Responsible Information Sharing and Safeguarding
The Information Exchange Framework™ (IEF™) is an OMG® initiative to establish a family of specifications to enable policy-driven data-centric information sharing and safeguarding (ISS) capabilities for email exchange, file sharing, instant messaging (chat), structured messaging, and web services.
The first IEF specification, the Information Exchange Packaging Policy Vocabulary™ (IEPPV™), has been published. This specification provides a policy vocabulary and UML® profile model for secure packaging and processing of structured information elements such as National Information Exchange Model (NIEM), Structured Threat Information eXpression (STIX™), Cyber Observable eXpression (CybOX™), and Trusted Automated eXchange of Indicator Information (TAXII™).
The IEF Reference Architecture is nearing completion and will establish a framework for integrating ISS services into a user’s Technical Architecture.
This will ensure:
- Access and release controls reflect the sensitivity of each data and information element, not simply the domain in which it resides
- Every request for and exchange of information is gated through a policy enforcement point that enforces user-specified ISS policy
- Information content is assembled, marked, and packaged in accordance with the data-owner’s policies for a recipient/community based on individual authorizations and privileges
- Protection mechanisms are applied in accordance with user-specified policies
- Transactions are recorded in a tamper-resistant log to enable real-time monitoring and forensic auditing
- Users can dynamically adapt ISS policies and controls based on variations in operational context (e.g., threat, risk, policy, location, and roles & responsibilities) and in accordance with security policy
Benefits of IEF include:
- Platform independence: The IEF may be implemented using one or more vendor products and services that can be integrated through standardized interfaces, messages and protocols.
- Defense-in-depth: The IEF supports layering of information safeguards that automate user-defined ISS policies, e.g., rules and constraints, for each information element based on its designated sensitivity.
- Policy driven: The IEF uses standard architecture modeling profiles to translate policy instruments (e.g., legislation, regulation, operating procedures, memoranda of understanding, and service-level agreements) into machine-readable rules and constraints ingested and enforced by IEF-conformant services.
- Data centric: An IEF-conformant service enforces policies based on data and metadata content.