The UAF Domain Meta-model (DMM) itself is based on the DoDAF 2.02 domain metamodel – the DM2, with additions to incorporate metamodel concepts of NAF 3, MODAF 1.2, and the Canadian DNDAF 1.7.
Security Artifacts
There are a number of artifact types concerning Security that are part of the UAF metamodel – brought in from the Canadian DnDAF – which are provided in NAF v4 – however, since NAF v4 does not specify viewpoints for these Security artifacts they exist only as definitions in NAF v4, and cannot be visualized on a viewpoint. They can be captured in the architecture, and output in reports.
These artifact types are:
▪Risk – A statement of the impact of an event on Assets. It represents a constraint on an Asset in terms of adverse effects, with an associated measure. The measure is used to capture the extent to which an entity is threatened by a potential circumstance or event. Risk is typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Software related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems.
▪SecurityControl – A type of OperationalActivity that specifies a safeguard or countermeasure prescribed for OperationalPerformer. It is intended to protect the confidentiality, integrity, and availability of its information.
▪EnhancedSecurityControl – A type of Activity that represents an enhanced SecurityControl. It specifies a safeguard or countermeasure prescribed for a ResourcePerformer. It is intended to protect the confidentiality, integrity, and availability of the Resource’s information and to meet a set of defined security requirements
▪SecurityControlFamily – A type that organizes security controls into a family.
▪ResourceMitigation – a resource that mitigates Risk against an asset. It is a subtype of ResourceArchitecture, which in turn is a subtype of ResourcePerformer.
▪SecurityEnclave – Collection of information systems connected by one or more internal networks under the control of a single authority and security policy. The systems may be structured by physical proximity or by function, independent of location
▪SecurityConstraint – A type of rule that captures a formal statement to define access control policy language.
▪Caveat – A statement of the impact of an event on Assets. It represents a constraint on an Asset in terms of adverse effects, with an associated measure. The measure is used to capture the extent to which an entity is threatened by a potential circumstance or event. Risk is typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Software related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems.