apigovau / national-api-design-standards

Australian National API Design Standards

API Security - Protective marking #48

Open TimGoodwill opened 4 years ago

TimGoodwill commented 4 years ago

As discussed, a unified approach to protective marking would greatly enhance API inter-operability. The following text is offered as a potential addition to the api-security.md doc as a starting point. However it is acknowledged that each jurisdiction may have similar requirements, and this section should be open to evolution.

Suggested addition:

Protective Marking

Commonwealth entities, and State and territory government agencies that hold or access Commonwealth security classified information are required by the Protective Security Policy Framework to apply appropriate protective marking to classified data to ensure that data is handled and shared appropriately. An 'x-protective-marking' HTTP header MUST be used to apply appropriate protective marking to Commonwealth security classified information.

The following rules apply to the use of the 'x-protective-marking' header:

• Transmission of any payload, request or response, containing data classified as having a high business impact level ('PROTECTED' at the time of writing) or above MUST be accompanied by an 'x-protective-marking' HTTP header.
• Data classified as having a 'low to medium' business impact ('OFFICIAL:Sensitive' at the time of writing) or above SHOULD be accompanied by an 'x-protective-marking' HTTP header, wherever technically feasible.

The values (and case) of the header should align with the appropriate Security classification literals defined in the Protective Security Policy Framework, and conform to the syntax prescribed in the Annex B Email protective marking standard.

Syntax

X-Protective-Marking: VER=<ver>, NS=gov.au, SEC=<securityClassification>(, CAVEAT=<caveatType>:<caveatValue>)*(, EXPIRES=(<genDate>|<event>), DOWNTO=(<securityClassification>))?(, ACCESS=<InformationManagementMarker>)*

The first 2 key-value pairs are largely static. The namespace ('NS') value is always 'gov.au' when produced by Australian Government entities. The version ('VER') of the PSPF will change infrequently. At the time of writing, the first 2 key-value pairs appended to the x-protective-marking header will be 'VER=2018.1' and 'NS=gov.au', followed by the security classification marker and further optional markings.

e.g.

x-protective-marking: VER=2018.1, NS=gov.au, SEC=PROTECTED

or

x-protective-marking: VER=2018.1, NS=gov.au, SEC=OFFICIAL:Sensitive, ACCESS=Personal-Privacy

Content (payload) classified as having a high business impact level or above MUST NOT be logged, unless over secure channels and to platforms approved for the retention of data to the appropriate classification.
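The following is an added example, not code from the national-api-design-standards repository or from the issue author: a small parser for the header syntax proposed above, a policy check that applies the MUST/SHOULD rules to a request or response whose payload classification is known, and a log-record builder that redacts high business impact bodies before they reach an ordinary log platform. The ordering of the PSPF classification literals beyond OFFICIAL:Sensitive and PROTECTED, the shape of the VER value, the rule that DOWNTO may not exceed SEC, and the caveat names in the test inputs are assumptions made here, not something the issue specifies.

```python
"""Added example: parse and policy-check an X-Protective-Marking header."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# PSPF literals, lowest to highest business impact. The issue names only
# OFFICIAL:Sensitive and PROTECTED; the full ordering is assumed here.
CLASSIFICATIONS = ["UNOFFICIAL", "OFFICIAL", "OFFICIAL:Sensitive",
                   "PROTECTED", "SECRET", "TOP SECRET"]
VER_PATTERN = re.compile(r"^\d{4}\.\d+$")  # assumed shape of VER, e.g. 2018.1
HEADER_NAME = "x-protective-marking"


class MarkingError(ValueError):
    """Raised when a header value does not conform to the proposed syntax."""


@dataclass
class ProtectiveMarking:
    ver: str
    ns: str
    sec: str
    caveats: list[tuple[str, str]] = field(default_factory=list)
    expires: str | None = None
    downto: str | None = None
    access: list[str] = field(default_factory=list)


def rank(classification: str) -> int:
    """Position of a classification literal (exact case) in the impact ordering."""
    if classification not in CLASSIFICATIONS:
        raise MarkingError(f"unknown security classification {classification!r}")
    return CLASSIFICATIONS.index(classification)


def parse_protective_marking(value: str) -> ProtectiveMarking:
    """Parse VER, NS, SEC(, CAVEAT=t:v)*(, EXPIRES=.., DOWNTO=..)?(, ACCESS=..)*.
    Keys are matched case-sensitively and in the order the syntax prescribes."""
    pairs: list[tuple[str, str]] = []
    for item in value.split(","):
        key, sep, val = item.strip().partition("=")
        if not sep or not key.strip() or not val.strip():
            raise MarkingError(f"malformed key-value pair {item.strip()!r}")
        pairs.append((key.strip(), val.strip()))

    if [k for k, _ in pairs[:3]] != ["VER", "NS", "SEC"]:
        raise MarkingError("header must begin with VER, NS and SEC in that order")
    ver, ns, sec = (v for _, v in pairs[:3])
    if not VER_PATTERN.match(ver):
        raise MarkingError(f"unexpected VER value {ver!r}")
    if ns != "gov.au":
        raise MarkingError(f"NS must be 'gov.au', got {ns!r}")
    rank(sec)  # rejects unknown literals and wrong case

    marking = ProtectiveMarking(ver, ns, sec)
    stage = "caveat"  # caveat -> access; EXPIRES/DOWNTO sits between, never backwards
    i = 3
    while i < len(pairs):
        key, val = pairs[i]
        if key == "CAVEAT" and stage == "caveat":
            ctype, sep, cval = val.partition(":")
            if not sep or not ctype or not cval:
                raise MarkingError(f"CAVEAT must be <type>:<value>, got {val!r}")
            marking.caveats.append((ctype, cval))
        elif key == "EXPIRES" and stage == "caveat":
            # EXPIRES is only valid when immediately followed by DOWNTO
            if i + 1 >= len(pairs) or pairs[i + 1][0] != "DOWNTO":
                raise MarkingError("EXPIRES must be followed by DOWNTO")
            marking.expires, marking.downto = val, pairs[i + 1][1]
            if rank(marking.downto) > rank(sec):  # assumed: a downgrade only
                raise MarkingError("DOWNTO cannot be higher than SEC")
            stage = "access"
            i += 1
        elif key == "ACCESS":
            marking.access.append(val)
            stage = "access"
        else:
            raise MarkingError(f"unexpected or out-of-order key {key!r}")
        i += 1
    return marking


def is_valid_marking(value: str) -> bool:
    try:
        parse_protective_marking(value)
        return True
    except MarkingError:
        return False


def find_marking_header(headers: dict[str, str]) -> str | None:
    """HTTP header names are case-insensitive, so match without regard to case."""
    return next((v for k, v in headers.items() if k.lower() == HEADER_NAME), None)


def check_message(headers: dict[str, str], payload_classification: str) -> list[str]:
    """Apply the issue's MUST/SHOULD rules to one request or response whose
    payload is known (out of band) to carry data of payload_classification."""
    level = rank(payload_classification)
    header = find_marking_header(headers)
    if header is None:
        if level >= rank("PROTECTED"):
            return ["MUST: high business impact payload sent without X-Protective-Marking"]
        if level >= rank("OFFICIAL:Sensitive"):
            return ["SHOULD: OFFICIAL:Sensitive payload sent without X-Protective-Marking"]
        return []
    try:
        marking = parse_protective_marking(header)
    except MarkingError as exc:
        return [f"MUST: malformed X-Protective-Marking ({exc})"]
    if rank(marking.sec) < level:
        return [f"MUST: header marks {marking.sec} but payload is {payload_classification}"]
    return []


def loggable_record(headers: dict[str, str], body: str, payload_classification: str) -> dict:
    """Log record for a platform not approved for high business impact data:
    the marking is kept, the body is replaced by a redaction marker."""
    record = {HEADER_NAME: find_marking_header(headers)}
    if rank(payload_classification) >= rank("PROTECTED"):
        record["body"] = f"<redacted: {payload_classification} payload, {len(body)} bytes>"
    else:
        record["body"] = body
    return record
```

The parser enforces the positional grammar from the Syntax section rather than treating the header as a free-form bag of keys, so an `ACCESS` marker appearing before a `CAVEAT`, or an `EXPIRES` without its `DOWNTO`, is rejected at the API gateway instead of being silently accepted. `check_message` needs the payload's classification from somewhere other than the header itself (a data catalogue, the resource's schema), since a header that under-marks a payload is exactly the case the check is meant to catch.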