Security has a cost. As with every other engineering requirement, we want the gold-plated version. One well-worn example is the consumer's wish list for a new car: it should be built like a tank, produce 400 horsepower, get 50 miles per gallon, and cost an affordable $10,000. The combination of these requirements is not technologically feasible, so trade-offs must be considered. The requirements must be separated from the desirements and then prioritized so that trade-offs can be made.
The salesperson, project manager, or systems engineer must work closely with the customer to manage expectations and arrive at a solution that meets the customer's needs within the customer's budget.
Back to MAC (mission assurance categories): the DoD has established levels of system availability to communicate a requirement when purchasing or maintaining an information system. MAC levels run from 1 to 3, with 1 being the highest need for availability and integrity. Following the car example above, engineers would like to design every application to be MAC 1.
Can everything be MAC 1? It would be like Amazon.com being accessible for ordering and order history 24 hours a day, seven days a week. Although possible, think of the design ramifications: redundant hardware that can handle backups and failovers, and software that can process critical transactions without downtime for millions of transactions per day.
- MAC 3 is for daily business transactions requiring normal accessibility and integrity. If the system is down for a moment, the user can try again later, and if the record accessed is not the latest, it can still be sufficient for the task at hand (like a credit check).
- MAC 2 is when accessibility is more important than integrity. Lower maintenance downtime might be achieved with multiple backup servers (in different facilities) to ensure that the customer always receives a response to a query, even though yesterday's data or last week's data is what comes back.
- MAC 1 is reserved for a system or application that must always be available and must always serve the latest record. This might be accomplished through redundant transaction processing and a lot of extra work behind the scenes to ensure reconciliation between the many instances.
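To make the three trade-offs concrete, here is an added example (not code from the original post or from the DoD) that models a read against a set of replicas under each MAC level. The replica names, record versions, the choice of a read quorum of 2, and the assumption that writes were acknowledged by the same quorum size are all constructed for this illustration; the read-repair step stands in for the "reconciliation between the many instances" the MAC 1 description mentions.

```python
"""Constructed model of how the MAC level shapes a read path across replicas."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Replica:
    name: str
    up: bool
    version: int   # record version; higher means newer
    value: str


def sample_replicas() -> List[Replica]:
    """Constructed sample: three replicas in different facilities.
    site-a is reachable but lagging, site-b holds the newest copy but is down,
    site-c is reachable and current."""
    return [
        Replica("site-a", up=True,  version=41, value="balance=100"),
        Replica("site-b", up=False, version=42, value="balance=120"),
        Replica("site-c", up=True,  version=42, value="balance=120"),
    ]


def read_mac3(replicas: List[Replica]) -> Optional[str]:
    """MAC 3: one primary (the first replica). If it is down the caller simply
    retries later; a slightly stale answer is acceptable."""
    primary = replicas[0]
    return primary.value if primary.up else None


def read_mac2(replicas: List[Replica]) -> Optional[str]:
    """MAC 2: availability over integrity. Answer from any reachable replica,
    even if its copy is old."""
    for r in replicas:
        if r.up:
            return r.value
    return None


def reconcile(reachable: List[Replica], newest: Replica) -> List[str]:
    """Read-repair: bring lagging reachable replicas up to the newest version.
    Returns the names of the replicas that were repaired."""
    repaired = []
    for r in reachable:
        if r.version < newest.version:
            r.version, r.value = newest.version, newest.value
            repaired.append(r.name)
    return repaired


def read_mac1(replicas: List[Replica], quorum: int) -> Optional[str]:
    """MAC 1: require a read quorum and return the newest version among it.
    Assumption: writes were acknowledged by the same quorum size, so any read
    quorum overlaps the latest write. If the quorum cannot be met, refuse
    rather than risk serving a stale record."""
    reachable = [r for r in replicas if r.up]
    if len(reachable) < quorum:
        return None
    newest = max(reachable, key=lambda r: r.version)
    reconcile(reachable, newest)   # the behind-the-scenes reconciliation
    return newest.value


def serve(level: int, replicas: List[Replica], quorum: int = 2) -> Optional[str]:
    """Dispatch a read according to the system's MAC level."""
    if level == 1:
        return read_mac1(replicas, quorum)
    if level == 2:
        return read_mac2(replicas)
    if level == 3:
        return read_mac3(replicas)
    raise ValueError("MAC level must be 1, 2 or 3")


if __name__ == "__main__":
    for level in (3, 2, 1):
        print(f"MAC {level}: {serve(level, sample_replicas())}")
```

With the constructed sample, MAC 3 and MAC 2 both return the lagging `balance=100` from site-a, while MAC 1 reads site-a and site-c, picks the newer record, repairs site-a, and returns `balance=120`; raise the quorum to 3 and MAC 1 refuses to answer at all, which is exactly the availability cost the post is describing.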
ref: Trusted Toolkit Blog