TRANSCRIPT
Interagency Advisory Board Meeting Agenda, July 28, 2010
1. Opening Remarks
2. Research Collaboration in the Cloud: How NCI and Research Partners Are Improving Business Processes using Digital Identities (Sherry Ansher, NIH/NCI, and Cindy Cullen, CTO, Safe Bio-Pharma)
3. Minimum Standards for Proof and Verification of Personal Identity (Graham Whitehead, NAPSO)
4. Planned Changes to the Federal PKI (Judy Spencer, FICAM Co-Chair)
5. The Status and Future Plans for the GSA Shared Service (Steve Duncan, MSO Director)
6. The ICAM Return on Investment (ROI) WG (Tim Gaines, ICAM Chair)
7. Proposed Federal Profile for SAML 2.0 for LOA 1 through 4 (Tim Baldridge, FICAM AWG)
8. TSCP Implementation Pilots to demonstrate NSTIC Goals & Objectives (Keith Ward)
9. Closing Remarks
National Strategy for Trusted Identities in Cyberspace (NSTIC) & Transglobal Secure Collaboration Program (TSCP)
June 28, 2010
93 NSTIC AND TSCP PLANNING MEETING
Agenda
• Description: TSCP Organization
• Background: NSTIC and TSCP Meetings
• Synergy: Alignment of Strategic Goals & Objectives
• Adoption: Opportunities to Collaborate
• Feedback: How can TSCP Support NSTIC?
• Partnership: What can we coordinate to achieve success?
• Implementation Pilots: Use Case Scenarios
• Next Steps:
Transglobal Secure Collaboration Program (TSCP)
Government-Industry Partnership specifically focused on mitigating risks related to:
• Compliance
• Complexity
• Cost
• Infrastructure Technology
Large scale programs spanning national jurisdictions face significant risks when collaborating online.
TSCP: Common Framework for Federated Collaboration
• Identity Management & Information Assurance
• Data Protection
• Facilitate Secure Collaboration
Alignment of TSCP and NSTIC Strategic Goals
TSCP
• GOAL 1: Enable secure information sharing within and between industry and governments
• GOAL 2: Enable collaboration compliant with export control and relevant policies and company IP protection policies
• GOAL 3: Define interoperable specifications and solutions that enable re-use in a cost-effective manner across multiple programs
• GOAL 4: Make TSCP specifications and solutions a standard in the A&D community
NSTIC
• GOAL 1: Develop a comprehensive Identity Ecosystem Framework
• GOAL 2: Build and implement an interoperable identity infrastructure aligned with the Identity Ecosystem Framework
• GOAL 3: Enhance confidence and willingness to participate in the Identity Ecosystem
• GOAL 4: Ensure the long-term success of the Identity Ecosystem
The cornerstone of the TSCP solution architecture is the establishment of the Trust Framework, which covers Identity Management, Information Labeling and Information Protection.
Opportunities to Collaborate
• Adoption of Credentials: DoD executed an External PKI Memo (8520.2) accepting CertiPath compliant credentials across the DoD enterprise to fight APT while significantly reducing internal costs (ECAs)
– No policy exists for US Civilian Agencies. A policy memo similar to the DoD External PKI Memo is needed that outlines the 'acceptability' of Private Industry issued Medium Hardware Certificates by US Civilian Agencies such as Dept. of State (ICAM?)
• Help with the Directorate of Defense Trade Controls to accept the Identity Ecosystem principles laid out in NSTIC
– Example: US Citizenship can be vouched for by a qualified third party, rather than each individual company vetting the citizenship status of users
• Promote the participation of key civilian agencies (e.g. DHS) in TSCP projects to promote and foster public/private partnership to solve problems
How can TSCP support NSTIC?
• Provide Industry Feedback: TSCP can provide feedback on National Policy to ensure consistent interpretation of requirements for industry internal and contractual program implementations
– Impacts on the cross-industry global supply chain: implementation timelines, compliance targets, contract management, funding and effects on existing contracts
• Collaborative Partnership: Close working relationship between the Defense industry, governments and vendors
• TSCP Integration Labs: Can provide a realistic framework for events / scenarios through which benefits can be demonstrated. Scenarios and events can be developed that enable interaction with national and international partners in order to examine key interoperability issues
• Production Demonstrations: Pilots can identify gaps in Policies, Technologies and Privacy and drive innovation, interoperability, and trust
What can we coordinate to achieve success? (Demonstrations)
1. Leverage existing Government and Industry investments to date
– Existing global trust framework
– CertiPath Bridge
– TSCP Specifications
– Government and A&D issued credentials
– A&D infrastructure investments
2. Demonstrate Level 3 & 4 Authentication (PIV, PIV-I)
– Business-to-Business
– Business-to-Government
– Government-to-Government
– Citizen-to-Business-to-Government
Implementation Pilots to demonstrate NSTIC Goals & Objectives:
• Identify the Gaps in existing national and agency policies
• Demonstrate Innovation
• Table Top and/or Production of PIV & PIV-I Interoperability
What can we coordinate to achieve success? (Demonstrations)
3. “Scale” - Recommendations and Feedback on “GAPS”
• National & International Scale (global supply-chain)
• Regional, State and Local
– Critical Infrastructure verticals: Healthcare, Financial, Energy
• Citizens using PIV-I credentials – Illustrative examples:
» I’m a Defense contractor who has a PIV-I credential, but as a citizen I’m part of the community as a First Responder or a family member of an activated National Guard/Army Reservist.
» I’m a citizen accessing my Bank account information
» I’m a citizen using PIV-I credentials through Global Entry
» I’m a Fireman who needs access to CUI building information
4. PIV-I across international boundaries for adoption
• What are the Policy rules?
• What are the Technology challenges?
• What are the Privacy issues?
• What are the European issues and concerns?
“Illustrative” Demonstration for a broader 'Identity Ecosystem' – An extension of the TSCP Pilot demonstration
Success Criterion: Availability of new and innovative services
Comments:
• Ability to use a credential issued by the employer to perform your citizen duties
Success Criterion: Credential acceptance and trust among diverse industries and governments
Comments:
• Possible “gaps” that can be addressed by TSCP if the proposal is accepted
• Target cross industry: Financial Services (online banking, 401(k) and benefits access)
Success Criterion: Scale
Comments:
• TSCP participants cover over 1 million employees across A&D
• TSCP US Citizens can cover Federal/State/Local Governments
Success Criterion: Sensitivity of Information
Comments:
• Level 3 or Level 4 impact level sensitivity
Success Criterion: International Applicability
Comments:
• TSCP companies Lockheed Martin (US) and BAE (UK), partners on the F-35 program, have the need for sharing information
TSCP “Illustrative” Example scenarios:
1. TSCP companies share sensitive documents using Secure E-Mail and/or Document Sharing applications that use the TSCP Identity Ecosystem – Pilot Target – Sept. 2010
2. Citizens who have high assurance identity credentials issued by their employer use them to access sensitive information while performing community duties – e.g., a volunteer firefighter needs access to blueprints of a burning Critical Infrastructure building to help rescue trapped citizens
3. Citizens can access their bank accounts using their employer issued high assurance credentials
Information Assurance and Secure Collaboration
“Illustrative” Technical Approach (Secure Email Collaboration)
Secure information sharing for collaboration between large commercial organizations and governments that assures the data is controlled and validated before release, and provides assurance that organizational security policy is applied to data between internal security domains and at the boundary of an organization.
• Strategic Goals
– NSTIC GOAL 1: Develop a comprehensive identity ecosystem framework
– TSCP GOAL 1: Enable secure information sharing within and between industry and governments
• Business Case
– Advanced Persistent Threat: Government and community problem to mitigate exposure of enterprise Cyber Threats and comply with new regulations
– Authentication: Strengthening authentication across the enterprise with IDM Solutions
– Improved Confidentiality: E-mail is encrypted using medium assurance credentials
• Sample Use Case Scenarios Include:
– Use Case 1: Test encrypted email between “Systems”
– Use Case 2: Test encrypted email between “Systems” with allowed attachment – Exchange APT Threat information in the DIB
– Use Case 3: Exchange CUI data between partners using the TSCP Secure Email Specification
– Use Case 4: Encrypted email using visual markers to help the cultural aspects of security
Identity Federation Services
“Illustrative” Proposed Production Pilot
TSCP defined ‘Common Operating Rules’ that enable the Trust Framework, which is used by Relying Parties to make authorization decisions based on identity attributes from trusted Identity Providers.
• Strategic Goals
– NSTIC GOALS 1, 2 & 3:
» Develop a comprehensive Identity Ecosystem Framework
» Build and implement an interoperable identity infrastructure aligned with the Identity Ecosystem Framework
» Enhance confidence and willingness to participate in the Identity Ecosystem
– TSCP GOALS 1 & 3:
» Enable secure information sharing within and between industry and governments
» Define interoperable specifications and solutions that enable re-use in a cost-effective manner across multiple programs
• Business Case
– Federated Common Identity Policy: Employers vouch for employees' identity attributes – Relying parties do not have to issue credentials, and account provisioning is automated (cost reduction)
– Advanced Persistent Threat: Employees are using trusted computers and trusted networks to access CUI
– Cost Control and Recovery: Promote re-usable deployment of solutions to expedite implementation (decrease time to set up)
• Sample Use Case Scenarios Include:
– Use Case 1: Company 1 employee logs into Company 1’s network using the company-issued Smart Badge (Windows Smart Card Login) that is compliant with Medium Hardware policies (re-use)
– Use Case 2: Company 1 employee accesses Company 2’s application via the web. Company 1 passes employee attributes such as Level of Assurance and employee status to Company 2 (Company 2 makes the authorization decisions)
Information Assurance and Secure Collaboration
“Illustrative” Full Scale Federated Exercise
Potential Partners include:
• TSCP member Companies
• Department of Homeland Security
• FEMA
• State of Virginia (Governor's Office)
• City of Newport News (VA)
• City Hampton Roads (VA)
• District of Columbia - Metro
• State of Illinois
• City of Chicago
• Port of Chicago
• O’Hare Airport
• N.Y. Port Authority
• Strategic Goals
– NSTIC GOALS 1, 2 & 3:
» Develop a comprehensive Identity Ecosystem Framework
» Build and implement an interoperable identity infrastructure aligned with the Identity Ecosystem Framework
» Enhance confidence and willingness to participate in the Identity Ecosystem
– TSCP GOALS 1 & 3:
» Enable secure information sharing within and between industry and governments
» Define interoperable specifications and solutions that enable re-use in a cost-effective manner across multiple programs
• Business Case
– Federated Common Identity Policy: TSCP Policies and Specifications align with DOD and Federal Identity Policies
– Multi-Factor Security: Multi-Factor approach to provide additional security layers across our networks, systems, facilities, data, intellectual property and information assets
– Cost Control and Recovery: Enterprise cost savings through enterprise deployment of TSCP Specifications while at the same time recovering the cost of our investments
• Sample Use Case Scenarios Include:
– Use Case 1: Identity interoperability (federation) of multi-level identity authentication across government & company domains
– Use Case 2: Identity Authentication at emergency venues to positively and securely authenticate authorized users for logical & physical access
– Use Case 3: Employees of critical businesses who work and/or reside in the impacted areas
– Use Cases 4-6: Disaster Recovery, Pandemic & Cyber Threats Exercise
JOIN TSCP LEADERSHIP for TSCP’s Business Week, hosted by the Department of Defense at Lansdowne Resort, Northern Virginia, where world-wide A&D leaders and customers will discuss TSCP’s role in meeting today’s cyber and global supply chain security challenges. Presentations will address progress on major initiatives for secure information sharing that protect partners from the advanced persistent threat of electronic crime. We look forward to seeing you there!
SAVE THE DATE! September 14 - 17, 2010