STANAG

You are currently browsing the archive for the STANAG category.

Confidentiality Metadata-based Access Control (CMBAC) core to enabling NATO Data-Centric Security (DCS) vision and strategy

December 3, 2025 in STANAG, Uncategorized by xmlspif | No comments

DCS is recognised as a key enabler for NATO to evolve towards digital transformation exploiting new technologies and processes that treats data as a strategic resource to help inform timely decision making at all political and military levels across multiple domains of operations.

NATO vision for DCS is to deliver shareable, timely and reliable information: protected at source; and, controlled for life.

NATO strategy for implementing DCS is evolutionary defined by three Maturity Levels (MLs), whereby each ML facilitates interoperability and builds ontop of each other to reach the defined end-state.

DCS ML 1: Basic Labelling (DCS-1) – Facilitated by the NATO standards (STANAG 4774, STANAG 5636 and STANAG 4778) to provide consistent, reliable and trustworthy labelling with metadata associated for use with all common types of file formats and core services. Use of the XMLSPIF is fundamental for ensuring confidentiality metadata (STANAG 4774 confidentiality label and confidentiality clearance) is consistently applied and consistently displayed based upon the governing security policy that is being enforced.

DCS ML 2: Enhanced Labelling (DCS-2) – Facilitated by the emerging NATO standard (STANAG 5663) to provide federated identity and access management (FIAM) and facilitate attribute-based access control (ABAC). The “Holy Trinity” (not George Best, Dennis Law and Sir Bobby Charlton) of STANAG 4774 confidentiality label, STANAG 4774 confidentiality clearance and XMLSPIF are used to provide Confidentiality Metadata-based Access Control (CMBAC; pronounced as “Come Back“), fundamental for facilitating ABAC. XMLSPIF specifies the rules for how CMBAC is enforced based upon comparing the confidentiality metadata value domains provided in a STANAG 4774 confidentiality label (associated with a resource) against a STANAG 4774 confidentiality clearance (associated with a Subject i.e. a user, application, device or service). Implementation of CMBAC (as illustrated below), through the ratification of ADatP-5663: Federated Identity, Credentials and Access Management, is recognised as a core capability for evolving NATO DCS vision and strategy towards achieving DCS-2.

cmbac

DCS ML 3: Cryptographic Protection (DCS-3) – NATO are currently developing an interoperable, standardised and federated approach for achieving DCS-3.

Tags: , , ,

STANAG 4774 Published

January 16, 2018 in STANAG by Graeme Lunt | No comments

After being ratified by a quorum of NATO Nations, STANAG 4774, Metadata Confidentiality Label Syntax, has been promulgated (published) by NATO.

STANAG 4774 provides a XML syntax for representing a confidentiality label in an arbitrary policy, and includes information about the life-cycle of the confidentiality label e.g. when it should be reviewed.

An example of simple confidentiality label using the example AMOCO security policy, is shown below:

<slab:originatorConfidentialityLabel>
  <slab:ConfidentialityInformation>
    <slab:PolicyIdentifier>TEST-Amoco</slab:PolicyIdentifier>
    <slab:Classification>General</slab:Classification>
    <slab:PrivaryMark>MINIMUM</slabPrivacyMark>
   </slab:ConfidentialityInformation>
   <slab:CreationDateTime>
     2016-11-10T12:30:00Z
   </slab:CreationDateTime>
</slab:originatorConfidentialityLabel>

An XMLSPIF can be used to describe the value domains for the PolicyIdentifier, Classification, GenericValue (a category value), and PrivacyMark elements of the confidentiality metadata label.

The confidentiality metadata label syntax was designed to be used define metadata elements, with those metadata elements in turn being bound to information. STANAG 4774 defines two metadata elements that use the syntax:

  • originatorConfidentialityLabel – the confidentiality label assigned to the information by the originator
  • alternativeConfidentialityLabel – an confidentiality label in a different policy that is equivalent to the originatorConfidentialityLabel

The binding of metadata elements to information (both XML and non-XML) is the subject of a second STANAG, STANAG 4778, Metadata Binding Mechanism, which is expected to be ratified in 1Q18.

It is highly recommended that metadata elements which use the confidentiality metadata label syntax only use the STANAG 4778 binding mechanism to associate a confidentiality label with information.

STANAG 4774 is not openly available, so in order to obtain a copy of STANAG 4774, you should contact your National Technical Expert (NATEX).