
Federal Identity Management Initiatives

David Temoshok
Director, Identity Policy and Management
GSA Office of Governmentwide Policy
EDUCAUSE
June 15, 2006

     Federal Identity Management Initiatives   1
Industry and EAI ID Federation/Authentication Alignment

The Federal Government is seeking to align with industry in the following ways in order to meet the mandates for government-wide e-Authentication services:
• Common trust framework for reciprocal trust
• Common business & operating rules for business interoperability
• Common technical infrastructure (i.e., architecture, protocols, data models, testing) for technical interoperability
• Common business models for ID federation adoption/interoperability.




A VERY Simplified View of the Federal EAI Architecture

[Diagram: two assurance tiers, each governed by its own trust list]
Credential service providers shown: Banks, Financial Inst., Universities, Agency Apps, Commercial CSPs
• Levels 1 & 2 CSPs, governed by the EAI SAML Trust List: PIN, passwords, user ID credentials; SAML assertions sent to Levels 1 & 2 Online Apps & SDT Services
• Levels 3 & 4 CSPs, governed by the FBCA PKI Trust List (Federal Agency PKIs, Other Gov PKIs, Commercial PKIs, PKI Bridges): digital certificates, one-time passwords, multi-factor authentication (HSPD-12); used by Levels 3 & 4 Online Apps & Services
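The trust-list gating in this picture, written out as a small relying-party check. This is an added example, not code from GSA or the e-Authentication program: each CSP on the trust list carries the assurance level it was assessed at, and an application accepts a SAML 1.0 assertion only if the issuer is listed, the assertion is inside its validity window and names the application as its audience, and the lower of the CSP's assessed level and the level its authentication method can support meets the application's required level. The issuer URLs, the `METHOD_MAX_LEVEL` cap, the sample assertion and the application URL are constructed assumptions; the assertion's XML signature is assumed to have been verified before this check runs, and the levels 3 & 4 PKI path (certificate path validation against the FBCA trust list) is not modelled.

```python
"""Relying-party acceptance check for an e-Authentication SAML 1.0 assertion.
Added illustration, not GSA/EAI program code. The assertion's XML signature is
assumed to have been verified by the caller; the PKI path is not modelled."""
from dataclasses import dataclass
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}

# Assumed cap per SAML 1.0 authentication method, following the slide's pairing
# of PIN/password credentials with levels 1 & 2 and certificates with 3 & 4.
METHOD_MAX_LEVEL = {
    "urn:oasis:names:tc:SAML:1.0:am:password": 2,
    "urn:oasis:names:tc:SAML:1.0:am:X509-PKI": 4,
}

@dataclass(frozen=True)
class TrustedCSP:
    issuer: str          # Issuer attribute the CSP places on its assertions
    assessed_level: int  # OMB M-04-04 level assigned by the CAF/SAC assessment

# Constructed trust list; the issuer names are invented placeholders.
TRUST_LIST = {
    "https://csp.example-bank.test": TrustedCSP("https://csp.example-bank.test", 2),
    "https://pki.example-agency.test": TrustedCSP("https://pki.example-agency.test", 4),
}

@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str
    effective_level: int = 0

def _parse_time(value):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps carried in SAML 1.0 assertions."""
    try:
        return datetime.strptime(value or "", "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None

def evaluate_assertion(xml_text, required_level, audience, trust_list=TRUST_LIST, now=None):
    """Decide whether an application at `required_level` may accept the assertion."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return Decision(False, "not a SAML 1.0 assertion")

    # 1. The issuer must be a CSP on the trust list.
    issuer = root.get("Issuer")
    csp = trust_list.get(issuer)
    if csp is None:
        return Decision(False, f"issuer not on trust list: {issuer!r}")

    # 2. The validity window and the audience restriction must both hold.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return Decision(False, "missing Conditions")
    not_before = _parse_time(cond.get("NotBefore"))
    not_after = _parse_time(cond.get("NotOnOrAfter"))
    if not_before is None or not_after is None or not (not_before <= now < not_after):
        return Decision(False, "assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if audience not in audiences:
        return Decision(False, "audience restriction does not name this application")

    # 3. Effective level is the lower of the CSP's assessed level and the level
    #    its authentication method can support; it must meet the application's need.
    stmt = root.find("saml:AuthenticationStatement", NS)
    if stmt is None:
        return Decision(False, "missing AuthenticationStatement")
    effective = min(csp.assessed_level, METHOD_MAX_LEVEL.get(stmt.get("AuthenticationMethod"), 0))
    if effective < required_level:
        return Decision(False, f"effective level {effective} below required level {required_level}", effective)
    return Decision(True, "accepted", effective)

# Constructed sample assertion: no real CSP, application or user is referenced.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="0" AssertionID="_constructed-1"
    Issuer="https://csp.example-bank.test" IssueInstant="2006-06-15T12:00:00Z">
  <saml:Conditions NotBefore="2006-06-15T12:00:00Z" NotOnOrAfter="2006-06-15T12:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://app.example-agency.test</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2006-06-15T11:59:30Z">
    <saml:Subject><saml:NameIdentifier>user42</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

# Fixed "now" so the sample evaluates the same way whenever it is run.
SAMPLE_NOW = datetime(2006, 6, 15, 12, 1, tzinfo=timezone.utc)
```

Calling `evaluate_assertion(SAMPLE_ASSERTION, 2, "https://app.example-agency.test", now=SAMPLE_NOW)` accepts the password assertion at level 2; asking for level 3 with the same assertion is refused, and it would still be refused if the issuing CSP had been assessed at level 4, because the credential type presented caps the effective level. That `min()` is the point of the slide's two tiers: the trust list records how well the CSP was assessed, but the credential actually used bounds what a single transaction may claim.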

EAI/EAP Common Trust Framework

1. Establish & define authentication risk and assurance levels
   • EAI: OMB M-04-04 - Established and defined 4 authentication assurance levels as Governmentwide policy
   • EAP: Adopted OMB M-04-04 authentication assurance levels

2. Establish technical standards & requirements for e-Authentication systems at each assurance level
   • EAI: NIST Special Pub 800-63 Authentication Technical Guidance – Established authentication technical standards at 4 established assurance levels
   • EAP: Adopted NIST SP 800-63 standards

3. Establish methodology for evaluating authentication systems at each assurance level
   • EAI: Credential Assessment Framework – Standard methodology for assessing authentication systems of credential service providers
   • EAP: Service Assessment Criteria – Standard methodology for assessing authentication systems of credential service providers

5. Perform assessments and maintain trust list of trusted CSPs
   • EAP: Trusted CSP List
   • EAI: Trusted CSP List (pending)

6. Establish common business rules for approved CSPs
   • EAI: EAI Federation Business Rules and Service Agreements
   • EAP: EAP Business Rules and Agreements

EAI/EAP Alignment

[Timeline diagram: EAI Projects on the left, EAP Projects on the right, joint milestones in the centre]
2004: Common Assurance Levels; Common Authentication Standards
2005: CSP Assessments; CSP Trust Lists
2006: Reciprocal CSP Trust Certifications; Common Designated Assessors
2007: Common Business Rules (Joint Pilots and Projects)
2008: Common Architecture; Common Protocols; Common Data Models
Common Business Model


Components of EAP Trust Framework in FiXs Pilot

1. Establish & define authentication risk and assurance levels
   • EAP/FiXs: Adopted OMB M-04-04 authentication assurance levels

2. Establish technical standards & requirements for e-Authentication systems at each assurance level
   • EAP: Adopted NIST SP 800-63 standards
   • FiXs: Adopted NIST FIPS 201 standards

3. Establish methodology for evaluating authentication systems at each assurance level
   • EAP: Service Assessment Criteria – Standard methodology for assessing authentication systems of credential service providers
   • FiXs: Certification standards and security requirements

5. Perform assessments and maintain trust list of trusted CSPs
   • EAP/FiXs: Trusted CSP Lists

6. Establish common business rules for approved CSPs
   • EAP: EAP Business Rules and Agreements
   • FiXs: FiXs Business and Operating Rules
Core FiXs Pilot Objectives - EAP

EAP Component: Business Rules
  FiXs Pilot Objective: Develop FiXs Operating Rules for electronic authentication that satisfy terms and conditions of EAP Business Rules.
  Test Outcomes:
    • Adoption of EAP Business Rules by FiXs Federation through FiXs Operating Rules
    • Signed Agreements to follow Operating Rules by FiXs pilot participants

EAP Component: Service Assessment Criteria
  FiXs Pilot Objective: Develop FiXs CSP (“Issuer”) Certification Procedures and Security Requirements that satisfy EAP SAC requirements.
  Test Outcomes:
    • Determination that FiXs Certification Procedures and Security Requirements satisfy EAP SAC requirements at assurance level 4.
    • Determination that FiXs Certification Procedures and Security Requirements satisfy EAI CAF requirements at assurance level 4.

EAP Component: CSP Trust List
  FiXs Pilot Objective: Make FiXs CSP (“Issuer”) certifications that satisfy EAP SAC requirements.
  Test Outcomes:
    • Determination that FiXs CSP “Issuer” certifications satisfy EAP SAC requirements at assurance level 4.
    • Establish EAP CSP Trust List to include certified FiXs Issuers
    • Determination that FiXs CSP “Issuer” certifications satisfy EAI CAF requirements at assurance level 4.
    • Inter-Federation acceptance of FiXs Issuer certifications by EAP and EAI.

FiXs Pilot Objectives - Expanded

Pilot Component: Interoperable Technical Architecture
  FiXs Pilot Objective: Develop FiXs Technical Architecture that will interoperate with DoD and EAI technical architectures for e-Authentication.
  Test Outcomes:
    • Demonstrated interoperability of all aspects of e-Authentication transactions with FiXs pilot participants.
    • Demonstrated interoperability of all aspects of e-Authentication transactions with DoD and EAI.
    • Model technical architecture available for EAP use/adoption.

Pilot Component: Technical Interface Specifications
  FiXs Pilot Objective: Develop FiXs Technical Interface Specifications that permit interoperability in electronic authentication transactions and transaction data exchange with DoD and EAI.
  Test Outcomes:
    • Common FiXs technical specifications for FiXs global roll-out.
    • Demonstrated interoperability of all aspects of e-Authentication transactions and transaction data exchanges with DoD and EAI.
    • Model technical interface specifications available for EAP use/adoption.

Pilot Component: Operating Rules
  FiXs Pilot Objective: Develop FiXs Operating Rules that define the operational and transaction requirements for FiXs e-Authentication transactions.
  Test Outcomes:
    • Common FiXs Operating Rules for FiXs global roll-out.
    • Signed Agreements to follow Operating Rules by FiXs pilot participants.
    • Model ID Federation Operating Rules available for EAP use/adoption.

Pilot Component: Registration, Enrollment and ID Verification procedures
  FiXs Pilot Objective: Develop FiXs registration, enrollment and ID verification requirements/procedures that meet FIPS 201/HSPD-12 standards and requirements.
  Test Outcomes:
    • Registration, enrollment, ID verification, and cross-credentialing requirements & procedures for non-Federal identity verification that can be accepted as meeting FIPS 201/HSPD-12 standards.



Cross-Federation Trust Certifications

• FiXs trust certifications will be made at assurance level 4+, as FiXs will be certifying against FIPS 201/HSPD-12 standards/requirements.
• EAP may determine to accept FiXs certifications as meeting EAP SAC level 4 authentication assurance
• Federal EAI may determine to accept FiXs and/or EAP certifications as meeting EAI CAF level 4 authentication assurance

[Diagram: FiXs Trust Certifications, EAP Trust Certifications and EAI Trust Certifications shown as three related groups]

Federal Interoperability Lab

• Tests interoperability of products for participation in e-Authentication architecture.
   • Conformance testing to Fed e-Authentication Interface Specification
   • Interoperability testing among all approved products
• Currently 11 SAML 1.0 products on Approved Product List.
   • See URL: http://cio.gov/eauthentication
• Multiple protocol interoperability testing will be very complex
• 4 Products approved for PKI certificate path discovery & validation
• GSA intends to continue to test architecture components for interoperability and capability to meet governmentwide use requirements



And then there’s HSPD-12 …

Homeland Security Presidential Directive 12 (HSPD-12):
“Policy for a Common Identification Standard for Federal Employees and Contractors”
Dated: August 27, 2004




IDM Policy and Acquisition Landscape

• Key governmentwide initiatives have established program, policy, and technical requirements for authentication and identity management.
• GSA is establishing “approved products/services” for each authentication service line based on compliance with established requirements.
• Consolidate multiple offerings of Identity Management products & services from GSA acquisition schedules and GWACs onto IT Schedule 70, SIN 132-60, Authentication Products and Services
• Authentication service lines on SIN 132-60 include:
   • ACES
   • PKI Shared Service Providers (HSPD-12)
   • PIV Service Components (HSPD-12)
   • PIV Integrators (HSPD-12)
   • Approved FIPS-201 Products and Services (HSPD-12)
   • E-Authentication Architecture Components.
• All require active program management to ensure compliance with program requirements and keep pace with marketplace changes.



OMB Guidance – Key Points

OMB Guidance for HSPD-12 - M-05-24:
• To ensure government-wide interoperability, agencies must acquire only products and services that are on the approved products list
• Agencies must include language implementing the FIPS 201 Standard in applicable new contracts
• GSA is designated the “executive agent for Government-wide acquisitions of information technology” for the products and services required by HSPD-12
• GSA will make approved products and services available through blanket purchase agreements under IT Schedule 70
• GSA will ensure all approved BPA suppliers provide products and services that meet all applicable federal standards and requirements

http://www.whitehouse.gov/omb/memoranda/fy2005/m05-24.pdf



GSA’s Role

• Establish interoperability and common performance testing to meet NIST standards
• Compliance for GSA contractors (e.g., cleaning, maintenance, etc.)
• Award SIN 132-62 listings as approved products and services become available
• Establish Approved Products Lists for product categories requiring FIPS 201 compliance
• Provide a full range of qualified products and services to meet Agency implementation needs



HSPD-12 Service Components

[Diagram: the PIV issuance pipeline and its supporting services]
• Enrollment Service Provider: enrollment/registration stations & managed service; passes Enrollment Data to the Systems Infrastructure Provider
• Systems Infrastructure Provider: IDMS; passes Card Data to the Production Service Provider
• Production Service Provider: CMS, card printing, inventory, distribution
• Finalization Service Provider: cards issued and activated
• FPKI SSP: FPKI SSP & FBCA cross-certified PKI
• Card Management Services
• Agency PACS
• Agency LACS
Services inside dotted rings may be provided as shared infrastructure.

    For More Information


●   Visit our Websites:
       http://www.idmanagement.gov
       http://www.cio.gov/eauthentication
       http://www.cio.gov/ficc
       http://www.cio.gov/fbca
       http://www.cio.gov/fpkipa
       http://www.cio.gov/fpkisc
       http://www.smart.gov/

●   Or contact:
    David Temoshok
    Director, Identity Policy and Management
    202-208-7655
    david.temoshok@gsa.gov




