
2009 IT Summit

Federal CIO Council

Breakout Session #5: Identity and Access Management

Federal IT Summit, October 28, 2009

Moderator: Paul Christy, SBA

Paul Grant, DoD

Owen Unangst, USDA

Vance Hitch, USDoJ

2009 IT Summit

Federal CIO Council

Identity, Credential, and Access Management

in and with

The Federal Government

Paul D. Grant, Special Assistant, Federated IDM and External Partnering

Office of the CIO

[email protected]

Federal IT Summit, October 28, 2009

http://www.IdManagement.Gov

3

What is ICAM?

• ICAM represents the intersection of digital identities, credentials, and access control into one comprehensive approach.

• Key ICAM Service Areas Include:

– Digital Identity

– Credentialing

– Privilege Management

– Authentication

– Authorization & Access

– Cryptography

– Auditing and Reporting

4

President’s Budget for FY 2010, Extract from Section 9.

LEVERAGING THE POWER OF TECHNOLOGY TO TRANSFORM THE FEDERAL GOVERNMENT

• To support this effort, the Federal Identity, Credential, and Access Management (ICAM) segment architecture provides Federal agencies with a consistent approach for managing the vetting and credentialing of individuals requiring access to Federal information systems and facilities.

• The ICAM segment architecture will serve as an important tool for providing awareness to external mission partners and drive the development and implementation of interoperable solutions.

5

ICAM Scope

[Figure: ICAM scope covers Persons and Non-Persons, across both Logical Access and Physical Access.]

Alignment of Federal ICAM and:

• CNSS Identity and Access Management (National Security Systems)

• Interagency Security Committee (Physical Access Control)

• Awareness to External Mission Partners for interoperable solutions

6

The development process involves coordination and collaboration with Federal Agencies, industry partners, and cross-government groups.

The Roadmap team has produced the key outputs of the FSAM needed for an ICAM segment architecture, and has coordinated with these groups to develop workable approaches that enable cross-government solutions.

FICAM Development Process

• Committee for National Security Systems (CNSS)

• Interagency Security Council (ISC)

• Information Sharing Environment (ISE)

• White House National Science and Technology Council (NSTC)

• Office of Management and Budget

• National Institute of Science and Technology (NIST)

• Office of National Coordinator (ONC) for Health IT

• Multiple agencies represented within the CIO council subcommittees and working groups

7

Summary & Conclusions

• Strong Identity and Access Management Are Foundational to Secure Information Sharing, Collaboration and Cybersecurity

• Shared Guidance is Improving: Much Room for More Improvement

– Clear, Concise, Consistent, Credible

– For Ourselves and Our Mission Partners

• Federal Identity, Credential, and Access Management (ICAM) is providing this consistent approach (with your help)

• Mission Partners are Fielding Strong Identity Credentials as well as Creating Federations for Sharing & Collaboration

• Progress Depends on Public-Private Partnering

– Domestically and

– Internationally

8

Back Up Slides

9

Enabling Policy and Guidance

The Mandate: HSPD-12, August 27, 2004

The Standard: FIPS-201, February 25, 2005

The Implementing Guidance: OMB M-05-24, August 5, 2005

Federal PKI Common Policy Framework

Special Publications, Technical Specs.

The E-Gov Act of 2002

The Implementing Guidance: OMB M-04-04, December 16, 2003

The Technical Spec: SP 800-63, June 2004

The Government Paperwork Elimination Act of 1998

The Implementing Guidance: OMB M-00-10, April 25, 2000

Federal Bridge Model Policy

The Implementing Guidance: OMB M-05-05, December 20, 2004

10

M-04-04: E-Authentication Guidance for Federal Agencies

OMB Guidance establishes 4 authentication assurance levels

Identity Assurance Levels (IAL)

Level 1: Little or no confidence in asserted identity

– Self-assertion, minimum standards

Level 2: Some confidence in asserted identity

– On-line instant qualification, out-of-band follow-up

Level 3: High confidence in asserted identity

– On-line out-of-band verification for qualification

– Cryptographic solution

Level 4: Very high confidence in asserted identity

– In-person proofing

– Record a biometric

– Cryptographic solution

– Hardware token

11

FICAM Roadmap & Implementation Guidance Overview

• Overview of Identity, Credential, and Access Management. Provides an overview of ICAM that includes a discussion of the business and regulatory reasons for agencies to implement ICAM initiatives within their organization.

• ICAM Segment Architecture. Standards-based architecture that outlines a cohesive target state to ensure alignment, clarity, and interoperability across agency initiatives.

• ICAM Use Cases. Illustrate the as-is and target states of high level ICAM functions and frame a gap analysis between the as-is and target states.

• Transition Roadmap and Milestones. Defines a series of logical steps or phases that enable the implementation of the target architecture.

• ICAM Implementation Planning. Augments standard life cycle methodologies as they relate to specific planning considerations common across ICAM programs.

• Implementation Guidance. Provides guidance to agencies on how to implement the transition roadmap initiatives identified in the segment architecture, including best practices and lessons learned.

PART A: ICAM Segment Architecture (Phase 1 of the effort)

PART B: Implementation Guidance (Phase 2 of the effort)

12

ICAM Overview, from ICAM Segment Architecture

13

Services Framework Categorization Scheme

Service Type: Provides a layer of categorization that defines the context of a specific set of service components

Service Component: A self-contained business process or service with predetermined and well-defined functionality that may be exposed through a well-defined and documented business or technology interface

[Figure: one Service Type grouping several Service Components.]

14

Services Framework

Digital Identity: Digital Identity Lifecycle Management, Identity Proofing, Linking/Association*, Adjudication, Vetting, Authoritative Attribute Exchange

Credentialing: Sponsorship, Enrollment/Registration*, Issuance, Credential Lifecycle Management, Self-Service*

Privilege Management: Provisioning, Account Management*, Bind/Unbind, Privilege Administration, Resource Attribute/Metadata Management

Authentication: Credential Validation, Biometric Validation, Session Management, Federation

Authorization and Access: Policy Decision, Policy Enforcement, Policy Administration, Backend Attribute Retrieval

Cryptography: Encryption/Decryption, Digital Signature*, Key Management

Auditing and Reporting: Audit Trail*, Reports Management

15

ICAM Subcommittee Accomplishments Summary for FY 2009

• Issued “Personal Identity Verification Interoperability (PIV-I) for non-Federal Issuers” in May 2009, providing guidance on achieving identity credentials that are consistent with the PIV Credential and trustable by the Federal community.

• Initiated work on the ICAM Segment Architecture as Part One of the ICAM Roadmap and Implementation Guidance mandated in the President’s FY-10 Budget. Produced and coordinated multiple drafts. Final release is imminent.

• Published Federal profiles for the implementation of open identity solutions for interaction with the American Public. Current profiles include OpenID and InfoCard for transactions at identity assurance level one.

• Worked with Federal PKI Shared Service Providers to extend strong identity credentialing to the external community in support of PIV Interoperability. Published Trusted Framework Providers Adoption Process.

• Conducted ICAMSC leadership outreach to other identity initiatives in the Federal community in order to foster a “Clear, Concise, Consistent and Credible” message for ourselves and our external partners, and further socialized this message with state governments and industry through participation in multiple conferences and meetings.

• Developed ICAM Work Plan for 2010

2009 IT Summit

Federal CIO Council

Owen Unangst, Director of Innovation

US Department of Agriculture

Enterprise SSO

[Diagram: USDA enterprise SSO architecture. Components shown: EEMS Administration, Auditing and Reporting, Monitoring, Workflow Engine, Rules Engine, NEIS, PayPers, EmpowHR, Stand-Alone Servers, Mainframe, AS/400, Active Directories, ePACS, HSPD-12, VPN/NAC, eAuthentication, Identity Management System, Provisioning System, Enterprise Directory, Enterprise & Business Apps.]

17

USDA’s ICAM Model: Implementing Policies, Procedures & Technologies

Legend: Available Now (Phase 1); In Progress (Phase 1a); FY 10 Deliverables (Phase 2)

EmpowHR

Person Model

18

Example Utilization: Single Sign-On

Desktops

Laptops

VPN’s

eAuthentication

Whole Disk Encryption

Encrypted Thumb Drives

19

Example Utilization: Physical Access Controls

For “Ultimately” 220 MCF’s …

National Infrastructure in Place

Almost 100 Facilities Already Connected

Authentication Controlled Nationally

Authorization Controlled Locally

Example Utilization: Role Based Access Control

20

New Process: If “Loan Officer” = True, then do not add role = “Loan Approver”

Manual Process:

- Over 200 persons to manage roles

- 73 to handle audit issues

22

Example Utilization: Digital Signatures @ USDA

Scope

– Adobe Acrobat files and forms (Versions 8 & 9)

– Microsoft Office (Word, Excel, PowerPoint) (Versions 2003 & 2007)

– Microsoft Outlook (Versions 2003 & 2007)

– Business Transactions

2009 IT Summit

Federal CIO Council

Vance Hitch, Chief Information Officer, US Department of Justice

Identity, Credential, and Access Management

Today’s Law Enforcement Environment

Today’s World

• Law Enforcement Agencies rely on their numerous systems to provide critical information to officers

• Some systems are internal to an agency, but many more are parts of a national network

– Internal Records Management systems

– Regional Information Sharing Networks (LINK’s, ARGIS etc.)

– National Systems: CJIS, NCIC, N-Dex, IAFIS (NGI), NICS

• The end goal is to provide the “Right Information to the Right Person, at the Right Times”

• The end result is to provide officers and analysts with critical information that keeps them and the American Public safe and secure.

Identity, Credential, and Access Management

How are we accomplishing this mission?

We have developed a trusted relationship with limited access points for information sharing

We communicate over trusted networks like:

– CJIS WAN

– LEO

– RISS

– HISN

Established through policies and procedures developed by participants and governing boards such as the FBI’s APB

Supported through the use of MOUs signed by all participants that dictate how and what we will share

Identity, Credential, and Access Management

Problem

Today’s world requires users to have Passwords for every system they access.

Each system must validate and manage access to its own resources

There is a need to have individuals’ identities validated, managed and vouched for by trusted organizations in a secure way so that other entities do not have to redo it

Identity, Credential, and Access Management

Examples of Ongoing Federated Identity Management Initiatives

Global Federated Identity & Privilege Management (GFIPM)

CJIS Federated Identity Management Services (FIMS)

DOJ’s Trusted Broker pilot: The DOJ currently provides a “trusted broker” pilot to help enable organizations to connect Identity Providers to Service Providers more simply and inexpensively

These initiatives are complementary, not competitive, and are interoperable today

Identity, Credential, and Access Management

DOJ’s Trusted Broker Pilot

Currently Deployed to 4,400 users at: DOJ, Chicago PD, RISS, LEO

Service Providers:

– JABs

– HISIN-Intel

– LEO-Intelink

– RISS-Intelink

– Criminal Information Sharing Alliance Network (Southwest Border)

– RISSNET Portal

– myFX (secure internet file sharing offered by DOJ)

New Service Providers in process: N-DEx, Tripwire, Bomb & Arson Tracking Systems (BATS, ATF), NGIC

Identity, Credential, and Access Management

Trusted Broker Operation

Standard Process for Access to a Federation Resource

[Diagram: participants are the User, Identity Provider, Trusted Broker and Service Provider. Labelled flows: (A) Authentication, (B) SAML, (C) SAML, (D) Application.]
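The exchange the diagram labels (A) through (D), as an added example that is not DOJ's pilot code: the direction of each flow is assumed from the labels (user authenticates at the Identity Provider, which asserts to the Trusted Broker, which re-asserts to the Service Provider), HMAC-signed JSON stands in for SAML assertions, and every key, IdP name and service provider name is constructed. It shows why the SP needs to trust only the broker, and how the broker rejects assertions from non-members, tampered claims, wrong audiences and expired tokens.

```python
"""Trusted-broker federation flow: HMAC-signed JSON stands in for SAML assertions."""
import hmac, hashlib, json, time

def sign(key, claims):
    """Token = claims plus an HMAC-SHA256 over their canonical JSON encoding."""
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify(key, token, expected_audience, now):
    """Return the claims if signature, audience and expiry all check out, else None."""
    body = json.dumps(token["claims"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    c = token["claims"]
    if hmac.compare_digest(expected, token["sig"]) and c["aud"] == expected_audience and now < c["exp"]:
        return c
    return None

# Constructed keys. The broker holds one key per federation-member IdP; each service
# provider holds only the broker's key, which is the point of the broker model.
IDP_KEYS = {"ChicagoPD-IdP": b"idp-secret-1", "RISS-IdP": b"idp-secret-2"}
BROKER_KEY = b"broker-secret"
TTL = 300  # assertion lifetime in seconds

def idp_issue(idp, user, attrs, now):
    """(A)+(B): after authenticating the user locally, the IdP asserts them to the broker."""
    claims = {"iss": idp, "sub": user, "attrs": attrs, "aud": "TrustedBroker", "exp": now + TTL}
    return sign(IDP_KEYS[idp], claims)

def broker_relay(idp_token, target_sp, now):
    """(C): validate the IdP assertion, then re-assert the user to the SP under the broker key."""
    idp = idp_token["claims"].get("iss")
    if idp not in IDP_KEYS:          # not a federation member: drop it
        return None
    claims = verify(IDP_KEYS[idp], idp_token, "TrustedBroker", now)
    if claims is None:               # bad signature, wrong audience or expired
        return None
    relayed = {"iss": "TrustedBroker", "via": idp, "sub": claims["sub"],
               "attrs": claims["attrs"], "aud": target_sp, "exp": now + TTL}
    return sign(BROKER_KEY, relayed)

def sp_admit(broker_token, sp, now):
    """(D): the SP trusts only the broker; it holds no key for any individual IdP."""
    claims = verify(BROKER_KEY, broker_token, sp, now) if broker_token else None
    if claims is None:
        return "denied"
    return f"application access for {claims['sub']} (vetted by {claims['via']})"

if __name__ == "__main__":
    now = time.time()
    tok = idp_issue("ChicagoPD-IdP", "officer42", {"role": "sworn"}, now)
    print(sp_admit(broker_relay(tok, "RISSNET-Portal", now), "RISSNET-Portal", now))
```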

Identity, Credential, and Access Management

Federated Identity ManagementUsing a Trusted Broker Solution

Benefits

• More information available to more users

• Single sign-on (enhanced user experience)

• Comprehensive audit capability

• Improved alliances across government entities

• Streamlined vetting (cost avoidance/reduction)

• Improved interoperability

• Improved security

– Vetting is done closer to user

– More secure authentication mechanisms

– Dynamic de-provisioning

2009 IT Summit

Federal CIO Council

Questions?

http://www.cio.gov/committees/InformationSecurity.cfm