Federal CIO Council, Information Security and Identity Management Committee
IDManagement.gov
Leadership Communications Brief
Last Updated: June 13, 2013
Content Overview
Choose your own adventure! This briefing deck is intended for agencies to leverage in a manner that is most appropriate for them. The deck includes summary information as well as more detailed slides related to particular topics.
The slides are broken down into the following categories:
• ICAM Goals and Objectives
• Current Challenges and ICAM Solutions
• Intersection of ICAM and Emerging Needs
• Resources
ICAM Overview
What is Identity, Credential, and Access Management (ICAM)?
ICAM represents the intersection of digital identities, credentials, and access control into one comprehensive approach that is focused on delivering greater convenience and appropriate security and privacy protection, with less effort and at a lower cost.
ICAM includes:
• Digital Identity
• Credentialing
• Privilege Management
• Authentication
• Authorization and Access
• Federation
• Cryptography
• Auditing and Reporting
What Does ICAM Provide?
The ICAM Target State architecture enhances alignment, clarity, and interoperability across the Federal Government while improving security, eliminating redundancies, and reducing costs.
1. Identity Management
• Protection of PII*
• Simplify management of user data
• Streamlined on-boarding
2. Credential Management
• Improved interoperability
• Resistance to fraud and tampering
• Enhanced interagency trust
3. Access Management
• Stronger authentication
• Streamlined access to resources
• Reduced enterprise costs
4. Federation
• Improved collaboration with partners
• Reduced management burden on external users
5. Auditing and Reporting
• Enhanced activity logging
• Ability to support security forensics
* Personally Identifiable Information (PII)
ICAM Goals and Objectives
ICAM addresses federal identity, credential, and access management programs and demonstrates the importance of implementing the ICAM segment architecture in support of five overarching strategic goals and their related objectives.
Goal 1: Comply with Federal Laws Relevant to ICAM
• Align and coordinate federal policies and key initiatives impacting ICAM implementation
• Establish and enforce accountability for ICAM implementation to governance bodies
Goal 2: Facilitate E-Government by Streamlining Access to Services
• Expand secure electronic access to government data and systems
• Promote public confidence through transparent ICAM practices
Goal 3: Improve Security Posture across the Federal Enterprise
• Support cybersecurity programs
• Integrate electronic verification procedures with PACS
• Drive the use of a role-based framework for access control
• Improve electronic audit capabilities
Goal 4: Enable Trust and Interoperability
• Support ISE communities of interest
• Align processes with external partners
• Establish and maintain trust relationships
Goal 5: Reduce Costs and Increase Efficiency
• Leverage standards and COTS for ICAM services
• Reduce administrative burden associated with performing ICAM tasks
• Align existing and reduce redundant ICAM programs
• Increase interoperability and reuse of ICAM programs and systems
Agency ICAM Responsibilities
Federal agencies are responsible for the agency-level initiatives found in the FICAM Roadmap and Implementation Guidance, as required by M-11-11.
Initiative 5: Streamline Collection & Sharing of Digital Identity Data
• Establish and leverage authoritative data sources
• Automatically and electronically share identity data
Initiative 6: Fully Leverage PIV and PIV-I Credentials
• Authenticate cardholders using the mechanisms on PIV/PIV-I cards
• Accept PIV cards from other agencies
• Use PIV card for data security operations (e.g., encryption)
Initiatives 7 & 8: Modernize PACS & LACS Infrastructure
• PIV-enable PACS/LACS
• Automate provisioning of user access privileges
• Implement enterprise solutions for cost savings
Initiative 9: Implement Federated Identity Capability
• Leverage FPKI and trust framework processes
• Enable applications to accept third party credentials
The ICAM Evolution
The Federal ICAM Initiative was created based on the recommendation of the National Science and Technology Council (NSTC) Identity Management Task Force Report, as an endeavor to provide streamlined coordination and management for related programs, including Federal Public Key Infrastructure (PKI), E-Authentication, and Homeland Security Presidential Directive 12 (HSPD-12).
Timeline:
• October 1998: GPEA
• September 2002: FCPA Operational
• October 2002: FISMA
• December 2002: E-Gov
• December 2003: M-04-04
• August 2004: HSPD-12
• August 2005: M-05-24
• March 2006: FIPS 201
• September 2008: NSTC Task Force Report
• December 2008: ISIMC Chartered
• November 2009: FICAM Roadmap & Implementation Guidance v1.0
• February 2011: M-11-11
• December 2011: FICAM Roadmap & Implementation Guidance v2.0
Development efforts shown spanning the timeline: Development of Special Publications (Issuance of PIV Begins); Development of ICAM Segment Architecture; Development of Implementation Guidance.
ICAM Drivers
There are a number of drivers related to security, privacy, and efficiency that have converged to emphasize the need for coordinated ICAM efforts.
• Increasing cybersecurity threats: There is no National, International, Industry “standard” approach to individual identity on the network. (President’s 60 Day Cyberspace Policy Review) Security weaknesses found across agencies included the areas of user identification and authentication, encryption of sensitive data, logging and auditing, and physical access. (GAO-09-701T)
• Need for improved physical security
• Lag in providing government services electronically
• Vulnerability of Personally Identifiable Information (PII)
• Lack of interoperability
• High costs for duplicative processes and data management
“The ICAM segment architecture will serve as an important tool for providing awareness to external mission partners and drive the development and implementation of interoperable solutions.” (President’s FY2010 Budget)
ICAM Mission
ICAM seeks to streamline government-wide identity, credential, and access management activities to ensure alignment and clarity, minimize duplication of effort, and promote government-wide interoperability.
• Fostering effective government-wide identity and access management
• Enabling trust in online transactions through common identity and access management policies and approaches
• Aligning federal agencies around common identity and access management practices
• Reducing the identity and access management burden for individual agencies by fostering common interoperable approaches
• Ensuring alignment across all identity and access management activities that cross individual agency boundaries
• Collaborating with external identity management activities through inter-federation to enhance interoperability
Supporting Your Agency’s Mission with ICAM
ICAM provides a foundational capability to manage identity accounts, user credentials, and access to your agency’s resources.
User populations shown on the slide: Agency Employees & Contractors; Customers; Business Partners.
Identity Management
• Manage users & accounts
• Protect personally identifiable information
• Securely share attributes (e.g., First, Last, ID)
Credential Management
• Implement PIV for employees & contractors
• Leverage PKI
• Leverage trusted externally-issued credentials
Access Management
• Access federal facilities
• Access IT resources
• Federate access for external users
Agency Challenges and Solutions
Today’s Agency Challenges
ICAM can assist an agency in implementing solutions to overcome a variety of obstacles.
• Budget Constraints
• Differing Agency Priorities
• Technical Comprehension
• Collaboration Between Agency Stakeholders
• Multiple Federal Laws and Policies
• Distributed Organizations
• Agency Resources
• PIV and PIV-enablement
• Understanding How FICAM Impacts Agency Programs
Budget Constraints
Leverage Existing Investments
Agencies may have existing investments in place that are capable of providing services in a manner consistent with the target state ICAM segment architecture.
• Software. Cost of software, including licenses and maintenance fees, that can be decommissioned or redeployed across all environments for development, testing, and production
• Hardware. Cost of hardware that could be decommissioned or redeployed across all environments for development, testing, and production
The availability of enterprise software licenses should be investigated, as these can significantly lower acquisition costs and influence an agency’s make or buy decision.
This information has been derived from the FICAM Roadmap.
Tools to Support Agency ICAM Planning
Leverage existing tools and documentation to plan for ICAM investments!
FICAM Roadmap V2.0
• Capital planning guidance is found in Chapter 6
• Planning for physical and logical access implementations is found in Chapters 10 and 11 respectively
ICAM ROI Toolkit*
• The ROI dashboard tool can be used to determine potential ICAM costs and benefits
• Based on estimated costs, the Toolkit assists agencies in building a business case
ICAM Maturity Model
• Identify how and where programs are being successful
• The findings can inform an agency on where resources can be leveraged
* Please contact [email protected] to access the ICAM ROI Toolkit.
FICAM Roadmap and Implementation Guidance
The FICAM Roadmap and Implementation Guidance document (FICAM Roadmap V2.0) consists of two components: Part A outlines the government-wide ICAM segment architecture; and Part B provides agencies with implementation guidance, critical for achieving alignment.
PART A: ICAM Segment Architecture (Chapters 3 - 5)
Part A provides the ICAM segment architecture which outlines a cohesive target state to ensure clarity and interoperability across agency-level initiatives, including:
• Compliance with the Federal Segment Architecture Methodology (FSAM)
• Various use cases which illustrate the as-is and target states of high level ICAM functions and frame a gap analysis between the as-is and target states
• Detailed transition roadmap and milestones which define a series of logical steps or phases that enable the implementation of the target architecture
PART B: Implementation Guidance (Chapters 6 - 12)
Part B provides guidance on a broad range of topics to enable a holistic approach for alignment with the ICAM segment architecture, including:
• Information for planning and managing an agency’s ICAM program
• Sample solution architectures for expected target state technical capabilities
• Important considerations, benefits, and limitations for different implementation approaches
• Numerous tips, FAQs, and lessons learned from real ICAM implementations
ROI Toolkit Overview
The ROI Toolkit* is a resource that agencies can leverage when demonstrating the value of ICAM and/or building their business case for an ICAM implementation.
• ROI Case Study Inventory. Summarizes federal and commercial ICAM case studies and sound bites that can be leveraged to help scope an ICAM business case analysis. The sound bites can be leveraged as more anecdotal improvement metrics or results.
• ROI Dashboard Tool. Provides templates for calculating ICAM costs and benefits as well as example reports that can be used when planning for an ICAM implementation.
• Building an ICAM Business Case Presentation. Provides a more detailed, step-by-step approach for building an ICAM business case and the cost calculations associated with it. It is to be used in conjunction with the ICAM ROI Dashboard Tool.
* Please contact [email protected] to access the ICAM ROI Toolkit.
ICAM Maturity Model
The ICAM Maturity Model tool provides a government-wide approach for evaluating the progress of an agency’s capabilities against the ICAM segment architecture.
• Provides a series of questions for an agency to answer related to: Governance & Program Management; Identity Management; Credential Management; Physical Access Management; Logical Access Management; Federation
• Identifies capability gaps between the current state and the ICAM target state via a summary dashboard
• Provides the steps necessary to achieve the next phase of ICAM maturity
Technical Comprehension
ICAM Technology at a Glance
Understanding the key characteristics of ICAM technology can help an agency in moving towards achievement of the ICAM target state.
ICAM technology characteristics:
• Provides protection of both physical (e.g., buildings, offices) and logical (e.g., networks, applications) agency resources and assets
• Promotes collaboration among federal agencies and with mission partners
• Aligns with multiple agency missions and needs (i.e., provides a high degree of customization and flexibility)
• Supports ability to manage multiple users and their privileges when accessing agency resources (i.e., networks and applications)
• Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
• Provides a logging process to support a clear audit trail
Understanding How FICAM Impacts Agency Programs
ICAM Can Support Other Agency Programs
Experience the following benefits across your agency business processes by implementing ICAM:
• Increased security, which correlates directly to reduction in identity theft, data breaches, and trust violations.
• Compliance with laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress.
• Improved interoperability, specifically between agencies using their PIV credentials along with other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework.
• Enhanced customer service, both within agencies and with their business partners and constituents, facilitating secure, streamlined, and user-friendly transactions.
• Elimination of redundancy, both through agency consolidation of processes and workflow and the provision of government-wide services to support ICAM processes.
• Increase in protection of Personally Identifiable Information (PII) by consolidating and securing identity data.
Collaboration Between Agency Stakeholders
Capital Planning for ICAM
Collaboration between all relevant stakeholders during each phase of the Capital Planning and Investment Control (CPIC) process is critical to ensure that the overlapping elements of different ICAM activities are addressed.
To support capital planning for ICAM programs, an agency should:
• Coordinate capital planning efforts across individual ICAM projects and Exhibit 300 business cases
• Ensure alignment throughout the organization to consolidate redundant ICAM investments across agency components
• Support collaboration across ICAM projects and systems to improve visibility and accountability of the agency’s spending on ICAM-related investments
• Evaluate agency-specific needs to determine the appropriate and most cost-efficient Exhibit 300 submission approach
Agencies should work to incorporate ICAM requirements into their CPIC and investment request processes by:
• Identifying key criteria for an investment to be considered aligned with the ICAM target state;
• Incorporating those criteria into CPIC processes and guidance; and,
• Communicating any changes to the relevant stakeholders and CPIC process participants.
ICAM Touches Many Programs
Coordinate with the appropriate stakeholders at your agency early and often! Suggested coordination activities include:
Problem-Solving Teams
• Develop expert problem-solving teams, such as working groups that are established to address issues and present solutions.
• Help to identify and escalate business and technical challenges that may not be known at the enterprise level but could impede ICAM implementation throughout the agency.
• Share implementation lessons learned across bureaus/components or individual programs to reduce overall ICAM program risk and increase speed and efficiency in implementation.
Focus Groups/Tiger Team
• Stand up smaller focus groups or tiger teams for the purpose of resolving specific program issues or providing direct support for implementation.
• Improve stakeholder buy-in associated with enterprise approaches and services by promoting better understanding and a sense of inclusion and ownership in the program.
• Improve consistency across an agency’s ICAM implementation, a key goal when implementing the ICAM segment architecture.
This information has been derived from the FICAM Roadmap; for more detailed information see section 6.1.2 Program Stakeholders.
Multiple Federal Laws and Policies
The Current ICAM Policy Landscape
Implementing ICAM promotes alignment with multiple policies.
• HSPD-12: Homeland Security Presidential Directive 12 was issued August 27, 2004 to create a common identification standard for federal employees and contractors for accessing federally-controlled facilities and federal information systems.
• OMB M-11-11: Issued February 3, 2011, OMB M-11-11 provides additional guidance for agencies in the continued implementation of HSPD-12 and requires federal agencies to designate a lead official and issue a policy requiring use of the PIV credential.
• NSTIC: In April 2011, the National Strategy for Trusted Identities in Cyberspace (NSTIC) was developed to enable individuals and organizations to utilize improved identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.
• VanRoekel Memo: On October 6, 2011 the Office of Management and Budget (OMB) released a policy memorandum related to the acceptance of externally-issued identity credentials by federal applications.
• NSISS: The National Strategy for Information Sharing and Safeguarding (NSISS) was signed by the President on December 19, 2012 and contains goals, principles, and objectives that outline a plan on how the Federal Government will responsibly share and safeguard to enhance and protect national security information.
Policy Shaping the ICAM Landscape
The ICAM Landscape contains a multitude of policy drivers that enable the interoperability and trust necessary to accomplish secure information sharing within and beyond the boundaries of the Federal Government.
Uphold Security Posture
Promotes the use of enhanced security measures to protect government systems, resources, and facilities.
References:
• Homeland Security Presidential Directive 12 (HSPD-12)
• Federal Information Security Management Act (FISMA)
• FIPS 201-2
Secure Information Sharing
Facilitates government-wide interoperability and trusted collaboration across the unclassified, secret, and top secret fabrics.
References:
• Intelligence Reform and Terrorism Prevention Act
• Executive Order (E.O.) 13587
• National Strategy for Information Sharing and Safeguarding (NSISS)
Enable Trust and Interoperability
Establishes a foundation of internal and external trust to drive the development and implementation of interoperable solutions.
References:
• National Security Strategy (2010)
• Van Roekel Memo
• National Strategy for Trusted Identities in Cyberspace (NSTIC)
Facilitate E-Government
Supports the elimination of paper-based forms to streamline existing processes and reduce redundancies.
References:
• E-Government Act of 2002
• OMB M-04-04
• The Digital Government Strategy
• Government Paperwork Elimination Act (GPEA)
HSPD-12
HSPD-12
Homeland Security Presidential Directive 12 was issued August 27, 2004 to create a common identification standard for federal employees and contractors for accessing federally-controlled facilities and federal information systems.
Security Objectives: Establish a mandatory, government-wide standard for secure and reliable forms of identification that:
• Is issued based on sound criteria for verifying an individual employee's identity;
• Is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation;
• Can be rapidly authenticated electronically; and
• Is issued only by providers whose reliability has been established by an official accreditation process.
Results:
• A standard, interoperable credential: the PIV credential
• Consistent processes for identity vetting and proofing
• A common, secure approach for accessing facilities and networks
• An increased level of government efficiency
http://www.dhs.gov/homeland-security-presidential-directive-12
The Environment Prior to HSPD-12
Before HSPD-12, the key efforts in the federal environment, such as physical and logical access and identity vetting and identity processes, were managed separately and inconsistently.
Logical Access
• Management of multiple passwords and user accounts increasing inefficiencies
• Use of lower assurance credentials (e.g., password) introducing security risks
• Inconvenience to users to remember/manage different passwords and tokens
Identity Processes
• Various processes for confirming identity of user prior to issuance of credential, making it possible for individuals to claim a false identity
• Inconsistent vetting requirements, resulting in varying levels of suitability
• No trust or reciprocity across agencies, leading to duplication of investigation efforts and costs
Physical Access
• Over 200 types of valid IDs, leading to inefficiencies and security challenges
• Prevalence of IDs that could be easily counterfeited, enhancing potential for a security breach
• In many cases, no means of electronic verification, providing little to no assurance of user’s identity and introducing the opportunity for human error
PIV Credential Overview
The PIV credential has a variety of security features, notably the use of Public Key Infrastructure (PKI) cryptography to provide strong identity assurance in an interoperable manner.
• Chain of Trust / Identity Proofing Process / Common Processes: Identity proofing and background investigation processes that build a chain of trust.
• Biometric Authentication: Fingerprint and/or iris information used for authentication that binds the identity of the user to the credential.
• PIN: Something that only the user knows and is used to access various applications. Replaces cumbersome and insecure passwords for applications.
• Physical Features: Strong anti-counterfeiting features (e.g., laser etching, holographic images).
• PKI Authentication: Digital certificate on the card that supports electronic verification of the cardholder.
• PKI Digital Signature: For electronically signing documents to provide non-repudiation and message integrity.
• PKI Encryption: For cryptographically protecting data at rest and in transit in order to provide confidentiality.
• Contact Chip and Color Photograph.
Sample card face shown on the slide: Affiliation: Civilian; Lastname Firstname, M.; United States Government; Agency/Department: Department of Homeland Security; Issued 01/01/10, Expires 01/01/15; Federal Emergency Response Official.
HSPD-12 Streamlines Operations and Reduces Duplication
By implementing HSPD-12 and standardizing the PIV credential, agencies experience significant cost-savings and added value.
Cost-savings from:
• Minimized password resets
• Reduced infrastructure and hosting costs on other credential types
• Minimized security breaches
• Phasing out duplicative processes and IT investments
Added value from:
• Minimized paperwork/manual processes
• Enhanced information-sharing
• Improved user-satisfaction from having to remember a single PIN vs. multiple passwords
Prior to HSPD-12 (as depicted on the slide): multiple credentials needed; security breach remediation; multiple password resets; repeated data entry; manual/redundant paperwork; duplicative processes; distributed physical security; extensive IT and infrastructure costs.
HSPD-12 Environment: a single PIV credential.
Using the PIV Credential
Imagine a world where a single credential gets you in the front door to your office, onto your computer, allows you to securely sign and encrypt data, and access government-wide tools and resources at other agencies. This world is possible today with the PIV credential.
• Access your agency’s resources
• Interoperable for government-wide use: government-wide applications, access at other agencies
• Leverage value-add applications: digital signatures, encryption, transit/payment
PIV Credential vs. Other Credentials
The PIV credential provides many features and benefits that other credentials are unable to offer, as depicted below.
The slide compares three credential types (Password, OTP Tokens, PIV) against the following criteria:
• User vetting
• High identity assurance
• Interoperability
• Accredited issuance processes
• Cross-agency trust
• Use for physical and logical access
• Encryption
• Digital Signature
• Efficiencies
• Biometric binding of identity
HSPD-12: PIV is an Enabler
The PIV credential is an enabler for efforts across the Federal Government to move toward a stronger, more secure, and more efficient presence on the internet.
Cybersecurity
Strengthens the security and resiliency of critical infrastructure against evolving threats to safeguard the government.
References:
• Cybersecurity Strategy
• FISMA
• PPD on Critical Infrastructure Security and Resilience
E-Government
Promotes the use of electronic forms and offers online-based government services for strong authentication.
References:
• The Digital Government Strategy
• E-SIGN Act
• E-Government Act
Information Sharing
Encourages sustained, responsible, and trusted collaboration to support interoperability across the government.
References:
• National Strategy for Information Sharing and Safeguarding
• ISS EO 13587
Good Steward of IT Resources (IT Spending, Investment Performance)
Emphasizes planning and spending control processes for investment in information systems to support agency missions.
References:
• Clinger-Cohen Act
• M-12-10: PortfolioStat
• M-13-02: Strategic Sourcing
Standards-based Solutions for Meeting Emerging Needs
There is an emerging desire across federal employees to have more flexibility in their work. The Federal Government is moving toward the use of mobile devices and allowing employees to telework.
PIV-derived Credential
• Strongly authenticate
• Digitally sign and encrypt data
• Access applications
Use mobile devices to strongly authenticate to agency resources! Perform these secure transactions from any location!
Agency Status
When considering the HSPD-12 objective to move toward a common credential, the government is succeeding. Today a large number of PIV credentials have been issued; however, an agency is not able to capitalize on the true return on this investment until it begins fully leveraging the credential.
Look at the Numbers
As a result of HSPD-12, agencies have the capabilities necessary to strengthen their current IT infrastructure and address the risks associated with the evolving threat environment.
• 17%: The percentage of incidents reported from unauthorized access (GAO-13-187)
• $7.2M: The estimated cost of a data breach per incident (Bloomberg)
• $1.52B: The estimated cost to Americans related to identity theft (Huffington Post)
• 782%: Increase in cybersecurity incidents reported by federal agencies 2006-2012 (GAO-13-187)
• 46%: Decrease in successful network intrusions resulting from smart card-based PKI logon in the DoD (Realized Value of FPKI)
• $1464/user: Estimated agency savings per year on password resets (Forrester)
• 75%: Reduction of document handling costs, shipping costs and processing costs by using digital signature (Signix.com)
• $100: Total cost savings per user, per year by avoiding use of one-time password tokens (Tyntec)
• 30%: Decrease in the number of successful social engineered e-mail attacks in the DoD, from use of smart card/PKI (Realized Value of FPKI)
• $2.9B/year: Estimated savings realized from switching to digital transactions (Economist)
Takeaways
• PIV is fiscally responsible IT, provides for consolidation of investments, reduces redundancy and stove pipes, and promotes integration.
• PKI is a robust technology that is used every day so that websites can be trusted to conduct transactions, and it supports two- and three-factor authentication.
• HSPD-12 provides a very high level of assurance of identity, and this facilitates trust.
• HSPD-12 provides interoperable, crypto-based authentication for logical and physical access.
• The PIV credential can be used for value-added functionality such as digital signatures, which reduce paper forms, and encryption, which protects data at rest and data in transmission.
Call to Action
Use the PIV Credential at your Agency!
• Ensure that contracts for procurements of IT, building access, and systems enable the PIV credential
• Mandate the use of the PIV credential for network log on and building access
• Accept the PIV credentials of other agency users
• Identify, prioritize, and PIV-enable multi-agency applications
• Phase out redundant infrastructure
OMB M-11-11
M-11-11
Issued February 3, 2011, OMB M-11-11 provides additional guidance for agencies in the continued implementation of HSPD-12 and requires federal agencies to designate a lead official and issue a policy requiring use of the PIV credential. Key points include:
• Effective immediately, all new systems under development must be enabled to use PIV credentials prior to being made operational
• Effective the beginning of FY2012, existing physical and logical access control systems must be upgraded to use PIV credentials prior to the agency using development and technology refresh funds to complete other activities
• Procurements for services and products involving facility or system access control must be in accordance with HSPD-12 policy and the Federal Acquisition Regulation
• Agency processes must accept and electronically verify PIV credentials issued by other federal agencies
• The government-wide architecture and agency transition plans must align, as described in the Federal Identity, Credential, and Access Management Roadmap and Implementation Guidance
http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf
NSTIC
NSTIC
In April 2011, the National Strategy for Trusted Identities in Cyberspace (NSTIC) was developed to enable individuals and organizations to utilize improved identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.
• Addresses the need for a “cybersecurity focused identity management vision and strategy,” as stated in the President’s 2009 Cyberspace Policy Review
• Seeks to establish an Identity Ecosystem where individuals and organizations can trust each other and have confidence in the security of online transactions
NSTIC Guiding Principles state that Identity Solutions will be:
• Privacy-enhancing and voluntary
• Secure and resilient
• Interoperable
• Cost-effective and easy to use
http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf
VanRoekel Memo
VanRoekel Memo
On October 6, 2011 the Office of Management and Budget (OMB) released a policy memorandum related to the acceptance of externally-issued identity credentials by federal applications.
Objectives:
• Calls for agencies to enable the use of externally-issued credentials on web sites that allow members of the public and business partners to register or log on.
• Requires that agencies only accept externally-issued credentials that are issued in accordance with National Institute of Standards and Technology guidelines and Federal Chief Information Officers (CIO) Council processes.
Externally-issued credentials are those that have been issued by an entity other than the Federal Government. In this document, the term externally-issued credential is used interchangeably with third party credential.
Results:
• Reduce the agency costs associated with issuing and managing user credentials.
• Decrease the burden on system users by allowing reuse of an existing credential.
http://www.howto.gov/sites/default/files/omb-req-externally-issued-cred_0.pdf
NSISS Priority Objective #4
NSISS, Priority Objective #4
The NSISS contains Priority Objective #4 (PO #4) to implement FICAM on each of the three security fabrics: Unclassified, Secret, and Top Secret.
As a result of PO #4, implementation plans will be developed for each fabric:
• The Unclassified Implementation Plan will include all unclassified, Sensitive but Unclassified (SBU), and Controlled Unclassified Information (CUI) federal systems and systems/users that interact with these systems.
• The Secret Implementation Plan will include all systems of the Executive Branch that contain secret information.
• The Top Secret Implementation Plan will include all systems of the Executive Branch that contain top secret information.
Distributed Organizations
52
The ICAM Maturity Model can help an agency identify their ICAM priorities, see where they are succeeding, determine where to make additional investment, and decide on the next steps needed to continue improvement.
Bring your Agency Together with ICAM
The ICAM Maturity Model helps measure progress across distributed program areas that are likely to be at different stages of implementation.
ICAM Maturity Model
PIV and PIV-enablement
54
The PIV credential has a variety of security features, notably the use of Public Key Infrastructure (PKI) cryptography to provide strong identity assurance in an interoperable manner.
PIV Credential Overview
Chain of Trust (identity proofing process; common processes): Identity proofing and background investigation processes that build a chain of trust.
Biometric Authentication: Fingerprint and/or iris information used for authentication that binds the identity of the user to the credential.
PIN: Something that only the user knows, used to activate the card so that it can be used to access various applications. Replaces cumbersome and insecure passwords for applications.
Physical Features: Strong anti-counterfeiting features (e.g., laser etching, holographic images).
PKI Authentication: Digital certificate on the card that supports electronic verification of the cardholder.
PKI Digital Signature: For electronically signing documents to provide non-repudiation and message integrity.
PKI Encryption: For cryptographically protecting data at rest and in transit in order to provide confidentiality.
Sample card face: Affiliation: Civilian; Lastname, Firstname, M.; United States Government; Agency/Department: Department of Homeland Security; Issued 01/01/10, Expires 01/01/15; Federal Emergency Response Official; color photograph; contact chip.
55
Imagine a world where a single credential gets you in the front door to your office, onto your computer, allows you to securely sign and encrypt data, and access government-wide tools and resources at other agencies. This world is possible today with the PIV credential.
Using the PIV Credential
Interoperable for government-wide use:
Access your agency’s resources
Access government-wide applications and resources at other agencies
Leverage value-add applications: digital signatures, encryption, transit/payment
56
The Employee Express (EEX) application is operated by OPM. EEX provides federal employees from participating agencies with a central hub to manage a variety of employment-related information such as tax withholding, health coverage, and direct deposit.
To support an enhanced user experience and promote a secure and trusted means of access and authentication, EEX was enabled to accept the PIV card and NASA participated in the pilot deployment of the PIV-enabled application.
The NASA community has a sizeable user population, with approximately 18,500 NASA users having the PIV card option. At the beginning of the pilot there were, on average, over 1,000 PIV card logins each month; during January 2013, EEX was accessed over 3,000 times with PIV cards.
NASA employees have provided positive feedback which indicates PIV-enablement of applications increases ease of use, decreases the need for multiple passwords and usernames, and provides an added level of security.
PIV Credential Success Story
57
The PIV credential provides many features and benefits that other credentials are unable to offer, as depicted below.
PIV Credential vs. Other Credentials
Credential types compared: Password, OTP Tokens, PIV
Comparison criteria: User vetting; High identity assurance; Interoperability; Accredited issuance processes; Cross-agency trust; Use for physical and logical access; Encryption; Digital signature; Efficiencies; Biometric binding of identity
(The matrix marking which credential type provides each feature is not reproduced in this transcript.)
Differing Agency Priorities
59
Based on varying priorities, agencies can choose to focus their implementation efforts around a particular aspect of ICAM to achieve desired results. The ROI toolkit provides case studies that may be leveraged when addressing agency priorities.
The State Department experienced a decrease in the percentage of help desk tickets related to password issues (12.6% in 2006, 8.1% in 2007).
The General Services Administration’s (GSA) IAM Logical Access Initiative worked to lower IT administrative costs by eliminating the need for application-specific passwords and their resetting.
The Bureau of Land Management, within the Department of Interior, undertook a staged rollout of logical access and integrated its credentialing and electronic forms. This facilitated a high reliability of electronic forms via digital signatures.
The Department of Defense (DoD) decreased the number of successful intrusions by 46% due to a requirement that all DoD personnel log on to unclassified networks using a Common Access Card (CAC).
Align ICAM with your Agency’s Priorities
These case studies can be found in more detail in the ROI toolkit. * Please contact [email protected] for access.
60
The ROI Toolkit is a resource that agencies can leverage when demonstrating the value of ICAM and/or building their business case for an ICAM implementation.
ROI Case Study Inventory. Summarizes federal and commercial ICAM case studies and sound bites that can be leveraged to help scope an ICAM business case analysis. The sound bites can be leveraged as more anecdotal improvement metrics or results.
ROI Dashboard Tool. Provides templates for calculating ICAM costs and benefits as well as example reports that can be used when planning for an ICAM implementation.
Building an ICAM Business Case Presentation. Provides a more detailed, step-by-step approach for building an ICAM business case and the cost calculations associated with it. It is to be used in conjunction with the ICAM ROI Dashboard Tool.
ROI Toolkit Overview
Please contact [email protected] to access the ICAM ROI Toolkit.
Agency Mission Drivers
62
ICAM at USDA
“To provide leadership on food, agriculture, natural resources, rural development, nutrition, and related issues based on sound public policy, the best available science, and efficient management.”
• Supports compliance with USDA and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress
• Provides protection of USDA’s physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
• Promotes a high-level of security, privacy, and protection for sharing and storage of sensitive data and information
• Improves interoperability between USDA PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
• Promotes collaboration across the USDA enterprise and with mission partners
• Allows USDA to focus limited funds and personnel resources on promoting nutrition for the American Public and protecting food and natural resources.
The Department of Agriculture
How ICAM Supports USDA’s Mission
63
ICAM at DOC
“To promote job creation, economic growth, sustainable development, and improved living standards for all Americans, by working in partnership with business, universities, communities, and workers.”
• Supports compliance with DOC and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress
• Provides protection of DOC’s physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
• Promotes a high-level of security, privacy, and protection for sharing and storage of sensitive data and information
• Improves interoperability between DOC PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
• Promotes collaboration across the DOC enterprise and with mission partners
• Allows DOC to focus limited funds and personnel resources on promoting a sustainable work environment for the American Public.
The Department of Commerce
How ICAM Supports DOC’s Mission
64
ICAM at DoD
“To provide the military forces needed to deter war and to protect the security of our country.”
• Supports compliance with DoD and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress
• Provides protection of DoD’s physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
• Promotes a high-level of security, privacy, and protection for sharing and storage of sensitive data and information
• Improves interoperability between DoD CAC holders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
• Promotes collaboration across the DoD enterprise and with mission partners
• Allows DoD to focus limited funds and personnel resources on protecting the safety of the American Public and Armed Forces.
The Department of Defense
How ICAM Supports DoD’s Mission
65
ICAM at ED
“To promote student achievement and preparation for global competitiveness by fostering educational excellence and ensuring equal access.”
• Supports compliance with ED and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress
• Provides protection of ED’s physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
• Promotes a high-level of security, privacy, and protection for sharing and storage of sensitive data and information
• Improves interoperability between ED PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
• Promotes collaboration across the ED enterprise and with mission partners
• Allows ED to focus limited funds and personnel resources on promoting student achievement and academic excellence.
The Department of Education
How ICAM Supports ED’s Mission
66
ICAM at DOE
“To ensure America’s security and prosperity by addressing its energy, environmental and nuclear challenges through transformative science and technology solutions.”
• Supports compliance with DOE and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress
• Provides protection of DOE’s physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
• Promotes a high-level of security, privacy, and protection for sharing and storage of sensitive data and information
• Improves interoperability between DOE PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
• Promotes collaboration across the DOE enterprise and with mission partners
• Allows DOE to focus limited funds and personnel resources on modernizing the energy grid and protecting the environment.
The Department of Energy
How ICAM Supports DOE’s Mission
67
ICAM at HHS
“To serve as the United States government's principal agency for protecting health and providing essential human services to Americans.”
• Supports compliance with HHS and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress
• Provides protection of HHS physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
• Promotes a high-level of security, privacy, and protection for sharing and storage of sensitive data and information
• Improves interoperability between HHS PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
• Promotes collaboration across the HHS enterprise and with mission partners
• Allows HHS to focus limited funds and personnel resources on providing essential health-related services to the American Public.
The Department of Health and Human Services
How ICAM Supports HHS’ Mission
68
ICAM at DHS
“To ensure a homeland that is safe, secure, and resilient against terrorism and other hazards.”
• Supports compliance with DHS and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress
• Provides protection of DHS physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
• Promotes a high-level of security, privacy, and protection for sharing and storage of sensitive data and information
• Improves interoperability between DHS PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
• Promotes collaboration across the DHS enterprise and with mission partners
• Allows DHS to focus limited funds and personnel resources on safeguarding the American Public from foreign and domestic threats.
The Department of Homeland Security
How ICAM Supports DHS’ Mission
69
ICAM at HUD
“To create strong, sustainable, inclusive communities and quality affordable homes for all.”
• Supports compliance with HUD and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress
• Provides protection of HUD’s physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
• Promotes a high-level of security, privacy, and protection for sharing and storage of sensitive data and information
• Improves interoperability between HUD PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
• Promotes collaboration across the HUD enterprise and with mission partners
• Allows HUD to focus limited funds and personnel resources on promoting strong communities and living environments.
The Department of Housing and Urban Development
How ICAM Supports HUD’s Mission
70
ICAM at DOJ
“To enforce the law and defend the interests of the United States according to the law; to ensure public safety against threats foreign and domestic; to provide federal leadership in preventing and controlling crime; to seek just punishment for those guilty of unlawful behavior; and to ensure fair and impartial administration of justice for all Americans.”
• Supports compliance with DOJ and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress
• Provides protection of DOJ’s physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
• Promotes a high-level of security, privacy, and protection for sharing and storage of sensitive data and information
• Improves interoperability between DOJ PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
• Promotes collaboration across the DOJ enterprise and with mission partners
• Allows DOJ to focus limited funds and personnel resources on promoting and defending federal law.
The Department of Justice
How ICAM Supports DOJ’s Mission
71
ICAM at DOL
“To foster, promote, and develop the welfare of the wage earners, job seekers, and retirees of the United States; improve working conditions; advance opportunities for profitable employment; and assure work-related benefits and rights.”
• Supports compliance with DOL and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress
• Provides protection of DOL’s physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
• Promotes a high-level of security, privacy, and protection for sharing and storage of sensitive data and information
• Improves interoperability between DOL PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
• Promotes collaboration across the DOL enterprise and with mission partners
• Allows DOL to focus limited funds and personnel resources on promoting the well-being of the American worker through protection of work-related benefits and rights.
The Department of Labor
How ICAM Supports DOL’s Mission
72
ICAM at STATE
“To create a more secure, democratic, and prosperous world for the benefit of the American people and the international community.”
• Supports compliance with STATE and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress
• Provides protection of STATE’s physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
• Promotes a high-level of security, privacy, and protection for sharing and storage of sensitive data and information
• Improves interoperability between STATE PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
• Promotes collaboration across the STATE enterprise and with mission partners
• Allows STATE to focus limited funds and personnel resources on promoting United States diplomacy abroad.
The Department of State
How ICAM Supports STATE’s Mission
73
ICAM at DOI
“To protect America’s natural resources and heritage, honor our cultures and tribal communities, and supply the energy to power our future.”
• Supports compliance with DOI and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress
• Provides protection of DOI’s physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
• Promotes a high-level of security, privacy, and protection for sharing and storage of sensitive data and information
• Improves interoperability between DOI PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
• Promotes collaboration across the DOI enterprise and with mission partners
• Allows DOI to focus limited funds and personnel resources on promoting the protection and sustainment of natural resources and tribal communities.
The Department of Interior
How ICAM Supports DOI’s Mission
74
ICAM at TREAS
“Maintain a strong economy and create economic and job opportunities by promoting the conditions that enable economic growth and stability at home and abroad, strengthen national security by combating threats and protecting the integrity of the financial system, and manage the U.S. Government’s finances and resources effectively.”
• Supports compliance with TREAS and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress
• Provides protection of TREAS physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
• Promotes a high-level of security, privacy, and protection for sharing and storage of sensitive data and information
• Improves interoperability between TREAS PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
• Promotes collaboration across the TREAS enterprise and with mission partners
• Allows TREAS to focus limited funds and personnel resources on managing and promoting the integrity of the U.S. financial system.
The Department of Treasury
How ICAM Supports TREAS’ Mission
75
ICAM at DOT
“To serve the United States by ensuring a fast, safe, efficient, accessible and convenient transportation system that meets our vital national interests and enhances the quality of life of the American people, today and into the future.”
• Supports compliance with DOT and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress
• Provides protection of DOT physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
• Promotes a high-level of security, privacy, and protection for sharing and storage of sensitive data and information
• Improves interoperability between DOT PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
• Promotes collaboration across the DOT enterprise and with mission partners
• Allows DOT to focus limited funds and personnel resources on promoting transportation and infrastructure to meet the needs of the American people.
The Department of Transportation
How ICAM Supports DOT’s Mission
76
ICAM at VA
“To fulfill President Lincoln's promise “To care for him who shall have borne the battle, and for his widow, and his orphan” by serving and honoring the men and women who are America’s veterans.”
• Supports compliance with VA and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress
• Provides protection of VA physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
• Promotes a high-level of security, privacy, and protection for sharing and storage of sensitive data and information
• Improves interoperability between VA PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
• Promotes collaboration across the VA enterprise and with mission partners
• Allows VA to focus limited funds and personnel resources on protecting Veteran information and secure data/infrastructure assets from internal and external threats.
The Department of Veterans Affairs
How ICAM Supports VA’s Mission
Agency Resources
78
There are many ICAM resources available to agencies to address the various aspects of ICAM implementation.
ICAM Resources
FICAM Roadmap V2.0
ICAM ROI Toolkit*
ICAM Maturity Model
ICAM Snapshot Brochure
Modernized PACS Brochure
Modernized LACS Brochure
* Please contact [email protected] to access the ICAM ROI Toolkit.
Intersection of ICAM and Emerging Needs
80
As the ICAM landscape continues to evolve, agencies are looking for ways to meet emerging needs such as the following.
Intersection of ICAM and Emerging Needs
Evolution of mobile security
Popularity of cloud computing
Keeping pace with the commercial IAM space
Support for federation and visitor management
Growth of shared services
Surge of single sign-on solutions
Implementing an enterprise IAM system
Evolution of Mobile Security
82
The proliferation of internet-enabled mobile devices has created the need to secure the devices themselves and to manage employee and contractor access to data from those devices, so that security is maintained regardless of how a user accesses resources.
Did you know that...
Evolution of Mobile Security
PIV-derived Credential
The government is working to certify and acquire mobile devices that meet its needs!
PIV-derived credentials will be the approved credentials for securely accessing and using mobile devices.
Growth of Shared Services
84
Agencies are working together to develop services to address common agency capabilities and capitalize on efficiencies in an effort to meet ICAM goals while saving money for the Federal Government. These common services include:
Backend Attribute Exchange (BAE) provides secure, standards-based retrieval of information from authoritative sources that enables access control decisions and secure information sharing.
Federal Cloud Credential Exchange (FCCX) is a core capability to consume, validate, and translate third-party credentials to relying party applications across multiple agencies, providing a single, easy-to-access integration point.
The GSA USAccess Managed Service Office (MSO) is the executive agent responsible for providing federal agencies with interoperable identity management and credentialing solutions.
Growth of Shared Services
For more information on Goal 4: FICAM Roadmap V2.0
Backend Attribute Exchange (BAE)
86
The BAE specification was first developed in May 2008 and has since been successfully demonstrated through a pilot program between the Department of Defense (DoD) and the Department of Homeland Security (DHS) to support information exchange between mission partners during emergency response events.
The Background of the BAE
The BAE Business Case and Lifecycle Sustainment Analysis was created as a joint effort supported by the Program Manager for the Information Sharing Environment (PM-ISE) and the ICAMSC. This effort:
Explored key business drivers, benefits, and challenges related to the pursuit of the enterprise BAE capability
Identified expected lifecycle costs and funding considerations
Provided recommendations regarding the feasibility of the enterprise BAE capability and potential implementation considerations
87
The enterprise BAE capability represents the common interest of the PM-ISE and ICAMSC communities in securely and efficiently sharing mission-specific attribute information in a collaborative environment. PM-ISE supports innovation and implementation of secure information sharing capabilities among the Federal Government and collaborating organizations. The ICAMSC (the ICAM Subcommittee) develops and recommends policies, procedures, and standards related to identity management, authentication, and secure access.
The analysis represented in this presentation highlights the following high-level benefits regarding the enterprise BAE capability, as it:
Offers increased flexibility and scalability. BAE provides a secure way to share information and facilitate collaboration between multiple organizations. It aligns with multiple mission needs and is applicable to a broad variety of applications and uses.
Brings a strong, broad potential customer base. An enterprise BAE capability would have a strong, immediate customer base within the information sharing environment which could include agencies and stakeholders (i.e., anyone who has an information sharing need).
Extends the federal trust infrastructure. Through its centralized governance structure, the enterprise BAE capability promotes trust between the attribute provider and consumer.
The BAE Capability Defined
88
GSA’s Office of Governmentwide Policy (OGP) has the responsibility to support coordination across the various policy and standards efforts affecting the Federal ICAM Initiative and to promote the consistent implementation of ICAM solutions at the agency level.
BAE’s Authority
OMB M-11-11 requires agencies to align with the ‘Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance.’
FICAM Roadmap Initiative 5 calls for streamlining the collection and sharing of digital identity data through the use of the BAE to support sharing of data elements for use in shared mission or business areas.
89
BAE for Information Sharing
Participants: Agency A user with credential; Agency B protected resource; Agency A Attribute Service (BAE profile compliant); Externalized Authorization Manager B (the policy decision point, PDP).
1. The Agency A user needs access to, or information from, Agency B.
2. User A is authenticated.
3. Agency B needs “off-credential” information to authorize User A to access the resource, so it asks its own Authorization Engine B (the PDP).
4. Agency B and Agency A communicate to exchange user information about User A (the PDP queries Agency A’s Attribute Service).
5. The user is granted access.
90
Due to the flexibility of the BAE model, it can support any set of attributes agreed upon by a particular community.
The following slides describe several sample use scenarios for the BAE to demonstrate its possible applications:
Attribute Based Access Control (ABAC)
Sensitive but Unclassified (SBU) Environment Simplified Sign-on (SSO)
Background Investigation Reciprocity
Visitor Management
BAE Use Case Scenarios
91
ABAC focuses on characteristics that describe people, resources, and environments. The requester presents attributes, which are compared to those documented as requirements for granting or denying access, at which point an access decision is made.
ABAC is a suggested use where an organization has:
Existing complex access rule sets
A high volume of visitors requesting access to systems
A mission focused on collaboration
Attribute Based Access Control (ABAC)
92
The following table summarizes the key details associated with the ABAC use scenario:
Attribute Based Access Control (ABAC)
ICAM Services Provided: Authorization and Access; Privilege Management
Transactional Data: Mission-specific attributes; Privilege attributes
Benefits:
• Requires only one set of information-sharing agreements to join, instead of needing to establish multiple bilateral attribute sharing agreements between multiple partners.
• Enhances ability to coordinate with partners outside the federal space.
• Places responsibility on both attribute provider and consumer for attribute information lifecycle management.
• Requires no advance knowledge of requestors.
• Is highly adaptable to changing needs; efficient for agencies where individuals come and go frequently.
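The BAE information-sharing flow and the ABAC scenario above are easier to see as an executable model. The Python below is an added illustration, not code from this briefing, from the BAE specification, or from any agency system: it does not implement the real BAE profile or its message formats, and the subject identifiers, attribute names, release policy and access rules are all constructed for the example. It models Agency A's attribute service releasing only the attributes its sharing agreement with a given consumer allows, and Agency B's externalized authorization manager (PDP) combining the assurance level carried by the authenticated credential with the fetched "off-credential" attributes to reach a deny-by-default decision that is also written to an audit trail.

```python
"""Toy model of the BAE flow: Agency B's PDP pulls off-credential attributes
about an Agency A user from Agency A's attribute service and makes an ABAC
decision. Every identifier, attribute and rule here is a constructed
assumption; the real BAE profile and message formats are not modelled."""
from dataclasses import dataclass, field

# Constructed attribute store for Agency A, keyed by the subject identifier
# Agency B learned when it authenticated the user's credential (assumed to be
# an opaque string here).
AGENCY_A_ATTRIBUTES = {
    "piv:agencyA:1001": {"clearance": "Secret", "role": "emergency_responder",
                         "bi_complete": True, "employment": "active"},
    "piv:agencyA:1002": {"clearance": "None", "role": "analyst",
                         "bi_complete": True, "employment": "active"},
    "piv:agencyA:1003": {"clearance": "Secret", "role": "emergency_responder",
                         "bi_complete": True, "employment": "separated"},
}

# One information-sharing agreement per consumer: which attributes Agency A
# releases to whom. Attributes not listed are never returned.
RELEASE_POLICY = {
    "AgencyB": {"clearance", "role", "bi_complete", "employment"},
    "AgencyC": {"bi_complete"},
}


class AttributeService:
    """Agency A's attribute provider (simplified stand-in for a BAE endpoint)."""

    def __init__(self, store, release_policy):
        self._store = store
        self._release = release_policy

    def query(self, consumer: str, subject_id: str) -> dict:
        """Return only the attributes this consumer is entitled to receive."""
        allowed = self._release.get(consumer)
        if allowed is None:
            raise PermissionError(f"no sharing agreement with {consumer}")
        record = self._store.get(subject_id, {})  # unknown subject -> nothing
        return {k: v for k, v in record.items() if k in allowed}


@dataclass
class Decision:
    permit: bool
    reason: str
    attributes_used: dict = field(default_factory=dict)


# Constructed Agency B policy: each protected resource lists the attribute
# values a requester must present. Resources not listed are denied by default.
AGENCY_B_POLICY = {
    "incident-map": {"min_assurance": 4, "clearance": {"Secret", "Top Secret"},
                     "role": {"emergency_responder"}, "bi_complete": {True},
                     "employment": {"active"}},
    "public-bulletin": {"min_assurance": 2, "bi_complete": {True}},
}


class PolicyDecisionPoint:
    """Agency B's externalized authorization manager."""

    def __init__(self, policy, attribute_service, agency="AgencyB"):
        self._policy = policy
        self._attrs = attribute_service
        self._agency = agency
        self.audit = []  # every decision, permit or deny, is recorded

    def authorize(self, subject_id: str, assurance_level: int, resource: str) -> Decision:
        rules = self._policy.get(resource)
        if rules is None:
            return self._record(subject_id, resource, Decision(False, "unknown resource"))
        # Assurance level comes from the credential itself (step 2); everything
        # else is off-credential and must be fetched from Agency A (steps 3-4).
        if assurance_level < rules["min_assurance"]:
            return self._record(subject_id, resource, Decision(False, "assurance level too low"))
        try:
            attrs = self._attrs.query(self._agency, subject_id)
        except PermissionError as exc:
            return self._record(subject_id, resource, Decision(False, str(exc)))
        for name, accepted in rules.items():
            if name == "min_assurance":
                continue
            if name not in attrs:
                return self._record(subject_id, resource, Decision(False, f"missing attribute {name}", attrs))
            if attrs[name] not in accepted:
                return self._record(subject_id, resource, Decision(False, f"{name}={attrs[name]!r} not accepted", attrs))
        return self._record(subject_id, resource, Decision(True, "all attribute requirements met", attrs))

    def _record(self, subject_id, resource, decision):
        self.audit.append((subject_id, resource, decision.permit, decision.reason))
        return decision


def demo():
    """Run the constructed cases through the PDP; returns (decisions, audit trail)."""
    pdp = PolicyDecisionPoint(AGENCY_B_POLICY, AttributeService(AGENCY_A_ATTRIBUTES, RELEASE_POLICY))
    results = {
        "responder": pdp.authorize("piv:agencyA:1001", 4, "incident-map"),
        "analyst": pdp.authorize("piv:agencyA:1002", 4, "incident-map"),
        "separated": pdp.authorize("piv:agencyA:1003", 4, "incident-map"),
        "unknown_subject": pdp.authorize("piv:agencyA:9999", 4, "public-bulletin"),
        "weak_credential": pdp.authorize("piv:agencyA:1001", 1, "incident-map"),
    }
    return results, pdp.audit


if __name__ == "__main__":
    for who, d in demo()[0].items():
        print(f"{who:16} permit={d.permit!s:5} reason={d.reason}")
```

Running the file prints one decision per constructed case. Two details carry the practitioner's point: the attribute service filters by consumer before it answers, so a partner with a narrower agreement (AgencyC here) never sees clearance or role data even for a subject it can name; and the PDP records every decision with its reason, which is the activity logging that the auditing and reporting component described earlier in this briefing depends on.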
93
A mechanism that reduces the need for multiple logins and authentication processes when accessing a variety of independently owned and maintained SBU/CUI resources.
SBU SSO is a suggested use where an organization:
Has current federal, state, local, and tribal partners
Works at DHS Fusion Centers
Needs access to an SSO SBU/CUI service
Partners with PM-ISE
SBU Environment Simplified Sign-on (SSO)
94
The following table summarizes the key details associated with the SBU/CUI environment SSO use scenario:
SBU Environment Simplified Sign-on (SSO)
ICAM Services Provided: Authorization and Access; Digital Identity Management
Transactional Data: Mission-specific attributes; Personnel attributes needed for authentication
Benefits
• Provides a means of maintaining integrity of multiple SBU/CUI systems by quickly identifying, authenticating, and authorizing a user.
• Supports and enhances SBU/CUI information collaboration for individuals with a variety of organizational affiliations, including non-federal partners
• Requires only one set of information-sharing agreements to join, rather than needing to establish multiple bilateral attribute sharing agreements between multiple partners
• Allows an individual’s attributes to be correlated from multiple organizations or sources to create a unified identity for SSO login.
• Reduces points of entry and increases prevalence of SSO capabilities across multiple applications.
• Supports interoperability with the Global Federated Identity and Privilege Management (GFIPM) and National Information Exchange Federation (NIEF).
95
The process by which an individual’s background-check completeness attribute is requested and received from the authoritative source.
Background investigation reciprocity is a suggested use where an organization:
Has a high volume of visitors
Has a high volume of outside collaboration
On-boards contractors
Temporarily employs detailed personnel
Has multiple inter-agency personnel transfers
Has current federal, state, local, and tribal partners
Background Investigation Reciprocity
96
Background Investigation Reciprocity
The following table summarizes the key details associated with the Background Investigation Reciprocity use scenario:
Elements | Details
ICAM Services Provided | • Digital Identity Management • Authorization and Access
Transactional Data | • Background investigation completeness attribute
Benefits |
• Reduces the time needed for an agency to confirm that a background check has been completed.
• Potentially streamlines contractor on-boarding, inter-agency personnel transfer, internal hiring, and Visitor Management Systems (VMS)/services.
• Assists in reducing paperwork submission and administrative burden on both the organization and the individual.
• Supports more efficient PIV card provisioning.
Visitor Management
A Visitor Management System (VMS) gathers a visiting individual’s personal information, allows for its processing, and takes any additionally needed internal and external steps to prepare the agency for a visitor.
Visitor management is a suggested use for an organization due to:
• The fact that you are an authoritative attribute provider of background investigation completeness
• You are an attribute consumer
• Your organization has a high volume of visitors, including state, local, and tribal law enforcement partners, as well as contractors
• Your organization has a high volume of outside collaboration
• Your agency temporarily employs detailed personnel
Visitor Management
The following table summarizes the key details associated with the Visitor Management use scenario:
Elements | Details
ICAM Services Provided | • Authorization and Access
Transactional Data | • Background investigation status • Clearance level • Various identity attributes • Personally Identifiable Information (PII) attributes
Benefits |
• Offers opportunity for increased efficiency over commonly used point-to-point attribute sharing relationships.
• Improves timeliness of obtaining visitor attributes from the individual’s home organization.
• Supports more efficient Visitor Management System (VMS) pre-screening prior to an individual’s arrival at the agency.
• Supports customization of BAE capability according to agency needs and internal VMS processes.
• Assists in achieving the target state described in the FICAM Roadmap, which specifies an agency move away from manual paper-based methods for managing visitors and implementing an electronic enterprise VMS capability, leveraging existing PIV infrastructure.
• Offers opportunity to reduce paperwork submission and administrative burden on both the organization and the individual.
Benefits Realized by BAE Customer
The benefits associated with enterprise BAE capability adoption include:
Increased National Security. Contributes to enhancing the ability to detect, prevent, or disrupt terrorist activity; reduces incident response time to terrorist and natural-disaster related emergencies; and increases the ability to share information with other organizations responding to the same national security-related issues.
Enhanced service delivery. Enhances service delivery for mission partners and customers by shortening the time from when an information sharing need is identified to when it is delivered.
Increased opportunity for collaboration. Increases the ease of collaboration between federal, state, local and tribal law enforcement agencies, as well as other mission partners.
Improved efficiency. Improves the efficiency of collecting and maintaining information. By allowing for the streamlined electronic request and transfer of information, the enterprise BAE capability can reduce the administrative burden on an organization.
Reduced total investment. Reduces the total investment costs incurred by customers for a secure information sharing capability. The total investment is considerably less than the costs associated with establishing individual information sharing systems.
Federal Cloud Credential Exchange (FCCX)
FCCX Overview
FCCX is a White House-initiated effort to establish a secure, efficient, and privacy-enhancing cloud-based government-wide service that will provide federal agencies with the ability to accept and authenticate FICAM-approved third-party credentials for their externally-facing applications.
Once fully functional, the FCCX capability will:
• Support the ability to consume, validate, and translate credentials to relying party applications across multiple agencies.
• Provide a single, easy-to-access integration point that can ensure agencies do not have to keep building and maintaining single-use, point-to-point connections for the same approved credentials.
At present, the FCCX effort is focused on the following activities:
• Developing governance documents that will outline the expectations for customers, third-party credential providers, and other parties interested in the service;
• Procuring a technology provider to support the technical services and infrastructure required to operate the FCCX capability;
• Determining agency resources that are currently being expended to support credentialing and authentication of external users;
• Working with identity providers to determine an appropriate business model for issuing and authenticating third-party credentials via the FCCX capability; and
• Coordinating resources to efficiently implement the FCCX proof-of-concept.
FCCX Facilitates Alignment of Federal Goals
NSTIC Objective 2.3: Implement the Federal Government Elements of the Identity Ecosystem
• The Federal Government must continue to lead by example and be an early adopter of identity solutions that align with the Identity Ecosystem Framework.
• The Federal Government must also continue to leverage its buying power as a significant customer of the private sector to motivate the supply of these solutions.
Agency Challenges Uncovered
• Multiple credentials/accounts for single users
• Difficulty managing accounts and account access rights
• Operating at a lower level of assurance than required for the information being transferred
FICAM Strategic Goals
• Comply with federal laws, regulations, standards and governance
• Facilitate eGovernment by streamlining access to services
• Improve security posture across the Federal Enterprise
• Enable trust and interoperability
• Reduce costs and increase efficiency associated with ICAM
1. Achieve credential interoperability, ensuring that customers can use a single FICAM accredited credential, if they so choose, across all agencies at the same Level of Assurance (LOA) rather than be asked to get a new credential for each agency application
2. Make it easier for any agency to quickly and affordably integrate with – and consume – credentials provided by accredited third parties for customers to access online applications
3. Ensure that agencies (and the taxpayer) do not duplicate efforts and expenditures to build the same system and pay for the associated maintenance and updates to that system
[Diagram: FCCX (Federal Cloud Credential Exchange) shown as a hub between third-party credential providers and agency applications; credential types pictured: OpenID/LOA1, SAML/LOA3, PKI]
• Each agency connects just once
• FCCX does the heavy lifting
• Guaranteed interoperability of credentials across agencies
• Offers agencies and citizens an easy path to more choice
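The exchange pattern sketched on the FCCX slides above (consume a third-party credential, validate it, translate it for a relying party at the required LOA), as an added example that is not FCCX's own code or design. It models the hub as a small broker: only providers on an approved list are accepted, a credential is released to an application only if its LOA meets that application's minimum, each application receives a pairwise subject identifier so users cannot be correlated across agencies, and only the attributes the application is entitled to are passed on. The provider registry, application registry, LOA values, hub secret and all sample assertions are constructed assumptions for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed registry of approved third-party credential providers:
# provider id -> (protocol, Level of Assurance). Names and LOAs are assumptions
# chosen to match the credential types pictured on the slide, not a real trust list.
APPROVED_PROVIDERS: Dict[str, Tuple[str, int]] = {
    "openid-provider-example": ("OpenID", 1),
    "saml-provider-example": ("SAML", 3),
    "pki-provider-example": ("PKI", 4),
}

# Constructed registry of agency relying-party applications:
# application id -> (minimum LOA required, attributes the application may receive).
RELYING_PARTIES: Dict[str, Tuple[int, Tuple[str, ...]]] = {
    "public-info-portal": (1, ("email",)),
    "grant-submission": (3, ("email", "given_name", "family_name")),
    "records-admin": (4, ("email", "given_name", "family_name", "org")),
}

# Hub-held secret for deriving pairwise subject identifiers (constructed; a real hub
# would keep this in an HSM or secrets manager, never in source).
HUB_SECRET = b"example-hub-secret-for-illustration-only"


@dataclass(frozen=True)
class InboundAssertion:
    """A credential assertion as received from a provider, before the hub validates it."""
    provider_id: str
    protocol: str
    subject: str                                  # provider-scoped subject identifier
    attributes: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class NormalizedAssertion:
    """What the relying party receives: one format regardless of the inbound protocol."""
    relying_party: str
    pairwise_subject: str                         # differs per relying party
    loa: int
    source_protocol: str
    attributes: Dict[str, str]


class CredentialExchange:
    """Hub that validates provider assertions and translates them for relying parties."""

    def __init__(self, providers, relying_parties, secret: bytes):
        self.providers = providers
        self.relying_parties = relying_parties
        self.secret = secret

    def validate(self, assertion: InboundAssertion) -> int:
        """Accept only approved providers whose registered protocol matches; return the LOA."""
        entry = self.providers.get(assertion.provider_id)
        if entry is None:
            raise ValueError(f"provider {assertion.provider_id!r} is not on the approved list")
        protocol, loa = entry
        if protocol != assertion.protocol:
            # An assertion claiming a protocol the provider is not registered for is
            # rejected rather than silently mapped to the provider's LOA.
            raise ValueError(f"provider {assertion.provider_id!r} is registered for {protocol}, not {assertion.protocol}")
        return loa

    def pairwise_id(self, assertion: InboundAssertion, rp_id: str) -> str:
        """Keyed hash of (provider, subject, relying party): stable for one application,
        unlinkable across applications, so agencies cannot correlate a user between them."""
        msg = f"{assertion.provider_id}|{assertion.subject}|{rp_id}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def translate(self, assertion: InboundAssertion, rp_id: str) -> NormalizedAssertion:
        """Validate the credential, enforce the application's minimum LOA, and release only
        the attributes that application is entitled to."""
        if rp_id not in self.relying_parties:
            raise KeyError(f"unknown relying party {rp_id!r}")
        required_loa, allowed_attrs = self.relying_parties[rp_id]
        loa = self.validate(assertion)
        if loa < required_loa:
            raise PermissionError(f"{rp_id} requires LOA {required_loa}; credential provides LOA {loa}")
        released = {k: v for k, v in assertion.attributes.items() if k in allowed_attrs}
        return NormalizedAssertion(rp_id, self.pairwise_id(assertion, rp_id), loa, assertion.protocol, released)


def demo() -> Dict[str, str]:
    """Run one constructed assertion of each kind through the hub; returns outcome per case."""
    hub = CredentialExchange(APPROVED_PROVIDERS, RELYING_PARTIES, HUB_SECRET)
    attrs = {"email": "user@example.org", "given_name": "Pat", "family_name": "Doe", "org": "ExampleCo"}
    cases = {
        "saml-to-grant": (InboundAssertion("saml-provider-example", "SAML", "user-42", attrs), "grant-submission"),
        "openid-to-grant": (InboundAssertion("openid-provider-example", "OpenID", "user-42", attrs), "grant-submission"),
        "unknown-provider": (InboundAssertion("rogue-idp", "SAML", "user-42", attrs), "public-info-portal"),
    }
    outcomes = {}
    for name, (assertion, rp) in cases.items():
        try:
            out = hub.translate(assertion, rp)
            outcomes[name] = f"accepted at LOA {out.loa}, released {sorted(out.attributes)}"
        except (ValueError, PermissionError) as exc:
            outcomes[name] = f"rejected: {exc}"
    return outcomes


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The LOA check is the part that addresses the "operating at a lower level of assurance than required" challenge listed on the slide: an LOA 1 OpenID credential is accepted for the LOA 1 portal but refused for the LOA 3 application, regardless of which attributes it carries. The pairwise identifier is what makes a single credential usable across agencies without giving those agencies a common key to join their records on.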
The GSA USAccess Managed Service Office (MSO)
The GSA Federal Acquisition Service launched the HSPD-12 Managed Services Office (HSPD-12 MSO) on September 13, 2006, providing turn-key services to produce compliant PIV credentials.
The MSO established the USAccess program, a managed, shared service solution that simplifies the process of procuring and maintaining compliant PIV credentials.
The USAccess program enables U.S. Federal Government agencies to credential employees, contractors, and affiliates.
The USAccess program provides agencies with all the key components necessary to manage the full life-cycle of a PIV credential.
Popularity of Cloud Computing
As agencies modernize their infrastructures, they should seek to take advantage of the benefits offered by cloud computing. Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
The cloud leverages:
• On-demand self-service
• Broad network access
• Massive scale
• Virtualization
• Resilient computing
• Geographic distribution
• Service orientation
• Advanced security technologies
Cloud Computing in the Federal Environment
Leveraging shared infrastructure and the economies of scale associated with cloud computing, agencies can measure and pay for the IT resources they consume to match current requirements and budget constraints.
The Federal Cloud Computing Strategy: Emphasizes the capability of cloud computing to reduce inefficiencies and improve service delivery.
http://www.dhs.gov/sites/default/files/publications/digital-strategy/federal-cloud-computing-strategy.pdf
M-10-19: Directs agencies to evaluate the potential to adopt cloud computing solutions by analyzing computing alternatives for IT investments.
http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-19.pdf
Cloud Computing Considerations
There is a fundamental shift in focus from asset ownership to service management when leveraging cloud computing. Agencies need to actively monitor emerging security threats and re-evaluate the service received periodically.
As agencies modify their IT portfolios to fully take advantage of the benefits of cloud computing, they will be able to maximize capacity utilization, improve IT flexibility and responsiveness, and minimize cost. Agencies will also realize the following benefits:
• Increased efficiency (with improved asset and server utilization).
• Enhanced productivity in application development, application management, network, and end-use.
• Increased responsiveness to urgent agency needs.
• Enhanced collaboration with private sector innovation.
• Increased linking to emerging technologies (e.g., devices).
http://www.dhs.gov/sites/default/files/publications/digital-strategy/federal-cloud-computing-strategy.pdf
Keeping Pace with the IAM Commercial Space
FICAM incorporates best practices from the commercial space. The government is following the lead that the commercial space has set in creating efficiencies in a cost effective manner, particularly around cloud computing:
• The commercial space has taken advantage of the technologies available for cloud computing to improve resource utilization, increase service responsiveness, and achieve meaningful benefits in efficiency, agility, and innovation.
• Cloud computing offers the government an opportunity to apply the innovations of the commercial space through more effective use of IT investments.
Support for Federation and Visitor Management
Today there are various ad hoc processes in place when an employee or contractor visits another agency. A Visitor Management System (VMS) gathers a visiting individual’s personal information, allows for its processing, and takes any additionally needed internal and external steps to prepare the agency for a visitor.
The BAE can improve this process!
• Improves timeliness of obtaining visitor attributes from the individual’s home organization.
• Supports more efficient VMS pre-screening prior to an individual’s arrival at the agency.
• Assists in achieving the target state described in the FICAM Roadmap, which specifies an agency move away from manual paper-based methods for managing visitors and implementing an electronic enterprise VMS capability, leveraging existing PIV infrastructure.
• Offers opportunity to reduce paperwork submission and administrative burden on both the organization and the individual.
Visitor Management Benefits Associated with the BAE
A customer of the BAE is positioned to realize benefits internal to the agency as well as to the larger Federal Government.
Reduce Risk | Decrease Hassle | Increase Power | Gain Praise | Save Money
• Reduce the paperwork submission of personally identifiable information (PII) on both the organization and the individual.
• Support more efficient visitor management pre-screening prior to an individual’s arrival at the agency to reduce the need for human intervention.
• Reduce administrative burden and redundant processes.
• Improve timeliness of obtaining visitor attributes from the individual’s home organization.
• Lead in innovation by supporting the FICAM target state through protecting, serving, and safeguarding.
• Assist in achieving M-11-11 through alignment with the FICAM Roadmap, in moving away from manual paper-based methods for managing visitors.
• Reduce upfront cost through leveraging the shared service which GSA is providing.
• Support customization of the BAE capability according to the agency needs and internal visitor management processes.
• Retain full control of information held, allowing the opportunity to maintain ownership of information and maintain discretion on access to information.
• Increase national security by transmitting data in a secure and consistent format.
Surge of Single Sign-on Solutions
Single Sign-On (SSO) – a mechanism by which a single act of user authentication and log on enables access to multiple independent resources.
When agencies are considering modernizing their Logical Access architecture and design, SSO should be a consideration to help relieve application owners from managing and administering credentials, but it is also great for the user! SSO…
• Eliminates the need to authenticate multiple times with the PIV credential (accessing protected applications as the session and application policy allow)
• Streamlines the access process
• Creates transparency in access across applications
This information has been derived from the FICAM Roadmap; for more detailed information see Chapter 11.
Implementing an Enterprise IAM System
An enterprise solution for ICAM allows an agency to maximize investment while meeting ICAM requirements in a consistent, secure manner.
“A department with a modern, homogeneous infrastructure could save as much as 30 percent on infrastructure costs, field applications more quickly and less costly, and provide improved IT security. Given the structure of Agency budgets and organizations, it is very difficult for an Agency CIO to have the tools available to drive such standardization.”
Source: The DHS CIO testimony before the House Committee on Oversight and Government Reform released on February 27, 2013
An enterprise IAM solution allows an agency to:
• Standardize and streamline processes
• Leverage existing tools across multiple components/bureaus
• Pass identity data and information across functional areas
• Eliminate redundant IT investments
Implementing an Enterprise IAM System
An enterprise solution provides benefits that span across the agency and helps to check the boxes of the ICAM target state:
• Reduced administrative burden
• Increased interoperability with partners
• Reduced infrastructure costs through enterprise technology
• Increased cost savings through leveraging enterprise licensing
Resources
ICAM Resources
There are many ICAM resources available to agencies today!
• FICAM Roadmap V2.0
• ICAM ROI Toolkit*
• ICAM Maturity Model
• ICAM Snapshot Brochure
• Modernized PACS Brochure
• Modernized LACS Brochure
* Please contact [email protected] to access the ICAM ROI Toolkit.
FICAM Roadmap
FICAM Roadmap and Implementation Guidance
The FICAM Roadmap and Implementation Guidance document consists of two components: Part A outlines the government-wide ICAM segment architecture; and Part B provides agencies with implementation guidance, critical for achieving alignment.
PART A: ICAM Segment Architecture (Chapters 3 - 5)
Part A provides the ICAM segment architecture, which outlines a cohesive target state to ensure clarity and interoperability across agency-level initiatives, including:
• Compliance with the Federal Segment Architecture Methodology (FSAM)
• Various use cases which illustrate the as-is and target states of high level ICAM functions and frame a gap analysis between the as-is and target states
• A detailed transition roadmap and milestones which define a series of logical steps or phases that enable the implementation of the target architecture
PART B: Implementation Guidance (Chapters 6 - 12)
Part B provides guidance on a broad range of topics to enable a holistic approach for alignment with the ICAM segment architecture, including:
• Information for planning and managing an agency’s ICAM program
• Sample solution architectures for expected target state technical capabilities
• Important considerations, benefits, and limitations for different implementation approaches
• Numerous tips, FAQs, and lessons learned from real ICAM implementations
FICAM Roadmap V2.0
ROI Toolkit
ROI Toolkit Overview
The ROI Toolkit* is a resource that agencies can leverage when demonstrating the value of ICAM and/or building their business case for an ICAM implementation.
ROI Case Study Inventory. Summarizes federal and commercial ICAM case studies and sound bites that can be leveraged to help scope an ICAM business case analysis. The sound bites can be leveraged as more anecdotal improvement metrics or results.
ROI Dashboard Tool. Provides templates for calculating ICAM costs and benefits as well as example reports that can be used when planning for an ICAM implementation.
Building an ICAM Business Case Presentation. Provides a more detailed, step-by-step approach for building an ICAM business case and the cost calculations associated with it. It is to be used in conjunction with the ICAM ROI Dashboard Tool.
* Please contact [email protected] to access the ICAM ROI Toolkit.
ROI Toolkit: Case Study Inventory
The case study inventory includes federal and commercial ICAM case studies and sound bites that can be leveraged to help scope an ICAM business case analysis. The sound bites can be leveraged as more anecdotal improvement metrics or results.
Type or Industry | Case Study Name
Federal, Civilian | STATE: Cost Benefit Comparison between PKI/BLADE and Password-based Authentication
Federal, Civilian | GSA IAM Logical Access Initiative
Federal, Civilian | Common Access Card for US Bureau of Land Management
Federal, Defense | Drivers for use of CAC in the DoD Community
Transportation | Transit Industry Case Study – Transit Smartcards for Automatic Fare collection
Healthcare | Use of Smartcards in the Healthcare Community
Healthcare | Health Industry Case Study – Multi-function Smart ID Badge for Hospital Staff
Healthcare | SAFE-BioPharma Digital Signatures – AstraZeneca example
General | Value of Converged Access, SSO, and Remote Access Solutions
General | Password Management and Single Sign-on
General | Opening the Door to e-Business
General | Password Reset: Using Self-Service
Please contact [email protected] to access the ICAM ROI Toolkit.
ROI Toolkit: Building an ICAM Business Case Presentation
The building an ICAM business case presentation provides a detailed, step-by-step approach for building an ICAM business case and the associated cost calculations.
1. Strategy and Requirements
• Defining an ICAM Strategy
• Completing the stakeholder analysis
2. Alternatives Planning
• Constructing the ICAM business case
• Completing a gap analysis
• Conducting an alternatives analysis
• Completing a detailed cost analysis
• Calculating quantitative and qualitative benefits
3. Measurement and Reporting
• Completing an end-to-end cost summary
• Selecting performance metrics and reports
* Please contact [email protected] to access the ICAM ROI Toolkit.
ROI Toolkit: ROI Dashboard Tool
The ROI dashboard tool provides templates for calculating ICAM costs and benefits.
Dashboard tool components:
• Cost summary
• Cost analysis
• Quantitative benefits
• Qualitative benefits
• Net benefits graph
• Break-even analysis
* Please contact [email protected] to access the ICAM ROI Toolkit.
ICAM Success Story Snapshot
Through ICAM implementations, federal agencies have been able to experience the benefits associated with successful ICAM solutions.
• The State Department experienced a decrease in the percentage of help desk tickets related to password issues (2006 – 12.6%, and 2007 – 8.1%).
• The General Services Administration’s (GSA) IAM Logical Access Initiative worked to lower IT administrative costs by eliminating the need for application-specific passwords and their resetting.
• The Bureau of Land Management, within the Department of Interior, undertook a staged rollout of logical access and integrated its credentialing and electronic forms. This facilitated a high reliability of electronic forms via digital signatures.
• The Department of Defense (DoD) decreased the number of successful intrusions by 46% due to a requirement that all DoD personnel log on to unclassified networks using a CAC.
These case studies can be found in more detail in the ROI toolkit. Please contact [email protected] to access the ICAM ROI Toolkit.
ICAM Maturity Model
The ICAM Maturity Model tool provides a government-wide approach for evaluating the progress of an agency’s capabilities against the ICAM segment architecture.
• Provides a series of questions for an agency to answer related to: Governance & Program Management; Identity Management; Credential Management; Physical Access Management; Logical Access Management; Federation
• Identifies capability gaps between the current state and the ICAM target state via a summary dashboard
• Provides the steps necessary to achieve the next phase of ICAM maturity
ICAM Maturity Model – Initial
Initial.
• ICAM related projects and work streams are initiated and managed in an ad hoc manner;
• There is little structure or opportunity for coordination between related ICAM projects and work streams;
• ICAM related processes are often conducted manually using paper-based methods, often creating duplicative and redundant efforts; and
• Users are issued credentials for access to agency resources that are not PIV cards.
ICAM Maturity Model – Repeatable
Repeatable.
• A coordinated plan for the establishment of an ICAM program exists within the agency;
• An agency-level ICAM program management structure has been designed and a plan exists to implement it;
• A plan for the reduction of redundant, manual, and paper-based processes related to ICAM has been defined; and
• A plan has been developed to transition to issuance of the PIV card, while minimizing the issuance of other credential types.
ICAM Maturity Model – Defined
Defined.
• A coordinated agency-level ICAM program/approach has been implemented;
• An agency-level ICAM program management structure is in place;
• Redundant, manual, and paper-based processes related to ICAM have been reduced and electronic and automated processes have been introduced; and
• The PIV card is being issued to users within the organization.
ICAM Maturity Model – Managed
Managed.
• There is an operational ICAM program with clearly defined program and project goals and objectives;
• The agency has formalized leadership support and there is close coordination between agency-level ICAM efforts;
• A single, enterprise digital identity record has been established for each user within the organization and a mechanism is in place to securely share authoritative identity data with agency systems and processes that use it;
• The PIV card is the only credential issued to employees and contractors; and
• Users are electronically authenticated to physical and logical resources, using the technology on the PIV card (e.g., CHUID/FASC-N [PACS] and PIV Authentication Key [LACS]).
ICAM Maturity Model – Optimized
Optimized.
• The agency has an effective ICAM program with formalized and robust management mechanisms in place;
• ICAM related processes have been streamlined, automated, and converted to electronic mechanisms, wherever possible; and
• Enhanced management capabilities (e.g., enhanced auditing and reporting, leadership dashboard capabilities, etc.) have been implemented to increase security and reduce administrative burden.
ICAM Maturity Model
Based on the answers provided for each of the ICAM areas, the tool measures maturity and accountability across agency-level activities, using the performance metrics from the ICAM segment architecture and the ICAM transition plan template.
Note: Guidance for use of the ICAM Maturity Model by federal agencies is forthcoming.
FICAM Testing Program
The FICAM Testing Program:
• Serves as a comprehensive testing and evaluation capability
• Supports the selection and procurement of qualified products and services for federal agencies
• Enables the implementation of a federated and interoperable ICAM segment architecture
The FICAM Approved Products List (APL):
• Provides agency purchasers with a list of products that have been tested and approved under the FICAM Testing Program for purchase and use by federal agencies
Access the new FICAM Testing Program page here.
ICAM Web Content Series
The ICAM Web Content Series provides agency implementers with a succinct summary of the highlighted subject matter. It translates complex and technical topics, illustrating them in a digestible fashion for implementers while providing a holistic summary of how the identified topic fits within the ICAM landscape.
The PIV in LACS Web Content provides guidance, best practices, and helpful tips to federal agencies on PIV-enabling logical resources at the enterprise level to meet federal requirements. The PIV in LACS video provides additional resources, such as:
• Information on the multiple benefits of PIV-enablement
• Common questions and answers that may arise during the implementation process
• A checklist of actionable next steps for PIV-enablement
Coming Soon! The PIV in PACS and Mobile Security Web Content Videos
ICAM Brochures
As an accompaniment to the FICAM Roadmap, snapshot brochures are available.
ICAM Snapshot Brochure: Provides summary information around what ICAM is, the FICAM Roadmap target state, the strategic vision for ICAM, and its value proposition.
Modernized PACS Brochure: Provides summary information around the implementation of an enterprise PACS, the benefits of PACS modernization, the steps for implementing a modernized PACS solution, and PIV-enablement.
Modernized LACS Brochure: Provides summary information around the implementation of an enterprise LACS, the benefits of LACS modernization, and design approaches and application integration for LACS.
Leadership Communications Brochure: Provides high-level summary information about ICAM programs for leadership and explains how ICAM supports an agency in achieving its mission.
Align Collaborate Enable