Compartmented Mode Workstation Labeling: Encodings Format

Chapter 6 Accreditation Range and Name Information Label Encodings

The ACCREDITATION RANGE: section specifies the system and user accreditation ranges as well as a number of system constants related to the system accreditation range. The system accreditation range is the set of sensitivity labels that the system as a whole can process. It is specified by a minimum sensitivity label and a maximum sensitivity label. The minimum sensitivity label is directly specified in the ACCREDITATION RANGE: section, whereas the maximum sensitivity label is deduced from the classifications and word specifications in the encodings file. The user accreditation range is a subset of the system accreditation range, and contains those sensitivity labels that normal (non-authorized) users of the system can set (i.e., those sensitivity labels at which users can create subjects or objects, or to which users can change existing sensitivity labels).

The ACCREDITATION RANGE: section consists of one or more user accreditation range specifications, followed by the specification of various system accreditation range-related constants, the minimum clearance, the minimum sensitivity label, and the minimum protect as classification.

This section explains the concept of a user accreditation range in terms of examples, then explains how to specify the user accreditation range and system accreditation range-related constants.

User Accreditation Range Examples

The user accreditation range of a system is the set of sensitivity labels at which normal users are intended to be able to operate. The user accreditation range is conceptually specified as a list (or set) of sensitivity labels. In this manner, certain sensitivity labels can be left out of the list, as will be the case for many systems.

Note that the restriction the user accreditation range places on sensitivity labels does not apply to either clearances or information labels.

For example, consider a system that processes TS along with compartments A, B, and C. The complete list of possible sensitivity labels (and hence the largest possible user accreditation range) for such a system is:

TS   TS A   TS B   TS C   TS A B   TS A C   TS B C   TS A B C

However, a more realistic user accreditation range for such a system might be:

TS A B   TS A C   TS A B C

In this example, compartments B and C can be processed only in combination with A, and A cannot be processed alone.

Specifying the User Accreditation Range

The encodings for classifications and sensitivity label words specify which potential sensitivity labels are well formed. Based on these encodings alone, not every potential sensitivity label is well formed. Given the compartments A, B, and C from the above example, if compartment C has a REQUIRED COMBINATION of C A, then compartment C can never appear in a well formed label without compartment A. Thus, the well formed sensitivity labels in the example would be:

TS   TS A   TS B   TS A B   TS A C   TS A B C

The user accreditation range specification is stated in terms of the set of well formed sensitivity labels.

Whereas the above examples dealt with the classification TS only, specifying a user accreditation range in general requires specifying the compartment combinations valid with each classification in the user accreditation range. Furthermore, where not all well formed combinations are valid, the valid compartment combinations can be specified either by listing those combinations that are valid or by listing those combinations that are not valid.

There must be one or more user accreditation range specifications. There should be one specification for each classification that appears in a sensitivity label in the user accreditation range. Each specification consists of a classification= keyword followed by one of the keywords all compartment combinations valid, all compartment combinations valid except:, or only valid compartment combinations:, as described below.

The Classification= Keyword

The classification= keyword should be specified for each classification in the user accreditation range. The keyword is followed by a valid classification (short, long, or alternate name) from the CLASSIFICATIONS: section, and one of the three keywords described below. The classification name is taken to begin with the first non-blank character following the blank after the keyword, and continues up to the next semicolon or the end of the line. The name specified must match either the short, long, or alternate name of one of the classifications specified in the classifications section of the encodings file.

The All Compartment Combinations Valid Keyword

The all compartment combinations valid keyword specifies that all well formed compartment combinations are valid along with the classification specified by the preceding classification= keyword. Note that only those compartment combinations that are well formed according to the encodings in the CLASSIFICATIONS: and SENSITIVITY LABELS: sections are valid. For example, if the SENSITIVITY LABELS: COMBINATIONS CONSTRAINTS: specifies

A ! B

then compartment B cannot appear in a sensitivity label along with compartment A, regardless of the classification or the user accreditation range specification.

An example of a user accreditation range specification using the all compartment combinations valid keyword is:

classification= TS; all compartment combinations valid;

The All Compartment Combinations Valid Except: Keyword

The all compartment combinations valid except: keyword specifies that all compartment combinations are valid along with the classification specified by the preceding classification= keyword, except those that are listed, one per line, on the lines that follow until the next keyword. Each subsequent line (other than blank lines and comment lines) should contain exactly one sensitivity label, up until a line containing a classification= or minimum clearance= keyword is found. At least one sensitivity label should be specified.

Each sensitivity label specified must be well formed according to the encodings in the CLASSIFICATIONS: and SENSITIVITY LABELS: sections. Furthermore, each sensitivity label must be in canonical form. A sensitivity label is in canonical form if it begins with the sname of a classification followed by the name of zero or more SENSITIVITY LABELS: WORDS:, in the order in which the words appear in the SENSITIVITY LABELS: section.

The sensitivity labels are used to specify compartment combinations only; the classification in the sensitivity label is ignored after validity checking. However, the classification in each sensitivity label must be the same as the classification= keyword that precedes it.

A specification of the realistic user accreditation range from the example above using the all compartment combinations valid except: keyword is:

classification= TS; all compartment combinations valid except:
TS
TS A
TS B

The Only Valid Compartment Combinations: Keyword

The only valid compartment combinations: keyword specifies that no compartment combinations are valid along with the classification specified by the preceding classification= keyword, except those that are listed, one per line, on the lines that follow until the next keyword. Each subsequent line (other than blank lines and comment lines) should contain exactly one sensitivity label, up until a line containing a classification= or minimum clearance= keyword is found. At least one sensitivity label should be specified.

Each sensitivity label specified must be well formed according to the encodings in the CLASSIFICATIONS: and SENSITIVITY LABELS: sections. Furthermore, each sensitivity label must be in canonical form. A sensitivity label is in canonical form if it begins with the sname of a classification followed by the name of zero or more SENSITIVITY LABELS: WORDS:, in the order in which the words appear in the SENSITIVITY LABELS: section.

The sensitivity labels are used to specify compartment combinations only; the classification in the sensitivity label is ignored after validity checking. However, the classification in each sensitivity label must be the same as the classification= keyword that precedes it.

A specification of the realistic user accreditation range from the example above using the only valid compartment combinations: keyword is:

classification= TS; only valid compartment combinations: 
TS A B
TS A C
TS A B C

Appendix B, Annotated Sample Encodings, contains more examples of each of the above types of user accreditation range specifications.
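
The following Python sketch is an added example, not code from the original document or from any label encodings tool. It parses user accreditation range specifications for the TS A B C example above and computes the resulting set of labels. The word list, the REQUIRES table, the "*" comment marker and all function names are assumptions made for the illustration.

```python
from itertools import combinations

WORDS = ["A", "B", "C"]    # assumed order of the SENSITIVITY LABELS: words
REQUIRES = {"C": {"A"}}    # the REQUIRED COMBINATION "C A" from the text
MODES = {"all compartment combinations valid": "all",
         "all compartment combinations valid except:": "except",
         "only valid compartment combinations:": "only"}

def well_formed(cls, requires):
    # Canonical well formed labels for one classification, in word order.
    return [" ".join((cls,) + combo)
            for n in range(len(WORDS) + 1)
            for combo in combinations(WORDS, n)
            if all(requires.get(w, set()) <= set(combo) for w in combo)]

def apply_spec(cls, mode, listed, requires):
    wf = well_formed(cls, requires)
    if mode == "all":
        return set(wf)
    if not listed:
        raise ValueError(f"{cls}: at least one sensitivity label is required")
    for label in listed:
        # Fails for a wrong classification, an ill formed word
        # combination, or words out of canonical order.
        if label not in wf:
            raise ValueError(f"{cls}: rejected label {label!r}")
    return set(wf) - set(listed) if mode == "except" else set(listed)

def user_accreditation_range(text, requires=REQUIRES):
    result, spec = set(), None
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if not line or line.startswith("*"):   # "*" comment marker is assumed
            continue
        if line.startswith(("classification=", "minimum clearance=")):
            if spec:
                result |= apply_spec(*spec, requires)
            spec = None
            if line.startswith("minimum clearance="):
                break                          # end of the range specifications
            cls, _, kw = line[len("classification="):].partition(";")
            spec = (cls.strip(), MODES[kw.strip(" ;")], [])
        elif spec:
            spec[2].append(line)               # one sensitivity label per line
    if spec:
        result |= apply_spec(*spec, requires)
    return result

# Sample input: the two specifications shown above.
EXCEPT_SPEC = "classification= TS; all compartment combinations valid except:\nTS\nTS A\nTS B\n"
ONLY_SPEC = "classification= TS; only valid compartment combinations:\nTS A B\nTS A C\nTS A B C\n"
```

Both specifications yield TS A B, TS A C and TS A B C. Calling user_accreditation_range(EXCEPT_SPEC, requires={}) shows that without the REQUIRED COMBINATION the except: form also admits TS C and TS B C, while the only valid compartment combinations: form is unchanged.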

Specifying System Accreditation Range-Related Constants

Following the specification of each classification in the user accreditation range, a number of system accreditation range-related system constants are specified with the keywords minimum clearance=, minimum sensitivity label=, and minimum protect as classification=, as described below.

The Minimum Clearance= Keyword

Following the user accreditation range specifications is the minimum clearance= keyword. This keyword is followed by a specification of the minimum clearance of any user on the system. This minimum clearance will be enforced by the system when setting users' clearances. The clearance is taken to begin with the first non-blank character following the blank after the keyword, and continues up to the next semicolon or the end of the line. The clearance must be well formed and in canonical form. A clearance is in canonical form if it begins with the sname of a classification followed by the name of zero or more CLEARANCES: WORDS:, in the order in which the words appear in the CLEARANCES: section. This clearance must be valid according to the CLEARANCES: encodings, but does not have to conform to the clearance combination constraints (and is therefore not well formed), and does not have to be in the user accreditation range.

The Minimum Sensitivity Label= Keyword

Following the minimum clearance= keyword is the minimum sensitivity label= keyword. This keyword is followed by a specification of the minimum sensitivity label to be used on the system. This minimum sensitivity label forms the low end of the system accreditation range, and will be enforced by the system when setting sensitivity labels. The sensitivity label is taken to begin with the first non-blank character following the blank after the keyword, and continues up to the next semicolon or the end of the line. The sensitivity label must be well formed and in canonical form. A sensitivity label is in canonical form if it begins with the sname of a classification followed by the name of zero or more SENSITIVITY LABELS: WORDS:, in the order in which the words appear in the SENSITIVITY LABELS: section. The minimum sensitivity label does not have to be in the user accreditation range. However, the minimum sensitivity label must be dominated by the minimum clearance.

The Minimum Protect As Classification= Keyword

Following the minimum sensitivity label= keyword is the minimum protect as classification= keyword. Following this keyword is the minimum classification at which all system output is to be protected unless it is manually reviewed and downgraded. The classification name is taken to begin with the first non-blank character following the blank after the keyword, and continues up to the next semicolon or the end of the line. The name specified must match either the short, long, or alternate name of one of the classifications specified in the classifications section of the encodings file. The minimum protect as classification cannot be greater than the classification in the minimum clearance.

Figure 6–1 is an example of how the minimum protect as classification will be used by the system when producing printed output. The system puts the maximum of the minimum protect as classification and the classification in the sensitivity label of the data being printed at the top and bottom of the banner page, and in the warning statement about how the output must be protected.

Figure 6–1 Printer Banner Example Denoting Minimum Protect As Classification Usage

Illustration shows that TOP SECRET is the minimum protect as classification for the data. TOP SECRET is printed in 3 places on the banner.
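
The following Python sketch is an added example, not code from the original document or from any label encodings tool. It reads the three constants from an ACCREDITATION RANGE: section, checks the two ordering rules stated above, and computes the classification printed on the banner page. The classification values, the sample sections, the function names, and the simplification that dominance is a comparison of classification value and word names are all assumptions made for the illustration.

```python
# Constructed classification values keyed by sname; a real encodings
# file takes these from its CLASSIFICATIONS: section.
LEVEL = {"U": 1, "C": 2, "S": 3, "TS": 4}
KEYWORDS = ("minimum clearance=", "minimum sensitivity label=",
            "minimum protect as classification=")

def constants(section):
    """Return {keyword: [classification, word, ...]} for the three constants."""
    found = {}
    for raw in section.splitlines():
        line = raw.strip()
        for kw in KEYWORDS:
            if line.startswith(kw):
                # The value runs up to the next semicolon or the end of the line.
                found[kw] = line[len(kw):].split(";")[0].split()
    return found

def dominates(high, low):
    # Assumed simplification: higher or equal classification, superset of words.
    return LEVEL[high[0]] >= LEVEL[low[0]] and set(low[1:]) <= set(high[1:])

def check(section):
    c = constants(section)
    errors = [f"missing keyword {kw}" for kw in KEYWORDS if kw not in c]
    if errors:
        return errors
    clearance, label, protect = (c[kw] for kw in KEYWORDS)
    if not dominates(clearance, label):
        errors.append("minimum sensitivity label is not dominated by the minimum clearance")
    if LEVEL[protect[0]] > LEVEL[clearance[0]]:
        errors.append("minimum protect as classification is greater than the "
                      "classification in the minimum clearance")
    return errors

def banner_classification(section, data_label):
    """Maximum of the minimum protect as classification and the data's classification."""
    protect = constants(section)["minimum protect as classification="][0]
    return max(protect, data_label.split()[0], key=LEVEL.get)

# Constructed sample sections.
GOOD = ("minimum clearance= S A;\nminimum sensitivity label= U;\n"
        "minimum protect as classification= S;\n")
BAD = ("minimum clearance= S A;\nminimum sensitivity label= S A B;\n"
       "minimum protect as classification= TS;\n")
```

With the GOOD section, data labeled U is bannered as S and data labeled TS A B is bannered as TS; the BAD section fails both checks.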

Name Information Label Encodings

In some encodings files, some classification and word names themselves may be classified. If so, the optional NAME INFORMATION LABELS: section specifies the information label of names specified in the encodings. An information label can be specified for every classification and word name, including prefixes and suffixes. This section is entirely optional. If not included, the information labels of all names will be assumed to be the minimum information label. Even if this section is included, it is necessary to specify information labels for only those names whose information label is other than the minimum information label.

The NAME INFORMATION LABELS: section consists of zero or more information label specifications. Each information label specification consists of one or more name= keywords followed by one il= specification. All of the names specified are assigned the single information label specified. The names can be classification names, snames, or anames, or word names or snames (including prefix or suffix names or snames).

Each information label specified must be well formed according to the encodings in the CLASSIFICATIONS: and INFORMATION LABELS: sections. Furthermore, each information label must be in canonical form. An information label is in canonical form if it begins with a classification name (not sname or aname) followed by the name of zero or more INFORMATION LABELS: WORDS:, in the order in which the words appear in the INFORMATION LABELS: section.

The following examples, drawn from the same encodings in Appendix B, Annotated Sample Encodings, serve to illustrate the usage of name information label specifications. For example, the information label specification:

name= bravo1;	il= confidential b;

assigns the information label confidential b to the name bravo1, which appears only in the INFORMATION LABELS: section. The specification:

name= alpha1;
name= alpha2;
name= alpha3;	il= confidential a;

assigns the information label confidential a to the names alpha1, alpha2, and alpha3, which appear only in the INFORMATION LABELS: section. The specification:

name= sa;	il= top secret sa;

assigns the information label top secret sa to the name sa, which appears in the INFORMATION LABELS:, SENSITIVITY LABELS:, and CLEARANCES: sections. Finally, the specification:

name= (CH A);	il= confidential a;

assigns the information label confidential a to the name (CH A), which appears multiple times in the CHANNELS: section.