
Page 1: Federal CIO Council Information Security and Identity Management Committee IDManagement.gov Leadership Communications Brief Last Updated: June 13, 2013

Federal CIO Council Information Security and Identity Management Committee

IDManagement.gov

Leadership Communications Brief

Last Updated: June 13, 2013

Page 2: Content Overview

Choose your own adventure! This briefing deck is intended for agencies to leverage in a manner that is most appropriate for them. The deck includes summary information as well as more detailed slides related to particular topics.

The slides are broken down into the following categories:

• ICAM Goals and Objectives
• Current Challenges and ICAM Solutions
• Intersection of ICAM and Emerging Needs
• Resources

Page 3: ICAM Overview

Page 4: What is Identity, Credential, and Access Management (ICAM)?

ICAM represents the intersection of digital identities, credentials, and access control into one comprehensive approach that is focused on delivering greater convenience and appropriate security and privacy protection, with less effort and at a lower cost.

ICAM includes:

• Digital Identity
• Credentialing
• Privilege Management
• Authentication
• Authorization and Access
• Federation
• Cryptography
• Auditing and Reporting

Page 5: What Does ICAM Provide?

The ICAM Target State architecture enhances alignment, clarity, and interoperability across the Federal Government while improving security, eliminating redundancies, and reducing costs.

1. Identity Management
• Protection of PII*
• Simplify management of user data
• Streamlined on-boarding

2. Credential Management
• Improved interoperability
• Resistance to fraud and tampering
• Enhanced interagency trust

3. Access Management
• Stronger authentication
• Streamlined access to resources
• Reduced enterprise costs

4. Federation
• Improved collaboration with partners
• Reduced management burden on external users

5. Auditing and Reporting
• Enhanced activity logging
• Ability to support security forensics

* Personally Identifiable Information (PII)

Page 6: ICAM Goals and Objectives

ICAM addresses federal identity, credential, and access management programs and demonstrates the importance of implementing the ICAM segment architecture in support of five overarching strategic goals and their related objectives.

Goal 1: Comply with Federal Laws Relevant to ICAM
Key Objectives:
• Align and coordinate federal policies and key initiatives impacting ICAM implementation
• Establish and enforce accountability for ICAM implementation to governance bodies

Goal 2: Facilitate E-Government by Streamlining Access to Services
Key Objectives:
• Expand secure electronic access to government data and systems
• Promote public confidence through transparent ICAM practices

Goal 3: Improve Security Posture across the Federal Enterprise
Key Objectives:
• Support cybersecurity programs
• Integrate electronic verification procedures with PACS
• Drive the use of a role-based framework for access control
• Improve electronic audit capabilities

Goal 4: Enable Trust and Interoperability
Key Objectives:
• Support ISE communities of interest
• Align processes with external partners
• Establish and maintain trust relationships

Goal 5: Reduce Costs and Increase Efficiency
Key Objectives:
• Leverage standards and COTS for ICAM services
• Reduce administrative burden associated with performing ICAM tasks
• Align existing and reduce redundant ICAM programs
• Increase interoperability and reuse of ICAM programs and systems

Page 7: Agency ICAM Responsibilities

Federal agencies are responsible for the agency-level initiatives found in the FICAM Roadmap and Implementation Guidance* as required by M-11-11.

Initiative 5: Streamline Collection & Sharing of Digital Identity Data
Key Objectives:
• Establish and leverage authoritative data sources
• Automatically and electronically share identity data

Initiative 6: Fully Leverage PIV and PIV-I Credentials
Key Objectives:
• Authenticate cardholders using the mechanisms on PIV/PIV-I cards
• Accept PIV cards from other agencies
• Use the PIV card for data security operations (e.g., encryption)

Initiatives 7 & 8: Modernize PACS & LACS Infrastructure
Key Objectives:
• PIV-enable PACS/LACS
• Automate provisioning of user access privileges
• Implement enterprise solutions for cost savings

Initiative 9: Implement Federated Identity Capability
Key Objectives:
• Leverage FPKI and trust framework processes
• Enable applications to accept third-party credentials

* FICAM Roadmap and Implementation Guidance

Page 8: The ICAM Evolution

The Federal ICAM Initiative was created based on the recommendation of the National Science and Technology Council (NSTC) Identity Management Task Force Report, as an endeavor to provide streamlined coordination and management for related programs, including Federal Public Key Infrastructure (PKI), E-Authentication, and Homeland Security Presidential Directive 12 (HSPD-12).

Timeline (dated milestones and development phases, in order):

• GPEA: October 1998
• FCPA Operational: September 2002
• FISMA: October 2002
• E-Gov: December 2002
• M-04-04: December 2003
• HSPD-12: August 2004
• M-05-24: August 2005
• Development of Special Publications (Issuance of PIV Begins)
• FIPS 201: March 2006
• NSTC Task Force Report: September 2008
• ISIMC Chartered: December 2008
• Development of ICAM Segment Architecture
• FICAM Roadmap & Implementation Guidance v1.0: November 2009
• Development of Implementation Guidance
• M-11-11: February 2011
• FICAM Roadmap & Implementation Guidance v2.0: December 2011

Page 9: ICAM Drivers

There are a number of drivers related to security, privacy, and efficiency that have converged to emphasize the need for coordinated ICAM efforts.

• Increasing cybersecurity threats
• Need for improved physical security
• Lag in providing government services electronically
• Vulnerability of Personally Identifiable Information (PII)
• Lack of interoperability
• High costs for duplicative processes and data management

There is no National, International, Industry “standard” approach to individual identity on the network. (President’s 60 Day Cyberspace Policy Review)

Security weaknesses found across agencies included the areas of user identification and authentication, encryption of sensitive data, logging and auditing, and physical access. (GAO-09-701T)

“The ICAM segment architecture will serve as an important tool for providing awareness to external mission partners and drive the development and implementation of interoperable solutions.” (President’s FY2010 Budget)

Page 10: ICAM Mission

ICAM seeks to streamline government-wide identity, credential, and access management activities to ensure alignment and clarity, minimize duplication of effort, and promote government-wide interoperability.

• Fostering effective government-wide identity and access management
• Enabling trust in online transactions through common identity and access management policies and approaches
• Aligning federal agencies around common identity and access management practices
• Reducing the identity and access management burden for individual agencies by fostering common interoperable approaches
• Ensuring alignment across all identity and access management activities that cross individual agency boundaries
• Collaborating with external identity management activities through inter-federation to enhance interoperability

Page 11: Supporting Your Agency’s Mission with ICAM

ICAM provides a foundational capability to manage identity accounts, user credentials, and access to your agency’s resources.

User populations served: Agency Employees & Contractors; Customers; Business Partners

Identity Management
• Manage users & accounts
• Protect personally identifiable information
• Securely share attributes (e.g., First, Last, ID)

Credential Management
• Implement PIV for employees & contractors
• Leverage PKI
• Leverage trusted externally-issued credentials

Access Management
• Access federal facilities
• Access IT resources
• Federate access for external users

Page 12: Agency Challenges and Solutions

Page 13: Today’s Agency Challenges

ICAM can assist an agency in implementing solutions to overcome a variety of obstacles.

• Budget Constraints
• Differing Agency Priorities
• Technical Comprehension
• Collaboration Between Agency Stakeholders
• Multiple Federal Laws and Policies
• Distributed Organizations
• Agency Resources
• PIV and PIV-enablement
• Understanding How FICAM Impacts Agency Programs

Page 14: Budget Constraints

Page 15: Leverage Existing Investments

Agencies may have existing investments in place that are capable of providing services in a manner consistent with the target state ICAM segment architecture.

• Software. Cost of software, including licenses and maintenance fees, that can be decommissioned or redeployed across all environments for development, testing, and production
• Hardware. Cost of hardware that could be decommissioned or redeployed across all environments for development, testing, and production

The availability of enterprise software licenses should be investigated, as these can significantly lower acquisition costs and influence an agency’s make-or-buy decision.

This information has been derived from the FICAM Roadmap.

Page 16: Tools to Support Agency ICAM Planning

Leverage existing tools and documentation to plan for ICAM investments!

FICAM Roadmap V2.0
• Capital planning guidance is found in Chapter 6
• Planning for physical and logical access implementations is found in Chapters 10 and 11, respectively

ICAM ROI Toolkit*
• The ROI dashboard tool can be used to determine potential ICAM costs and benefits
• Based on estimated costs, the Toolkit assists agencies in building a business case

ICAM Maturity Model
• Identify how and where programs are being successful
• The findings can inform an agency on where resources can be leveraged

* Please contact [email protected] to access the ICAM ROI Toolkit.

Page 17: FICAM Roadmap and Implementation Guidance

The FICAM Roadmap and Implementation Guidance document consists of two components: Part A outlines the government-wide ICAM segment architecture, and Part B provides agencies with implementation guidance that is critical for achieving alignment.

PART A: ICAM Segment Architecture (Chapters 3 - 5)

Part A provides the ICAM segment architecture, which outlines a cohesive target state to ensure clarity and interoperability across agency-level initiatives, including:
• Compliance with the Federal Segment Architecture Methodology (FSAM)
• Various use cases which illustrate the as-is and target states of high-level ICAM functions and frame a gap analysis between the as-is and target states
• A detailed transition roadmap and milestones which define a series of logical steps or phases that enable the implementation of the target architecture

PART B: Implementation Guidance (Chapters 6 - 12)

Part B provides guidance on a broad range of topics to enable a holistic approach for alignment with the ICAM segment architecture, including:
• Information for planning and managing an agency’s ICAM program
• Sample solution architectures for expected target state technical capabilities
• Important considerations, benefits, and limitations for different implementation approaches
• Numerous tips, FAQs, and lessons learned from real ICAM implementations

FICAM Roadmap V2.0

Page 18: ROI Toolkit Overview

The ROI Toolkit* is a resource that agencies can leverage when demonstrating the value of ICAM and/or building their business case for an ICAM implementation.

• ROI Case Study Inventory. Summarizes federal and commercial ICAM case studies and sound bites that can be leveraged to help scope an ICAM business case analysis. The sound bites can be leveraged as more anecdotal improvement metrics or results.
• ROI Dashboard Tool. Provides templates for calculating ICAM costs and benefits as well as example reports that can be used when planning for an ICAM implementation.
• Building an ICAM Business Case Presentation. Provides a more detailed, step-by-step approach for building an ICAM business case and the cost calculations associated with it. It is to be used in conjunction with the ICAM ROI Dashboard Tool.

* Please contact [email protected] to access the ICAM ROI Toolkit.

Page 19: ICAM Maturity Model

The ICAM Maturity Model tool provides a government-wide approach for evaluating the progress of an agency’s capabilities against the ICAM segment architecture.

• Provides a series of questions for an agency to answer related to: Governance & Program Management; Identity Management; Credential Management; Physical Access Management; Logical Access Management; Federation
• Identifies capability gaps between the current state and the ICAM target state via a summary dashboard
• Provides the steps necessary to achieve the next phase of ICAM maturity

Page 20: Technical Comprehension

Page 21: ICAM Technology at a Glance

Understanding the key characteristics of ICAM technology can help an agency in moving towards achievement of the ICAM target state.

ICAM technology characteristics:
• Provides protection of both physical (e.g., buildings, offices) and logical (e.g., networks, applications) agency resources and assets
• Promotes collaboration among federal agencies and with mission partners
• Aligns with multiple agency missions and needs (i.e., provides a high degree of customization and flexibility)
• Supports the ability to manage multiple users and their privileges when accessing agency resources (i.e., networks and applications)
• Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
• Provides a logging process to support a clear audit trail

Page 22: Understanding How FICAM Impacts Agency Programs

Page 23: ICAM Can Support Other Agency Programs

Experience the following benefits across your agency business processes by implementing ICAM:

• Increased security, which correlates directly to a reduction in identity theft, data breaches, and trust violations.
• Compliance with laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress.
• Improved interoperability, specifically between agencies using their PIV credentials along with other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework.
• Enhanced customer service, both within agencies and with their business partners and constituents, facilitating secure, streamlined, and user-friendly transactions.
• Elimination of redundancy, both through agency consolidation of processes and workflow and through the provision of government-wide services to support ICAM processes.
• Increased protection of Personally Identifiable Information (PII) by consolidating and securing identity data.

Page 24: Collaboration Between Agency Stakeholders

Page 25: Capital Planning for ICAM

Collaboration between all relevant stakeholders during each phase of the Capital Planning and Investment Control (CPIC) process is critical to ensure that the overlapping elements of different ICAM activities are addressed.

To support capital planning for ICAM programs, an agency should:
• Coordinate capital planning efforts across individual ICAM projects and Exhibit 300 business cases
• Ensure alignment throughout the organization to consolidate redundant ICAM investments across agency components
• Support collaboration across ICAM projects and systems to improve visibility and accountability of the agency’s spending on ICAM-related investments
• Evaluate agency-specific needs to determine the appropriate and most cost-efficient Exhibit 300 submission approach

Agencies should work to incorporate ICAM requirements into their CPIC and investment request processes by:
• Identifying key criteria for an investment to be considered aligned with the ICAM target state;
• Incorporating those criteria into CPIC processes and guidance; and
• Communicating any changes to the relevant stakeholders and CPIC process participants.

Page 26: ICAM Touches Many Programs

Coordinate with the appropriate stakeholders at your agency early and often! Suggested coordination activities include:

Problem-Solving Teams
• Develop expert problem-solving teams, such as working groups that are established to address issues and present solutions.
• Help to identify and escalate business and technical challenges that may not be known at the enterprise level but could impede ICAM implementation throughout the agency.
• Share implementation lessons learned across bureaus/components or individual programs to reduce overall ICAM program risk and increase speed and efficiency in implementation.

Focus Groups/Tiger Teams
• Stand up smaller focus groups or tiger teams for the purpose of resolving specific program issues or providing direct support for implementation.
• Improve stakeholder buy-in associated with enterprise approaches and services by promoting better understanding and a sense of inclusion and ownership in the program.
• Improve consistency across an agency’s ICAM implementation, a key goal when implementing the ICAM segment architecture.

This information has been derived from the FICAM Roadmap; for more detailed information see section 6.1.2, Program Stakeholders.

Page 27: Multiple Federal Laws and Policies

Page 28: The Current ICAM Policy Landscape

Implementing ICAM promotes alignment with multiple policies.

• HSPD-12: Homeland Security Presidential Directive 12 was issued August 27, 2004 to create a common identification standard for federal employees and contractors for accessing federally-controlled facilities and federal information systems.
• OMB M-11-11: Issued February 3, 2011, OMB M-11-11 provides additional guidance for agencies in the continued implementation of HSPD-12 and requires federal agencies to designate a lead official and issue a policy requiring use of the PIV credential.
• NSTIC: In April 2011, the National Strategy for Trusted Identities in Cyberspace (NSTIC) was developed to enable individuals and organizations to utilize improved identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.
• VanRoekel Memo: On October 6, 2011, the Office of Management and Budget (OMB) released a policy memorandum related to the acceptance of externally-issued identity credentials by federal applications.
• NSISS: The National Strategy for Information Sharing and Safeguarding (NSISS) was signed by the President on December 19, 2012 and contains goals, principles, and objectives that outline a plan for how the Federal Government will responsibly share and safeguard national security information.

Page 29: Policy Shaping the ICAM Landscape

The ICAM landscape contains a multitude of policy drivers that enable the interoperability and trust necessary to accomplish secure information sharing within and beyond the boundaries of the Federal Government.

Uphold Security Posture
Promotes the use of enhanced security measures to protect government systems, resources, and facilities.
References:
• Homeland Security Presidential Directive 12 (HSPD-12)
• Federal Information Security Management Act (FISMA)
• FIPS 201-2

Secure Information Sharing
Facilitates government-wide interoperability and trusted collaboration across the unclassified, secret, and top secret fabrics.
References:
• Intelligence Reform and Terrorism Prevention Act
• Executive Order (E.O.) 13587
• National Strategy for Information Sharing and Safeguarding (NSISS)

Enable Trust and Interoperability
Establishes a foundation of internal and external trust to drive the development and implementation of interoperable solutions.
References:
• National Security Strategy (2010)
• VanRoekel Memo
• National Strategy for Trusted Identities in Cyberspace (NSTIC)

Facilitate E-Government
Supports the elimination of paper-based forms to streamline existing processes and reduce redundancies.
References:
• E-Government Act of 2002
• OMB M-04-04
• The Digital Government Strategy
• Government Paperwork Elimination Act (GPEA)

Page 30: HSPD-12

Page 31: HSPD-12

Homeland Security Presidential Directive 12 was issued August 27, 2004 to create a common identification standard for federal employees and contractors for accessing federally-controlled facilities and federal information systems.

Security Objectives: Establish a mandatory, government-wide standard for secure and reliable forms of identification that:
• Is issued based on sound criteria for verifying an individual employee's identity;
• Is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation;
• Can be rapidly authenticated electronically; and
• Is issued only by providers whose reliability has been established by an official accreditation process.

Results:
• A standard, interoperable credential: the PIV credential
• Consistent processes for identity vetting and proofing
• A common, secure approach for accessing facilities and networks
• An increased level of government efficiency

http://www.dhs.gov/homeland-security-presidential-directive-12

Page 32: The Environment Prior to HSPD-12

Before HSPD-12, the key efforts in the federal environment, such as physical and logical access, identity vetting, and identity processes, were managed separately and inconsistently.

Logical Access
• Management of multiple passwords and user accounts, increasing inefficiencies
• Use of lower assurance credentials (e.g., passwords), introducing security risks
• Inconvenience to users of having to remember/manage different passwords and tokens

Identity Processes
• Various processes for confirming the identity of a user prior to issuance of a credential, making it possible for individuals to claim a false identity
• Inconsistent vetting requirements, resulting in varying levels of suitability
• No trust or reciprocity across agencies, leading to duplication of investigation efforts and costs

Physical Access
• Over 200 types of valid IDs, leading to inefficiencies and security challenges
• Prevalence of IDs that could be easily counterfeited, enhancing the potential for a security breach
• In many cases, no means of electronic verification, providing little to no assurance of a user’s identity and introducing the opportunity for human error

Page 33: PIV Credential Overview

The PIV credential has a variety of security features, notably the use of Public Key Infrastructure (PKI) cryptography to provide strong identity assurance in an interoperable manner.

• Identity Proofing Process (Chain of Trust, Common Processes): Identity proofing and background investigation processes that build a chain of trust.
• Biometric Authentication: Fingerprint and/or iris information used for authentication that binds the identity of the user to the credential.
• PIN: Something that only the user knows and is used to access various applications. Replaces cumbersome and insecure passwords for applications.
• Physical Features: Strong anti-counterfeiting features (e.g., laser etching, holographic images).
• PKI Authentication: Digital certificate on the card that supports electronic verification of the cardholder.
• PKI Digital Signature: For electronically signing documents to provide non-repudiation and message integrity.
• PKI Encryption: For cryptographically protecting data at rest and in transit in order to provide confidentiality.

Sample card face as depicted on the slide: Affiliation: Civilian; Lastname Firstname, M.; United States Government; Agency/Department: Department of Homeland Security; Issued 01/01/10; Expires 01/01/15; Federal Emergency Response Official; Color Photograph; Contact Chip.

Page 34: HSPD-12 Streamlines Operations and Reduces Duplication

By implementing HSPD-12 and standardizing the PIV credential, agencies experience significant cost-savings and added value.

Prior to HSPD-12:
• Multiple credentials needed
• Security breach remediation
• Multiple password resets
• Repeated data entry
• Manual/redundant paperwork
• Duplicative processes
• Distributed physical security
• Extensive IT and infrastructure costs

HSPD-12 Environment:

Cost-savings from:
• Minimized password resets
• Reduced infrastructure and hosting costs on other credential types
• Minimized security breaches
• Phasing out duplicative processes and IT investments

Added value from:
• Minimized paperwork/manual processes
• Enhanced information-sharing
• Improved user satisfaction from having to remember a single PIN vs. multiple passwords

Page 35: Using the PIV Credential

Imagine a world where a single credential gets you in the front door to your office, onto your computer, allows you to securely sign and encrypt data, and access government-wide tools and resources at other agencies. This world is possible today with the PIV credential.

Interoperable for Government-wide Use
• Access your agency’s resources
• Access government-wide applications
• Access at other agencies

Leverage Value-add Applications
• Digital signatures
• Encryption
• Transit/payment

Page 36: PIV Credential vs. Other Credentials

The PIV credential provides many features and benefits that other credentials are unable to offer, as depicted below.

Comparison criteria (columns: Password, OTP Tokens, PIV):
• User vetting
• High identity assurance
• Interoperability
• Accredited issuance processes
• Cross-agency trust
• Use for physical and logical access
• Encryption
• Digital signature
• Efficiencies
• Biometric binding of identity

Page 37: HSPD-12: PIV is an Enabler

The PIV credential is an enabler for efforts across the Federal Government to move toward a stronger, more secure, and more efficient presence on the internet.

Cybersecurity
Strengthens the security and resiliency of critical infrastructure against evolving threats to safeguard the government.
References:
• Cybersecurity Strategy
• FISMA
• PPD on Critical Infrastructure Security and Resilience

E-Government
Promotes the use of electronic forms and offers online-based government services for strong authentication.
References:
• The Digital Government Strategy
• E-SIGN Act
• E-Government Act

Information Sharing
Encourages sustained, responsible, and trusted collaboration to support interoperability across the government.
References:
• National Strategy for Information Sharing and Safeguarding
• ISS EO 13587

Good Steward of IT Resources (IT Spending, Investment Performance)
Emphasizes planning and spending control processes for investment in information systems to support agency missions.
References:
• Clinger-Cohen Act
• M-12-10: PortfolioStat
• M-13-02: Strategic Sourcing

Page 38: Standards-based Solutions for Meeting Emerging Needs

There is an emerging desire among federal employees for more flexibility in their work. The Federal Government is moving toward the use of mobile devices and allowing employees to telework.

PIV-derived credential: use mobile devices to strongly authenticate to agency resources, and perform these secure transactions from any location:
• Strongly authenticate
• Digitally sign and encrypt data
• Access applications

Page 39: Agency Status

When considering the HSPD-12 objective to move toward a common credential, the government is succeeding. Today a large number of PIV credentials have been issued; however, an agency cannot capitalize on the true return on this investment until it begins fully leveraging the credential.

Page 40: Look at the Numbers

As a result of HSPD-12, agencies have the capabilities necessary to strengthen their current IT infrastructure and address the risks associated with the evolving threat environment.

• 17%: percentage of incidents reported from unauthorized access (GAO-13-187)
• $7.2M: estimated cost of a data breach per incident (Bloomberg)
• $1.52B: estimated cost to Americans of identity theft (Huffington Post)
• 782%: increase in cybersecurity incidents reported by federal agencies, 2006-2012 (GAO-13-187)
• 46%: decrease in successful network intrusions resulting from smart card-based PKI logon in the DoD (Realized Value of FPKI)
• $1,464/user: estimated agency savings per year on password resets (Forrester)
• 75%: reduction of document handling, shipping, and processing costs by using digital signatures (Signix.com)
• $100: total cost savings per user, per year by avoiding one-time password tokens (Tyntec)
• 30%: decrease in the number of successful social-engineered e-mail attacks in the DoD from use of smart card/PKI (Realized Value of FPKI)
• $2.9B/year: estimated savings realized from switching to digital transactions (Economist)

Page 41: Takeaways

• PIV is fiscally responsible IT: it consolidates investments, reduces redundancy and stovepipes, and promotes integration.
• PKI is a robust technology used every day so that websites can be trusted to conduct transactions, and it supports two- and three-factor authentication.
• HSPD-12 provides a very high level of identity assurance, which facilitates trust.
• HSPD-12 provides interoperable, cryptography-based authentication for logical and physical access.
• The PIV credential can be used for value-added functionality such as digital signatures, which reduce paper forms, and encryption, which protects data at rest and in transit.

Page 42: Call to Action: Use the PIV Credential at your Agency!

• Ensure that contracts for procurement of IT, building access, and systems enable the PIV credential
• Mandate the use of the PIV credential for network logon and building access
• Accept the PIV credentials of other agencies' users
• Identify, prioritize, and PIV-enable multi-agency applications
• Phase out redundant infrastructure

Page 43: OMB M-11-11

Page 44: M-11-11

Issued February 3, 2011, OMB M-11-11 provides additional guidance for agencies in the continued implementation of HSPD-12 and requires federal agencies to designate a lead official and issue a policy requiring use of the PIV credential. Key points include:

• Effective immediately, all new systems under development must be enabled to use PIV credentials prior to being made operational
• Effective the beginning of FY2012, existing physical and logical access control systems must be upgraded to use PIV credentials prior to the agency using development and technology refresh funds to complete other activities
• Procurements for services and products involving facility or system access control must be in accordance with HSPD-12 policy and the Federal Acquisition Regulation
• Agency processes must accept and electronically verify PIV credentials issued by other federal agencies
• The government-wide architecture and agency transition plans must align, as described in the Federal Identity, Credential, and Access Management Roadmap and Implementation Guidance

http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf

Page 45: NSTIC

Page 46: NSTIC

In April 2011, the National Strategy for Trusted Identities in Cyberspace (NSTIC) was released to enable individuals and organizations to use improved identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.

• Addresses the need for a "cybersecurity-focused identity management vision and strategy," as stated in the President's 2009 Cyberspace Policy Review
• Seeks to establish an Identity Ecosystem in which individuals and organizations can trust each other and have confidence in the security of online transactions
• NSTIC Guiding Principles state that identity solutions will be: privacy-enhancing and voluntary; secure and resilient; interoperable; cost-effective and easy to use

Page 47: VanRoekel Memo

Page 48: VanRoekel Memo

On October 6, 2011, the Office of Management and Budget (OMB) released a policy memorandum on the acceptance of externally-issued identity credentials by federal applications.

Objectives:
• Calls for agencies to enable the use of externally-issued credentials on web sites that allow members of the public and business partners to register or log on.
• Requires that agencies accept only externally-issued credentials that are issued in accordance with National Institute of Standards and Technology guidelines and Federal Chief Information Officers (CIO) Council processes.

Externally-issued credentials are those issued by an entity other than the Federal Government. In this document, the term externally-issued credential is used interchangeably with third-party credential.

Results:
• Reduce the agency costs associated with issuing and managing user credentials.
• Decrease the burden on system users by allowing reuse of an existing credential.

http://www.howto.gov/sites/default/files/omb-req-externally-issued-cred_0.pdf

Page 49: NSISS Priority Objective #4

Page 50: NSISS, Priority Objective #4

The NSISS contains Priority Objective #4 (PO #4): implement FICAM on each of the three security fabrics (Unclassified, Secret, and Top Secret). As a result of PO #4, an implementation plan will be developed for each fabric:

• The Unclassified Implementation Plan will cover all unclassified, Sensitive but Unclassified (SBU), and Controlled Unclassified Information (CUI) federal systems, and the systems and users that interact with them.
• The Secret Implementation Plan will cover all Executive Branch systems that contain Secret information.
• The Top Secret Implementation Plan will cover all Executive Branch systems that contain Top Secret information.

Page 51: Distributed Organizations

Page 52: Bring your Agency Together with ICAM

The ICAM Maturity Model can help an agency identify its ICAM priorities, see where it is succeeding, determine where to make additional investment, and decide on the next steps needed to continue improving. It measures across distributed program areas, which will likely be in different stages of implementation.

Page 53: PIV and PIV-enablement

Page 54: PIV Credential Overview

The PIV credential has a variety of security features, notably the use of Public Key Infrastructure (PKI) cryptography to provide strong identity assurance in an interoperable manner.

• Chain of trust (identity proofing process, common processes): identity proofing and background investigation processes that build a chain of trust.
• Biometric authentication: fingerprint and/or iris information used for authentication that binds the identity of the user to the credential.
• PIN: something that only the user knows, used to access various applications; it replaces cumbersome and insecure passwords for applications.
• Physical features: strong anti-counterfeiting features (e.g., laser etching, holographic images).
• PKI authentication: a digital certificate on the card that supports electronic verification of the cardholder.
• PKI digital signature: for electronically signing documents to provide non-repudiation and message integrity.
• PKI encryption: for cryptographically protecting data at rest and in transit in order to provide confidentiality.

Sample card face shown on the slide: color photograph; contact chip; Affiliation: Civilian; Lastname, Firstname, M.; United States Government; Agency/Department: Department of Homeland Security; Issued 01/01/10; Expires 01/01/15; Federal Emergency Response Official.
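The PKI authentication path described above, as an added illustration that is not code from this brief or from any agency's PIV implementation: a Go program in which a constructed agency issuing CA certifies the card's PIV Authentication key, the "card" signs a relying party's fresh random challenge only after the PIN is presented (something you have, unlocked by something you know), and the relying party checks the certificate chain, validity period, client-authentication usage and the published id-fpki-common-authentication policy OID before it trusts the signature. The CA name, the PIN, the cardholder name, the ECDSA P-256 key type and the in-process CA are all assumptions made for the example; a real relying party chains to the Federal Common Policy CA and also checks revocation status (CRL or OCSP), which this example leaves out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// Published FPKI Common Policy OID id-fpki-common-authentication, asserted by PIV Authentication certificates.
var pivAuthPolicy = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 2, 1, 3, 13}

// Card stands in for the contact chip: the private key never leaves it, and it signs only after the PIN is presented.
type Card struct {
	pin      string
	authKey  *ecdsa.PrivateKey
	AuthCert *x509.Certificate // public PIV Authentication certificate, readable off the card
}

// SignChallenge is "something you have" (the key on the chip) gated by "something you know" (the PIN).
func (c *Card) SignChallenge(pin string, challenge []byte) ([]byte, error) {
	if pin != c.pin {
		return nil, errors.New("PIN verification failed")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.authKey, digest[:])
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IssueCard models issuance: a constructed agency issuing CA (assumption; a real one chains to the Federal Common
// Policy CA) certifies the card's key for client authentication under the PIV policy, for a five-year card life.
func IssueCard(pin, holder string) (*Card, *x509.CertPool, error) {
	now := time.Now()
	caKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cardKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err := errors.Join(err1, err2); err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Agency Issuing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caCert, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	// certificatePolicies (OID 2.5.29.32) built by hand as SEQUENCE OF PolicyInformation so it encodes the same on every Go release.
	policies, _ := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{pivAuthPolicy}})
	leaf, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: holder, Organization: []string{"U.S. Government"}},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(5, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: policies}},
	}, caCert, &cardKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &Card{pin: pin, authKey: cardKey, AuthCert: leaf}, roots, nil
}

// VerifyChallenge is the relying party's side: trusted chain, validity at time now and client-auth usage,
// then the PIV policy, and only then the signature over the nonce it issued.
func VerifyChallenge(cert *x509.Certificate, roots *x509.CertPool, challenge, sig []byte, now time.Time) error {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate chain: %w", err)
	}
	if !slices.ContainsFunc(cert.PolicyIdentifiers, pivAuthPolicy.Equal) {
		return errors.New("certificate does not assert the PIV Authentication policy")
	}
	digest := sha256.Sum256(challenge)
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("challenge signature invalid")
	}
	return nil
}

func main() {
	card, roots, _ := IssueCard("123456", "LASTNAME.FIRSTNAME.M") // constructed PIN and cardholder
	challenge := make([]byte, 32) // fresh per logon; reusing a nonce would let a captured signature be replayed
	rand.Read(challenge)
	sig, _ := card.SignChallenge("123456", challenge)
	fmt.Println("logon:", VerifyChallenge(card.AuthCert, roots, challenge, sig, time.Now()))
}
```

The order of checks is the point: the chain and the policy OID establish that the key was issued to a vetted cardholder under PIV rules, and only then does a valid signature over the relying party's own fresh nonce establish that the cardholder (holding the card and knowing the PIN) is present. A signature over any other nonce, a card past its expiry date, or a certificate from an issuer outside the trust store is rejected before the logon is granted.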

Page 55: Using the PIV Credential (same content as page 35)

Page 56: PIV Credential Success Story

The Employee Express (EEX) application is operated by OPM. EEX provides federal employees from participating agencies with a central hub to manage a variety of employment-related information such as tax withholding, health coverage, and direct deposit.

To support an enhanced user experience and promote a secure and trusted means of access and authentication, EEX was enabled to accept the PIV card, and NASA participated in the pilot deployment of the PIV-enabled application.

The NASA community has a sizeable user population, with approximately 18,500 NASA users having the PIV card option. At the beginning of the pilot there was an average of over 1,000 PIV card logins each month, and during January 2013 EEX was accessed over 3,000 times with PIV cards.

NASA employees have provided positive feedback indicating that PIV-enablement of applications increases ease of use, decreases the need for multiple passwords and usernames, and provides an added level of security.

Page 57: PIV Credential vs. Other Credentials (same content as page 36)

Page 58: Differing Agency Priorities

Page 59: Align ICAM with your Agency's Priorities

Based on varying priorities, agencies can choose to focus their implementation efforts on a particular aspect of ICAM to achieve desired results. The ROI toolkit provides case studies that may be leveraged when addressing agency priorities.

• The State Department saw a decrease in the percentage of help desk tickets related to password issues (12.6% in 2006, 8.1% in 2007).
• The General Services Administration's (GSA) IAM Logical Access Initiative worked to lower IT administrative costs by eliminating the need for application-specific passwords and their resetting.
• The Bureau of Land Management, within the Department of the Interior, undertook a staged rollout of logical access and integrated its credentialing with electronic forms, giving electronic forms the reliability of digital signatures.
• The Department of Defense (DoD) decreased the number of successful intrusions by 46% after requiring all DoD personnel to log on to unclassified networks using a CAC.

These case studies can be found in more detail in the ROI toolkit. Please contact [email protected] for access.

Page 60: ROI Toolkit Overview

The ROI Toolkit is a resource that agencies can leverage when demonstrating the value of ICAM and/or building their business case for an ICAM implementation.

• ROI Case Study Inventory. Summarizes federal and commercial ICAM case studies and sound bites that can be leveraged to help scope an ICAM business case analysis. The sound bites can be used as more anecdotal improvement metrics or results.
• ROI Dashboard Tool. Provides templates for calculating ICAM costs and benefits as well as example reports that can be used when planning for an ICAM implementation.
• Building an ICAM Business Case Presentation. Provides a more detailed, step-by-step approach for building an ICAM business case and the cost calculations associated with it. It is to be used in conjunction with the ICAM ROI Dashboard Tool.

Please contact [email protected] to access the ICAM ROI Toolkit.

Page 61: Agency Mission Drivers

Page 62: ICAM at USDA (The Department of Agriculture)

Mission: "To provide leadership on food, agriculture, natural resources, rural development, nutrition, and related issues based on sound public policy, the best available science, and efficient management."

How ICAM supports USDA's mission:
• Supports compliance with USDA and government-wide laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress
• Protects USDA's physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
• Promotes a high level of security, privacy, and protection for the sharing and storage of sensitive data and information
• Improves interoperability between USDA PIV cardholders, other agencies' PIV cardholders, and partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
• Promotes collaboration across the USDA enterprise and with mission partners
• Allows USDA to focus limited funds and personnel resources on promoting nutrition for the American public and protecting food and natural resources

Page 63: ICAM at DOC (The Department of Commerce)

Mission: "To promote job creation, economic growth, sustainable development, and improved living standards for all Americans, by working in partnership with business, universities, communities, and workers."

How ICAM supports DOC's mission:
• Supports compliance with DOC and government-wide laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress
• Protects DOC's physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
• Promotes a high level of security, privacy, and protection for the sharing and storage of sensitive data and information
• Improves interoperability between DOC PIV cardholders, other agencies' PIV cardholders, and partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
• Promotes collaboration across the DOC enterprise and with mission partners
• Allows DOC to focus limited funds and personnel resources on promoting a sustainable work environment for the American public

Page 64: ICAM at DoD (The Department of Defense)

Mission: "To provide the military forces needed to deter war and to protect the security of our country."

How ICAM supports DoD's mission:
• Supports compliance with DoD and government-wide laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress
• Protects DoD's physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
• Promotes a high level of security, privacy, and protection for the sharing and storage of sensitive data and information
• Improves interoperability between DoD CAC holders, other agencies' PIV cardholders, and partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
• Promotes collaboration across the DoD enterprise and with mission partners
• Allows DoD to focus limited funds and personnel resources on protecting the safety of the American public and the Armed Forces

Page 65: ICAM at ED (The Department of Education)

Mission: "To promote student achievement and preparation for global competitiveness by fostering educational excellence and ensuring equal access."

How ICAM supports ED's mission:
• Supports compliance with ED and government-wide laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress
• Protects ED's physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
• Promotes a high level of security, privacy, and protection for the sharing and storage of sensitive data and information
• Improves interoperability between ED PIV cardholders, other agencies' PIV cardholders, and partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
• Promotes collaboration across the ED enterprise and with mission partners
• Allows ED to focus limited funds and personnel resources on promoting student achievement and academic excellence

Page 66: ICAM at DOE (The Department of Energy)

Mission: "To ensure America's security and prosperity by addressing its energy, environmental and nuclear challenges through transformative science and technology solutions."

How ICAM supports DOE's mission:
• Supports compliance with DOE and government-wide laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress
• Protects DOE's physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
• Promotes a high level of security, privacy, and protection for the sharing and storage of sensitive data and information
• Improves interoperability between DOE PIV cardholders, other agencies' PIV cardholders, and partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
• Promotes collaboration across the DOE enterprise and with mission partners
• Allows DOE to focus limited funds and personnel resources on modernizing the energy grid and protecting the environment

Page 67: ICAM at HHS (The Department of Health and Human Services)

Mission: "To serve as the United States government's principal agency for protecting health and providing essential human services to Americans."

How ICAM supports HHS' mission:
• Supports compliance with HHS and government-wide laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress
• Protects HHS physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
• Promotes a high level of security, privacy, and protection for the sharing and storage of sensitive data and information
• Improves interoperability between HHS PIV cardholders, other agencies' PIV cardholders, and partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
• Promotes collaboration across the HHS enterprise and with mission partners
• Allows HHS to focus limited funds and personnel resources on providing essential health-related services to the American public

Page 68: ICAM at DHS (The Department of Homeland Security)

Mission: "To ensure a homeland that is safe, secure, and resilient against terrorism and other hazards."

How ICAM supports DHS' mission:
• Supports compliance with DHS and government-wide laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress
• Protects DHS physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
• Promotes a high level of security, privacy, and protection for the sharing and storage of sensitive data and information
• Improves interoperability between DHS PIV cardholders, other agencies' PIV cardholders, and partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
• Promotes collaboration across the DHS enterprise and with mission partners
• Allows DHS to focus limited funds and personnel resources on safeguarding the American public from foreign and domestic threats

Page 69: ICAM at HUD (The Department of Housing and Urban Development)

Mission: "To create strong, sustainable, inclusive communities and quality affordable homes for all."

How ICAM supports HUD's mission:
• Supports compliance with HUD and government-wide laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress
• Protects HUD's physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
• Promotes a high level of security, privacy, and protection for the sharing and storage of sensitive data and information
• Improves interoperability between HUD PIV cardholders, other agencies' PIV cardholders, and partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
• Promotes collaboration across the HUD enterprise and with mission partners
• Allows HUD to focus limited funds and personnel resources on promoting strong communities and living environments

Page 70: ICAM at DOJ (The Department of Justice)

Mission: "To enforce the law and defend the interests of the United States according to the law; to ensure public safety against threats foreign and domestic; to provide federal leadership in preventing and controlling crime; to seek just punishment for those guilty of unlawful behavior; and to ensure fair and impartial administration of justice for all Americans."

How ICAM supports DOJ's mission:
• Supports compliance with DOJ and government-wide laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress
• Protects DOJ's physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
• Promotes a high level of security, privacy, and protection for the sharing and storage of sensitive data and information
• Improves interoperability between DOJ PIV cardholders, other agencies' PIV cardholders, and partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
• Promotes collaboration across the DOJ enterprise and with mission partners
• Allows DOJ to focus limited funds and personnel resources on promoting and defending federal law

Page 71: ICAM at DOL (The Department of Labor)

Mission: "To foster, promote, and develop the welfare of the wage earners, job seekers, and retirees of the United States; improve working conditions; advance opportunities for profitable employment; and assure work-related benefits and rights."

How ICAM supports DOL's mission:
• Supports compliance with DOL and government-wide laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress
• Protects DOL's physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
• Promotes a high level of security, privacy, and protection for the sharing and storage of sensitive data and information
• Improves interoperability between DOL PIV cardholders, other agencies' PIV cardholders, and partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
• Promotes collaboration across the DOL enterprise and with mission partners
• Allows DOL to focus limited funds and personnel resources on promoting the well-being of the American worker through protection of work-related benefits and rights

Page 72: ICAM at STATE (The Department of State)

Mission: "To create a more secure, democratic, and prosperous world for the benefit of the American people and the international community."

How ICAM supports STATE's mission:
• Supports compliance with STATE and government-wide laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress
• Protects STATE's physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
• Promotes a high level of security, privacy, and protection for the sharing and storage of sensitive data and information
• Improves interoperability between STATE PIV cardholders, other agencies' PIV cardholders, and partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
• Promotes collaboration across the STATE enterprise and with mission partners
• Allows STATE to focus limited funds and personnel resources on promoting United States diplomacy abroad

Page 73: ICAM at DOI (The Department of the Interior)

Mission: "To protect America's natural resources and heritage, honor our cultures and tribal communities, and supply the energy to power our future."

How ICAM supports DOI's mission:
• Supports compliance with DOI and government-wide laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress
• Protects DOI's physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
• Promotes a high level of security, privacy, and protection for the sharing and storage of sensitive data and information
• Improves interoperability between DOI PIV cardholders, other agencies' PIV cardholders, and partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
• Promotes collaboration across the DOI enterprise and with mission partners
• Allows DOI to focus limited funds and personnel resources on promoting the protection and sustainment of natural resources and tribal communities

Page 74

ICAM at TREAS

“Maintain a strong economy and create economic and job opportunities by promoting the conditions that enable economic growth and stability at home and abroad, strengthen national security by combating threats and protecting the integrity of the financial system, and manage the U.S. Government’s finances and resources effectively.”

• Supports compliance with TREAS and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress

• Provides protection of TREAS physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets

• Promotes a high-level of security, privacy, and protection for sharing and storage of sensitive data and information

• Improves interoperability between TREAS PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework

• Promotes collaboration across the TREAS enterprise and with mission partners

• Allows TREAS to focus limited funds and personnel resources on managing and promoting the integrity of the U.S. financial system.

The Department of Treasury

How ICAM Supports TREAS’ Mission

Page 75

ICAM at DOT

“To serve the United States by ensuring a fast, safe, efficient, accessible and convenient transportation system that meets our vital national interests and enhances the quality of life of the American people, today and into the future.”

• Supports compliance with DOT and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress

• Provides protection of DOT physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets

• Promotes a high-level of security, privacy, and protection for sharing and storage of sensitive data and information

• Improves interoperability between DOT PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework

• Promotes collaboration across the DOT enterprise and with mission partners

• Allows DOT to focus limited funds and personnel resources on promoting transportation and infrastructure to meet the needs of the American people.

The Department of Transportation

How ICAM Supports DOT’s Mission

Page 76

ICAM at VA

“To fulfill President Lincoln’s promise ‘To care for him who shall have borne the battle, and for his widow, and his orphan’ by serving and honoring the men and women who are America’s veterans.”

• Supports compliance with VA and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress

• Provides protection of VA physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets

• Promotes a high-level of security, privacy, and protection for sharing and storage of sensitive data and information

• Improves interoperability between VA PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework

• Promotes collaboration across the VA enterprise and with mission partners

• Allows VA to focus limited funds and personnel resources on protecting Veteran information and securing data and infrastructure assets against internal and external threats.

The Department of Veterans Affairs

How ICAM Supports VA’s Mission

Page 77

Agency Resources

Page 78

There are many ICAM resources available to agencies to address the various aspects of ICAM implementation.

ICAM Resources

• FICAM Roadmap V2.0

• ICAM ROI Toolkit*

• ICAM Maturity Model

• ICAM Snapshot Brochure

• Modernized PACS Brochure

• Modernized LACS Brochure

* Please contact [email protected] to access the ICAM ROI Toolkit.

Page 79

Intersection of ICAM and Emerging Needs

Page 80

As the ICAM landscape continues to evolve, agencies are looking for ways to meet the following emerging demands:

Intersection of ICAM and Emerging Needs

Evolution of mobile security

Popularity of cloud computing

Keeping pace with the commercial IAM space

Support for federation and visitor management

Growth of shared services

Surge of single sign-on solutions

Implementing an enterprise IAM system

Page 81

Evolution of Mobile Security

Page 82

The proliferation of internet-enabled mobile devices has created the need to secure the devices themselves and to manage employee and contractor access to data from those devices, so that security is maintained regardless of how a user reaches a resource.

Did you know that…

Evolution of Mobile Security

PIV-derived Credential

The government is working to certify and acquire mobile devices that meet its needs!

PIV-derived credentials will be the approved credentials for securely accessing and using mobile devices.

Page 83

Growth of Shared Services

Page 84

Agencies are working together to develop services to address common agency capabilities and capitalize on efficiencies in an effort to meet ICAM goals while saving money for the Federal Government. These common services include:

Backend Attribute Exchange (BAE) provides secure, standards-based retrieval of attribute information from authoritative sources to support access control decisions and secure information sharing.

Federal Cloud Credential Exchange (FCCX) is a core capability to consume, validate, and translate third-party credentials for relying party applications across multiple agencies, providing a single, easy-to-access integration point.

The GSA USAccess Managed Service Office (MSO) is the executive agent responsible for providing federal agencies with interoperable identity management and credentialing solutions.

Growth of Shared Services

For more information on Goal 4: FICAM Roadmap V2.0

Page 85

Backend Attribute Exchange (BAE)

Page 86

The BAE specification was first developed in May 2008 and has since been successfully demonstrated through a pilot program between the Department of Defense (DoD) and the Department of Homeland Security (DHS) to support information exchange between mission partners during emergency response events.

The Background of the BAE

The BAE Business Case and Lifecycle Sustainment Analysis was created as a joint effort supported by the Program Manager for the Information Sharing Environment (PM-ISE) and the Identity, Credential, and Access Management Subcommittee (ICAMSC). This effort:

Explored key business drivers, benefits, and challenges related to the pursuit of the enterprise BAE capability

Identified expected lifecycle costs and funding considerations

Provided recommendations regarding the feasibility of the enterprise BAE capability and potential implementation considerations

Page 87

The enterprise BAE capability represents the common interest of both the PM-ISE and ICAMSC communities in securely and efficiently sharing mission-specific attribute information in a collaborative environment. PM-ISE supports innovation and implementation of secure information sharing capabilities among the Federal Government and collaborating organizations. The ICAMSC develops and recommends policies, procedures, and standards related to identity management, authentication, and secure access.

The analysis represented in this presentation highlights the following high-level benefits regarding the enterprise BAE capability, as it:

Offers increased flexibility and scalability. BAE provides a secure way to share information and facilitate collaboration between multiple organizations. It aligns with multiple mission needs and is applicable to a broad variety of applications and uses.

Brings a strong, broad potential customer base. An enterprise BAE capability would have a strong, immediate customer base within the information sharing environment which could include agencies and stakeholders (i.e., anyone who has an information sharing need).

Extends the federal trust infrastructure. Through its centralized governance structure, the enterprise BAE capability promotes trust between the attribute provider and consumer.

The BAE Capability Defined

Page 88

GSA’s Office of Governmentwide Policy (OGP) has the responsibility to support coordination across the various policy and standards efforts affecting the Federal ICAM Initiative and to promote the consistent implementation of ICAM solutions at the agency level.

BAE’s Authority

OMB M-11-11 requires agencies to align with the ‘Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance.’

FICAM Roadmap Initiative 5 calls for streamlining the collection and sharing of digital identity data through the use of the BAE to support sharing of data elements for use in shared mission or business areas.

Page 89

BAE for Information Sharing

Participants in the diagram: the Agency A user with a credential; the Agency A Attribute Service (BAE profile compliant); the Agency B protected resource; and the Externalized Authorization Manager B (the policy decision point, PDP).

1. The Agency A user needs access to, or information from, Agency B.

2. User A is authenticated.

3. Agency B needs “off-credential” information to authorize User A to access the resource; it asks its own Authorization Engine B (the PDP).

4. Agency B and Agency A communicate to exchange user information about User A (the Agency B PDP queries the Agency A Attribute Service).

5. The user is granted access.

Page 90

Due to the flexibility of the BAE model it can support any set of attributes as agreed upon by a particular community.

The following slides offer a description of several sample use scenarios for the BAE to help demonstrate its possible applications, including:

• Attribute Based Access Control (ABAC)

• Sensitive but Unclassified (SBU) Environment Simplified Sign-on (SSO)

• Background Investigation Reciprocity

• Visitor Management

BAE Use Case Scenarios

Page 91

Focuses on characteristics that describe people, resources, and environments. The requester provides attributes which are compared to those documented as requirements for granting or denying access, at which point an access decision is made.

ABAC is a suggested use for an organization due to:

• Existing complex access rule sets

• A high volume of visitors requesting access to systems

• A mission focused on collaboration

Attribute Based Access Control (ABAC)
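The information-sharing flow on the earlier BAE slide and the ABAC description above, as a worked example added here (it is not code from the BAE specification or from any agency): Agency B's policy decision point checks that the credential was authenticated, discovers that its resource policy needs attributes the credential does not carry, fetches only those attributes from Agency A's attribute service, and evaluates default-deny rules. The subject identifiers, attribute names, policy rules and service names are constructed for illustration; the real BAE message format and transport are not modelled.

```python
"""Attribute-based access decision driven by a backend attribute lookup.

Constructed example (not the BAE specification or any agency's code):
Agency B's policy decision point (PDP) authenticates a user holding an
Agency A credential, finds that its policy needs "off-credential"
attributes, fetches only those attributes from Agency A's attribute
service, and evaluates the resource policy. All names are made up.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed: Agency A's authoritative attribute store, keyed by the
# subject identifier carried on the credential.
AGENCY_A_ATTRIBUTES = {
    "uuid-a-1001": {"clearance": "SECRET", "role": "emergency-responder",
                    "bi_complete": True, "ssn": "REDACTED"},
    "uuid-a-1002": {"clearance": "PUBLIC_TRUST", "role": "analyst",
                    "bi_complete": True, "ssn": "REDACTED"},
}


def agency_a_attribute_service(subject_id: str, requested: frozenset) -> Optional[dict]:
    """Agency A's attribute provider. Discloses only the attributes the
    consumer asked for, never the whole record (the SSN stays home)."""
    record = AGENCY_A_ATTRIBUTES.get(subject_id)
    if record is None:
        return None
    return {name: record[name] for name in requested if name in record}


@dataclass(frozen=True)
class Credential:
    subject_id: str
    issuer: str            # home agency whose attribute service is authoritative
    authenticated: bool    # outcome of the PIV/PKI authentication step (step 2)


@dataclass(frozen=True)
class Rule:
    attribute: str
    check: Callable[[object], bool]
    description: str


@dataclass(frozen=True)
class Decision:
    permit: bool
    reason: str


# Constructed policy for one protected resource at Agency B.
POLICIES = {
    "incident-reports": (
        Rule("clearance", lambda v: v in {"SECRET", "TOP_SECRET"}, "clearance >= SECRET"),
        Rule("role", lambda v: v == "emergency-responder", "role is emergency-responder"),
        Rule("bi_complete", lambda v: v is True, "background investigation complete"),
    ),
}

# Constructed trust relationships: issuers whose attribute services Agency B
# has an information-sharing agreement with (step 4 only happens for these).
ATTRIBUTE_SERVICES = {"agency-a": agency_a_attribute_service}


def decide(credential: Credential, resource: str) -> Decision:
    """Agency B's PDP. Default deny: any missing piece is a DENY."""
    if not credential.authenticated:
        return Decision(False, "credential not authenticated")
    rules = POLICIES.get(resource)
    if rules is None:
        return Decision(False, f"no policy for resource {resource!r}")
    service = ATTRIBUTE_SERVICES.get(credential.issuer)
    if service is None:
        return Decision(False, f"no attribute-sharing agreement with issuer {credential.issuer!r}")
    needed = frozenset(rule.attribute for rule in rules)   # ask only for what the policy uses
    attrs = service(credential.subject_id, needed)
    if attrs is None:
        return Decision(False, "issuer does not know this subject")
    for rule in rules:
        if rule.attribute not in attrs:
            return Decision(False, f"attribute {rule.attribute!r} unavailable")
        if not rule.check(attrs[rule.attribute]):
            return Decision(False, f"rule failed: {rule.description}")
    return Decision(True, "all rules satisfied")


if __name__ == "__main__":
    for sid in ("uuid-a-1001", "uuid-a-1002"):
        print(sid, decide(Credential(sid, "agency-a", True), "incident-reports"))
```

The two points a practitioner should take from this toy are that the attribute consumer requests only the attributes its policy actually references (so the provider can enforce minimal disclosure), and that every failure path, including an issuer with no sharing agreement, resolves to a deny rather than a fall-through.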

Page 92

The following table summarizes the key details associated with the ABAC use scenario:

Attribute Based Access Control (ABAC)

ICAM Services Provided:
• Authorization and Access
• Privilege Management

Transactional Data:
• Mission-specific attributes
• Privilege attributes

Benefits:
• Requires only one set of information-sharing agreements to join, instead of needing to establish multiple bilateral attribute sharing agreements between multiple partners.
• Enhances ability to coordinate with partners outside the federal space.
• Places responsibility on both attribute provider and consumer for attribute information lifecycle management.
• Requires no advance knowledge of requestors.
• Is highly adaptable to changing needs; efficient for agencies where individuals come and go frequently.

Page 93

A mechanism which reduces the need for multiple logins and authentication processes when accessing a variety of independently owned and maintained SBU/CUI resources.

SBU SSO is a suggested use for an organization due to:

• Current federal, state, local, and tribal partners

• Your work at DHS Fusion Centers

• Your need for access to an SSO SBU/CUI service

• Partnering with PM-ISE

SBU Environment Simplified Sign-on (SSO)

Page 94

The following table summarizes the key details associated with the SBU/CUI environment SSO use scenario:

SBU Environment Simplified Sign-on (SSO)

ICAM Services Provided:
• Authorization and Access
• Digital Identity Management

Transactional Data:
• Mission-specific attributes
• Personnel attributes needed for authentication

Benefits:
• Provides a means of maintaining the integrity of multiple SBU/CUI systems by quickly identifying, authenticating, and authorizing a user.
• Supports and enhances SBU/CUI information collaboration for individuals with a variety of organizational affiliations, including non-federal partners.
• Requires only one set of information-sharing agreements to join, rather than needing to establish multiple bilateral attribute sharing agreements between multiple partners.
• Allows an individual’s attributes to be correlated from multiple organizations or sources to create a unified identity for SSO login.
• Reduces points of entry and increases prevalence of SSO capabilities across multiple applications.
• Supports interoperability with the Global Federated Identity and Privilege Management (GFIPM) and National Information Exchange Federation (NIEF).

Page 95

The process by which an individual’s background check completeness attribute is requested and received from the authoritative source.

Background investigation reciprocity is a suggested use for an organization due to:

• Your high volume of visitors

• Your high volume of outside collaboration

• Your on-boarding of contractors

• Your temporary employment of detailed personnel

• Your multiple inter-agency personnel transfers

• Current federal, state, local, and tribal partners

Background Investigation Reciprocity

Page 96

The following table summarizes the key details associated with the Background Investigation Reciprocity use scenario:

Background Investigation Reciprocity

ICAM Services Provided:
• Digital Identity Management
• Authorization and Access

Transactional Data:
• Background investigation completeness attribute

Benefits:
• Reduces the time needed for an agency to confirm that a background check has been completed.
• Potentially streamlines contractor on-boarding, inter-agency personnel transfer, internal hiring, and Visitor Management Systems (VMS)/services.
• Assists in reducing paperwork submission and administrative burden on both the organization and the individual.
• Supports more efficient PIV card provisioning.

Page 97

A Visitor Management System (VMS) gathers a visiting individual’s personal information, allows for its processing, and takes any additionally needed internal and external steps to prepare the agency for a visitor.

Visitor management is a suggested use for an organization due to:

• The fact that you are an authoritative attribute provider of background investigation completeness

• You are an attribute consumer

• Your organization has a high volume of visitors, including state, local, and tribal law enforcement partners, as well as contractors

• Your organization has a high volume of outside collaboration

• Your agency temporarily employs detailed personnel

Visitor Management

Page 98

The following table summarizes the key details associated with the Visitor Management use scenario:

Visitor Management

ICAM Services Provided:
• Authorization and Access

Transactional Data:
• Background investigation status
• Clearance level
• Various identity attributes
• Personally Identifiable Information (PII) attributes

Benefits:
• Offers opportunity for increased efficiency over commonly used point-to-point attribute sharing relationships.
• Improves timeliness of obtaining visitor attributes from the individual’s home organization.
• Supports more efficient Visitor Management System (VMS) pre-screening prior to an individual’s arrival at the agency.
• Supports customization of the BAE capability according to agency needs and internal VMS processes.
• Assists in achieving the target state described in the FICAM Roadmap, which specifies that agencies move away from manual paper-based methods for managing visitors and implement an electronic enterprise VMS capability, leveraging existing PIV infrastructure.
• Offers opportunity to reduce paperwork submission and administrative burden, on both the organization and the individual.

Page 99

Benefits Realized by BAE Customer

The benefits associated with enterprise BAE capability adoption include:

Increased national security. Contributes to the ability to detect, prevent, or disrupt terrorist activity; reduces incident response time for terrorist and natural-disaster related emergencies; and increases the ability to share information with other organizations responding to the same national security-related issues

Enhanced service delivery. Enhances service delivery for mission partners and customers by shortening the time from when an information sharing need is identified to when it is delivered

Increased opportunity for collaboration. Increases the possibility of ease of collaboration between federal, state, local and tribal law enforcement agencies, as well as other mission partners

Improved efficiency. Improves the efficiency related to the collection and maintenance of information. By allowing for the streamlined electronic request and transfer of information, the enterprise BAE capability can reduce the administrative burden on an organization

Reduced total investment. Reduces the total investment costs incurred by customers to a secure information sharing capability. The total investment is considerably less than the costs associated with establishing individual information sharing systems

Page 100

Federal Cloud Credential Exchange (FCCX)

Page 101

FCCX is a White House-initiated effort to establish a secure, efficient, and privacy enhancing cloud-based government-wide service that will provide federal agencies with the ability to accept and authenticate FICAM-approved third-party credentials for their externally-facing applications.

Once fully functional, the FCCX capability will:

• Support the ability to consume, validate, and translate credentials to relying party applications across multiple agencies.

• Provide a single, easy-to-access integration point, so that agencies do not have to keep building and maintaining single-use, point-to-point connections for the same approved credentials.

At present, the FCCX effort is focused on the following activities:

• Developing governance documents that will outline the expectations for customers, third-party credential providers, and other parties interested in the service;

• Procuring a technology provider to support the technical services and infrastructure required to operate the FCCX capability;

• Determining agency resources that are currently being expended to support credentialing and authentication of external users;

• Working with identity providers to determine an appropriate business model for issuing and authenticating third-party credentials via the FCCX capability; and

• Coordinating resources to efficiently implement the FCCX proof-of-concept.

FCCX Overview

Page 102

FCCX Facilitates Alignment of Federal Goals

NSTIC Objective 2.3: Implement the Federal Government Elements

of the Identity Ecosystem

• The Federal Government must continue to lead by example and be an early adopter of identity solutions that align with the Identity Ecosystem Framework.

• The Federal Government must also continue to leverage its buying power as a significant customer of the private sector to motivate the supply of these solutions.

Agency Challenges Uncovered

• Multiple credentials/accounts for single users

• Difficulty managing accounts and account access rights

• Operating at a lower level of assurance than required for the information being transferred

FICAM Strategic Goals

• Comply with federal laws, regulations, standards and governance

• Facilitate eGovernment by streamlining access to services

• Improve security posture across the Federal Enterprise

• Enable trust and interoperability

• Reduce costs and increase efficiency associated with ICAM

1. Achieve credential interoperability, ensuring that customers can use a single FICAM-accredited credential, if they so choose, across all agencies at the same Level of Assurance (LOA) rather than be asked to get a new credential for each agency application.

2. Make it easier for any agency to quickly and affordably integrate with, and consume, credentials provided by accredited third parties for customers to access online applications.

3. Ensure that agencies (and the taxpayer) do not duplicate efforts and expenditures to build the same system and pay for the associated maintenance and updates to that system.

Page 103

FCCX (Federal Cloud Credential Exchange)

• Each agency connects just once

• FCCX does the heavy lifting

• Guaranteed interoperability of credentials across agencies

• Offers agencies and citizens an easy path to more choice

Diagram: third-party credentials of several types (OpenID/LOA1, SAML/LOA3, PKI) flow through the single FCCX exchange to agency applications.
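The broker pattern on this slide, together with the "operating at a lower level of assurance than required" challenge listed on the previous one, as a worked example added here (it is not FCCX's implementation or any agency's code): one integration point accepts assertions from several approved providers, validates them, and hands the relying party a normalized identity whose LOA comes from the provider's accreditation record rather than from anything the assertion claims about itself. The provider registry, the field names for each protocol, the broker entity ID and the LOA assigned to PKI credentials are all assumptions made for illustration.

```python
"""Credential broker in the FCCX pattern: one integration point that
accepts assertions from several approved third-party identity providers,
validates them, and hands relying parties a single normalized identity
tagged with the provider's accredited Level of Assurance (LOA).

Constructed example, not FCCX's implementation: the provider registry,
assertion field names, broker entity ID and LOA values are assumptions.
"""
from dataclasses import dataclass

BROKER_ENTITY_ID = "fccx-broker"   # assumed audience value assertions must name

# Constructed trust-framework registry: provider -> (protocol, accredited LOA).
# LOA is a property of the provider's accreditation, not something the
# assertion body gets to claim for itself.
APPROVED_PROVIDERS = {
    "idp.openid.example": ("openid", 1),
    "idp.saml.example": ("saml", 3),
    "pki.example": ("pki", 4),   # assumed LOA for PKI credentials in this toy
}


@dataclass(frozen=True)
class NormalizedIdentity:
    subject: str
    issuer: str
    loa: int


class BrokerError(ValueError):
    """Any validation failure; the relying party never sees the raw assertion."""


def normalize(raw: dict, now: int) -> NormalizedIdentity:
    """Validate a raw assertion and translate it to the common shape.
    Each protocol carries subject/issuer/audience/expiry under different
    (constructed) names; the checks applied afterwards are the same."""
    protocol = raw.get("protocol")
    if protocol == "openid":
        issuer, subject = raw["op"], raw["claimed_id"]
        audience, expires = raw["return_to_realm"], raw["nonce_expires"]
    elif protocol == "saml":
        issuer, subject = raw["Issuer"], raw["NameID"]
        audience, expires = raw["Audience"], raw["NotOnOrAfter"]
    elif protocol == "pki":
        if raw.get("revoked"):
            raise BrokerError("certificate revoked")
        issuer, subject = raw["issuer_dn"], raw["subject_dn"]
        audience, expires = BROKER_ENTITY_ID, raw["not_after"]  # certs carry no audience
    else:
        raise BrokerError(f"unsupported protocol {protocol!r}")

    entry = APPROVED_PROVIDERS.get(issuer)
    if entry is None or entry[0] != protocol:
        raise BrokerError(f"issuer {issuer!r} is not an approved {protocol} provider")
    if audience != BROKER_ENTITY_ID:
        raise BrokerError("assertion not addressed to the broker")
    if now >= expires:
        raise BrokerError("assertion expired")
    # LOA comes from the accreditation record; any "loa" field in raw is ignored.
    return NormalizedIdentity(subject=subject, issuer=issuer, loa=entry[1])


def relying_party_accepts(identity: NormalizedIdentity, required_loa: int) -> bool:
    """The agency application's only decision: is the accredited LOA enough?"""
    return identity.loa >= required_loa


def broker(raw: dict, now: int, required_loa: int) -> str:
    """End-to-end verdict for one login attempt at one agency application."""
    try:
        identity = normalize(raw, now)
    except BrokerError as exc:
        return f"REJECT: {exc}"
    if not relying_party_accepts(identity, required_loa):
        return f"REJECT: accredited LOA {identity.loa} below required LOA {required_loa}"
    return f"ACCEPT: {identity.subject} via {identity.issuer} at LOA {identity.loa}"


if __name__ == "__main__":
    now = 1_000_000   # constructed clock value
    saml = {"protocol": "saml", "Issuer": "idp.saml.example", "NameID": "jane.doe",
            "Audience": BROKER_ENTITY_ID, "NotOnOrAfter": now + 300}
    openid = {"protocol": "openid", "op": "idp.openid.example",
              "claimed_id": "https://idp.openid.example/u/42",
              "return_to_realm": BROKER_ENTITY_ID, "nonce_expires": now + 300}
    print(broker(saml, now, 3))
    print(broker(openid, now, 3))
```

The relying party's code shrinks to a single LOA comparison because the broker has already enforced issuer approval, audience and expiry uniformly; the attack this guards against is an assertion that names a trusted issuer but arrives over the wrong protocol or asserts a higher LOA than the issuer is accredited for.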

Page 104

The GSA USAccess Managed Service Office (MSO)

Page 105

The GSA Federal Acquisition Service launched the HSPD-12 Managed Services Office (HSPD-12 MSO) on September 13, 2006, providing turn-key services to produce compliant PIV credentials.

The MSO established the USAccess program, a managed, shared service solution that simplifies the process of procuring and maintaining compliant PIV credentials.

The USAccess program enables U.S. Federal Government agencies to credential employees, contractors, and affiliates.

The USAccess program provides agencies with all the key components necessary to manage the full life-cycle of a PIV credential.

The GSA USAccess Managed Service Office

Page 106

Popularity of Cloud Computing

Page 107

As agencies modernize their infrastructures, they should seek to take advantage of the benefits offered by cloud computing. Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

The cloud leverages:

Popularity of Cloud Computing

On-demand self-service

Broad network access

Massive scale

Virtualization

Resilient computing

Geographic distribution

Service orientation

Advanced security technologies

Page 108

Leveraging shared infrastructure and the economies of scale associated with cloud computing, agencies can measure and pay for the IT resources they consume to match current requirements and budget constraints.

Cloud Computing in the Federal Environment

The Federal Cloud Computing Strategy emphasizes the capability of cloud computing to reduce inefficiencies and improve service delivery.
http://www.dhs.gov/sites/default/files/publications/digital-strategy/federal-cloud-computing-strategy.pdf

M-10-19 directs agencies to evaluate the potential to adopt cloud computing solutions by analyzing computing alternatives for IT investments.
http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-19.pdf

Page 109

There is a fundamental shift in focus from asset ownership to service management when leveraging cloud computing. Agencies need to actively monitor emerging security threats and re-evaluate the service received periodically.

As agencies modify their IT portfolios to fully take advantage of the benefits of cloud computing, they will be able to maximize capacity utilization, improve IT flexibility and responsiveness, and minimize cost. Agencies will also realize the following benefits:

• Increased efficiency (with improved asset and server utilization).

• Enhanced productivity in application development, application management, network, and end-use.

• Increased responsiveness to urgent agency needs.

• Enhanced collaboration with private sector innovation.

• Increased linking to emerging technologies (e.g., devices).

Cloud Computing Considerations

http://www.dhs.gov/sites/default/files/publications/digital-strategy/federal-cloud-computing-strategy.pdf

Page 110

Keeping Pace with the IAM Commercial Space

Page 111

FICAM incorporates best practices from the commercial space. The government is following the lead that the commercial space has set in creating efficiencies in a cost effective manner, particularly around cloud computing:

The commercial space has taken advantage of the technologies available for cloud computing to improve resource utilization, increase service responsiveness, and achieve meaningful benefits in efficiency, agility, and innovation.

Cloud computing offers the government an opportunity to apply the innovations of the commercial space through more effective use of IT investments.

Keeping Pace with the IAM Commercial Space

Page 112

Support for Federation and Visitor Management

Page 113

Today there are various ad hoc processes in place when an employee or contractor visits another agency. A Visitor Management System (VMS) gathers a visiting individual’s personal information, allows for its processing, and takes any additionally needed internal and external steps to prepare the agency for a visitor.

Improves timeliness of obtaining visitor attributes from the individual’s home organization.

Supports more efficient VMS pre-screening prior to an individual’s arrival at the agency.

Assists in achieving the target state described in the FICAM Roadmap, which specifies an agency move away from manual paper-based methods for managing visitors and implementing an electronic enterprise VMS capability, leveraging existing PIV infrastructure.

Offers opportunity to reduce paperwork submission and administrative burden, on both the organization and the individual.

Support for Federation for Visitor Management

The BAE can improve this process!

Page 114

Visitor Management Benefits Associated with the BAE

A customer of the BAE is positioned to realize benefits internal to the agency as well as to the larger Federal Government.

Benefit areas: Reduce Risk, Decrease Hassle, Increase Power, Gain Praise, Save Money

• Reduce the paperwork submission of personally identifiable information (PII) on both the organization and the individual.

• Support more efficient visitor management pre-screening prior to an individual’s arrival at the agency to reduce the need for human intervention.

• Reduce administrative burden and redundant processes.

• Improve timeliness of obtaining visitor attributes from the individual’s home organization.

• Lead in innovation by supporting the FICAM target state through protecting, serving, and safeguarding.

• Assist in achieving M-11-11 through alignment with the FICAM Roadmap, in moving away from manual paper-based methods for managing visitors.

• Reduce upfront cost through leveraging the shared service which GSA is providing.

• Support customization of the BAE capability according to the agency needs and internal visitor management processes.

• Retain full control of information held, allowing the opportunity to maintain ownership of information and maintain discretion on access to information.

• Increase national security by transmitting data in a secure and consistent format.


Surge of Single Sign-On Solutions


Surge of Single Sign-On Solutions

Single Sign-On (SSO) – a mechanism by which a single act of user authentication and log on enables access to multiple independent resources.

When agencies are considering modernizing their Logical Access architecture and design, SSO should be a consideration to help relieve application owners from managing and administering credentials, but it is also great for the user! SSO…

• Eliminates the need to authenticate multiple times with the PIV credential (access to protected applications as the session and application policy allow)

• Streamlines the access process

• Creates transparency in access across applications

This information has been derived from the FICAM Roadmap; for more detailed information, see Chapter 11.


Implementing an Enterprise IAM System


Implementing an Enterprise IAM System

An enterprise solution for ICAM allows an agency to maximize investment while meeting ICAM requirements in a consistent, secure manner.

"A department with a modern, homogeneous infrastructure could save as much as 30 percent on infrastructure costs, field applications more quickly and less costly, and provide improved IT security. Given the structure of Agency budgets and organizations, it is very difficult for an Agency CIO to have the tools available to drive such standardization."

Source: The DHS CIO testimony before the House Committee on Oversight and Government Reform, released on February 27, 2013

An enterprise IAM solution allows an agency to:

• Standardize and streamline processes

• Leverage existing tools across multiple components/bureaus

• Pass identity data and information across functional areas

• Eliminate redundant IT investments


Implementing an Enterprise IAM System

An enterprise solution provides benefits that span the agency and helps to check the boxes of the ICAM target state:

• Reduced administrative burden

• Increased interoperability with partners

• Reduced infrastructure costs through enterprise technology

• Increased cost savings through leveraging enterprise licensing


Resources


ICAM Resources

There are many ICAM resources available to agencies today!

• FICAM Roadmap V2.0

• ICAM ROI Toolkit*

• ICAM Maturity Model

• ICAM Snapshot Brochure

• Modernized PACS Brochure

• Modernized LACS Brochure

* Please contact [email protected] to access the ICAM ROI Toolkit.


FICAM Roadmap


FICAM Roadmap and Implementation Guidance

The FICAM Roadmap and Implementation Guidance document consists of two components: Part A outlines the government-wide ICAM segment architecture; and Part B provides agencies with implementation guidance, critical for achieving alignment.

PART A: ICAM Segment Architecture (Chapters 3 - 5)

Part A provides the ICAM segment architecture, which outlines a cohesive target state to ensure clarity and interoperability across agency-level initiatives, including:

• Compliance with the Federal Segment Architecture Methodology (FSAM)

• Various use cases which illustrate the as-is and target states of high-level ICAM functions and frame a gap analysis between the as-is and target states

• A detailed transition roadmap and milestones which define a series of logical steps or phases that enable the implementation of the target architecture

PART B: Implementation Guidance (Chapters 6 - 12)

Part B provides guidance on a broad range of topics to enable a holistic approach for alignment with the ICAM segment architecture, including:

• Information for planning and managing an agency’s ICAM program

• Sample solution architectures for expected target state technical capabilities

• Important considerations, benefits, and limitations for different implementation approaches

• Numerous tips, FAQs, and lessons learned from real ICAM implementations

FICAM Roadmap V2.0


ROI Toolkit


ROI Toolkit Overview

The ROI Toolkit* is a resource that agencies can leverage when demonstrating the value of ICAM and/or building their business case for an ICAM implementation.

• ROI Case Study Inventory. Summarizes federal and commercial ICAM case studies and sound bites that can be leveraged to help scope an ICAM business case analysis. The sound bites can be leveraged as more anecdotal improvement metrics or results.

• ROI Dashboard Tool. Provides templates for calculating ICAM costs and benefits as well as example reports that can be used when planning for an ICAM implementation.

• Building an ICAM Business Case Presentation. Provides a more detailed, step-by-step approach for building an ICAM business case and the cost calculations associated with it. It is to be used in conjunction with the ICAM ROI Dashboard Tool.

* Please contact [email protected] to access the ICAM ROI Toolkit.


ROI Toolkit: Case Study Inventory

The case study inventory includes federal and commercial ICAM case studies and sound bites that can be leveraged to help scope an ICAM business case analysis. The sound bites can be leveraged as more anecdotal improvement metrics or results.

Case studies by type or industry:

Federal, Civilian
• STATE: Cost Benefit Comparison between PKI/BLADE and Password-based Authentication
• GSA IAM Logical Access Initiative
• Common Access Card for US Bureau of Land Management

Federal, Defense
• Drivers for use of CAC in the DoD Community

Transportation
• Transit Industry Case Study – Transit Smartcards for Automatic Fare Collection

Healthcare
• Use of Smartcards in the Healthcare Community
• Health Industry Case Study – Multi-function Smart ID Badge for Hospital Staff
• SAFE-BioPharma Digital Signatures – AstraZeneca example

General
• Value of Converged Access, SSO, and Remote Access Solutions
• Password Management and Single Sign-on
• Opening the Door to e-Business
• Password Reset: Using Self-Service

Please contact [email protected] to access the ICAM ROI Toolkit.


ROI Toolkit: Building an ICAM Business Case Presentation

The Building an ICAM Business Case presentation provides a detailed, step-by-step approach for building an ICAM business case and the associated cost calculations.

1. Strategy and Requirements
• Defining an ICAM Strategy
• Completing the stakeholder analysis

2. Alternatives Planning
• Constructing the ICAM business case
• Completing a gap analysis
• Conducting an alternatives analysis
• Completing a detailed cost analysis
• Calculating quantitative and qualitative benefits

3. Measurement and Reporting
• Completing an end-to-end cost summary
• Selecting performance metrics and reports

* Please contact [email protected] to access the ICAM ROI Toolkit.


ROI Toolkit: ROI Dashboard Tool

The ROI dashboard tool provides templates for calculating ICAM costs and benefits.

Dashboard tool components:

• Cost summary

• Cost analysis

• Quantitative benefits

• Qualitative benefits

• Net benefits graph

• Break even analysis

* Please contact [email protected] to access the ICAM ROI Toolkit.


ICAM Success Story Snapshot

Through ICAM implementations, federal agencies have been able to experience the benefits associated with successful ICAM solutions.

• The State Department experienced a decrease in the percentage of help desk tickets related to password issues (2006 – 12.6%, and 2007 – 8.1%).

• The General Services Administration’s (GSA) IAM Logical Access Initiative worked to lower IT administrative costs by eliminating the need for application-specific passwords and their resetting.

• The Bureau of Land Management, within the Department of Interior, undertook a staged rollout of logical access and integrated its credentialing and electronic forms. This gave its electronic forms a high degree of reliability through digital signatures.

• The Department of Defense (DoD) decreased the number of successful intrusions by 46% due to a requirement that all DoD personnel log on to unclassified networks using a CAC.

These case studies can be found in more detail in the ROI toolkit. Please contact [email protected] to access the ICAM ROI Toolkit.


ICAM Maturity Model


ICAM Maturity Model

The ICAM Maturity Model tool provides a government-wide approach for evaluating the progress of an agency’s capabilities against the ICAM segment architecture. It:

• Provides a series of questions for an agency to answer related to:
  • Governance & Program Management
  • Identity Management
  • Credential Management
  • Physical Access Management
  • Logical Access Management
  • Federation

• Identifies capability gaps between the current state and the ICAM target state via a summary dashboard

• Provides the steps necessary to achieve the next phase of ICAM maturity


ICAM Maturity Model – Initial

Initial.

• ICAM related projects and work streams are initiated and managed in an ad-hoc manner

• There is little structure or opportunity for coordination between related ICAM projects and work streams

• ICAM related processes are often conducted manually using paper-based methods, often creating duplicative and redundant efforts

• Users are issued credentials for access to agency resources that are not PIV cards


ICAM Maturity Model – Repeatable

Repeatable.

• A coordinated plan for the establishment of an ICAM program exists within the agency

• An agency-level ICAM program management structure has been designed and a plan exists to implement it

• A plan for the reduction of redundant, manual, and paper-based processes related to ICAM has been defined

• A plan has been developed to transition to issuance of the PIV card, while minimizing the issuance of other credential types


ICAM Maturity Model – Defined

Defined.

• A coordinated agency-level ICAM program/approach has been implemented

• An agency-level ICAM program management structure is in place

• Redundant, manual, and paper-based processes related to ICAM have been reduced and electronic and automated processes have been introduced

• The PIV card is being issued to users within the organization


ICAM Maturity Model – Managed

Managed.

• There is an operational ICAM program with clearly defined programs and project goals and objectives

• The agency has formalized leadership support and there is close coordination between agency-level ICAM efforts

• A single, enterprise digital identity record has been established for each user within the organization and a mechanism is in place to securely share authoritative identity data with agency systems and processes that use it

• The PIV card is the only credential issued to employees and contractors

• Users are electronically authenticated to physical and logical resources, using the technology on the PIV card (e.g., CHUID/FASC-N [PACS] and PIV Authentication Key [LACS])


ICAM Maturity Model – Optimized

Optimized.

• The agency has an effective ICAM program with formalized and robust management mechanisms in place

• ICAM related processes have been streamlined, automated, and converted to electronic mechanisms, wherever possible

• Enhanced management capabilities (e.g., enhanced auditing and reporting, leadership dashboard capabilities, etc.) have been implemented to increase security and reduce administrative burden


ICAM Maturity Model

Based on the answers provided for each of the ICAM areas, the tool coordinates measuring maturity and accountability across agency-level activities and performance metrics from the ICAM segment architecture and the ICAM transition plan template.

Note: Guidance for use of the ICAM Maturity Model by federal agencies is forthcoming.


FICAM Testing Program


FICAM Testing Program

The FICAM Testing Program:

• Serves as a comprehensive testing and evaluation capability

• Supports the selection and procurement of qualified products and services for federal agencies

• Enables the implementation of a federated and interoperable ICAM segment architecture

The FICAM Approved Products List (APL):

• Provides agency purchasers with a list of products that have been tested and approved under the FICAM Testing Program for purchase and use by federal agencies

New! Access the new FICAM Testing Program page.


ICAM Web Content Series


ICAM Web Content Series

The ICAM Web Content Series provides agency implementers with a succinct summary of the highlighted subject matter. It translates complex and technical topics, illustrating them in a digestible fashion for implementers while providing a holistic summary of how the identified topic fits within the ICAM landscape.

The PIV in LACS Web Content provides guidance, best practices, and helpful tips to federal agencies on PIV-enabling logical resources at the enterprise level to meet federal requirements. The PIV in LACS video provides additional resources, such as:

• Information on the multiple benefits of PIV-enablement

• Common questions and answers that may arise during the implementation process

• A checklist of actionable next steps for PIV-enablement

Coming Soon! The PIV in PACS and Mobile Security Web Content Videos


ICAM Brochures


ICAM Brochures

As an accompaniment for the FICAM Roadmap, snapshot brochures are available.

• ICAM Snapshot Brochure: Provides summary information around what ICAM is, the FICAM Roadmap target state, the strategic vision for ICAM, and its value proposition.

• Modernized PACS Brochure: Provides summary information around the implementation of an enterprise PACS, the benefits of PACS modernization, the steps for implementing a modernized PACS solution, and PIV-enablement.

• Modernized LACS Brochure: Provides summary information around the implementation of an enterprise LACS, the benefits of LACS modernization, and design approaches and application integration for LACS.

• Leadership Communications Brochure: Provides high-level summary information about ICAM programs for leadership and explains how ICAM supports an agency in achieving its mission.


Align Collaborate Enable