
INCITS Announces the New Standard for Role Based Access Control (RBAC)

FOR IMMEDIATE RELEASE

CONTACT: Shannon Feaster (202) 626-5725 or sfeaster@itic.org

First-of-its-kind Cyber Security Standard Supports Commercial and Homeland Security Applications
 
Washington, DC, March 23, 2004 - The InterNational Committee for Information Technology Standards (INCITS) today announced that the Role Based Access Control (RBAC) standard has been approved by the American National Standards Institute (ANSI). The standard is designated as ANSI INCITS 359-2004, American National Standard for Information Technology - Role Based Access Control, and can be purchased through the INCITS Web site: http://www.incits.org/. 

Role Based Access Control has become the predominant model for advanced access control because it reduces the complexity and cost of security administration in large networked applications. Many information technology vendors have incorporated RBAC into their product line, and the technology is finding applications in areas ranging from health care to defense, in addition to the mainstream commerce systems for which it was designed. The National Institute of Standards and Technology (NIST) initiated the development of the standard via the INCITS fast track process. 

This standard describes RBAC features that have achieved acceptance in the commercial marketplace. It includes a reference model and functional specifications for the RBAC features defined in the reference model. It is intended for 1) software engineers and product development managers who design products incorporating access control features; and 2) managers and procurement officials who seek to acquire computer security products with features that provide access control capabilities based on commonly known and understood terminology and functional specifications.

"The standard provides users and vendors of information technology products with a coherent and uniform definition of RBAC features and we anticipate that this first ever RBAC standard can serve as the basis for further international standardization of RBAC by INCITS," explained Susan Zevin, Acting Director of the Information Technology Laboratory at the National Institute for Standards and Technology (NIST).

"This RBAC standard is structured so that RBAC profiles could be developed for specific applications, such as the protection of critical infrastructure, and we welcome all interested parties to join INCITS to further progress RBAC standardization," said Karen Higginbottom, INCITS Executive Board Chair and Director of Standards Initiatives in Hewlett-Packard’s Office of Strategy and Technology. "An OASIS technical committee has issued a profile for using RBAC with the eXtensible Access Control Markup Language (XACML) as a method for defining RBAC building blocks for Web services."

Ed Reed, the Security Tzar at Novell, said, "Novell welcomes the publication of this standard. We look forward to the widespread industry adoption of RBAC as a standard in applications and infrastructure services that this will encourage." More information on RBAC can be found on the NIST Computer Security Resource Center Web site, at http://csrc.nist.gov/rbac.

 
About INCITS
The InterNational Committee for Information Technology Standards (INCITS) is the primary U.S. focus of standardization in the field of Information and Communications Technology (ICT) encompassing storage, processing, transfer, display, management, organization, and retrieval of information. As such, INCITS also serves as the American National Standards Institute's (ANSI) Technical Advisory Group for ISO/IEC Joint Technical Committee 1. JTC 1 is responsible for International standardization in the field of information technology. INCITS is accredited by ANSI and operates under its rules, designed to ensure that voluntary standards are developed by the consensus of directly and materially affected interests. Contact: INCITS Secretariat, Information Technology Industry Council, 1250 Eye St. NW, Suite 200, Washington, DC 20005 (www.incits.org)

About NIST
As a non-regulatory agency of the U.S. Department of Commerce’s Technology Administration, NIST develops and promotes measurements, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life. The NIST web site is www.nist.gov.