
Paul D. Grant [email protected]

Special Assistant, Federated Identity Management and External Partnering, Office of the DoD CIO

Co-Chair, Identity, Credential and Access Management Sub-Committee, Federal CIO Council

www.IdManagement.Gov

ICAM Update, GTRA Workshop

16 February 2012

ICAM is Executive Branch Implementation of the National Strategy for Trusted Identities in Cyberspace

UNCLASSIFIED 2

Federal ICAM Goals

• Fostering effective government-wide identity and access management

• Enabling trust in online transactions through common identity and access management policies and approaches

• Aligning federal agencies around common identity and access management practices

• Reducing the identity and access management burden for individual agencies by fostering common interoperable approaches

• Ensuring alignment across all identity and access management activities that cross individual agency boundaries

• Collaborating with external identity management activities through inter-federation to enhance interoperability

ICAM Scope

The Federal ICAM Initiative provides cohesive governance for several programs that were previously governed and managed separately.

[Diagram: ICAM scope covers Logical Access and Physical Access, for Persons and Non-Persons]

Foundation for Trust and Interoperability in Conducting Electronic Transactions both within the Federal Government and with External Partners


Evolving FICAM Governance Structure

FICAM Key Components in the ICAM Segment Architecture

ICAM represents the intersection of digital identities, credentials, and access control into one comprehensive approach

FICAM Service Areas: Digital Identity, Credentialing, Privilege Management, Authentication, Authorization & Access, Cryptography, Auditing and Reporting

FICAM Services Framework

• Credentialing
– Issuance
– Enrollment/Registration
– Credential Lifecycle Management
– Sponsorship
– Self-Service

• Auditing and Reporting
– Audit Trail
– Reports Management

• Authorization and Access
– Policy Decision
– Policy Enforcement
– Policy Administration
– Backend Attribute Retrieval

• Authentication
– Credential Validation
– Biometric Validation
– Session Management
– Federation

• Cryptography
– Encryption/Decryption
– Digital Signature
– Key Management

• Privilege Management
– Provisioning
– Account Management
– Bind/Unbind
– Privilege Administration
– Resource Attribute/Metadata Management

• Digital Identity
– Digital Identity Lifecycle Management
– Identity Proofing
– Linking/Association
– Adjudication
– Vetting
– Authoritative Attribute Exchange
– Identity Attribute Discovery

DoD ICAM Target State: Dynamic Access Control

[Diagram labels, in extraction order: Resource Management; Policy Decision Point (PDP); Resource; Policy Enforcement Point (PEP); Environmental Factors (e.g., DEFCON, INFOCON, Etc.); Policy-Based Authorization Services; Policy Store; Resource Attribute Management; Audit Management; Authenticate; Identity Management; Identity & Credential Management; Policy Management; Digital Policy Management; Credential Management; User/Device Attribute Management; User/Device]
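As an added worked example (not from the slide deck or any DoD system), a small Python model of the slide's flow: a Policy Enforcement Point guarding a resource asks a Policy Decision Point, which combines user/device attributes, resource attributes and an environmental factor before an audit record is written. The attribute values, policy rules and the INFOCON scale are assumptions made for the example.

```python
# Added illustration of the slide's dynamic access control flow (PEP asks a PDP,
# which combines user/device attributes, resource attributes and environmental
# factors). Not DoD code: every attribute, rule and INFOCON value is constructed.
from dataclasses import dataclass

# Stand-ins for the User/Device and Resource Attribute Management boxes (made up).
USER_DEVICE_ATTRS = {
    "alice": {"clearance": 3, "auth_loa": 4, "device_managed": True},
    "bob": {"clearance": 1, "auth_loa": 2, "device_managed": False},
}
RESOURCE_ATTRS = {
    "ops-plan": {"sensitivity": 3, "min_loa": 4},
    "cafeteria-menu": {"sensitivity": 0, "min_loa": 1},
}
ENVIRONMENT = {"INFOCON": 5}  # constructed scale: 5 normal, 3 or below heightened
AUDIT_LOG = []  # the Audit Management box: one record per decision

@dataclass
class Decision:
    permit: bool
    reason: str

def policy_decision_point(subject, action, resource, env):
    """Policy Store rules (constructed): attributes plus environment decide."""
    u, r = USER_DEVICE_ATTRS.get(subject), RESOURCE_ATTRS.get(resource)
    if u is None or r is None or action not in ("read", "write"):
        return Decision(False, "unknown subject, resource or action")
    if u["clearance"] < r["sensitivity"]:
        return Decision(False, "clearance below resource sensitivity")
    # Heightened INFOCON raises the required authentication level by one and
    # bars unmanaged devices; the user's standing entitlements never change.
    heightened = env["INFOCON"] <= 3
    required_loa = r["min_loa"] + (1 if heightened else 0)
    if u["auth_loa"] < required_loa:
        return Decision(False, f"authentication LOA {u['auth_loa']} below required {required_loa}")
    if (heightened or action == "write") and not u["device_managed"]:
        return Decision(False, "unmanaged device not permitted for this request")
    return Decision(True, "all policy conditions met")

def policy_enforcement_point(subject, action, resource):
    """Guards the resource: asks the PDP, records the outcome, enforces it."""
    d = policy_decision_point(subject, action, resource, ENVIRONMENT)
    AUDIT_LOG.append((subject, action, resource, dict(ENVIRONMENT), d.permit, d.reason))
    return d.permit

def set_environment(**factors):
    """Policy Management hook: changing a factor alters every later decision."""
    ENVIRONMENT.update(factors)
```

Lowering INFOCON from 5 to 3 flips alice's normally permitted read of ops-plan to a denial without touching her attributes, which is the dynamic part of the target state.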

PIV Implementation

• OMB Memo M-11-11, “Continued Implementation of Homeland Security Presidential Directive (HSPD) 12 Policy for a Common Identification Standard for Federal Employees and Contractors,” was released on 3 Feb 2011.

– Provides additional implementation requirements around HSPD-12

– Also directed alignment with the FICAM Roadmap and Implementation Guidance

• The DoD-CIO has distributed a memo giving implementation requirements to the DoD Components

– The deadlines are the same as in M-11-11

This guidance will help move the paradigm of everyone having a PIV card to everyone using the PIV card to improve operations in their everyday business.

Approved PIV-I Providers

• Federal Bridge Approved PIV-I Providers:

– VeriSign, Inc. (A Symantec Company)

– Verizon Business

– Entrust

– Operational Research Consultants (ORC)

• Certipath Approved PIV-I Providers:

– CitiBank

– HID (ActivIdentity)

Goal: Large Number of Qualified Providers (NFI) for Partners to have Competitive Choices

Recent Purchases of PIV-I Credentials

• Booz Allen Hamilton

• California Prison Health Care Services

• Computer Sciences Corporation

• ICF International

• Millennium Challenge Corporation

• US Senate

• State of Colorado – purchasing PIV-I and trusts DoD CAC

• State of Kansas

• State of Illinois

• Commonwealth of Virginia – First Responders

• State of West Virginia – RFP

• Commonwealth of Pennsylvania – Chester County issuing PIV-I

Now Available to Public: Information Assurance Support Environment (IASE) PKI/PKE

• Hosts the DoD PKI/PKE site:

– http://iase.disa.mil/pki-pke/interoperability/index.html

• 3 categories of PKIs

– Category I – U.S. Federal agency PKIs (i.e. PIV)

– Category II – Non-Federal Agency PKIs cross certified with the FBCA or PKIs from other PKI Bridges that are cross certified with FBCA

– Category III – Foreign, Allied, or Coalition Partner PKIs

• There are currently 5 PIV-I providers approved for Authentication in DoD:

– HID - ActivIdentity Inc. NFI PKI (August 2011)

– VeriSign NFI PKI (April 2011)

– CitiBank (Jul 2011)

– Verizon Business NFI PKI (Jul 2011)

– Entrust (Oct 2011)

Fed Bridge Status: http://www.idmanagement.gov/fpkia/crosscert.cfm

Certipath Status: http://www.certipath.com/certipath-bridge/piv-i-issuers

Identity Federations (PKI Based)

[Diagram: PKI Bridges around the Federal Common Policy Root; Red: IAL-4, DoDI 8520.03; Cross Certified at “Commercial Best Practices” Level]

Shared Service Providers: VeriSign, Inc.; Symantec; Operational Research Consultants, Inc.; The Department of the Treasury; Entrust Managed Services; U.S. Government Printing Office

Federal Bridge

– Cross Certified: D of Defense, D of Justice, Gov Printing Office, D of State, D of Treasury, USPS, Patent & Trademark Ofc, DHS, State of Illinois, DEA CSOS

– Credential Svc Providers: VeriSign, Verizon Business, Entrust, ORC, DoD ECAs (ORC, IdenTrust, VeriSign), ACES (IdenTrust & ORC)

Certipath (Aero/Def)

– Participants Cross Certified: Boeing, Lockheed Martin, Northrop Grumman, Raytheon, EADS/Airbus, MOD NL; BAE Systems (Exostar)

– Credential Svc Providers: Exostar, SITA, ARINC, CitiBank, HID (ActivIdentity)

SAFE (Bio/Pharma)

– Participants: AstraZeneca, Bristol-Myers-Squibb, Genzyme, GlaxoSmithKline, Johnson & Johnson, Merck, Nektar, Organon, Pfizer, Procter & Gamble, Roche, Sanofi-Aventis

Higher Education

– Interoperable @ test level; HEBridge dormant

Approach: Trust Framework Providers Adoption Process

• Approach

– Adopt technologies in use by industry: “Scheme Adoption”

– Adopt industry Trust Models: “Trust Framework Adoption”

Approach documents posted on http://www.IDmanagement.gov

Federal Identity Initiatives: Trust Framework Provider Adoption Process

The TFPAP is a process for assessing the efficacy of industry-based trust frameworks to enable an agency to trust an externally-issued electronic identity credential at a known level of assurance, comparable to LOA 1, 2, or non-PKI 3.

• Industry-based trust frameworks are adopted at specific assurance levels, considering the requirements of NIST SP800-63

• Industry-based Trust Framework Providers assess individual identity providers for compliance with the policies, standards, and processes of the trust framework

• TFPAP addresses basic privacy principles of Opt In, Minimalism, Activity Tracking, Adequate Notice, Non-compulsory, and Termination

Non-Federally Issued Credentials and the DoD Trust Framework Provider

• DoD is accepting approved IAL-4 (including PIV-I); approved PIV-I providers can be found at: http://iase.disa.mil/pki-pke/index.html

• DoD is drafting an approval process and implementation guidance for credentials approved through the Federal Trust Framework Process at IAL 1, 2, and 3 (non-PKI)

• An executive summary on DoD’s acceptance of NFI credentials has been created and is being circulated now

Approved TFPs and NFIs under the TFPs

• Adopted Trust Framework Providers

– Open Identity Exchange (OIX) (http://openidentityexchange.org/)

– Kantara Initiative (http://kantarainitiative.org/)

– InCommon (http://www.incommonfederation.org/)

– SAFE Bio-Pharma (http://www.safe-biopharma.org/)

• Currently completing the approval process

• Approved NFI Providers

– Google – LOA 1 – OIX

– Equifax – LOA 1 – OIX

– Paypal – LOA 1 – OIX

– Verisign – LOA 1 – OIX

– Wave Systems – LOA 1 – OIX

– Verizon Business – LOA 1, 2, and 3 – Kantara Initiative

Approved Trust Framework Providers and Identity Providers posted on http://www.IDmanagement.gov

Goal: Large Number of Qualified Providers (NFI) for Partners to have Competitive Choices

National Strategy for Trusted Identities in Cyberspace

The National Strategy for Trusted Identities in Cyberspace (NSTIC or Strategy) charts a course for the public and private sectors to collaborate to raise the level of trust associated with the identities of individuals, organizations, networks, services, and devices involved in online transactions. The NSTIC’s vision is that: Individuals and organizations utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.

The NSTIC prescribes 4 Guiding Principles:

• Identity Solutions will be Privacy-enhancing and Voluntary

• Identity Solutions will be Secure and Resilient

• Identity Solutions will be Interoperable

• Identity Solutions will be Cost-effective and Easy to Use

The NSTIC Program Office is coordinating amongst multiple Federal Agencies to increase alignment with FICAM and working with the private sector to drive the future identity ecosystem.

NSTIC Work In Progress

• NSTIC Federal Funding Opportunity

– NIST is soliciting proposals from eligible proposers to pilot on-line identity solutions that embrace and advance the NSTIC vision

– NIST anticipates funding five (5) to eight (8) projects for up to two (2) years in the range of approximately $1,250,000 to $2,000,000 per year per project

– NIST conducted a public meeting (Proposers’ Conference) in Washington, D.C. on 15 February, 0900 – 1400

• Steering Committee/Governance Recommendations

– Provides the government’s recommendations on the establishment of an Identity Ecosystem Steering Group that can bring together all NSTIC stakeholders

  • The Steering Group should be established as a new organization that is led by the private sector in conjunction with, but independent of, the federal government.

  • The group should be structured to safeguard the individual

  • An administrative body to support the Steering Group should be initially funded by the government through a competitive two-year grant.

Summary & Conclusions

• Strong Identity, Credential and Access Management Are Foundational to Secure Information Sharing, Secure Collaboration and Cybersecurity

• Shared Guidance is Improving: Much Room for More Improvement

– Clear, Consistent, Credible

– For Ourselves and Our Mission Partners

• Federal Identity, Credential, and Access Management (ICAM) is providing this consistent approach (with your help)

• Mission/Business Partners are Fielding Strong Identity Credentials as well as Creating Federations for Sharing & Collaboration

• Progress Depends on Public-Private Partnering

– Domestically and

– Internationally