The New Triad?

Unless otherwise stated, all views expressed are mine and don’t necessarily reflect those of my employer or MITRE sponsors.

In Ron Ross , Michael McEvilley, and my NIST SP 800-160 Volume 1 Revision 1 Engineering Trustworthy Secure Systems, how many times do you think we mentioned the CIA Triad? How often is data confidentiality mentioned? Data Integrity? Data Availability?

Think on that, we'll come back to it.

In Section 3.2, the ideal of a secure system was captured in three bullets on page 13. I've come to want to re-express those points as

• Delivers the required system capability in support of the mission/business needs despite all forms of adversity.
• Ensures only desired behaviors and outcomes.
• Ensures the delivered capability, desired behaviors, and desired outcomes for authorized entities.

An ideal, the rest of section 3.2 talks to what is adequate to achieving that ideal.

This is the triad of a secure system - which we can shorten to resilient, intended, and authorized (RIA). Eh, got a better one word for each three bullets? Going with that for this article.

Where does data confidentiality come in - it may be a desire for a stakeholder - data used by the system may have a stakeholder want it kept confidential. It may also support delivering capability, denying a malicious adversary from finding out information about the system they may use to develop an attack.

Data integrity? Broader integrity of the system is needed to meet this RIA triad, including configuration data. And this is another case of where a stakeholder may have a data integrity need if the system performs certain functions.

Data availability - certainly system data needs to be available for the system to function, and other data needs to be available to perform to a system's purpose in mission. And the system's purpose may require other kinds of data availability.

But all that has CIA deriving from RIA, driven by what the stakeholders determine is desired behaviors.

So I would contend the objectives for mission-based security are characterized by resilience, intention, and authorization. Data confidentiality, integrity, and availability are a matter of support those and specific stakeholder requirements for stakeholder information.

So, back to that quiz

Answers:

No form of the CIA triad is mentioned in Volume 1.

The word "confidentiality" appears no where in the publication.

The word "integrity" makes 7 appearances, once in a title of a reference; defined in glossary not specifically referring to data; three times in Appendix E, twice speaking to system element integrity and once about the integrity of the reference validation mechanism; once in Appendix H talking to the integrity of system interfaces; and finally, one mention in Appendix I about the integrity of configuration management data. Thus, one mention of data integrity, and a specific data type at that.

The word "availability" makes 16 appearances. A definition not specific to any one item like data, four references about system availability, one about interface availability, and rest about the availability of resources and services for a systems during development, deployment, or operation, including availability of qualified personnel. So, zero mentions of data availability.

A Final Word

I hope to many, they realize this isn't really a new concept being discussed. Many just execute backwards - talk to the data in the system, identify effects which really trace to the RIA triad, then move forward again. What is here I believe simply unpacks to a more holistic approach that informs systems thinking about engineering the system. It informs building a secure system, not securing a system.

I'm not bound yet to calling it the resilient, intended, and authorized (RIA) triad. What would you label it?