					Identity Credential and Access Management (ICAM)
                   Maturity Model


                   Version 1.0

                 August 26, 2011
                                                                     Instructions
ICAM Background
The Federal Identity, Credential and Access Management (ICAM) initiative is an effort under the Federal Chief Information Officers (CIO) Council established
to promote a consolidated approach for all government-wide identity, credential and access management activities. A key output of the effort is the FICAM
Roadmap and Implementation Guidance, which outlines a government-wide segment architecture for program managers, leadership, and stakeholders and
practical guidance for implementing a segment architecture for ICAM management programs. Alignment with the FICAM Roadmap is required per OMB
Policy Memorandum M-11-11.
ICAM Maturity Model Overview
The ICAM Maturity Model has been developed in conjunction with the FICAM Roadmap and Implementation Guidance document to provide a government-
wide approach for evaluating the progress of an agency's business processes and technical capabilities against the ICAM segment architecture. The ICAM
Maturity Model tool is comprised of two main aspects:
• Results Dashboard. This portion of the ICAM Maturity Model, designated by lighter tabs, provides information on the maturity results of the ICAM program,
individual program areas, and supporting capabilities.
• Self-Assessment. This portion of the ICAM Maturity Model, designated by the darker tabs, consists of a set of questions related to an agency's ICAM
Program areas that is used to determine program maturity.
Each question within the Self-Assessment portion of the tool aligns with an activity, requirement, consideration, or concept within the FICAM Roadmap
(referenced in parentheses at the end of the question). For additional details around the courses of action, planning considerations, and technical solution
information associated with the ICAM areas covered in the ICAM Maturity Model, refer to the FICAM Roadmap and Implementation Guidance, Version 2.0,
available on www.idmanagement.gov.
How to Complete & Use the ICAM Maturity Model
1. Identify individuals within your agency with appropriate expertise in each functional area of ICAM. As noted above, the ICAM maturity results are
based upon the answers to the evaluation criteria in the Self-Assessment. The Self-Assessment has been broken out into the following functional areas to
allow portions of the assessment to be assigned to different individuals within the agency for completion, if necessary:
Governance & Program Management
Identity Management
Credential Management
Physical Access Management
Logical Access Management
Federation
2. Fill out the evaluation criteria within the Self-Assessment tabs. The evaluation criteria are addressed by selecting a response from the drop down list in
the column labeled "Answer." The information in the Results Dashboard is the most accurate and useful when it is reflective of the entire set of questions for
each ICAM area. Therefore, it is important to answer all of the evaluation criteria before reviewing the Results Dashboard.
3. View the maturity results within the Results Dashboard. Once the Self-Assessment is completed, the scores will automatically populate the tabs that
make up the Results Dashboard. The Results Dashboard is broken out into two components:
• Executive Summary. This portion of the Results Dashboard provides only top-level maturity results of each ICAM area and an analysis of the overall ICAM
program maturity level.
• Scoring Details. This portion of the Results Dashboard provides a break out of the individual maturity results that comprise each ICAM area and an
analysis of the overall ICAM area maturity level.
The scoring is based on a graduated scale, beginning with the lowest maturity level, "Initial" and ending with the highest level, "Optimized." These maturity
scores are accompanied by a description of what it means for an agency to be at that level as well as the actions an agency can complete to achieve the next
maturity level.
Tips for completing the tool:
• Collect relevant documentation before starting the Self-Assessment. In order to accurately answer some of the evaluation criteria, it may be necessary
to look up information in other documents. Therefore, it is recommended that users gather any materials that may assist them in completing the Self-
Assessment before beginning to answer the evaluation criteria.
• Select the most appropriate answer for your agency. Each of the answer options reflects a typical indicator of ICAM maturity. To receive an accurate
maturity score, select the answer that most closely represents your agency's current status. Note: if a response indicates that a capability area is not
applicable for your agency, all associated questions will be shaded gray to indicate that they do not need to be answered.
• Determine if any individuals outside of your organization are required to complete the Self-Assessment. If your agency uses any external services
(e.g., the GSA HSPD-12 Managed Service Office (MSO)), you may need to consult with points of contact from those providers. Do not leave these questions
blank simply because these areas are not managed internally by your organization.
• Include comments, where necessary. Users filling out the tool can include notes in the "Comments" column. While doing this can help the user explain
why an answer was selected for reference purposes, the information in this column has no impact on the maturity scoring.




Instructions                                                           ICAM Maturity Model                                                             Page 2 of 15
                                                                    Executive Summary
ICAM Background
Identity, Credential and Access Management (ICAM) is an initiative within the Federal Executive Branch with the goal of establishing a consolidated approach for all
government-wide identity, credential and access management activities. Per OMB M-11-11, agencies must align with the FICAM Roadmap and Implementation
Guidance document and are expected to take steps that bring them closer to achieving the ICAM target state. The ICAM target state closes security gaps in the areas
of user identification and authentication, encryption of sensitive data, and logging and auditing. It supports the integration of physical access control with enterprise
identity and access systems, and enables information sharing across systems and agencies with common access controls and policies.

How to Read & Use Results
The ICAM Maturity Model has been developed in conjunction with the FICAM Roadmap and Implementation Guidance document to provide a standard way to measure
an agency's progress against achievement of the ICAM target state. This tool will allow your agency to manage overall performance and accountability of its ICAM
program and communicate progress at the government-wide level (e.g., ICAMSC, OMB).
The graph below shows the maturity levels for your agency's overall ICAM program and the individual ICAM areas of which it is comprised. Following the graph is an
analysis of the maturity level for your agency's overall ICAM program, including a description of the typical characteristics of an agency at that maturity level and a
summary of the steps your agency can take to achieve the next level of maturity. Finally, the bottom of this tab provides a link to the Scoring Details tab, which provides
a break out of the individual maturity results that comprise each ICAM area and an analysis of the overall ICAM area maturity level.
The information in this tab is based on how your agency answers the evaluation criteria in the Self-Assessment. The maturity results can inform decisions and drive
action. For example, funding and effort might be a priority for the ICAM areas that receive a lower maturity score.

[Chart: maturity level of each ICAM area, plotted on the scale Initial, Repeatable, Defined, Managed, Optimized. Rows: Overall ICAM Program; Governance & Program Management; Identity Management; Credential Management; Physical Access Management; Logical Access Management; Federation. Legend: Current State, Planned State.]


                                                                    Overall ICAM Program








                                                              Scoring Details
                                                          Overall ICAM Program
                                                Evaluation Category                                                      Maturity Score
                 Governance & Program Management
                 Identity Management
                 Credential Management
                 Physical Access Management
                 Logical Access Management
                 Federation




                                              Governance & Program Management
                                                Evaluation Category                                                      Maturity Score
                 Program Structure & Support
                 Communications & Stakeholder Management
                 ICAM Integration into Existing Processes
                 Performance Management & Accountability
                 Risk Management




                                                           Identity Management
                                                Evaluation Category                                                      Maturity Score
                 Digital Identity Lifecycle Management
                 Streamlined On-boarding
                 Streamlined Background Investigations
                 Authoritative Digital Identity Attribute Exchange




                                                         Credential Management
                                                Evaluation Category                                                       Maturity Score
                 Sponsorship
                 Enrollment
                 Issuance
                 Credential Lifecycle Management
                 Data Security Using the PIV




                                                  Physical Access Management
                                                Evaluation Category                                                       Maturity Score
                 Planning & Design
                 Provisioning/De-provisioning
                 Authentication
                 Visitor Management




                                                   Logical Access Management
                                                Evaluation Category                                                       Maturity Score
                 Planning & Design
                 Provisioning/De-provisioning
                 Authentication
                 Authorization
                 Session Management




                                                                Federation
                                                Evaluation Category                                                       Maturity Score

                 Interagency
                 External to the Federal Government








                                                     Governance & Program Management
     Governance and Program Management is the planning and establishment of an ICAM program within a federal agency.
 Governance and program management services comprise the processes and efforts required to support the ICAM programs
within an agency. Additional guidance related to Governance and Program Management can be found in Chapter 6 of the FICAM
                                     Roadmap and Implementation Guidance document.
               Evaluation Criteria                                              Answer                                                                       Comments/Notes (Optional)
                                                                      Program Structure & Support
      Involves the establishment of ICAM governance bodies and mechanisms to manage and coordinate efforts across an agency's ICAM program.

 1. Has a mechanism been put into place at the agency level to
    provide senior executive oversight for ICAM programs (e.g.,
    an Executive Steering Committee)? (6.1.1.1)

 2. Does your agency's ICAM governance structure have the
    authority to enforce changes to align ICAM technology,
    policy, and execution with government-wide requirements
    and guidance? (6.1.1.1)
 3. Which statement best describes the way in which your
    ICAM program is structured to manage efforts across
    projects (e.g., credentialing, physical access control, logical
    access control, personnel security, etc.)? (6.1.3)
 4. Does your agency have a mechanism through which ICAM
    questions, issues, and concerns are routed? (6.1.3)
 5. Does your agency have a mechanism (e.g., working group)
    to facilitate coordination between ICAM projects at the
    Department and the bureau/component level? (6.1.1)

 6. Which statement best describes the staffing support your
    agency has provided for its ICAM projects? (6.1.3)

 7. Does your agency's ICAM program governance include
    representation and involvement from the privacy office?
    (6.1.1)

                                                        Communications & Stakeholder Management
        Involves the implementation of communication strategies for engaging and collaborating with the wide array of groups that comprise ICAM.

 8. To what extent has your agency identified the key ICAM
    stakeholders necessary to support its ICAM program goals
    and initiatives? (6.1.2)
 9. Does your agency have a strategy or defined plan for
    involving stakeholders and promoting collaboration across
    the agency’s ICAM portfolio? (6.1.2)
10. Which statement best describes your agency's approach to
    planning and decision-making related to its ICAM program?
    (6.1.1)

11. Has your agency developed a Communications Plan that
    outlines the objectives, goals, themes, and approach of the
    overall program and is used to communicate consistently
    across the agency? (6.1.3.1)
12. Has your agency implemented on-going communications
    activities to inform both internal and external stakeholders?
    (6.1.3)
13. Which statement best describes the effectiveness of your
    agency's Communications Plan? (6.1.3.1)
14. Does your agency include a privacy professional in the
    planning and decision-making processes within its ICAM
    program? (6.3)


                                                           ICAM Integration into Existing Processes
 Involves incorporating ICAM requirements and investments into activities and processes that are already being performed and supported by the agency.

15. What steps has your agency taken to include PIV-
    enablement requirements/costs into the Capital Planning
    and Investment Control process? (6.2.2)

16. Has your agency established the necessary procurement
    language to assure that logical and physical authentication
    systems support PIV-compliant identity credentials? (6.2.2)

17. How do your agency's procurement personnel purchase
    resources to meet ICAM needs? (6.1.3.3)

18. Which statement best describes how your agency
    determines which investments are in alignment with the
    ICAM target state? (6.2.3)

19. To what extent have your agency's IT systems and
    applications been incorporated into its Enterprise
    Architecture (EA)? (6.2.3)

20. Which statement best describes the extent to which your
    agency has incorporated its ICAM capabilities into the
    application of the Risk Management Framework (RMF), per
    SP 800-37? (6.2.4)
21. Which statement best describes your agency's integration of
    its ICAM capabilities within the investment review and
    approval process? (6.2.2)
                                                         Performance Management & Accountability
Involves activities that support the quality and timeliness of program performance, increasing productivity, controlling costs, and assuring that programs
                                              are managed with integrity and in compliance with applicable law.
22. Has your agency implemented tools to help track
    compliance of ICAM implementation efforts (e.g., PACS
    modernization)? (6.1.4)
23. Which statement best describes how your agency measures
    performance and accountability of the individual projects
    and investments that comprise its ICAM program? (6.1.3)


24. Which statement best describes your agency's approach for
    managing and coordinating ICAM investments across
    agency components/bureaus? (6.2.2)


25. How does your agency track pertinent ICAM investment
    information and track the performance of these
    investments? (6.1.4)


                                                                           Risk Management
                                     Includes activities to mitigate the level of risk to agencies implementing ICAM programs.

26. Does your agency have a mechanism for identifying and
    resolving program risks and issues across ICAM projects?
    (6.1.3)




27. Has your agency implemented a Risk Management Plan
    that defines the way risks are measured for the ICAM
    program, provides a process for identification and
    appropriate response, and assigns roles and responsibilities
    for various stages in the process? (6.1.3.2)

28. Is there a defined escalation path for flagging and resolving
    risks up to and including executive leadership? (6.1.3.2)

29. Is there an ability to track the efforts to resolve risks across
    ICAM projects and measure their effectiveness? (6.1.3.2)




                                                                       Identity Management
 Identity Management is the combination of technical systems, rules, and procedures that define the ownership, utilization, and
safeguard of personal identity information. Additional guidance related to Identity Management can be found in Chapter 7 of the
                                   FICAM Roadmap and Implementation Guidance document.
               Evaluation Criteria                                                    Answer                                                                Comments/Notes (Optional)
                                                              Digital Identity Lifecycle Management
                            The process of establishing and maintaining the attributes that comprise an individual’s digital identity.

1. Does your agency have a mechanism (e.g., unique person
   identifiers, multi-attribute keys, manual identity attribute
   correlation) to determine that a record in one system is
   referring to the same individual as a record in a different
   system? (7.1.3)
2. Which statement best describes the way in which identity
   data stored in authoritative sources is updated? (7.1.2)

3. Does your agency have a mechanism available for users
   within your agency to view and update their identity data
   stored in authoritative sources (e.g., via a self-service
   portal)? (7.1.)
4. Which statement best describes the way in which your
   agency has established the data elements that comprise its
   digital identity records? (7.1.1)
5. Which statement best describes how data elements are
   collected to create digital identity records? (7.1.1)
6. To what extent has your agency minimized collection of
   identity data to just those points/processes that are used to
   populate authoritative data sources? (7.1.1)
7. Has your agency worked with its Privacy Office to establish
   agency-level policies or guidance around the appropriate
   use of identity data that may be shared between
   applications to create a single digital identity record for a
   user? (7.1)
8. Has your agency's Privacy Office reviewed your identity
   lifecycle management processes and determined that it is
   compliant with privacy laws and regulations and that privacy
   protections and controls are properly implemented? (7.1)
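
An added example, not part of the ICAM Maturity Model or the FICAM Roadmap, illustrating the two automated mechanisms question 1 names for deciding that a record in one system refers to the same person as a record in another: a unique person identifier (here a keyed hash of the SSN, so the correlation index never stores the raw value) and a multi-attribute key (normalized name plus date of birth) used as the fallback. The source names (HR, PACS), the record layouts, the sample people and the token key are constructed for illustration; the key would in practice come from a KMS or HSM, not source code. Ambiguous multi-attribute matches are routed to manual correlation rather than auto-linked, which is the failure mode a practitioner most needs to handle.

```python
"""Correlating identity records across two authoritative sources.

Added example (not from the ICAM Maturity Model). All names, identifiers
and records below are constructed for illustration.
"""
import hashlib
import hmac
import unicodedata

# Constructed sample data: the same people described by two sources with
# different local identifiers and inconsistent formatting.
HR_RECORDS = [
    {"hr_id": "E1001", "given": "María", "family": "Lopez",
     "dob": "1980-02-14", "ssn": "123-45-6789"},
    {"hr_id": "E1002", "given": "John", "family": "Smith",
     "dob": "1975-07-01", "ssn": "987-65-4321"},
    {"hr_id": "E1003", "given": "John", "family": "Smith",
     "dob": "1975-07-01", "ssn": "111-22-3333"},
]
PACS_RECORDS = [
    {"badge": "B-55", "given": "maria", "family": "LOPEZ",
     "dob": "1980-02-14", "ssn": "123456789"},
    {"badge": "B-56", "given": "John", "family": "Smith",
     "dob": "1975-07-01", "ssn": None},
    {"badge": "B-57", "given": "Jane", "family": "Doe",
     "dob": "1990-12-31", "ssn": None},
]

# Hypothetical secret used to tokenize SSNs; an assumption for this example.
# In a real deployment it is held in a KMS/HSM, never in source code.
TOKEN_KEY = b"example-only-secret"


def normalize_name(s):
    """Strip accents, case and surrounding whitespace so 'María'/'maria' match."""
    nfkd = unicodedata.normalize("NFKD", s)
    return "".join(c for c in nfkd if not unicodedata.combining(c)).strip().lower()


def ssn_token(ssn):
    """Keyed hash of the SSN digits; None if the value is absent or malformed."""
    if not ssn:
        return None
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        return None
    return hmac.new(TOKEN_KEY, digits.encode(), hashlib.sha256).hexdigest()


def strong_key(rec):
    """Unique-identifier match on the tokenized SSN, when the source has one."""
    return ssn_token(rec.get("ssn"))


def weak_key(rec):
    """Multi-attribute key: normalized given name, family name and date of birth."""
    return (normalize_name(rec["given"]), normalize_name(rec["family"]), rec["dob"])


def correlate(hr, pacs):
    """Link PACS badges to HR identifiers.

    Returns (matches, review): matches maps badge -> hr_id for records resolved
    automatically; review lists (badge, candidate_count) for records that need
    manual correlation because the multi-attribute key matched zero or several
    HR records.
    """
    by_strong = {}
    by_weak = {}
    for r in hr:
        k = strong_key(r)
        if k:
            by_strong[k] = r["hr_id"]
        by_weak.setdefault(weak_key(r), []).append(r["hr_id"])

    matches, review = {}, []
    for p in pacs:
        k = strong_key(p)
        if k and k in by_strong:
            matches[p["badge"]] = by_strong[k]
            continue
        candidates = by_weak.get(weak_key(p), [])
        if len(candidates) == 1:
            matches[p["badge"]] = candidates[0]
        else:
            # Zero candidates: unknown person. Several: ambiguous; never auto-link.
            review.append((p["badge"], len(candidates)))
    return matches, review


if __name__ == "__main__":
    m, r = correlate(HR_RECORDS, PACS_RECORDS)
    print("matched:", m)
    print("needs manual correlation:", r)
```

With the constructed data, badge B-55 resolves through the SSN token despite the differing name formatting, B-56 is held for review because two HR records share the same name and date of birth, and B-57 is held because no HR record matches.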

                                                                       Streamlined On-boarding
   Refers to improving the process an individual goes through to become affiliated with an agency as a result of the creation of an enterprise-wide digital
                                                                        identity.
 9. Is the data that your agency collects as part of the on-
    boarding process used to populate other systems and
    applications that need the same information? (7.2.1)
10. Is the data that your agency collects as part of the recruiting
    process used to populate other systems and applications
    that need the same information? (7.2.1)
11. Has your agency established an on-boarding solution that
    allows new employees to complete and submit all required
    forms online? (7.2.1)
12. Does your agency have a mechanism to electronically
    collect and manage contractor identity data during the on-
    boarding process? (7.2.3)
                                                             Streamlined Background Investigations
     Refers to the improvement of the processes related to searching records covering specific areas of an individual’s background as a result of an
                                                             enterprise-wide digital identity.
13. Which statement best describes the way in which your
    agency collects information for the background
    investigation? (7.2.2)
14. Has your agency transitioned all transmission of
    investigative and fingerprint data to the Office of Personnel
    Management (OPM) to electronic mechanisms? (7.2.2)

15. Are the fingerprints used to support a background
    investigation captured as part of the same enrollment
    session as the PIV? (7.2.2)
16. Which statement best describes your agency's use of
    OPM's Central Verification System (CVS)? (7.2.2)
                                                  Authoritative Digital Identity Attribute Exchange (AAES)
      A capability/technical solution that allows the secure sharing of authoritative identity attributes within an agency via the connection of various
                                                                 authoritative data sources.
17. Does your agency have a mechanism to share identity data
    from authoritative data sources with agency processes and
    systems that need to use that data? (7.1.1)

18. Does your agency have the capability to share (get and
    send) identity data across the agency and between
    bureaus/components? (7.3)
19. Has your agency incorporated requirements for new
    applications to have the ability to share identity data into its
    system development lifecycle? (7.3)
20. Which statement best describes the security of your
    agency's identity data sharing capability? (7.3)
21. To what extent has your agency conducted an analysis to
    determine the need for sharing information outside of its
    organization? (7.3)
22. Which statement best describes the steps your agency has
    taken to ensure its Authoritative Attribute Exchange Service
    (AAES) capability is compliant with privacy requirements?
    (7.3)




                                                                   Credential Management
 Credential Management is the support of the credential throughout its lifecycle; from establishing the need for a credential to
the expiration or termination of the credential. Additional guidance related to Credential Management can be found in Chapter 8
                                of the FICAM Roadmap and Implementation Guidance document.
                Evaluation Criteria                                                    Answer                                                               Comments/Notes (Optional)
                                                                               Sponsorship
                                        The process for establishing the need for a card/credential by an authorized official.

1. Which statement best describes the point at which
   sponsorship is performed for a federal employee? (8.3.1.1)


2. Which statement best describes the way in which the
   sponsorship request is initiated? (8.3.1)


3. Which statement best describes the way in which the
   identity data required for sponsorship is populated for
   federal employees? (8.3.1)
4. How does your agency perform quality assurance on the
   information in the PIV credentialing system? (8.3.2.3)


5. Does your agency follow the sponsorship requirements
   outlined in FIPS 201? (8.3.1)

                                                                                Enrollment
       The process of collecting and storing identity information of an entity in a registry/repository; typically associated with PIV card registration.

6. How are applicants notified that they are authorized to
   enroll for a PIV card? (8.3.1)


7. Which statement best describes your agency's approach to
   scheduling PIV card enrollment appointments? (8.3.1.4)


 8. Is your agency able to complete an enrollment in 10
    minutes or less, as required by the FICAM Roadmap?
    (8.3.1)
 9. Which statement best describes the way in which
    biographic data is populated to support credential
    enrollment? (8.3.1)
10. Does your agency's PIV card enrollment system
    automatically check the quality of the data (e.g., confirming
    the phone number has 10 digits)? (8.3.1)
11. Are the fingerprints collected during the PIV card enrollment
    also used for the background investigation? (8.3.1)


12. Does your agency follow the PIV card enrollment processes
    outlined in FIPS 201? (8.3.1)

                                                                                 Issuance
                                               The process by which possession of a credential is passed to an entity.

13. What steps has your agency taken to automate the approval
    for card issuance based upon the successful adjudication of
    a background investigation? (8.3.1.2)

14. Does your agency pass the relevant credential information
    to FEMA for those individuals who have been issued a PIV
    card with the Federal Emergency Response Official
    designation? (8.3.2)

15. How are applicants notified that their PIV card is ready for
    issuance? (8.3.1)


16. Which statement best describes your agency's approach to
    scheduling PIV card issuance appointments? (8.3.1)


17. Does your agency follow the PIV card issuance
    requirements outlined in FIPS 201? (8.3.1)
18. Does your agency have an accreditation program for PIV
    Card Issuers (PCIs) in accordance with NIST SP 800-79?
    (6.2.4.1)
                                                                 Credential Lifecycle Management
     The process of maintaining a credential and associated support over the lifecycle; common processes include renewal, reissuance, suspension,
                                                        blocking and unblocking, revocation, etc.
19. Which answer best describes the integration between
    credential management systems and other related systems
    or processes? (8.3.5.1)


20. How are cardholders notified that their PIV card certificates
    need to be renewed? (8.3.5.2)

21. How are cardholders notified that their PIV card needs to be
    renewed? (8.3.5)

22. Does your agency have a capability to automatically and
    electronically notify the personnel security specialist (or
    other appropriate party) when a subject's periodic re-
    investigation is due? (7.2.2)
23. How is the subject of certificate expiration communicated to
    PIV cardholders (i.e., an awareness of the digital certificates
    on their card, the fact that they will expire, and that they will
    need to take action to update the certificates)? (8.3.5.2)


24. Does your agency have a policy for card renewal
    processes? (8.3.5)
25. Which statement best describes your agency's process for
    addressing lost/stolen/broken PIV cards? (8.3.5)
26. What process does your agency follow to ensure collection
    of the PIV card after termination? (8.3.5)

27. Has your agency's Privacy Office reviewed your credential
    lifecycle management processes and determined it is
    compliant with privacy laws and regulations and that privacy
    protections and controls are properly implemented? (8.3)


                                                                        Data Security Using the PIV
                 Addresses the use of the PIV credential to perform additional security operations including encryption and digital signature.

28. Which statement best describes your agency's encryption
    capability? (8.5.1)




29. Does your agency's planned/implemented encryption
    capability use the PIV card?
30. Has your agency established and communicated
    policy/guidance on how and when to use encryption?
    (8.5.1)
31. Have applications been implemented to support the use of
    encryption? (8.5.1)
32. Are users trained in how to use the PIV for encryption and
    follow policy requirements in an effort to increase adoption
    across the agency? (8.5.1)
33. Which statement best describes your agency's digital
    signature capability? (8.5.2)
34. Does your agency's planned/implemented digital signature
    capability use the PIV card? (8.5.2)
35. Has your agency established and communicated
    policy/guidance on how and when to use digital signature?
    (8.5.2)
36. Have applications been implemented to support the use of
    digital signature? (8.5.2)
37. Are users trained in how to use the PIV for digital signature
    and follow policy requirements in an effort to increase
    adoption across the agency? (8.5.2)
38. Has a digital signature capability been integrated into
    approval processes for ICAM capabilities (e.g., background
    investigation, etc.)? (8.5.2)
39. Has your agency established a capability for the recovery of
    data encrypted with expired/lost credentials? (8.3.5)




              Self-Assessment: Credential Management                                                                    ICAM Maturity Model                               Page 11 of 15
                                                           Physical Access Management
  Physical Access Management is the management and control of the ways in which entities are granted access to a physical
 location such as a building, parking lot, garage, or office. Additional guidance related to Physical Access Management can be
                 found in Chapters 9 and 10 of the FICAM Roadmap and Implementation Guidance document.
               Evaluation Criteria                                                      Answer                                                               Comments/Notes (Optional)
                                                                          Planning & Design
          Relates to initial planning including resource, privilege, and policy management requirements and design of a technical PACS solution.

1. Has your agency developed and issued policy requiring the
   use of the PIV credential for access to the agency’s
   facilities? (10.1.1.2)
2. Has your agency developed a plan for accepting the PIV
   credential for access to all facilities that require the use of
   the PIV credential based on risk? (10.1.4)
3. Which best describes your agency's approach to the design
   and operation of its physical access control systems?
   (10.2.3)
4. Does your agency follow a defined life cycle methodology
   for planning and executing implementation of new PACS
   and upgrades to existing PACS? (10.1.4)
5. Which of the following best describes the process your
   agency follows to request/secure funding for its PACS?
   (10.1.3)
6. Which statement best describes the extent to which your
   agency has worked to meet the design requirements of the
   ICAM target state architecture for its PACS? (10.2)

7. Has your agency identified and established a
   comprehensive inventory for its protected facilities and
   areas? (9.1.1)
8. Which best describes the approach your agency takes for
   selecting the access control mechanism (i.e., technology
   available on the PIV card) for each facility or individual
   access control point that requires the use of PIV based on
   risk? (9.1.2)

 9. Is your agency's PACS included within the IT system
    inventory? (10.2.3)
10. To what extent has your agency applied the designation of
    “Controlled, Limited, Exclusion” to facilities and protected
    areas based on the guidance provided in SP 800-116?
    (10.1.2)
11. Has your agency's Privacy Office reviewed the planning and
    design of the technical PACS and determined it is compliant
    with privacy laws and regulations and that privacy
    protections and controls are properly implemented? (10.1)

                                                                     Provisioning/De-provisioning
Provisioning is the mechanism by which identity accounts are linked to access privileges within applications. De-provisioning is performed when there is
                         a need to permanently eliminate an existing access permission or remove a user account altogether.
12. Which answer best describes the way your agency creates
    users within your physical access system and applies basic
    access rights? (9.2)

13. To what extent has your agency implemented an automated
    provisioning capability as defined in the FICAM Roadmap
    and Implementation Guidance? (9.2.3)

14. Does your agency have a mechanism to log and audit
    approvals associated with provisioning user access rights?
    (9.2.3.2)
15. Have privacy protections been embedded into the electronic
    workflows of the applications or processes that are used to
    assign user access rights? (9.2.3)

                                                                           Authentication
  The process of verifying that a claimed identity is genuine and based on valid credentials. Authentication typically leads to a mutually shared level of
                                                       assurance by the relying parties in the identity.
16. Which statement best describes the extent to which your
    agency's PACS uses the PIV card for authentication to its
    facilities? (10.3.2)
17. Has your agency implemented PACS interfaces to support
    PIV public key infrastructure (PKI) certificate checks to
    grant physical access privileges based on risk? (10.2.1)


18. What steps does your agency take to determine the
    trustworthiness of a PIV or PIV-Interoperable card when
    enrolling/registering it into its PACS? (10.2.3)

19. Does your agency's PACS have the capability to periodically
    check and update credential status after the cardholder’s
    credentials are determined as valid and enrolled in a
    PACS? (10.2.3)
20. To what extent has your agency addressed PIV enablement
    at facilities it leases (i.e., does not manage access control
    system)? (10.1.3)

21. Which statement best describes the way in which your
    agency's PACS administrators and physical security staff
    log into the PACS management application? (8.3.3)

22. Has your agency mapped the PIV authentication
    mechanisms to the appropriate area designations
    ("Controlled, Limited, Exclusion") based on the guidance
    provided in SP 800-116? (10.1.2)

                                                                         Visitor Management
                     Includes processes for granting access to agency visitors and individuals requiring extended local facility access.

23. Does your agency have a visitor management policy that
    specifies what credential types are acceptable and the ways
    in which they should be authenticated? (10.5)
24. Which statement best describes the approach for
    requesting access for visitors? (10.5)

25. Does your agency accept PIV cards from visitors from
    another agency and electronically authenticate them in
    accordance with applicable access control procedures?
    (10.5)
26. Does your agency register visitors with PIV cards from
    another agency into its PACS? (10.5)
27. Does your agency leverage its existing credentialing
    infrastructure for visitors and accept PIV-I cards from
    visitors when they are available? (10.5)
28. What best describes the type of visitor badge in use within
    your agency? (10.5)




               Self-Assessment: Physical Access Management                                                              ICAM Maturity Model                                              Page 12 of 15
                    Evaluation Criteria                                                              Answer                                      Comments/Notes (Optional)
29. Does your agency consider the background vetting of its
    visitor populations when determining visitor procedures,
    such as the requirement for an escort? (10.5)

30. For individuals who require long-term facility access but do
    not meet the requirements to receive a PIV card, has your
    agency adopted a common approach for issuing and
    accepting an alternate card type that aligns with the
    recommendations found in the FICAM Roadmap and
    Implementation Guidance? (10.4)




               Self-Assessment: Physical Access Management                                                         ICAM Maturity Model                                       Page 13 of 15
                                                             Logical Access Management
 Logical Access Management is the management and control of the ways in which entities are granted access to an IT network,
 system, service, or application. Additional guidance related to Logical Access Management can be found in Chapters 9 and 11
                                of the FICAM Roadmap and Implementation Guidance document.
               Evaluation Criteria                                                   Answer                                                                  Comments/Notes (Optional)
                                                                          Planning & Design
          Relates to initial planning including resource, privilege, and policy management requirements and design of a technical LACS solution.

1. Has your agency developed and issued policy requiring the
   use of the PIV credential for access to the agency’s IT
   systems and applications? (11.1.1)
2. Has your agency developed a plan for accepting the PIV
   credential for access to all IT systems and applications?
   (11.1.1)
3. Does your agency follow a defined life cycle methodology
   for planning and executing implementation of new LACS
   and/or upgrades to existing LACS? (11.1.3)

4. Has your agency conducted an analysis to determine if any
   existing technology investments could be leveraged to
   support upgrades and/or replacement of its LACS in
   accordance with guidance provided in the FICAM
   Roadmap? (11.1.2)
5. Which of the following best describes the process your
   agency follows to request/secure funding for its LACS?
   (11.1.2)
6. Which statement best describes the extent to which your
   agency has worked to meet the design requirements of the
   ICAM target state architecture? (11.2)

 7. Has your agency identified and established a
    comprehensive inventory of its IT systems and applications?
    (9.1.1)
 8. Has your agency determined the access control
    requirements for each of its IT systems and applications?
    (9.1.2)
 9. To what extent has your agency prioritized the order in
    which its IT systems and applications will be enabled to use
    the PIV for user access? (11.1.3.6)
10. Has your agency's Privacy Office reviewed the planning and
    design of the LACS and determined it is compliant with
    privacy laws and regulations and that privacy protections
    and controls are properly implemented? (11.1)

                                                                     Provisioning/De-provisioning
     Provisioning is the mechanism by which identity accounts are linked to access privileges within IT systems and applications. De-provisioning is
              performed when there is a need to permanently eliminate an existing access permission or remove a user account altogether.
11. Which answer best describes the way your agency creates
    users within your logical access system and applies basic
    access rights? (9.2)
12. To what extent has your agency implemented an automated
    provisioning capability as defined in the FICAM Roadmap
    and Implementation Guidance? (9.2.3)

13. Does your agency have a mechanism to log and audit
    approvals associated with provisioning user access rights?
    (9.2.3.2)
14. Have privacy protections been embedded into the electronic
    workflows of the applications or processes that are used to
    assign user access rights? (9.2.3)
15. Which answer best describes the status of your agency's IT
    systems/applications integration into the automated
    provisioning workflow? (11.1.3)
16. To what extent does your agency have the ability to detect
    potential conflicts in user access privileges (i.e.,
    Segregation of Duties)? (9.2.3)
17. Which answer best describes your agency's ability to de-
    provision user access when it is no longer needed? (9.2.3)

                                                                           Authentication
  The process of verifying that a claimed identity is genuine and based on valid credentials. Authentication typically leads to a mutually shared level of
                                                       assurance by the relying parties in the identity.
18. Which best describes the extent to which your agency's
    LACS uses the PIV card for authentication to its IT systems
    and applications? (11.2)
19. Does your agency have a mechanism for performing
    certificate path discovery and validation in association with
    card authentication? (11.3)

20. Which answer best describes the way in which
    authentication services are provided to IT systems and
    applications? (11.2)
21. Which answer best describes the way in which your
    agency's system/network administrators (or other users with
    special access privileges) authenticate to their administrator
    accounts? (8.3.3)
22. Is your agency's LACS able to support authentication and
    authorization of remote users using the PIV card? (11.2.3)

                                                                            Authorization
   The process of granting or denying specific requests for obtaining and using information processing services or data and to enter specific physical
                                                                        facilities.
23. Which answer best describes the way in which your agency
    grants users access to IT systems and applications? (9.3)

24. Which of the following answers best describes the
    authorization services that your agency’s LACS provides to
    your agency's IT systems and applications? (11.2)

25. Where authorization services are provided, does your
    agency have the capability to accommodate special roles
    and policies based on individual application needs? (9.3)

                                                                        Session Management
Involves the sharing of data among multiple relying parties as part of an authenticated user session; includes protocol translation services for access to
                  systems needing different authentication protocols; manages automatic time-outs and requests for re-authentication.
26. Which of the following best describes the way in which your
    agency's LACS enables users to access multiple IT systems
    and applications using the same credential during the same
    access session? (11.2.2)




                Self-Assessment: Logical Access Management                                                              ICAM Maturity Model                                              Page 14 of 15
                                                                       Federation
    Federation is the capability to support a trust relationship between discrete digital identity providers (IDPs) that enables a
 relying party to accept credentials from an external IDP in order to make access control decisions. Additional guidance related
       to Federation can be found in Chapters 8 and 12 of the FICAM Roadmap and Implementation Guidance document.

                     Evaluation Criteria                                                               Answer                                              Comments/Notes (Optional)
                                                                   Interagency Federation
                     Occurs between two or more federal agencies using the PIV card as the common credential for user authentication.

 1. Does your agency have any IT systems or applications that
    are accessed by another agency's users? (8.4)
 2. What steps has your agency taken to implement a policy for
    accepting and electronically authenticating PIV cards from
    users from other agencies? (8.4)

 3. Which answer most accurately represents your agency’s
    approach for authenticating and granting access to users
    from other agencies? (8.4)

 4. Which of the following answers best describes the process
    users from other agencies follow to request access to
    applications where account creation is required? (8.4)

 5. Which of the following answers best describes the way in
    which identity attributes for users from another agency are
    obtained to facilitate granting access to IT systems and
    applications? (8.4)
 6. Which of the following answers best describes how your
    agency manages the identity data and entitlements for
    users from another agency?
 7. Has your agency's Privacy Office reviewed the approach for
    authenticating and granting access to users from other
    agencies to ensure it is compliant with privacy laws and
    regulations and that privacy protections and controls are
    properly implemented? (8.4)

                                               Federation with Entities External to the Federal Government
   Occurs between a federal agency and any other non-federal organization or entity (e.g., state, local, or tribal governments, commercial entities, and
                                                                     citizens).
 8. Does your agency have any IT systems or applications that
    are accessed by individuals that are external to the Federal
    Government (i.e., not an employee or contractor of another
    federal agency)? (12.1.1)
 9. Which answer best describes your agency’s policy for
    accepting third-party credentials? (12.4)

10. Which answer best describes your agency’s planning
    efforts for the enablement of applications that are accessed
    by non-federal users (i.e., public-facing) to accept third-
    party credentials? (12.4)

11. Which answer best describes the level of implementation
    for IT systems and applications that must accept third-party
    credentials? (12.4)

12. Has your agency implemented an attribute exchange
    capability (e.g., Backend Attribute Exchange) to enable
    electronic retrieval of identity attributes for non-federal
    users? (12.3)

13. Which of the following answers best describes the way in
    which identity attributes from non-federal users are
    obtained to facilitate granting access to IT systems and
    applications? (12.3)
14. Which of the following answers best describes the process
    that non-federal users follow to request access to agency IT
    systems and applications in situations where a user
    account will be established? (12.3)
15. Has your agency's Privacy Office reviewed the approach for
    accepting third-party credentials to ensure it is compliant
    with privacy laws and regulations and that privacy
    protections and controls are properly implemented? (12.3)




                 Self-Assessment: Federation                                                                           ICAM Maturity Model                                             Page 15 of 15

				