Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Attribute metadata project charter

This page is ARCHIVED. Please visit https://www.nist.gov/identity-access-management for current information on NIST’s Identity and Access Management work.

Project Charter
10 March, 2016

Applied Cybersecurity Division
Information Technology Laboratory, NIST

 

1. Introduction


The identity ecosystem has matured to the point where it is appropriate to undertake the work of building measurement science for application in the market—a critical step in further aiding expansion and innovation of the identity ecosystem. Building off of February’s workshop, NIST intends to delve more deeply into each of the topic areas: Strength of Identity Proofing, Strength of Authentication, and Attribute Metadata & Confidence.

This charter provides a high level understanding of the work which NIST’s Applied Cybersecurity Division will undertake to advance the standardization of federal attribute metadata and serve as an initial tool for collecting feedback around this proposed approach.

 

2. Purpose


The purpose of this project will be to produce a NIST Internal Report (IR) that contains guidance for a schema on attribute metadata. The overall objective is to provide the foundation for cross boundary trust and interoperability of attributes used for access control. Ultimately, application of this schema is intended to promote greater government efficiency in federating access to protected resources.

 

3. Scope


NIST’s Applied Cybersecurity Division (ACD), of the Information Technology Laboratory (ITL) will undertake the development of a schema for attribute metadata. This document will identify and define the metadata elements essential to support cross agency confidence in attribute assertions as well as the semantics and syntax required to support interoperability. The schema is intended for use in unclassified federal systems, but is expected to be applicable in multiple security domains and industry sectors. The effort will focus on two classes of metadata:

  • Attribute Metadata – Metadata values for the attribute itself, not the actual values for the attribute. For example, “is PII” could be metadata for the attribute “birth date”.  The actual date of birth does not drive the value for “is PII”.
  • Attribute Value Metadata  - This element focuses directly on the asserted value for the attribute. For example, an attribute of “Training Received” may have multiple values.  Each value could have a attribute value metadata of “verified on”, with containing a different date for “verified on”.

The schema will be provided in an IR developed as an “implementer’s draft.” The intent behind this “implementer’s draft” is to rapidly provide a document to federal stakeholders that will identify agency and market viability, target improvement areas, produce lessons learned, and delineate a potential migration path to a Special Publication or standards development organization (SDO) contribution.

This IR will not address confidence scores for attributes. Given the effort that will be required to develop such a framework, NIST has determined to focus initial efforts on the metadata IR with a future NISTIRs envisioned to address confidence scoring.

 

4. Development Approach


This IR will be developed using an iterative approach that engages community stakeholders early and often during the drafting period—taking advantage of more frequent, but shorter comment periods to enable rapid production of the document. All processes will be conducted in a way that preserves and reflects NIST’s traditions of openness and transparency. The proposed phases are outlined below:

  • Phase I- Initial Drafting: This phase will focus on conducting any required research, developing an outline for IR content, and producing an initial draft. It will conclude with a draft that is prepared to enter the first comment period.
  • Phase II- Iterative Public Review and Comment: This phase will focus on gaining input through successive open comment periods and iterations of the IR draft. It is envisioned that this phase will include a minimum of three public comment periods of approximately 3-6 weeks in length, followed by 3-6 week periods for the authoring team to make appropriate updates to the document.  As this phase progresses, additional iterations may be added.
  • Phase III – Document Finalization: NIST will adjudicate and resolve all in-scope comments and post the final NISTIR to the NIST website.

 

5. Engagement, Communications & Input


Throughout the course of this project, ACD intends to engage with a broad spectrum of different stakeholders. Those interested in engaging with, contributing to, and influencing this work should seek out opportunities in the following ways:

  • Comment & Contribute: Drafts of the IR will be published for comment on an iterative basis. Comments will be collected, posted, and managed as issues via a public page on Github.  Details will follow as to specific page location. Those that wish to participate in comment periods but are unable to utilize Github will be provided a standard comment matrix, though Github is preferred. As discussed above, the comment process will be iterative and open, comments on each draft are welcome and encouraged. Additionally, despite the focus on federal guidance, comments from all sectors are welcome, encouraged, and will be considered.
  • Follow: Keep up to date with the progress of the work by following regular updates through the NSTIC website (www.NSTIC.gov), blog (http://nstic.blogs.govdelivery.com/), and on twitter (@NSTICNPO).

In addition to facilitating comments on the IR and its draft. ACD is also seeking input on the concepts and ideas proposed in this charter—we want to know if we are heading in the correct direction. Comments can be provided by emailing to NSTICworkshop [at] nist.gov (NSTICworkshop[at]nist[dot]gov).

 

6. Proposed Timeline & Milestones


Below are high level milestones, by phase for the development of the IR.

  • Phase I- Initial Drafting (April 2016)
    • IR Outline Completed
    • Initial IR Draft Completed
  • Phase II- Open Comment Period (May-August 2016)
    • Comment Period One Open
    • Comment Period One Closed
    • IR Update One Completed
    • Comment Period Two Open
    • Comment Period Two Closed
    • IR Update Two Complete
    • Comment Period Three Open
    • Comment Period Three Closed
    • Final DRAFT NISTIR Published
  • Phase III – Document Finalization (December 2016)
    • Comment Period Closed
    • Final IR Released

 

7. Related, Complementary Efforts


Created May 2, 2016, Updated April 19, 2021