The data management services consist of the following three components: 1) the data dictionary/directory component for accessing and modifying metadata (i.e., data about data); 2) the data management component for storing, accessing, and modifying data; and 3) the distributed data component for accessing and modifying data located in a remote database. Within the DODIIS community, most of the standards in the data management services address text data only, rather than all types of data defined in section 1.5 . Table 2-3 lists these standards.
Table 2-3. Data Management Service Standards
The data dictionary/directory component refers to utilities and systems necessary to catalog, document, manage, and use metadata through direct interface with the user, an application program interface (API), or associated language binding.
FIPS PUB 156 defines the Information Resource Dictionary System (IRDS). Making direct reference to ANSI X3.138-1988, FIPS PUB 156 provides non-proprietary and common functions for the description, documentation, protection, and use of information resources. However, FIPS PUB 156 has not been widely implemented in the market because 1) it is not aligned with the ISO IRDS (ISO 10728:1992, IRDS Services Interface), which is based on another ANSI standard (ANSI X3.185-1992, IRDS Services Interface), and 2) it does not provide sufficient capabilities as it only specifies functionality in terms of user-oriented command language interface and an alternative panel interface without specifying application programming interface.
To resolve these issues, the ANSI X3H4 committee is currently working on the next-generation IRDS (IRDS2), which is being harmonized with ISO for joint development. The IRDS2 will provide a software interface, enhanced functionality and capability to manage object-oriented data structures, and provide for communication of information between applications and other data management tools.
Recognizing the market reality, IRDS standards adopted as gap fillers in the previous DODIIS Profile (FIPS PUB 156, ANSI X3.195-1991, and ANSI X3.185-1992) are being dropped in this document, with the plan to adopt IRDS2 when it is completed and becomes commercially available. Procurements must seek assurances from contractors and vendors that their products will be fully compliant with the final IRDS2 standard.
The database management component includes definition, management, query, and security of structured data stored within a database management system. Structured Query Language (SQL), defined in FIPS PUB 127-1, provides a non-procedural way for applications to access data and design schema of the database. It consists of a set of operators, qualifiers, and supporting structures that are used by applications to define, access, maintain, and control data, regardless of the underlying database management system.
FIPS PUB 127-1 adopted both ANSI X3.135-1989, Structured Query Language (SQL) and ANSI X3.168-1989, Embedded SQL, as described below:
A recently completed replacement of SQL is FIPS PUB 127-2, commonly referred to as SQL2. The revised FIPS adopts only ANSI X3.135-1992, which includes the specifications from ANSI X3.168-1989, thereby superseding ANSI X3.168-1989. SQL2 contains substantial additional features for schema manipulation, dynamic SQL, exception-handling, enhanced integrity constraints, transaction management, and data administration, along with simple domains and simple assertions. SQL2 has been adopted by the ISO as well, as ISO/IEC 9075:1992, Database Language SQL. DODIIS applications are required to conform to FIPS PUB 127-2.
As such, SQL2 is replacing SQL1 as a standard that should be implemented now. For future standards, DODIIS will consider an SQL Amendment which is currently being processed for stored procedures (expected in 1994-95), and SQL3 which will provide facilities such as triggers, user-defined types, domain, and table hierarchies (expected in 1995).
The DODIIS client server model allows data to be centrally managed on a single server or distributed across multiple servers. However, the SQL specification is not sufficient for the development of distributed system environments. For example, SQL assumes all data operations are to be performed upon a single database system, and therefore, does not have a naming mechanism. The naming of a database is, however, an essential requirement for dealing with data from several systems. The ISO Remote Database Access (RDA) specification (ISO DIS 9579), published in 1993, will be used to establish a remote connection between a database client, acting on behalf of an application program, and a database server, interfacing to a process that controls data transfers to and from a database. The goal of this specification is to promote interconnection of database applications among heterogeneous environments, with emphasis on the SQL server interface.
RDA services consist of dialogue management, association control, resource-handling, and data language services between a single client and a single server. Association control includes making a connection to a specific database at the server site. SQL statements are sent as character strings with a separate list of input parameters, and resulting data or exception conditions are returned. Transaction management services are also included for both one and two-phase commit protocols. Individual applications determine whether both one- and two-phase commits are available.
Although the industry is slow to adopt and conform to the RDA standard, NIST is currently developing a conformance testing suite. When selecting database products, sites should get vendor assurances that compliance to the RDA standard is planned.
Data management security services include access control (e.g., discretionary access control (DAC), mandatory access control (MAC), content-dependent and context-dependent access control), individual user identification and authentication (I& A), data confidentiality, data integrity (e.g., domain integrity, entity integrity, referential integrity, and label integrity), security audit, object reuse, and availability of service and data.
Very few standards address data management security services, although standards bodies are in the process of developing security standards. These standards bodies include ANSI X3H2 and ANSI X3H7, both technical subcommittees of ANSI SPARC. ANSI X3H2 is responsible for proposing SQL security extensions whereas X3H7 (formerly the Object-Oriented Database Task Group) plans to address security within Object Data Management. The Database Management Security and Privacy Task Group (DMSPTG), an ANSI SPARC study group, has developed a reference model that provides a framework for security and privacy for data management. Security standards and related developments resulting from these standards bodies are being monitored for potential inclusion within the DODIIS Profile.
Several trusted DBMS products are in various stages of National Computer Security Center (NCSC) product evaluation against the Trusted Database Management System Interpretation of the Trusted Computer System Evaluation Criteria, commonly referred to as the "TDI". The TDI, released in April 1991, extends the evaluation classes of the Trusted Computer System Evaluation Criteria (TCSEC; DOD 5200.28-STD) to trusted applications, in general, and to trusted DBMSs, in particular. This document provides guidance for the design, implementation, and evaluation of trusted DBMSs. Several trusted DBMS products have been evaluated against this interpretation and some are undergoing evaluation at a specific level of trust.
