NCCoE Launches Building Blocks for Access Control and Mobile Devices

NIST’s National Cybersecurity Center of Excellence (NCCoE) has proposed two new building blocks: one to help organizations develop capabilities for attribute-based access control, the other to help enterprises address security issues that result from the use of mobile devices to access company resources. The NCCoE invites the public to comment on the draft documents. The comment period is open until March 28, 2014.

Building blocks are example cybersecurity implementations that apply to multiple industry sectors and are expected to be incorporated into many of the center's sector-specific use cases. The NCCoE's work to develop building blocks results in practice guides, publicly available descriptions of the practical steps needed to implement a cybersecurity reference design.

The draft Attribute Based Access Control (ABAC) Building Block proposes an identity management system that allows multiple enterprises to exchange and validate employee attributes such as title, division, certifications and training. This allows an organization to grant a non-employee access to a range of corporate resources using risk-based policy enforcement. For example, a doctor helping to treat pandemic patients in a neighboring state can present her home hospital’s badge. Because her home hospital and the hospital she is assisting both subscribe to an attribute exchange service, she is immediately granted access to the physical locations and IT systems and services that she needs. The technology demonstrated in this building block will be modular, allowing corporations flexibility in their implementations based on their current network infrastructures. The draft Attribute Based Access Control Building Block document can be viewed here. Comments should be submitted to by March 28, 2014.

The draft Mobile Device Security for Enterprises Building Block proposes a system of commercially available technologies that provide enterprise-class protection for mobile platforms that access corporate resources. This building block will examine an array of security technologies that can enable enterprise risk management, allowing users to work inside and outside the corporate network with a securely configured mobile device. This building block will incorporate a layered approach that allows enterprises to tailor solutions to their business needs. The draft Mobile Device Security for Enterprises Building Block document can be viewed here. Comments should be submitted to by March 28, 2014.