
1. Opening Remarks

2. Research Collaboration in the Cloud: How NCI and Research Partners Are Improving Business Processes using Digital Identities (Sherry Ansher, NIH/NCI and Cindy Cullen CTO Safe Bio-Pharma)

3. Minimum Standards for Proof and Verification of Personal Identity (Graham Whitehead, NAPSO)

4. Planned Changes to the Federal PKI (Judy Spencer, FICAM Co-Chair)

5. The Status and Future Plans for the GSA Shared Service (Steve Duncan, MSO Director)

6. The ICAM Return on Investment (ROI) WG (Tim Gaines, ICAM Chair)

7. Proposed Federal Profile for SAML 2.0 for LOA 1 through 4 (Tim Baldridge, FICAM AWG)

8. TSCP Implementation Pilots to demonstrate NSTIC Goals & Objectives (Keith Ward)

9. Closing Remarks

Interagency Advisory Board Meeting Agenda, July 28, 2010


National Strategy for Trusted Identities in Cyberspace (NSTIC) & Transglobal Secure Collaboration Program (TSCP)

June 28, 2010


NSTIC AND TSCP PLANNING MEETING

Agenda

• Description: TSCP Organization

• Background: NSTIC and TSCP Meetings

• Synergy: Alignment of Strategic Goals & Objectives

• Adoption: Opportunities to Collaborate

• Feedback: How can TSCP Support NSTIC?

• Partnership: What can we coordinate to achieve success?

• Implementation Pilots: Use Case Scenarios

• Next Steps:


Transglobal Secure Collaboration Program (TSCP)

Government-Industry Partnership specifically focused on mitigating risks related to:

• Compliance

• Complexity

• Cost

• Infrastructure Technology

Large scale programs spanning national jurisdictions face significant risks when collaborating online.


TSCP: Common Framework for Federated Collaboration

Identity Management & Information Assurance

Data Protection

Facilitate Secure Collaboration

Common Framework for Federated Collaboration


Alignment of TSCP and NSTIC Strategic Goals

TSCP

GOAL 1: Enable secure information sharing within and between industry and governments

GOAL 2: Enable collaboration compliant with export control and relevant policies and company IP protection policies

GOAL 3: Define interoperable specifications and solutions that enable re-use in a cost-effective manner across multiple programs

GOAL 4: Make TSCP specifications and solutions a standard in the A&D community

NSTIC

GOAL 1: Develop a comprehensive Identity Ecosystem Framework

GOAL 2: Build and implement an interoperable identity infrastructure aligned with the Identity Ecosystem Framework

GOAL 3: Enhance confidence and willingness to participate in the Identity Ecosystem

GOAL 4: Ensure the long-term success of the Identity Ecosystem

The cornerstone of the TSCP solution architecture is the establishment of the Trust Framework that covers: Identity Management, Information Labeling and Information Protection


Opportunities to Collaborate

• Adoption of Credentials: DoD executed an External PKI Memo (8520.2) accepting CertiPath compliant credentials across DoD enterprise to fight APT while significantly reducing internal costs (ECA’s)

– No Policy exists for US Civilian Agencies. A policy memo similar to the DoD External PKI Memo that outlines the ‘acceptability’ of Private Industry issued Medium Hardware Certificates by US Civilian Agencies such as Dept. of State (ICAM?)

• Help with the Directorate of Defense Trade Controls to accept the Identity Ecosystem principles laid out in NSTIC

– Example: US Citizenship can be vouched for by a qualified third party, rather than each individual company vetting citizenship status of users

• Promote the participation of key civilian agencies (e.g. DHS) in TSCP projects to promote and foster public/private partnership to solve problems


How can TSCP support NSTIC?

• Provide Industry Feedback: TSCP can provide feedback on National Policy to ensure consistent interpretation of requirements for industry internal and contractual program implementations

– Impacts cross-industry global supply chain: Implementation timelines, compliance targets, contract management, funding and effects on existing contracts

• Collaborative Partnership: Close working relationship between the Defense industry, governments and vendors

• TSCP Integration Labs: Can provide a realistic framework for events / scenarios through which benefits can be demonstrated. Scenarios and events can be developed that enable interaction with national and international partners in order to examine key interoperability issues

• Production Demonstrations: Pilots can identify Gaps in Policies, Technologies and Privacy and drive innovation, interoperability, and trust


What can we coordinate to achieve success? (Demonstrations)

1. Leverage existing Government and Industry investments to date

– Existing global trust framework

– CertiPath Bridge

– TSCP Specifications

– Government and A&D issued credentials

– A&D infrastructure investments

2. Demonstrate Level 3 & 4 Authentication (PIV, PIV-I)

– Business-to-Business

– Business-to-Government

– Government-to-Government

– Citizen-to-Business-to-Government

Implementation Pilots to demonstrate NSTIC Goals & Objectives.

• Identify the Gaps in existing national and agency policies

• Demonstrate Innovation

• Table Top and/or Production of PIV & PIV-I Interoperability


What can we coordinate to achieve success? (Demonstrations)

3. “Scale” - Recommendations and Feedback “GAPS”

• National & International Scale (global supply-chain)

• Regional, State and Local

– Critical Infrastructure verticals; Healthcare, Financial, Energy

• Citizens using PIV-I credentials – Illustrative examples:

» I’m a Defense contractor who has a PIV-I credential but as a citizen I’m part of the community as a First Responder or a family member of an activated National Guard/Army Reservist.

» I’m a citizen accessing my Bank account information

» I’m a citizen using PIV-I credentials through Global Entry

» I’m a Fireman who needs access to CUI building information

4. PIV-I across international boundaries for adoption

• What are the Policy rules?

• What are the Technology challenges?

• What are the Privacy issues?

• What are the European issues and concerns?


“Illustrative” Demonstration for a broader ‘Identity Ecosystem’ – An extension of the TSCP Pilot demonstration

Success Criterion: Comments

Availability of new and innovative services:

• Ability to use a credential issued by the employer to perform your citizen duties

Credential acceptance and trust among diverse industries and governments:

• Possible “gaps” that can be addressed by TSCP if the proposal is accepted

• Target cross industry: Financial Services (online banking, 401(k) and benefits access)

Scale:

• TSCP participants cover over 1 million employees across A&D

• TSCP US Citizens can cover Federal/State/Local Governments

Sensitivity of Information:

• Level 3 or Level 4 impact level sensitivity

International Applicability:

• TSCP companies are Lockheed Martin (US) and BAE (UK) that are partners on F35 program – that have the need for sharing information

TSCP “Illustrative” Example scenarios:

1. TSCP companies share sensitive documents using Secure E-Mail and/or Document Sharing applications that use the TSCP Identity Ecosystem – Pilot Target – Sept. 2010

2. Citizens who have high assurance identity credentials issued by their employer, use them to access sensitive information while performing community duties – e.g., Volunteer firefighter needs access to blueprints of a burning Critical infrastructure building to help rescue trapped citizens

3. Citizens can access their bank accounts using their employer issued high assurance credentials


Information Assurance and Secure Collaboration

“Illustrative” Technical Approach (Secure Email Collaboration)

Secure information sharing for collaboration between large commercial organizations and governments that assures the data is controlled and validated before release and provides assurance that organizational security policy is applied to data between internal security domains and at the boundary of an organization

• Strategic Goals

– NSTIC GOAL 1: Develop a comprehensive identity ecosystem framework

– TSCP GOAL 1: Enable secure information sharing within and between industry and governments

• Business Case

– Advanced Persistent Threat: Government and community problem to mitigate exposure of enterprise Cyber Threats and comply with new regulations

– Authentication: Strengthening authentication across the enterprise with IDM Solutions

– Improved Confidentiality: E-mail is encrypted using medium assurance credentials

• Sample Use Case Scenarios Include:

– Use Case 1: Test encrypted email between “Systems”

– Use Case 2: Test encrypted email between “Systems” with allowed attachment – Exchange APT Threat information in DIB

– Use Case 3: Exchange CUI data between partners using TSCP Secure Email Specification

– Use Case 4: Encrypted email using visual markers to help cultural aspects of security


Identity Federation Services

“Illustrative” Proposed Production Pilot

TSCP defined ‘Common Operating Rules’ that enable the Trust Framework, which is used by Relying Parties to make authorization decisions based on identity attributes from trusted Identity Providers

• Strategic Goals

– NSTIC GOALS 1, 2 & 3:

» Develop a comprehensive Identity Ecosystem Framework

» Build and implement an interoperable identity infrastructure aligned with the Identity Ecosystem Framework

» Enhance confidence and willingness to participate in the Identity Ecosystem

– TSCP GOAL 1 & 3:

» Enable secure information sharing within and between industry and governments

» Define interoperable specifications and solutions that enable re-use in a cost-effective manner across multiple programs

• Business Case

– Federated Common Identity Policy: Employers vouch for employees’ identity attributes – Relying parties do not have to issue credentials and account provisioning is automated (cost reduction)

– Advanced Persistent Threat: Employees are using trusted computers and trusted networks to access CUI

– Cost Control and Recovery: Promote re-usable deployment of solutions to expedite implementation (decrease time to setup)

• Sample Use Case Scenarios Include:

– Use Case 1: Company 1 employee logs into Company 1’s network using company’s issued Smart Badge (Windows Smart Card Login), that is compliant with Medium Hardware policies (re-use)

– Use Case 2: Company 1 employee accesses Company 2’s application via the web. Company 1 passes the employee attributes such as Level of Assurance, employee status to Company 2 (Company 2 makes authorization decisions)


Information Assurance and Secure Collaboration

“Illustrative” Full Scale Federated Exercise

Potential Partners include:

TSCP member Companies

Department of Homeland Security

FEMA

State of Virginia (Governors Office)

City of Newport News (VA)

City Hampton Roads (VA)

District of Columbia - Metro

State of Illinois

City of Chicago

Port of Chicago

O’Hare Airport

N.Y. Port Authority

• Strategic Goals

– NSTIC GOALS 1, 2 & 3:

» Develop a comprehensive Identity Ecosystem Framework

» Build and implement an interoperable identity infrastructure aligned with the Identity Ecosystem Framework

» Enhance confidence and willingness to participate in the Identity Ecosystem

– TSCP GOAL 1 & 3:

» Enable secure information sharing within and between industry and governments

» Define interoperable specifications and solutions that enable re-use in a cost-effective manner across multiple programs

• Business Case

– Federated Common Identity Policy: TSCP Policies and Specifications align with DOD and Federal Identity Policies

– Multi-Factor Security: Multi-Factor approach to provide additional security layers across our networks, systems, facilities, data, intellectual property and information assets

– Cost Control and Recovery: Enterprise cost savings through enterprise deployment of TSCP Specifications while at the same time recover the cost of our investments

• Sample Use Case Scenarios Include:

– Use Case 1: Identity interoperability (federation) of multi-level identity authentication across government & company domains

– Use Case 2: Identity Authentication at emergency venues to positively and securely authenticate authorized users for logical & physical access

– Use Case 3: Employees of critical businesses who work and/or reside in the impacted areas

– Use Case 4-6: Disaster Recovery, Pandemic & Cyber Threats Exercise


JOIN TSCP LEADERSHIP for TSCP’s Business week hosted by Department of Defense at Lansdowne Resort, Northern Virginia, where world-wide A&D leaders and customers will discuss TSCP’s role in meeting today’s cyber and global supply chain security challenges. Presentations will address progress on major initiatives for secure information sharing that protect partners from the advanced persistent threat of electronic crime. We look forward to seeing you there!

SAVE THE DATE!

September 14 - 17, 2010