business authorizations can be interchanged in a form which can be processed by machines by using the XML structure defined by the following XML Schema:
<?xml version="1.0" encoding="UTF-8"?> <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xal="urn:oasis:names:tc:ciq:xal:3" xmlns:baf="urn:tscp:names:baf:1.1"> <xs:import namespace="urn:oasis:names:tc:ciq:xal:3" schemaLocation="xalv3.xsd"/> <!-- Business Authorization --> <xs:complexType name="BusinessAuthorization"> <xs:sequence> <xs:element ref="AdministrativeData"/> <xs:element ref="Scope"/> <xs:element ref="Included"/> <xs:element ref="Excluded"/> </xs:sequence> </xs:complexType> <xs:element name="AdministrativeData"> <xs:complexType> <xs:sequence> <xs:element ref="ProgramID"/> <xs:element ref="LicenseID"/> <xs:element ref="StartValidityDate"/> <xs:element ref="StopValidityDate"/> <xs:element ref="Applicant"/> <xs:element ref="Signatories"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="Included"> <xs:complexType> <xs:sequence> <xs:element ref="BusinessAuthorizationCategory" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="Excluded"> <xs:complexType> <xs:sequence> <xs:element ref="BusinessAuthorizationCategory" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="StopValidityDate"> <xs:simpleType> <xs:restriction base="xs:date"/> </xs:simpleType> </xs:element> <xs:element name="StartValidityDate"> <xs:simpleType> <xs:restriction base="xs:date"/> </xs:simpleType> </xs:element> <!-- Business Authorization Category --> <xs:element name="BusinessAuthorizationCategory"> <xs:complexType> <xs:sequence> <xs:element ref="AccessRules"/> <xs:element ref="HandlingRules"/> <xs:element ref="LabelingRules"/> </xs:sequence> <xs:attribute name="Identifier" type="xs:anyURI" use="required"/> </xs:complexType> </xs:element> <!-- Impact Level --> <xs:element name="ImpactLevel" type="ImpactLevel"/> <xs:complexType name="ImpactLevel" abstract="true"/> <xs:element name="Undefined_ImpactLevel" type="Undefined_ImpactLevel"/> <xs:complexType name="Undefined_ImpactLevel" mixed="false"> <xs:complexContent mixed="false"> <xs:extension base="ImpactLevel"/>
Business Authorization Framework Version 1.5 Page 24 of 35
</xs:complexContent> </xs:complexType> <xs:element name="FIPS_ImpactLevel" type="FIPS_ImpactLevel"/> <xs:complexType name="FIPS_ImpactLevel" mixed="false"> <xs:complexContent mixed="false"> <xs:extension base="ImpactLevel"> <xs:sequence> <xs:element name="Value"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="Low"/> <xs:enumeration value="Moderate"/> <xs:enumeration value="High"/> </xs:restriction> </xs:simpleType> </xs:element> </xs:sequence> </xs:extension> </xs:complexContent> </xs:complexType> <xs:element name="UK_Cabinet_ImpactLevel" type="UK_Cabinet_ImpactLevel"/> <xs:complexType name="UK_Cabinet_ImpactLevel" mixed="false"> <xs:complexContent mixed="false"> <xs:extension base="ImpactLevel"> <xs:sequence> <xs:element name="Value"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="0"/> <xs:enumeration value="1"/> <xs:enumeration value="2"/> <xs:enumeration value="3"/> </xs:restriction> </xs:simpleType> </xs:element> </xs:sequence> </xs:extension> </xs:complexContent> </xs:complexType> <!-- Handling Rule --> <xs:complexType name="HandlingRule" abstract="true"/> <xs:complexType name="SecureWEBTransmission"> <xs:complexContent> <xs:extension base="HandlingRule"/> </xs:complexContent> </xs:complexType> <xs:complexType name="StorageRule"> <xs:complexContent> <xs:extension base="HandlingRule"/> </xs:complexContent> </xs:complexType> <xs:complexType name="SecureWEBStorage"> <xs:complexContent> <xs:extension base="StorageRule"/> </xs:complexContent> </xs:complexType> <xs:complexType name="SecureFileTransferTransmission"> <xs:complexContent> <xs:extension base="HandlingRule"/> </xs:complexContent> </xs:complexType> <xs:complexType name="SecureEmailTransmission"> <xs:complexContent> <xs:extension base="HandlingRule"/> </xs:complexContent> </xs:complexType> <xs:complexType name="MediumAuthentication"> <xs:complexContent> <xs:extension base="HandlingRule"/> </xs:complexContent> </xs:complexType> <xs:complexType name="FileDeletion"> <xs:complexContent> <xs:extension base="HandlingRule"/> </xs:complexContent> </xs:complexType>
Business Authorization Framework Version 1.5 Page 25 of 35
<xs:complexType name="DesktopStorage"> <xs:complexContent> <xs:extension base="HandlingRule"/> </xs:complexContent> </xs:complexType> <!-- Labeling Rule --> <xs:element name="VisualMarkingPart"> <xs:complexType> <xs:sequence> <xs:element name="Description"/> <xs:element name="Contents"/> </xs:sequence> <xs:attribute name="type" type="xs:anyURI" use="required"/> </xs:complexType> </xs:element> <!-- Others --> <xs:element name="WorkEffortsScope"> <xs:complexType> <xs:sequence> <xs:element ref="WorkEfforts"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="WorkEfforts"> <xs:complexType> <xs:sequence> <xs:element ref="WorkEffort" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="WorkEffort"> <xs:complexType> <xs:sequence> <xs:element ref="Name"/> </xs:sequence> <xs:attribute name="id" type="xs:string" use="required"/> </xs:complexType> </xs:element> <xs:element name="Signatories"> <xs:complexType/> </xs:element> <xs:element name="Scope"> <xs:complexType> <xs:sequence> <xs:element ref="OrganizationsScope"/> <xs:element ref="WorkEffortsScope"/> <xs:element ref="ActionsScope"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="Rules"> <xs:complexType> <xs:sequence> <xs:element ref="HandlingRules"/> <xs:element ref="LabelingRules"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="ProgramID"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="PRGM-Z"/> </xs:restriction> </xs:simpleType> </xs:element> <xs:element name="OrganizationsScope"> <xs:complexType> <xs:sequence> <xs:element ref="Organizations"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="Organizations"> <xs:complexType>
Business Authorization Framework Version 1.5 Page 26 of 35
<xs:sequence> <xs:element ref="Organization" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="Organization"> <xs:complexType> <xs:sequence> <xs:element ref="xal:Name"/> <xs:element ref="xal:Address"/> </xs:sequence> <xs:attribute name="id" use="required" type="xs:string"/> </xs:complexType> </xs:element> <xs:element name="Name" type="xs:string"/> <xs:element name="LicenseID" type="xs:anyURI"/> <xs:element name="Level"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="Moderate"/> </xs:restriction> </xs:simpleType> </xs:element> <xs:element name="LabelingRules"> <xs:complexType> <xs:sequence> <xs:element ref="VisualMarkingPart" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="InformationScope"> <xs:complexType> <xs:sequence> <xs:element ref="ImpactLevel"/> <xs:element ref="ClassificationNumbers"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="HandlingRules"> <xs:complexType> <xs:sequence> <xs:element ref="HandlingRule" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="HandlingRule" type="HandlingRule"/> <xs:element name="Countries"> <xs:complexType/> </xs:element> <xs:element name="ClassificationNumbers"> <xs:complexType/> </xs:element> <xs:element name="BusinessAuthorization" type="BusinessAuthorization"/> <xs:element name="Applicant"> <xs:complexType> <xs:sequence> <xs:element ref="xal:Name"/> <xs:element ref="xal:Address"/> </xs:sequence> <xs:attribute name="id" use="required" type="xs:string"/> </xs:complexType> </xs:element> <xs:element name="ActionsScope"> <xs:complexType> <xs:sequence> <xs:element ref="Actions"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="Actions"> <xs:complexType> <xs:sequence> <xs:element ref="Action" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="Action"> <xs:complexType>
Business Authorization Framework Version 1.5 Page 27 of 35
<xs:sequence> <xs:element ref="Name"/> </xs:sequence> <xs:attribute name="id" use="required" type="xs:string"/> </xs:complexType> </xs:element> <xs:element name="AccessRules"> <xs:complexType> <xs:sequence> <xs:element ref="AccessRule" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="AccessRule"> <xs:complexType> <xs:sequence> <xs:element ref="Organization"/> <xs:element ref="Countries"/> <xs:element ref="WorkEffort"/> <xs:element ref="Actions"/> </xs:sequence> </xs:complexType> </xs:element> </xs:schema>
Business Authorization Framework Version 1.5 Page 28 of 35
7. Acronyms
The following list of acronyms and corresponding descriptions will be used throughout the document.
Acronym Description
BA Business Authorization
BAF Business Authorization Framework
BAL Business Authorization Label
BAILS Business Authorization Identification and Labeling Scheme
BOM Bills Of Material
A&D Aerospace and Defense
BIS US Bureau of Industry and Security: The Bureau that regulates export control of dual-use (civilian and military) items.
DDTC US State Department - Policy - Directorate of Defense Trade Controls, regulates export control of military items
DEFCON Defense Readiness Condition: A measure of the activation and readiness level of the US Armed Forces.
DoD US Department of Defense
EBOM Engineering Bills of Material
I&AM Identity and Access Management: Overarching architecture document for the TSCP.
IAP Information Asset Protection
ITAR International Traffic in Arms Regulations
JSF Joint Strike Fighter: A major A&D program aimed at producing the F35 fighter.
MBOM Manufacturing Bills Of Material
MoD Ministry of Defense
MTA Manufacturing Technical Agreement: Another type of license under the ITAR policies.
NDA Non-Disclosure Agreement
OpenXML (OOXML): An ECMA standard for interoperable office document format. Mostly promoted by Microsoft, and used in Office 2007 and on.
Business Authorization Framework Version 1.5 Page 29 of 35
Acronym Description
PDM Product Data Management
PDP Policy Decision Point
PEP Policy Enforcement Point
POC Proof Of Concept
OBS Organization Breakdown Structure
PIEA Proprietary Information Exchange Agreement
TAA Technical Assistance Agreement: One of the licenses that organizations need to obtain and comply with in order to export technical information under the ITAR policies.
TSCP Transglobal Secure Collaboration Program
UGEA Union General Export Authorization: A license under the authority of the European Union that regulates export control of dual-use items.
XACML Extensible Access Control Markup Language
WBS Work Breakdown Structure
Business Authorization Framework Version 1.5 Page 30 of 35
8. References
Document URL
NIST SP 800-53 http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
Business Authorization Framework Version 1.5 Page 31 of 35
9. APPENDIX
9.1 BAF mapping to XACML (logical models)
Figure 3. BAF Mapping to XACML
Business Authorization Framework Version 1.5 Page 32 of 35
9.1.1 XACML instance of TAA#1
<?xml version="1.0"?> <PolicySet xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"> <Description /> <Policy PolicyId="TAA-1.1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"> <Description>Policy for Business Authorization Category TAA-1.1</Description> <Target> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">urn:curtiss:ba:taa:taa-1.1</AttributeValue> <ResourceAttributeDesignator “urn:oasis:names:tc:xacml:1.0:resource:policy-id" DataType="http://www.w3.org/2001/XMLSchema#string" /> </ResourceMatch> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">1.3.6.1.4.1.30000.300.1</AttributeValue> <ResourceAttributeDesignator “urn:oasis:names:tc:xacml:1.0:resource:policy-id:oid" DataType="http://www.w3.org/2001/XMLSchema#string" /> </ResourceMatch> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">GNU</AttributeValue> <ResourceAttributeDesignator “urn:tscp:resource-product" DataType="http://www.w3.org/2001/XMLSchema#string" /> </ResourceMatch> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">EGPSU</AttributeValue> <ResourceAttributeDesignator “urn:tscp:resource-product" DataType="http://www.w3.org/2001/XMLSchema#string" /> </ResourceMatch> </Resource> </Resources> </Target> <Rule Effect="Permit"> <Description /> <Target> <Actions> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">Any</AttributeValue> <ActionAttributeDesignator “urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" /> </ActionMatch> </Action> </Actions> </Target> <Condition> <Apply xsi:type="AndFunction" functionId="urn:oasis:names:tc:xacml:1.0:function:and"> <Apply xsi:type="AtLeastMemberOf" functionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <Apply functionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">Curtiss</AttributeValue> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">Packard</AttributeValue> </Apply> <AttributeDesignator “urn:tscp:affiliated-organization" DataType="http://www.w3.org/2001/XMLSchema#string" /> </Apply> <Apply xsi:type="AtLeastMemberOf" functionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <Apply functionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">US</AttributeValue> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">GB</AttributeValue>
Business Authorization Framework Version 1.5 Page 33 of 35
</Apply> <AttributeDesignator “urn:tscp:nationality" DataType="http://www.w3.org/2001/XMLSchema#string" /> </Apply> <Apply xsi:type="AtLeastMemberOf" functionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <Apply functionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">US</AttributeValue> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">GB</AttributeValue> </Apply> <AttributeDesignator “urn:tscp:location" DataType="http://www.w3.org/2001/XMLSchema#string" /> </Apply> <Apply xsi:type="AtLeastMemberOf" functionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <Apply functionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">DetailedDesign</AttributeValue> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">Simulation</AttributeValue> </Apply> <AttributeDesignator “urn:tscp:work-effort" DataType="http://www.w3.org/2001/XMLSchema#string" /> </Apply> </Apply> </Condition> </Rule> <Obligations> <Obligation FulfillOn="Permit" RuleId="urn:tscp:names:baf:xacml:1.1:categorization-rules"> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:categorizationRule:business-context">Navigation system</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:categorizationRule:originating-organization">Curtiss</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:categorizationRule:receiving-organization">Packard</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:categorizationRule:classification">USML:11A</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:categorizationRule:product">GNU</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:categorizationRule:product">EGPSU</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:categorizationRule:work-effort">DetailedDesign</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:categorizationRule:work-effort">Simulation</AttributeAssignment> </Obligation> <Obligation FulfillOn="Permit" RuleId="urn:tscp:names:baf:xacml:1.1:visual-marking-rules"> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:visual-marking-rule:General: Distribution Statement">Distribution authorized to U.S. Government Agencies and private individuals or enterprises eligible to obtain export-controlled technical data in accordance w/DoDD 5230.25 20 July 2010. Controlling DoD office is CURTISS</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:visual-marking-rule:General: Warning Statement">This document (or software if applicable) contains technical data whose export/ transfer/disclosure is restricted by the Arms Export Control Act (Title 22, U.S.C., Sec 2751, et. seq.) or the Export Administration Act of 1979, as amended, Title 50, U.S.C., App. 2401 et.seq. Violations of these export laws are subject to severe criminal penalties. Disseminate in accordance with provisions of DoD Directive 5230.25. Dissemination to non-U.S. persons whether in the United States or abroad requires an export license or other authorization</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:visual-marking-rule:Document: Footer">Export controlled – see sheet 1</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:visual-marking-rule:General: Summary">DDTC - TAA 1.1</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:visual-marking-rule:Email: First Line Of Text">Export controlled under ITAR</AttributeAssignment>
Business Authorization Framework Version 1.5 Page 34 of 35
<AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:visual-marking-rule:Email: Subject Prefix">ITAR</AttributeAssignment> </Obligation> </Obligations> </Policy> <Policy PolicyId="TAA-1.2" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"> <Description>Policy for Business Authorization Category TAA-1.2</Description> <Target> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">urn:curtiss:ba:taa:taa-1.2</AttributeValue> <ResourceAttributeDesignator “urn:oasis:names:tc:xacml:1.0:resource:policy-id" DataType="http://www.w3.org/2001/XMLSchema#string" /> </ResourceMatch> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">1.3.6.1.4.1.30000.300.2</AttributeValue> <ResourceAttributeDesignator “urn:oasis:names:tc:xacml:1.0:resource:policy-id:oid" DataType="http://www.w3.org/2001/XMLSchema#string" /> </ResourceMatch> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">GNU</AttributeValue> <ResourceAttributeDesignator “urn:tscp:resource-product" DataType="http://www.w3.org/2001/XMLSchema#string" /> </ResourceMatch> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">EGPSU</AttributeValue> <ResourceAttributeDesignator “urn:tscp:resource-product" DataType="http://www.w3.org/2001/XMLSchema#string" /> </ResourceMatch> </Resource> </Resources> </Target> <Rule Effect="Permit"> <Description /> <Target> <Actions> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">Any</AttributeValue> <ActionAttributeDesignator “urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" /> </ActionMatch> </Action> </Actions> </Target> <Condition> <Apply xsi:type="AndFunction" functionId="urn:oasis:names:tc:xacml:1.0:function:and"> <Apply xsi:type="AtLeastMemberOf" functionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <Apply functionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">Curtiss</AttributeValue> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">Spad-RO</AttributeValue> </Apply> <AttributeDesignator “urn:tscp:affiliated-organization" DataType="http://www.w3.org/2001/XMLSchema#string" /> </Apply> <Apply xsi:type="AtLeastMemberOf" functionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <Apply functionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">US</AttributeValue> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">RO</AttributeValue> </Apply>
Business Authorization Framework Version 1.5 Page 35 of 35
<AttributeDesignator “urn:tscp:nationality" DataType="http://www.w3.org/2001/XMLSchema#string" /> </Apply> <Apply xsi:type="AtLeastMemberOf" functionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <Apply functionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">US</AttributeValue> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">RO</AttributeValue> </Apply> <AttributeDesignator “urn:tscp:location" DataType="http://www.w3.org/2001/XMLSchema#string" /> </Apply> <Apply xsi:type="AtLeastMemberOf" functionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <Apply functionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">Simulation</AttributeValue> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" “">Integration</AttributeValue> </Apply> <AttributeDesignator “urn:tscp:work-effort" DataType="http://www.w3.org/2001/XMLSchema#string" /> </Apply> </Apply> </Condition> </Rule> <Obligations> <Obligation FulfillOn="Permit" RuleId="urn:tscp:names:baf:xacml:1.1:categorization-rules"> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:categorizationRule:business-context">Navigation system</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:categorizationRule:originating-organization">Curtiss</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:categorizationRule:receiving-organization">Spad-RO</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:categorizationRule:product">GNU</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:categorizationRule:product">EGPSU</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:categorizationRule:work-effort">Simulation</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:categorizationRule:work-effort">Integration</AttributeAssignment> </Obligation> <Obligation FulfillOn="Permit" RuleId="urn:tscp:names:baf:xacml:1.1:visual-marking-rules"> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:visual-marking-rule:General: Distribution Statement">Distribution authorized to U.S. Government Agencies and private individuals or enterprises eligible to obtain export-controlled technical data in accordance w/DoDD 5230.25 20 July 2010. Controlling DoD office is CURTISS</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:visual-marking-rule:General: Warning Statement">This document (or software if applicable) contains technical data whose export/ transfer/disclosure is restricted by the Arms Export Control Act (Title 22, U.S.C., Sec 2751, et. seq.) or the Export Administration Act of 1979, as amended, Title 50, U.S.C., App. 2401 et.seq. Violations of these export laws are subject to severe criminal penalties. Disseminate in accordance with provisions of DoD Directive 5230.25. Dissemination to non-U.S. persons whether in the United States or abroad requires an export license or other authorization</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:visual-marking-rule:Document: Footer">Export controlled – see sheet 1</AttributeAssignment> <AttributeAssignment DataType="http://www.w3.org/2001/XMLSchema#string" “urn:tscp:names:baf:xacml:1.1:visual-marking-rule:General: Summary">DDTC - TAA 1.1</AttributeAssignment> </Obligation> </Obligations> </Policy> </PolicySet>