Copyright (c) 2023 Boeing
This program and the accompanying materials are made available under the terms of the Eclipse Public License 2.0 which is available at https://www.eclipse.org/legal/epl-2.0/
SPDX-License-Identifier: EPL-2.0
Contributors: Boeing - initial API and implementation
The primary unit of data storage in OSEE is the Artifact. Each artifact has a name and a collection of attributes to hold the artifact’s data.
OSEE shall allow the user to indicate that an OSEE Artifact contains CUI.
A CUI Category or Subcategory are the exclusive designations for identifying CUI that a law, regulation, or Government-wide policy requires or permits agencies to apply safegauarding or dissemination controls to.
OSEE shall allow the user to indicate the CUI Category or Subcategory for OSEE Artifacts containing CUI.
CUI Categories and Subcategories are either “Basic” or “Specified”. “Specified” categories and subcategories have handling requirements that go beyond the “Basic” CUI handling requirements. Only some data for a CUI Category or Subcategory may be “Specified”.
OSEE shall allow the user to indicate the CUI type as “Basic” or “Specified” for OSEE Artifacts containing CUI.
In addition to a Required Indicator, the dissemination of data stored in an OSEE Artifact may be controlled.
OSEE shall allow the user to indicate the dissemination controls for OSEE Artifacts containing CUI.
In addition to the CUI indicators and Required Indicators, it is also important to record the rationale for the assigned indicators.
OSEE shall allow the user to record the rationale for the OSEE Artifact’s assigned CUI and Required indicators.
The Authority specifying the CUI category may also require additional data indicators. Additional indicators may also be required by corporate policy and or contract. The following are examples of Required Indicators:
OSEE shall allow the user to enumerate all Required Indicators for an OSEE Artifact.
OSEE shall allow the user to indicate if a Required Indicator must be present on every page or only on containing pages.
OSEE shall allow the user to provide a title page Required Indicator statement for each Required Indicator type on a per document basis.
OSEE shall allow the user to provide a document header statement for each Required Indicator type on a per document basis.
OSEE shall allow the user to provide a document footer statement for each Required Indicator type on a per document basis.
OSEE is a database which may contain data for multiple programs with different data rights and different user access controls. The unit of access control in OSEE is the branch.
OSEE shall only allow authorized users access to a branch and all of it’s sub-branches.
OSEE provides HTTP(S) API that allow external tools/browsers to access OSEE Data.
OSEE shall not allow access to controlled data via an HTTP(S) API that a user does not have access to.
OSEE maybe configured to send E-mail notifications to users.
All CUI data e-mailed by OSEE shall be contained in encrypted attachments.
OSEE shall include CUI Banner markings on any e-mails containing CUI data.
Users must be notified of authorized use restrictions and requirements for access to the OSEE database.
OSEE shall display the GSSFL Banner to users upon login.
At some juncture it may become necessary to destroy CUI data stored within OSEE.
OSEE shall provide a data destruction capability compliant with the electronic media data destruction requirements for CUI data.
The CUI Banner must be included on all pages, this includes the title page.
OSEE shall publish a CUI Banner at the top of each page for all documents containing CUI.
OSEE publishing shall provide an option to include the CUI Banner Marking at the bottom of each page.
OSEE shall publish the same CUI Banner on all pages of a publish.
OSEE shall publish a CUI Banner that is inclusive of all data within the publish.
OSEE shall publish the CUI Banner with the following formatting:
OSEE shall formulate the CUI Banner according to the following EBNF:
<cui-banner> ::= <control> [ <category-list> ] [ <dissemination-list> ]
<control> ::= “CUI” | “CONTROLLED”
<category-list> ::= “//” <category-list-contents>
<category-list-contents> ::= <category> { “/” <category> }
<category> ::= <basic-category> | <specified-category>
<basic-category> ::= <category-indicator>
<specified-category> ::= “SP-“ <category-indicator>
<dissemination-list> ::= “//” <dissemination-list-contents>
<dissemination-list-contents> ::= <dissemination> | <dissemination> { “/” <dissemination> }
<dissemination> :: = “NOFORN” | “FED ONLY” | “FEDCON” | “NOCON” | “DL ONLY” | <release-to>
<release-to> ::= “REL TO USA” { <foreign-release-list> }
<foreign-release-list> ::= “,” <foreign-indicator> { “,” <foreign-indicator> }
OSEE shall include the <category-indicators> for all OSEE Artifacts in the publish.
OSEE shall prefix <category-indicators> for “Specified” CUI categories and subcategories with “SP-“ in the CUI Banner Marking.
OSEE shall place all the <specified-category> indicators ahead of the <basic-category> indicators in the <category-list-contents>.
OSEE shall sort the <basic-category> indicators in the <category-list-contents> in alphabetical order.
OSEE shall sort the <specified-category> indicators in the <category-list-contents> in alphabetical order.
OSEE shall include the <dissemination> indicators for all OSEE Artifacts in the publish.
OSEE shall sort the <dissemination> indicators in the <dissemination-list> in alphabetical order.
OSEE shall include “USA” as the first <foreign-indicator> in the <foreign-release-list>.
OSEE shall sort the <foreign-indicator> indicators for foreign nations in the <foreign-release-list> in alphabetical order.
OSEE shall include a CUI Designation Indicator Block in each document containing CUI data.
OSEE shall include the following in the “CUI Designation Indicator Block”:
OSEE shall include a Required Indicator Title Page Statement for each type of Required Indication with a Title Page Statement contained within the document.
OSEE shall include a Required Indicator Header Statement for each type of Every Page Required Indication contained within the document.
OSEE shall include a Required Indicator Header Statement for each type of Only Page Required Indication contained on that page of the document.
OSEE shall include a Required Indicator Footer Statement for each type of Every Page Required Indication contained within the document.
OSEE shall include a Required Indicator Footer Statement for each type of Only Page Required Indication contained on that page of the document.
Temporary files are files that are created by either the OSEE client or the OSEE server, not delivered to the user, and no longer needed at the completion of the publish.
OSEE shall destroy all temporary files containing CUI at the completion of a publish in a manner compliant with the electronic media data destruction requirements for CUI data.
Temporary files are files that are created by either the OSEE client or the OSEE server, not delivered to the user, and no longer needed at the completion of the publish.
OSEE shall create temporary files containing CUI with OS level access controls that only permit access by authorized users.