Monthly Program Review Template
Shared by: HC120704071111
Posted: 7/4/2012; 16 pages; 3 views
Document Sample

Federal Identity Management Initiatives
David Temoshok
Director, Identity Policy and Management
GSA Office of Governmentwide Policy
EDUCAUSE
June 15, 2006
Federal Identity Management Initiatives 1
Industry and EAI ID Federation/Authentication Alignment
The Federal Government is seeking to align with industry in the following ways in order to meet the mandates for government-wide e-Authentication services:
• Common trust framework for reciprocal trust
• Common business & operating rules for business interoperability
• Common technical infrastructure (i.e., architecture, protocols, data models, testing) for technical interoperability
• Common business models for ID federation adoption/interoperability.
A VERY Simplified View of the Federal EAI Architecture
(Diagram; recoverable labels:)
• EAI SAML Trust List: credential service providers (CSPs) such as banks, financial institutions, universities and commercial CSPs issue SAML assertions to agency apps and online apps & services (SDT shown between the assertions and the agency apps).
  - Levels 1 & 2 CSPs: user ID, PIN, passwords; serve Levels 1 & 2 online apps & services.
  - Levels 3 & 4 CSPs: digital certificates, one-time passwords, multi-factor authentication (HSPD-12); serve Levels 3 & 4 online apps & services.
• FBCA PKI Trust List: Federal agency PKIs, other government PKIs, commercial PKIs, PKI bridges.
EAI/EAP Common Trust Framework
1. Establish & define authentication risk and assurance levels
   • EAI: OMB M-04-04 - Established and defined 4 authentication assurance levels as Governmentwide policy
   • EAP: Adopted OMB M-04-04 authentication assurance levels
2. Establish technical standards & requirements for e-Authentication systems at each assurance level
   • EAI: NIST Special Pub 800-63 Authentication Technical Guidance – Established authentication technical standards at 4 established assurance levels
   • EAP: Adopted NIST SP 800-63 standards
3. Establish methodology for evaluating authentication systems at each assurance level
   • EAI: Credential Assessment Framework – Standard methodology for assessing authentication systems of credential service providers
   • EAP: Service Assessment Criteria – Standard methodology for assessing authentication systems of credential service providers
5. Perform assessments and maintain trust list of trusted CSPs
   • EAP: Trusted CSP List
   • EAI: Trusted CSP List (pending)
6. Establish common business rules for approved CSPs
   • EAI: EAI Federation Business Rules and Service Agreements
   • EAP: EAP Business Rules and Agreements
EAI/EAP Alignment
Timeline of EAI and EAP convergence (EAI projects on one side, EAP projects on the other):
2004: Common Assurance Levels; Common Authentication Standards
2005: CSP Assessments; CSP Trust Lists
2006: Reciprocal CSP Trust Certifications; Common Designated Assessors
2007: Joint Pilots; Common Business Rules and Projects
2008: Common Architecture; Common Protocols; Common Data Models; Common Business Model
Components of EAP Trust Framework in FiXs Pilot
1. Establish & define authentication risk and assurance levels
   • EAP/FiXs: Adopted OMB M-04-04 authentication assurance levels
2. Establish technical standards & requirements for e-Authentication systems at each assurance level
   • EAP: Adopted NIST SP 800-63 standards
   • FiXs: Adopted NIST FIPS 201 standards
3. Establish methodology for evaluating authentication systems at each assurance level
   • EAP: Service Assessment Criteria – Standard methodology for assessing authentication systems of credential service providers
   • FiXs: Certification standards and security requirements
5. Perform assessments and maintain trust list of trusted CSPs
   • EAP/FiXs: Trusted CSP Lists
6. Establish common business rules for approved CSPs
   • EAP: EAP Business Rules and Agreements
   • FiXs: FiXs Business and Operating Rules
Core FiXs Pilot Objectives - EAP
EAP Component: Business Rules
  FiXs Pilot Objective: Develop FiXs Operating Rules for electronic authentication that satisfy terms and conditions of EAP Business Rules.
  Test Outcomes:
  • Adoption of EAP Business Rules by FiXs Federation through FiXs Operating Rules
  • Signed Agreements to follow Operating Rules by FiXs pilot participants
EAP Component: Service Assessment Criteria
  FiXs Pilot Objective: Develop FiXs CSP (“Issuer”) Certification Procedures and Security Requirements that satisfy EAP SAC requirements.
  Test Outcomes:
  • Determination that FiXs Certification Procedures and Security Requirements satisfy EAP SAC requirements at assurance level 4.
  • Determination that FiXs Certification Procedures and Security Requirements satisfy EAI CAF requirements at assurance level 4.
EAP Component: CSP Trust List
  FiXs Pilot Objective: Make FiXs CSP (“Issuer”) certifications that satisfy EAP SAC requirements.
  Test Outcomes:
  • Determination that FiXs CSP “Issuer” certifications satisfy EAP SAC requirements at assurance level 4.
  • Establish EAP CSP Trust List to include certified FiXs Issuers
  • Determination that FiXs CSP “Issuer” certifications satisfy EAI CAF requirements at assurance level 4.
  • Inter-Federation acceptance of FiXs Issuer certifications by EAP and EAI.
FiXs Pilot Objectives - Expanded
Pilot Component: Interoperable Technical Architecture
  FiXs Pilot Objective: Develop FiXs Technical Architecture that will interoperate with DoD and EAI technical architectures for e-Authentication.
  Test Outcomes:
  • Demonstrated interoperability of all aspects of e-Authentication transactions with FiXs pilot participants.
  • Demonstrated interoperability of all aspects of e-Authentication transactions with DoD and EAI.
  • Model technical architecture available for EAP use/adoption.
Pilot Component: Technical Interface Specifications
  FiXs Pilot Objective: Develop FiXs Technical Interface Specifications that permit electronic authentication transactions and transaction data exchange with DoD and EAI.
  Test Outcomes:
  • Common FiXs technical specifications for interoperability in FiXs global roll-out.
  • Demonstrated interoperability of all aspects of e-Authentication transactions and transaction data exchanges with DoD and EAI.
  • Model technical interface specifications available for EAP use/adoption.
Pilot Component: Operating Rules
  FiXs Pilot Objective: Develop FiXs Operating Rules that define the operational and transaction requirements for FiXs e-Authentication transactions.
  Test Outcomes:
  • Common FiXs Operating Rules for FiXs global roll-out.
  • Signed Agreements to follow Operating Rules by FiXs pilot participants.
  • Model ID Federation Operating Rules available for EAP use/adoption.
Pilot Component: Registration, Enrollment and ID Verification
  FiXs Pilot Objective: Develop FiXs registration, enrollment and ID verification requirements/procedures that meet FIPS 201/HSPD-12 standards and requirements.
  Test Outcomes:
  • Registration, enrollment, ID verification, and cross-credentialing requirements & procedures for non-Federal identity verification that can be accepted as meeting FIPS 201/HSPD-12 standards.
Cross-Federation Trust Certifications
• FiXs trust certifications will be made at assurance level 4+, as FiXs will be certifying against FIPS 201/HSPD-12 standards/requirements.
• EAP may determine to accept FiXs certifications as meeting EAP SAC level 4 authentication assurance.
• Federal EAI may determine to accept FiXs and/or EAP certifications as meeting EAI CAF level 4 authentication assurance.
(Diagram: three linked nodes, FiXs Trust Certifications, EAP Trust Certifications and EAI Trust Certifications.)
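The two mechanisms the architecture slide and the cross-federation slide describe, a relying party accepting SAML assertions only from CSPs on a trust list certified at or above the application's assurance level, and one federation recognising another federation's certifications up to a capped level, can be reduced to a small policy check. The following is an added illustration, not code from this presentation, from GSA or from the EAI/EAP/FiXs programs; the trust-list entries, federation names, CSP issuer URLs and the SAML 1.1 assertion are constructed for the example, and the function assumes the assertion's XML signature has already been verified before the trust decision is made.

```python
"""Relying-party trust-list gate for federated SAML authentication.

Illustration only (constructed data). A credential service provider (CSP)
on the trust list is credited with the OMB M-04-04 assurance level (1-4) it
was certified at by some federation; the relying party recognises a set of
federations' certifications, each capped at a maximum level, and admits an
assertion only if the issuer's effective level meets the application's
required level.
"""
from dataclasses import dataclass
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"


@dataclass(frozen=True)
class TrustListEntry:
    issuer: str        # value of the assertion's Issuer attribute
    certified_by: str  # federation that assessed the CSP
    level: int         # assurance level the CSP is certified at


# Constructed trust list; none of these are real EAI/EAP/FiXs entries.
TRUST_LIST = [
    TrustListEntry("https://idp.examplebank.test", "EAI", 2),
    TrustListEntry("https://idp.example-university.test", "EAI", 1),
    TrustListEntry("https://issuer.example-fixs.test", "FiXs", 4),
    TrustListEntry("https://idp.other-federation.test", "OtherFed", 4),
]

# Relying-party policy (hypothetical): which federations' certifications are
# recognised and the highest level each is accepted at. This mirrors the
# slide's "EAI may accept FiXs and/or EAP certifications at level 4".
# "OtherFed" is deliberately absent, so its CSPs are not trusted at all.
RECOGNIZED = {"EAI": 4, "EAP": 4, "FiXs": 4}

# Constructed SAML 1.1 assertion from the bank CSP above.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1_NS}"
    MajorVersion="1" MinorVersion="1" AssertionID="constructed-0001"
    Issuer="https://idp.examplebank.test" IssueInstant="2006-06-15T12:00:00Z">
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2006-06-15T12:00:00Z">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def issuer_of(assertion_xml: str) -> str:
    """Return the Issuer attribute of a SAML 1.x Assertion element."""
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML1_NS}}}Assertion":
        raise ValueError("not a SAML 1.x Assertion element")
    issuer = root.get("Issuer")
    if not issuer:
        raise ValueError("Assertion carries no Issuer attribute")
    return issuer


def effective_level(issuer: str) -> int:
    """Highest assurance level the relying party credits to this issuer.

    0 means the issuer is not on the trust list, or is certified only by a
    federation the relying party does not recognise.
    """
    best = 0
    for entry in TRUST_LIST:
        if entry.issuer != issuer:
            continue
        cap = RECOGNIZED.get(entry.certified_by)
        if cap is None:
            continue  # certification from an unrecognised federation
        best = max(best, min(entry.level, cap))
    return best


def accept(assertion_xml: str, required_level: int) -> bool:
    """Trust-list gate for an application requiring `required_level`.

    Assumes the assertion's XML signature has already been verified against
    the issuer's key; this function only decides whether the issuer's
    certification covers the application's assurance level.
    """
    try:
        issuer = issuer_of(assertion_xml)
    except (ET.ParseError, ValueError):
        return False
    return effective_level(issuer) >= required_level


if __name__ == "__main__":
    for level in (1, 2, 3, 4):
        print(f"level {level} app, bank assertion accepted: "
              f"{accept(SAMPLE_ASSERTION, level)}")
    print("FiXs issuer effective level:",
          effective_level("https://issuer.example-fixs.test"))
    print("unrecognised-federation issuer effective level:",
          effective_level("https://idp.other-federation.test"))
```

The cap in `RECOGNIZED` is what makes reciprocal acceptance safe to express as policy rather than as a copy of the other federation's list: a CSP certified at "4+" by FiXs is credited with at most the level EAI has decided to accept FiXs certifications at, and a CSP certified only by a federation outside the policy is treated as untrusted even though it appears on the list.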
Federal Interoperability Lab
• Tests interoperability of products for participation in e-Authentication architecture.
  - Conformance testing to Fed e-Authentication Interface Specification
  - Interoperability testing among all approved products
• Currently 11 SAML 1.0 products on Approved Product List. See URL: http://cio.gov/eauthentication
• Multiple protocol interoperability testing will be very complex
• 4 Products approved for PKI certificate path discovery & validation
• GSA intends to continue to test architecture components for interoperability and capability to meet governmentwide use requirements
And then there’s HSPD-12 …
Homeland Security Presidential Directive 12 (HSPD-12):
“Policy for a Common Identification Standard for Federal
Employees and Contractors”
Dated: August 27, 2004
IDM Policy and Acquisition Landscape
• Key governmentwide initiatives have established program, policy, and
technical requirements for authentication and identity management.
• GSA is establishing “approved products/services” for each authentication
service line based on compliance with established requirements.
• Consolidate multiple offerings of Identity Management products & services
from GSA acquisition schedules and GWACs onto IT Schedule 70, SIN
132-60, Authentication Products and Services
• Authentication service lines on SIN 132-60 include:
ACES
PKI Shared Service Providers (HSPD-12)
PIV Service Components (HSPD-12)
PIV Integrators (HSPD-12)
Approved FIPS-201 Products and Services (HSPD-12)
E-Authentication Architecture Components.
• All require active program management to ensure compliance with
program requirements and keep pace with marketplace changes.
OMB Guidance – Key Points
OMB Guidance for HSPD-12 - M-05-24:
• To ensure government-wide interoperability, agencies must acquire only
products and services that are on the approved products list
• Agencies must include language implementing the FIPS 201 Standard
in applicable new contracts
• GSA is designated the “executive agent for Government-wide
acquisitions of information technology" for the products and services
required by HSPD-12
• GSA will make approved products and services available through
blanket purchase agreements under IT Schedule 70
• GSA will ensure all approved BPA suppliers provide products and
services that meet all applicable federal standards and requirements
http://www.whitehouse.gov/omb/memoranda/fy2005/m05-24.pdf
GSA’s Role
• Establish interoperability and common performance
testing to meet NIST standards
• Compliance for GSA contractors (e.g., cleaning,
maintenance, etc.)
• Award SIN 132-62 listings as approved products and
services become available
• Establish Approved Products Lists for product
categories requiring FIPS 201 compliance
• Provide a full range of qualified products and services
to meet Agency implementation needs
HSPD-12 Service Components
(Diagram; recoverable labels:)
• Enrollment Service Provider: enrollment/registration; enrollment stations & managed service; data
• Systems Infrastructure Provider: CMS; IDMS; FPKI SSP; FPKI SSP & FBCA cross-certified PKI; card management services
• Production Service Provider: card printing; data; inventory, distribution
• Finalization Service Provider: cards issued and activated
• Agency PACS; Agency LACS
Services inside dotted rings may be provided as shared infrastructure.
For More Information
● Visit our Websites:
http://www.idmanagement.gov
http://www.cio.gov/eauthentication
http://www.cio.gov/ficc
http://www.cio.gov/fbca
http://www.cio.gov/fpkipa
http://www.cio.gov/fpkisc
http://www.smart.gov/
● Or contact:
David Temoshok
Director, Identity Policy and Management
202-208-7655
david.temoshok@gsa.gov