
Federal CIO Council Information Security and Identity Management Committee IDManagement.gov Leadership Communications Brief Last Updated: June 13, 2013.


1 Federal CIO Council Information Security and Identity Management Committee IDManagement.gov Leadership Communications Brief Last Updated: June 13, 2013

2 Content Overview
Choose your own adventure! This briefing deck is intended for agencies to leverage in a manner that is most appropriate for them. The deck includes summary information as well as more detailed slides related to particular topics. The slides are broken down into the following categories:
• ICAM Goals and Objectives
• Current Challenges and ICAM Solutions
• Intersection of ICAM and Emerging Needs
• Resources

3 ICAM Overview

4 What is Identity, Credential, and Access Management (ICAM)?
ICAM represents the intersection of digital identities, credentials, and access control into one comprehensive approach that is focused on delivering greater convenience and appropriate security and privacy protection, with less effort and at a lower cost.
ICAM includes:
• Digital Identity
• Credentialing
• Privilege Management
• Authentication
• Authorization and Access
• Federation
• Cryptography
• Auditing and Reporting

5 What Does ICAM Provide?
The ICAM Target State architecture enhances alignment, clarity, and interoperability across the Federal Government while improving security, eliminating redundancies, and reducing costs.
1. Identity Management: Protection of PII*; simplified management of user data; streamlined on-boarding
2. Credential Management: Improved interoperability; resistance to fraud and tampering; enhanced interagency trust
3. Access Management: Stronger authentication; streamlined access to resources; reduced enterprise costs
4. Federation: Improved collaboration with partners; reduced management burden on external users
5. Auditing and Reporting: Enhanced activity logging; ability to support security forensics
* Personally Identifiable Information (PII)

6 ICAM Goals and Objectives
ICAM addresses federal identity, credential, and access management programs and demonstrates the importance of implementing the ICAM segment architecture in support of five overarching strategic goals and their related objectives.
Goal 1: Comply with Federal Laws Relevant to ICAM. Key objectives:
• Align and coordinate federal policies and key initiatives impacting ICAM implementation
• Establish and enforce accountability for ICAM implementation to governance bodies
Goal 2: Facilitate E-Government by Streamlining Access to Services. Key objectives:
• Expand secure electronic access to government data and systems
• Promote public confidence through transparent ICAM practices
Goal 3: Improve Security Posture across the Federal Enterprise. Key objectives:
• Support cybersecurity programs
• Integrate electronic verification procedures with PACS
• Drive the use of a role-based framework for access control
• Improve electronic audit capabilities
Goal 4: Enable Trust and Interoperability. Key objectives:
• Support ISE communities of interest
• Align processes with external partners
• Establish and maintain trust relationships
Goal 5: Reduce Costs and Increase Efficiency. Key objectives:
• Leverage standards and COTS for ICAM services
• Reduce administrative burden associated with performing ICAM tasks
• Align existing and reduce redundant ICAM programs
• Increase interoperability and reuse of ICAM programs and systems

7 Agency ICAM Responsibilities
Federal agencies are responsible for the agency-level initiatives found in the FICAM Roadmap and Implementation Guidance as required by M-11-11.
Initiative 5: Streamline Collection & Sharing of Digital Identity Data. Key objectives:
• Establish and leverage authoritative data sources
• Automatically and electronically share identity data
Initiative 6: Fully Leverage PIV and PIV-I Credentials. Key objectives:
• Authenticate cardholders using the mechanisms on PIV/PIV-I cards
• Accept PIV cards from other agencies
• Use the PIV card for data security operations (e.g., encryption)
Initiatives 7 & 8: Modernize PACS & LACS Infrastructure. Key objectives:
• PIV-enable PACS/LACS
• Automate provisioning of user access privileges
• Implement enterprise solutions for cost savings
Initiative 9: Implement Federated Identity Capability. Key objectives:
• Leverage FPKI and trust framework processes
• Enable applications to accept third-party credentials

8 The ICAM Evolution
The Federal ICAM Initiative was created based on the recommendation of the National Science and Technology Council (NSTC) Identity Management Task Force Report, as an endeavor to provide streamlined coordination and management for related programs, including Federal Public Key Infrastructure (PKI), E-Authentication, and Homeland Security Presidential Directive 12 (HSPD-12).
Timeline:
• October 1998: GPEA
• September 2002: FCPA Operational
• October 2002: FISMA
• December 2002: E-Gov
• December 2003: M-04-04
• August 2004: HSPD-12
• August 2005: M-05-24
• March 2006: FIPS 201
• Development of Special Publications (Issuance of PIV Begins)
• September 2008: NSTC Task Force Report
• December 2008: ISIMC Chartered
• Development of ICAM Segment Architecture
• November 2009: FICAM Roadmap & Implementation Guidance v1.0
• Development of Implementation Guidance
• February 2011: M-11-11
• December 2011: FICAM Roadmap & Implementation Guidance v2.0

9 ICAM Drivers
There are a number of drivers related to security, privacy, and efficiency that have converged to emphasize the need for coordinated ICAM efforts.
• Increasing cybersecurity threats
  – There is no National, International, Industry “standard” approach to individual identity on the network. (President’s 60 Day Cyberspace Policy Review)
  – Security weaknesses found across agencies included the areas of user identification and authentication, encryption of sensitive data, logging and auditing, and physical access. (GAO-09-701T)
• Need for improved physical security
• Lag in providing government services electronically
• Vulnerability of Personally Identifiable Information (PII)
• Lack of interoperability
  – “The ICAM segment architecture will serve as an important tool for providing awareness to external mission partners and drive the development and implementation of interoperable solutions.” (President’s FY2010 Budget)
• High costs for duplicative processes and data management

10 ICAM Mission
ICAM seeks to streamline government-wide identity, credential, and access management activities to ensure alignment and clarity, minimize duplication of effort, and promote government-wide interoperability.
• Fostering effective government-wide identity and access management
• Enabling trust in online transactions through common identity and access management policies and approaches
• Aligning federal agencies around common identity and access management practices
• Reducing the identity and access management burden for individual agencies by fostering common interoperable approaches
• Ensuring alignment across all identity and access management activities that cross individual agency boundaries
• Collaborating with external identity management activities through inter-federation to enhance interoperability

11 Supporting Your Agency’s Mission with ICAM
ICAM provides a foundational capability to manage identity accounts, user credentials, and access to your agency’s resources.
Populations served: Agency Employees & Contractors; Customers; Business Partners.
Capability areas: Identity Management; Credential Management; Access Management.
Capabilities shown:
• Implement PIV for employees & contractors
• Leverage PKI
• Leverage trusted externally-issued credentials
• Protect personally identifiable information
• Manage users & accounts
• Securely share attributes
• Access federal facilities
• Access IT resources
• Federate access for external users

12 Agency Challenges and Solutions

13 Today’s Agency Challenges
ICAM can assist an agency in implementing solutions to overcome a variety of obstacles:
• Budget Constraints
• Differing Agency Priorities
• Technical Comprehension
• Collaboration Between Agency Stakeholders
• Multiple Federal Laws and Policies
• Distributed Organizations
• Agency Resources
• PIV and PIV-enablement
• Understanding How FICAM Impacts Agency Programs

14 Budget Constraints

15 Leverage Existing Investments
Agencies may have existing investments in place that are capable of providing services in a manner consistent with the target state ICAM segment architecture.
• Software. Cost of software, including licenses and maintenance fees, that can be decommissioned or redeployed across all environments for development, testing, and production
• Hardware. Cost of hardware that could be decommissioned or redeployed across all environments for development, testing, and production
The availability of enterprise software licenses should be investigated, as these can significantly lower acquisition costs and influence an agency’s make-or-buy decision.
This information has been derived from the FICAM Roadmap.

16 Tools to Support Agency ICAM Planning
Leverage existing tools and documentation to plan for ICAM investments!
• FICAM Roadmap V2.0: Capital planning guidance is found in Chapter 6. Planning for physical and logical access implementations is found in Chapters 10 and 11 respectively.
• ICAM ROI Toolkit*: The ROI dashboard tool can be used to determine potential ICAM costs and benefits. Based on estimated costs, the Toolkit assists agencies in building a business case.
• ICAM Maturity Model: Identify how and where programs are being successful. The findings can inform an agency on where resources can be leveraged.
* Please contact ICAM@gsa.gov to access the ICAM ROI Toolkit.

17 FICAM Roadmap and Implementation Guidance (FICAM Roadmap V2.0)
The FICAM Roadmap and Implementation Guidance document consists of two components: Part A outlines the government-wide ICAM segment architecture, and Part B provides agencies with implementation guidance critical for achieving alignment.
Part A: ICAM Segment Architecture (Chapters 3 - 5) provides the ICAM segment architecture, which outlines a cohesive target state to ensure clarity and interoperability across agency-level initiatives, including:
• Compliance with the Federal Segment Architecture Methodology (FSAM)
• Various use cases which illustrate the as-is and target states of high-level ICAM functions and frame a gap analysis between the as-is and target states
• A detailed transition roadmap and milestones which define a series of logical steps or phases that enable the implementation of the target architecture
Part B: Implementation Guidance (Chapters 6 - 12) provides guidance on a broad range of topics to enable a holistic approach for alignment with the ICAM segment architecture, including:
• Information for planning and managing an agency’s ICAM program
• Sample solution architectures for expected target state technical capabilities
• Important considerations, benefits, and limitations for different implementation approaches
• Numerous tips, FAQs, and lessons learned from real ICAM implementations

18 ROI Toolkit Overview
The ROI Toolkit* is a resource that agencies can leverage when demonstrating the value of ICAM and/or building their business case for an ICAM implementation.
• ROI Case Study Inventory. Summarizes federal and commercial ICAM case studies and sound bites that can be leveraged to help scope an ICAM business case analysis. The sound bites can be leveraged as more anecdotal improvement metrics or results.
• ROI Dashboard Tool. Provides templates for calculating ICAM costs and benefits as well as example reports that can be used when planning for an ICAM implementation.
• Building an ICAM Business Case Presentation. Provides a more detailed, step-by-step approach for building an ICAM business case and the cost calculations associated with it. It is to be used in conjunction with the ICAM ROI Dashboard Tool.
* Please contact ICAM@gsa.gov to access the ICAM ROI Toolkit.

19 ICAM Maturity Model
The ICAM Maturity Model tool provides a government-wide approach for evaluating the progress of an agency’s capabilities against the ICAM segment architecture.
• Provides a series of questions for an agency to answer related to:
  – Governance & Program Management
  – Identity Management
  – Credential Management
  – Physical Access Management
  – Logical Access Management
  – Federation
• Identifies capability gaps between the current state and the ICAM target state via a summary dashboard
• Provides the steps necessary to achieve the next phase of ICAM maturity

20 Technical Comprehension

21 ICAM Technology at a Glance
Understanding the key characteristics of ICAM technology can help an agency move toward the ICAM target state. ICAM technology characteristics:
• Provides protection of both physical (e.g., buildings, offices) and logical (e.g., networks, applications) agency resources and assets
• Promotes collaboration among federal agencies and with mission partners
• Aligns with multiple agency missions and needs (i.e., provides a high degree of customization and flexibility)
• Supports the ability to manage multiple users and their privileges when accessing agency resources (i.e., networks and applications)
• Promotes a high level of security, privacy, and protection for the sharing and storage of sensitive data and information
• Provides a logging process to support a clear audit trail

22 Understanding How FICAM Impacts Agency Programs

23 ICAM Can Support Other Agency Programs
Experience the following benefits across your agency business processes by implementing ICAM:
• Increased security, which correlates directly to a reduction in identity theft, data breaches, and trust violations.
• Compliance with laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress.
• Improved interoperability, specifically between agencies using their PIV credentials along with other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework.
• Enhanced customer service, both within agencies and with their business partners and constituents, facilitating secure, streamlined, and user-friendly transactions.
• Elimination of redundancy, both through agency consolidation of processes and workflow and the provision of government-wide services to support ICAM processes.
• Increased protection of Personally Identifiable Information (PII) by consolidating and securing identity data.

24 Collaboration Between Agency Stakeholders

25 Capital Planning for ICAM
Collaboration between all relevant stakeholders during each phase of the Capital Planning and Investment Control (CPIC) process is critical to ensure that the overlapping elements of different ICAM activities are addressed.
• To support capital planning for ICAM programs, an agency should:
  – Coordinate capital planning efforts across individual ICAM projects and Exhibit 300 business cases
  – Ensure alignment throughout the organization to consolidate redundant ICAM investments across agency components
  – Support collaboration across ICAM projects and systems to improve visibility and accountability of the agency’s spending on ICAM-related investments
  – Evaluate agency-specific needs to determine the appropriate and most cost-efficient Exhibit 300 submission approach
• Agencies should work to incorporate ICAM requirements into their CPIC and investment request processes by:
  – Identifying key criteria for an investment to be considered aligned with the ICAM target state;
  – Incorporating those criteria into CPIC processes and guidance; and
  – Communicating any changes to the relevant stakeholders and CPIC process participants.

26 ICAM Touches Many Programs
Coordinate with the appropriate stakeholders at your agency early and often! Suggested coordination activities include:
• Problem-Solving Teams: Develop expert problem-solving teams, such as working groups that are established to address issues and present solutions.
  – Help to identify and escalate business and technical challenges that may not be known at the enterprise level but could impede ICAM implementation throughout the agency.
  – Share implementation lessons learned across bureaus/components or individual programs to reduce overall ICAM program risk and increase speed and efficiency in implementation.
• Focus Groups / Tiger Teams: Stand up smaller focus groups or tiger teams for the purpose of resolving specific program issues or providing direct support for implementation.
  – Improve stakeholder buy-in associated with enterprise approaches and services by promoting better understanding and a sense of inclusion and ownership in the program.
  – Improve consistency across an agency’s ICAM implementation, a key goal when implementing the ICAM segment architecture.
This information has been derived from the FICAM Roadmap; for more detailed information see section 6.1.2 Program Stakeholders.

27 Multiple Federal Laws and Policies

28 The Current ICAM Policy Landscape
Implementing ICAM promotes alignment with multiple policies.
• HSPD-12: Homeland Security Presidential Directive 12 was issued August 27, 2004 to create a common identification standard for federal employees and contractors for accessing federally-controlled facilities and federal information systems.
• OMB M-11-11: Issued February 3, 2011, OMB M-11-11 provides additional guidance for agencies in the continued implementation of HSPD-12 and requires federal agencies to designate a lead official and issue a policy requiring use of the PIV credential.
• NSTIC: In April 2011, the National Strategy for Trusted Identities in Cyberspace (NSTIC) was developed to enable individuals and organizations to utilize improved identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.
• VanRoekel Memo: On October 6, 2011 the Office of Management and Budget (OMB) released a policy memorandum related to the acceptance of externally-issued identity credentials by federal applications.
• NSISS: The National Strategy for Information Sharing and Safeguarding (NSISS) was signed by the President on December 19, 2012 and contains goals, principles, and objectives that outline a plan for how the Federal Government will responsibly share and safeguard information to enhance and protect national security.

29 Policy Shaping the ICAM Landscape
The ICAM landscape contains a multitude of policy drivers that enable the interoperability and trust necessary to accomplish secure information sharing within and beyond the boundaries of the Federal Government.
• Uphold Security Posture: Promotes the use of enhanced security measures to protect government systems, resources, and facilities. References: Homeland Security Presidential Directive 12 (HSPD-12); Federal Information Security Management Act (FISMA); FIPS 201-2.
• Secure Information Sharing: Facilitates government-wide interoperability and trusted collaboration across the unclassified, secret, and top secret fabrics. References: Intelligence Reform and Terrorism Prevention Act; Executive Order (E.O.) 13587; National Strategy for Information Sharing and Safeguarding (NSISS).
• Enable Trust and Interoperability: Establishes a foundation of internal and external trust to drive the development and implementation of interoperable solutions. References: National Security Strategy (2010); Van Roekel Memo; National Strategy for Trusted Identities in Cyberspace (NSTIC).
• Facilitate E-Government: Supports the elimination of paper-based forms to streamline existing processes and reduce redundancies. References: E-Government Act of 2002; OMB M-04-04; The Digital Government Strategy; Government Paperwork Elimination Act (GPEA).

30 HSPD-12

31 HSPD-12
Homeland Security Presidential Directive 12 was issued August 27, 2004 to create a common identification standard for federal employees and contractors for accessing federally-controlled facilities and federal information systems.
Security objectives:
• Establish a mandatory, government-wide standard for secure and reliable forms of identification that:
  – Is issued based on sound criteria for verifying an individual employee's identity;
  – Is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation;
  – Can be rapidly authenticated electronically; and
  – Is issued only by providers whose reliability has been established by an official accreditation process.
Results:
• A standard, interoperable credential: the PIV credential
• Consistent processes for identity vetting and proofing
• A common, secure approach for accessing facilities and networks
• An increased level of government efficiency
http://www.dhs.gov/homeland-security-presidential-directive-12

32 The Environment Prior to HSPD-12
Before HSPD-12, key efforts in the federal environment, such as physical and logical access and identity vetting and identity processes, were managed separately and inconsistently.
Logical Access:
• Management of multiple passwords and user accounts, increasing inefficiencies
• Use of lower-assurance credentials (e.g., passwords), introducing security risks
• Inconvenience to users of remembering/managing different passwords and tokens
Identity Processes:
• Various processes for confirming the identity of a user prior to issuance of a credential, making it possible for individuals to claim a false identity
• Inconsistent vetting requirements, resulting in varying levels of suitability
• No trust or reciprocity across agencies, leading to duplication of investigation efforts and costs
Physical Access:
• Over 200 types of valid IDs, leading to inefficiencies and security challenges
• Prevalence of IDs that could be easily counterfeited, enhancing the potential for a security breach
• In many cases, no means of electronic verification, providing little to no assurance of a user’s identity and introducing the opportunity for human error

33 PIV Credential Overview
The PIV credential has a variety of security features, notably the use of Public Key Infrastructure (PKI) cryptography to provide strong identity assurance in an interoperable manner.
• Chain of Trust / Identity Proofing Process (common processes): Identity proofing and background investigation processes that build a chain of trust.
• Biometric Authentication: Fingerprint and/or iris information used for authentication that binds the identity of the user to the credential.
• PIN: Something that only the user knows and is used to access various applications. Replaces cumbersome and insecure passwords for applications.
• Physical Features: Strong anti-counterfeiting features (e.g., laser etching, holographic images).
• PKI Authentication: Digital certificate on the card that supports electronic verification of the cardholder.
• PKI Digital Signature: For electronically signing documents to provide non-repudiation and message integrity.
• PKI Encryption: For cryptographically protecting data at rest and in transit in order to provide confidentiality.
(Sample card face shown on the slide: Affiliation: Civilian; Lastname Firstname, M.; United States Government; Agency/Department: Department of Homeland Security; Issued 01/01/10; Expires 01/01/15; Federal Emergency Response Official; color photograph; contact chip.)
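The PKI Authentication feature above is what lets a relying party verify a cardholder electronically: the card holds a private key whose certificate was issued by a trusted issuer, and the relying party checks a signature the card produces over a fresh challenge. The Go program below is an added example written for this page; it is not code from the briefing or from any GSA/FICAM tool. It simulates that exchange end to end with the standard library only: a constructed issuing CA certifies a cardholder key, the card signs a random nonce, and the relying party accepts only if the certificate chains to the trusted issuer, is within its validity period, permits client authentication, and the signature verifies. The issuer name, cardholder name, 2048-bit RSA keys, PKCS#1 v1.5 signatures and validity dates are all assumptions of the example; a real PIV card performs the signing inside its chip and its certificate chains to the Federal PKI, and a production relying party would also check revocation status.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is a private key plus certificate; it models both the constructed
// issuing CA and the PIV card, whose private key never leaves the card.
type Identity struct {
	key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// mint generates a fresh RSA key (2048 bits assumed) and certifies it;
// when no parent is given the certificate is self-signed.
func mint(tmpl, parent *x509.Certificate, signer *rsa.PrivateKey) (*Identity, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{key: key, Cert: cert}, nil
}

// NewIssuer creates the self-signed issuing CA that relying parties trust.
func NewIssuer(name string) (*Identity, error) {
	now := time.Now()
	return mint(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// IssueCard binds a new card key to a PIV Authentication certificate for holder.
func (iss *Identity) IssueCard(holder string, notBefore, notAfter time.Time) (*Identity, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	return mint(&x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: holder},
		NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, iss.Cert, iss.key)
}

// SignChallenge is the card's side: sign SHA-256(nonce) with the card key (PKCS#1 v1.5 assumed).
func (card *Identity) SignChallenge(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return rsa.SignPKCS1v15(rand.Reader, card.key, crypto.SHA256, digest[:])
}

// VerifyChallenge is the relying party's side: the presented certificate must chain to a
// trusted root, be valid at time now and permit client authentication, and the signature
// over the nonce must verify under the certificate's public key.
func VerifyChallenge(roots *x509.CertPool, cert *x509.Certificate, nonce, sig []byte, now time.Time) error {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("certificate does not carry an RSA key")
	}
	digest := sha256.Sum256(nonce)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("challenge signature invalid: %w", err)
	}
	return nil
}

func main() {
	iss, _ := NewIssuer("Example Agency PIV CA (constructed)")
	now := time.Now()
	card, _ := iss.IssueCard("Lastname Firstname, M. (constructed)", now.Add(-time.Hour), now.Add(365*24*time.Hour))
	roots := x509.NewCertPool()
	roots.AddCert(iss.Cert)
	nonce := make([]byte, 32) // relying party's fresh random challenge
	rand.Read(nonce)
	sig, _ := card.SignChallenge(nonce)
	fmt.Println("genuine card, in validity:", VerifyChallenge(roots, card.Cert, nonce, sig, now))
}
```

The relying party never needs the card's private key, only the certificate and the trusted root; a certificate from an issuer that is not in the root pool, an expired certificate, or a signature over a different nonce (a replay) all fail VerifyChallenge with a distinct error, which is the property the slide's "electronic verification of the cardholder" rests on.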

34 HSPD-12 Streamlines Operations and Reduces Duplication
By implementing HSPD-12 and standardizing the PIV credential, agencies experience significant cost-savings and added value.
Prior to HSPD-12:
• Security breach remediation
• Multiple password resets
• Repeated data entry
• Manual/redundant paperwork
• Duplicative processes
• Distributed physical security
• Extensive IT and infrastructure costs
• Multiple credentials needed
HSPD-12 Environment, cost-savings from:
• Minimized password resets
• Reduced infrastructure and hosting costs on other credential types
• Minimized security breaches
• Phasing out duplicative processes and IT investments
HSPD-12 Environment, added value from:
• Minimized paperwork/manual processes
• Enhanced information-sharing
• Improved user satisfaction from having to remember a single PIN vs. multiple passwords

35 Using the PIV Credential
Imagine a world where a single credential gets you in the front door to your office, onto your computer, allows you to securely sign and encrypt data, and access government-wide tools and resources at other agencies. This world is possible today with the PIV credential.
• Access your agency’s resources
• Leverage value-add applications: digital signatures, encryption, transit/payment
• Interoperable for government-wide use: government-wide applications, access at other agencies

36 PIV Credential vs. Other Credentials
The PIV credential provides many features and benefits that other credentials are unable to offer, as depicted below.
Credentials compared: Password; OTP Tokens; PIV. Features compared:
• User vetting
• High identity assurance
• Interoperability
• Accredited issuance processes
• Cross-agency trust
• Use for physical and logical access
• Encryption
• Digital signature
• Efficiencies
• Biometric binding of identity

37 HSPD-12: PIV is an Enabler
The PIV credential is an enabler for efforts across the Federal Government to move toward a stronger, more secure, and more efficient presence on the internet.
• Cybersecurity: Strengthens the security and resiliency of critical infrastructure against evolving threats to safeguard the government. References: Cybersecurity Strategy; FISMA; PPD on Critical Infrastructure Security and Resilience.
• E-Government: Promotes the use of electronic forms and offers online-based government services for strong authentication. References: The Digital Government Strategy; E-SIGN Act; E-Government Act.
• Information Sharing: Encourages sustained, responsible, and trusted collaboration to support interoperability across the government. References: National Strategy for Information Sharing and Safeguarding; ISS EO 13587.
• Good Steward of IT Resources: Emphasizes planning and spending control processes for investment in information systems to support agency missions. References: Clinger-Cohen Act; M-12-10: PortfolioStat; M-13-02: Strategic Sourcing; IT Spending Investment Performance.

38 Standards-based Solutions for Meeting Emerging Needs
There is an emerging desire across federal employees to have more flexibility in their work. The Federal Government is moving toward the use of mobile devices and allowing employees to telework.
PIV-derived credential: use mobile devices to strongly authenticate to agency resources, and perform these secure transactions from any location!
• Strongly authenticate
• Digitally sign and encrypt data
• Access applications

39 Agency Status
When considering the HSPD-12 objective to move toward a common credential, the government is succeeding. Today a large number of PIV credentials have been issued; however, an agency is not able to capitalize on the true return on this investment until it begins fully leveraging the credential.

40 Look at the Numbers
As a result of HSPD-12, agencies have the capabilities necessary to strengthen their current IT infrastructure and address the risks associated with the evolving threat environment.
• 17%: the percentage of incidents reported from unauthorized access (GAO-13-187)
• $7.2M: the estimated cost of a data breach per incident (Bloomberg)
• $1.52B: the estimated cost to Americans related to identity theft (Huffington Post)
• 782%: increase in cybersecurity incidents reported by federal agencies, 2006-2012 (GAO-13-187)
• 46%: decrease in successful network intrusions resulting from smart card-based PKI logon in the DoD (Realized Value of FPKI)
• $1,464/user: estimated agency savings per year on password resets (Forrester)
• 75%: reduction of document handling costs, shipping costs and processing costs by using digital signatures (Signix.com)
• $100: total cost savings per user, per year by avoiding use of one-time password tokens (Tyntec)
• 30%: decrease in the number of successful socially engineered e-mail attacks in the DoD, from use of smart card/PKI (Realized Value of FPKI)
• $2.9B/year: estimated savings realized from switching to digital transactions (Economist)

41 Takeaways
• PIV is fiscally responsible IT: it provides for consolidation of investments, reduces redundancy and stovepipes, and promotes integration.
• PKI is a robust technology that is used every day so that websites can be trusted to conduct transactions, and it supports two- and three-factor authentication.
• HSPD-12 provides a very high level of assurance of identity, and this facilitates trust.
• HSPD-12 provides interoperable, crypto-based authentication for logical and physical access.
• The PIV credential can be used for value-added functionality such as digital signatures, which reduce paper forms, and encryption, which protects data at rest and data in transmission.

42 Call to Action
Use the PIV credential at your agency!
• Ensure that contracts for procurements of IT, building access, and systems enable the PIV credential
• Mandate the use of the PIV credential for network log on and building access
• Accept the PIV credentials of other agency users
• Identify, prioritize, and PIV-enable multi-agency applications
• Phase out redundant infrastructure

43 OMB M-11-11

44 M-11-11
Issued February 3, 2011, OMB M-11-11 provides additional guidance for agencies in the continued implementation of HSPD-12 and requires federal agencies to designate a lead official and issue a policy requiring use of the PIV credential. Key points include:
• Effective immediately, all new systems under development must be enabled to use PIV credentials prior to being made operational
• Effective the beginning of FY2012, existing physical and logical access control systems must be upgraded to use PIV credentials prior to the agency using development and technology refresh funds to complete other activities
• Procurements for services and products involving facility or system access control must be in accordance with HSPD-12 policy and the Federal Acquisition Regulation
• Agency processes must accept and electronically verify PIV credentials issued by other federal agencies
• The government-wide architecture and agency transition plans must align, as described in the Federal Identity, Credential, and Access Management Roadmap and Implementation Guidance
http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf

45 NSTIC

46 NSTIC
In April 2011, the National Strategy for Trusted Identities in Cyberspace (NSTIC) was developed to enable individuals and organizations to utilize improved identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.
• Addresses the need for a “cybersecurity focused identity management vision and strategy,” as stated in the President’s 2009 Cyberspace Policy Review
• Seeks to establish an Identity Ecosystem where individuals and organizations can trust each other and have confidence in the security of online transactions
• NSTIC Guiding Principles state that Identity Solutions will be:
  – Privacy-enhancing and voluntary
  – Secure and resilient
  – Interoperable
  – Cost-effective and easy to use
http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf

47 VanRoekel Memo

48 VanRoekel Memo
On October 6, 2011 the Office of Management and Budget (OMB) released a policy memorandum related to the acceptance of externally-issued identity credentials by federal applications.
Objectives:
• Calls for agencies to enable the use of externally-issued credentials on web sites that allow members of the public and business partners to register or log on.
• Requires that agencies only accept externally-issued credentials that are issued in accordance with National Institute of Standards and Technology guidelines and Federal Chief Information Officers (CIO) Council processes.
• Externally-issued credentials are those that have been issued by an entity other than the Federal Government. In this document, the term externally-issued credential is used interchangeably with third party credential.
Results:
• Reduce the agency costs associated with issuing and managing user credentials.
• Decrease the burden on system users by allowing reuse of an existing credential.
http://www.howto.gov/sites/default/files/omb-req-externally-issued-cred_0.pdf

49 NSISS Priority Objective #4

50 NSISS, Priority Objective #4
 The NSISS contains Priority Objective #4 (PO #4) to implement FICAM on each of the three security fabrics: Unclassified, Secret, and Top Secret.
 As a result of PO #4, implementation plans will be developed for each fabric:
   The Unclassified Implementation Plan will include all unclassified, Sensitive but Unclassified (SBU), and Controlled Unclassified Information (CUI) federal systems and systems/users that interact with these systems.
   The Secret Implementation Plan will include all systems of the Executive Branch that contain secret information.
   The Top Secret Implementation Plan will include all systems of the Executive Branch that contain top secret information.

51 Distributed Organizations

52 Bring your Agency Together with ICAM: ICAM Maturity Model
The ICAM Maturity Model can help an agency identify its ICAM priorities, see where it is succeeding, determine where to make additional investment, and decide on the next steps needed to continue improvement. The ICAM Maturity Model helps measure across distributed program areas, which will likely be in different stages of implementation.

53 PIV and PIV-enablement

54 PIV Credential Overview
The PIV credential has a variety of security features, notably the use of Public Key Infrastructure (PKI) cryptography to provide strong identity assurance in an interoperable manner.
 Chain of Trust (Identity Proofing Process): Identity proofing and background investigation processes that build a chain of trust.
 Biometric Authentication: Fingerprint and/or iris information used for authentication that binds the identity of the user to the credential.
 PIN: Something that only the user knows and is used to access various applications.
 PKI Authentication: Digital certificate on the card that supports electronic verification of the cardholder.
 PKI Digital Signature: For electronically signing documents to provide non-repudiation and message integrity.
 PKI Encryption: For cryptographically protecting data at rest and in transit in order to provide confidentiality.
 Physical Features: Strong anti-counterfeiting features (e.g., laser etching, holographic images).
 Replaces cumbersome and insecure passwords for applications.
(Card face depicted on the slide, with labels Common Processes and PKI Authentication: Color Photograph, Contact Chip, Affiliation: Civilian, Lastname Firstname, M., United States Government, Agency/Department: Department of Homeland Security, Issued 01/01/10, Expires 01/01/15, Federal Emergency Response Official.)

55 Using the PIV Credential
Imagine a world where a single credential gets you in the front door to your office, onto your computer, allows you to securely sign and encrypt data, and access government-wide tools and resources at other agencies. This world is possible today with the PIV credential.
 Access Your Agency’s Resources
 Interoperable for Government-wide Use: Government-wide Applications; Access at other agencies
 Leverage Value-add Applications: Digital Signatures; Encryption; Transit/Payment

56 PIV Credential Success Story
The Employee Express (EEX) application is operated by OPM. EEX provides federal employees from participating agencies with a central hub to manage a variety of employment-related information such as tax withholding, health coverage, and direct deposit.
 To support an enhanced user experience and promote a secure and trusted means of access and authentication, EEX was enabled to accept the PIV card and NASA participated in the pilot deployment of the PIV-enabled application.
 The NASA community boasts a sizeable total user population, with approximately 18,500 NASA users with the PIV card option. In the beginning of the pilot, there was an average of over 1,000 PIV card logins each month and during January 2013, EEX was accessed over 3,000 times with PIV cards.
 NASA employees have provided positive feedback which indicates PIV-enablement of applications increases ease of use, decreases the need for multiple passwords and usernames, and provides an added level of security.

57 PIV Credential vs. Other Credentials
The PIV credential provides many features and benefits that other credentials are unable to offer, as depicted below.
Credentials compared: Password | OTP Tokens | PIV
Features compared: User vetting; High identity assurance; Interoperability; Accredited issuance processes; Cross-agency trust; Use for physical and logical access; Encryption; Digital Signature; Efficiencies; Biometric binding of identity

58 Differing Agency Priorities

59 Align ICAM with your Agency’s Priorities
Based on varying priorities, agencies can choose to focus their implementation efforts around a particular aspect of ICAM to achieve desired results. The ROI toolkit provides case studies that may be leveraged when addressing agency priorities.
 The State Department experienced a decrease in the percentage of help desk tickets related to password issues (2006 – 12.6%, and 2007 – 8.1%).
 The General Services Administration’s (GSA) IAM Logical Access Initiative worked to lower IT administrative costs by eliminating the need for application-specific passwords and their resetting.
 The Bureau of Land Management, within the Department of Interior, undertook a staged rollout of logical access and integrated its credentialing and electronic forms. This facilitated a high reliability of electronic forms via digital signatures.
 The Department of Defense (DoD) decreased the number of successful intrusions by 46% due to a requirement that all DoD personnel log on to unclassified networks using a CAC.
These case studies can be found in more detail in the ROI toolkit.* Please contact ICAM@gsa.gov for access.

60 ROI Toolkit Overview
The ROI Toolkit is a resource that agencies can leverage when demonstrating the value of ICAM and/or building their business case for an ICAM implementation.
 ROI Case Study Inventory. Summarizes federal and commercial ICAM case studies and sound bites that can be leveraged to help scope an ICAM business case analysis. The sound bites can be leveraged as more anecdotal improvement metrics or results.
 ROI Dashboard Tool. Provides templates for calculating ICAM costs and benefits as well as example reports that can be used when planning for an ICAM implementation.
 Building an ICAM Business Case Presentation. Provides a more detailed, step-by-step approach for building an ICAM business case and the cost calculations associated with it. It is to be used in conjunction with the ICAM ROI Dashboard Tool.
Please contact ICAM@gsa.gov to access the ICAM ROI Toolkit.

61 Agency Mission Drivers

62 ICAM at USDA (The Department of Agriculture)
Mission: “To provide leadership on food, agriculture, natural resources, rural development, nutrition, and related issues based on sound public policy, the best available science, and efficient management.”
How ICAM Supports USDA’s Mission:
 Supports compliance with USDA and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress
 Provides protection of USDA’s physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
 Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
 Improves interoperability between USDA PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
 Promotes collaboration across the USDA enterprise and with mission partners
 Allows USDA to focus limited funds and personnel resources on promoting nutrition for the American Public and protecting food and natural resources

63 ICAM at DOC (The Department of Commerce)
Mission: “To promote job creation, economic growth, sustainable development, and improved living standards for all Americans, by working in partnership with business, universities, communities, and workers.”
How ICAM Supports DOC’s Mission:
 Supports compliance with DOC and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress
 Provides protection of DOC’s physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
 Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
 Improves interoperability between DOC PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
 Promotes collaboration across the DOC enterprise and with mission partners
 Allows DOC to focus limited funds and personnel resources on promoting a sustainable work environment for the American Public

64 ICAM at DoD (The Department of Defense)
Mission: “To provide the military forces needed to deter war and to protect the security of our country.”
How ICAM Supports DoD’s Mission:
 Supports compliance with DoD and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress
 Provides protection of DoD’s physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
 Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
 Improves interoperability between DoD CAC holders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
 Promotes collaboration across the DoD enterprise and with mission partners
 Allows DoD to focus limited funds and personnel resources on protecting the safety of the American Public and Armed Forces

65 ICAM at ED (The Department of Education)
Mission: “To promote student achievement and preparation for global competitiveness by fostering educational excellence and ensuring equal access.”
How ICAM Supports ED’s Mission:
 Supports compliance with ED and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress
 Provides protection of ED’s physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
 Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
 Improves interoperability between ED PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
 Promotes collaboration across the ED enterprise and with mission partners
 Allows ED to focus limited funds and personnel resources on promoting student achievement and academic excellence

66 ICAM at DOE (The Department of Energy)
Mission: “To ensure America’s security and prosperity by addressing its energy, environmental and nuclear challenges through transformative science and technology solutions.”
How ICAM Supports DOE’s Mission:
 Supports compliance with DOE and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress
 Provides protection of DOE’s physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
 Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
 Improves interoperability between DOE PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
 Promotes collaboration across the DOE enterprise and with mission partners
 Allows DOE to focus limited funds and personnel resources on modernizing the energy grid and protecting the environment

67 ICAM at HHS (The Department of Health and Human Services)
Mission: “To serve as the United States government's principal agency for protecting health and providing essential human services to Americans.”
How ICAM Supports HHS’ Mission:
 Supports compliance with HHS and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress
 Provides protection of HHS physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
 Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
 Improves interoperability between HHS PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
 Promotes collaboration across the HHS enterprise and with mission partners
 Allows HHS to focus limited funds and personnel resources on providing essential health-related services to the American Public

68 ICAM at DHS (The Department of Homeland Security)
Mission: “To ensure a homeland that is safe, secure, and resilient against terrorism and other hazards.”
How ICAM Supports DHS’ Mission:
 Supports compliance with DHS and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress
 Provides protection of DHS physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
 Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
 Improves interoperability between DHS PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
 Promotes collaboration across the DHS enterprise and with mission partners
 Allows DHS to focus limited funds and personnel resources on safeguarding the American Public from foreign and domestic threats

69 ICAM at HUD (The Department of Housing and Urban Development)
Mission: “To create strong, sustainable, inclusive communities and quality affordable homes for all.”
How ICAM Supports HUD’s Mission:
 Supports compliance with HUD and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress
 Provides protection of HUD’s physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
 Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
 Improves interoperability between HUD PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
 Promotes collaboration across the HUD enterprise and with mission partners
 Allows HUD to focus limited funds and personnel resources on promoting strong communities and living environments

70 ICAM at DOJ (The Department of Justice)
Mission: “To enforce the law and defend the interests of the United States according to the law; to ensure public safety against threats foreign and domestic; to provide federal leadership in preventing and controlling crime; to seek just punishment for those guilty of unlawful behavior; and to ensure fair and impartial administration of justice for all Americans.”
How ICAM Supports DOJ’s Mission:
 Supports compliance with DOJ and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress
 Provides protection of DOJ’s physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
 Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
 Improves interoperability between DOJ PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
 Promotes collaboration across the DOJ enterprise and with mission partners
 Allows DOJ to focus limited funds and personnel resources on promoting and defending federal law

71 ICAM at DOL (The Department of Labor)
Mission: “To foster, promote, and develop the welfare of the wage earners, job seekers, and retirees of the United States; improve working conditions; advance opportunities for profitable employment; and assure work-related benefits and rights.”
How ICAM Supports DOL’s Mission:
 Supports compliance with DOL and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress
 Provides protection of DOL’s physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
 Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
 Improves interoperability between DOL PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
 Promotes collaboration across the DOL enterprise and with mission partners
 Allows DOL to focus limited funds and personnel resources on promoting the well-being of the American worker through protection of work-related benefits and rights

72 ICAM at STATE (The Department of State)
Mission: “To create a more secure, democratic, and prosperous world for the benefit of the American people and the international community.”
How ICAM Supports STATE’s Mission:
 Supports compliance with STATE and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress
 Provides protection of STATE’s physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
 Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
 Improves interoperability between STATE PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
 Promotes collaboration across the STATE enterprise and with mission partners
 Allows STATE to focus limited funds and personnel resources on promoting United States diplomacy abroad

73 ICAM at DOI (The Department of the Interior)
Mission: “To protect America’s natural resources and heritage, honor our cultures and tribal communities, and supply the energy to power our future.”
How ICAM Supports DOI’s Mission:
 Supports compliance with DOI and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress
 Provides protection of DOI’s physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
 Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
 Improves interoperability between DOI PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
 Promotes collaboration across the DOI enterprise and with mission partners
 Allows DOI to focus limited funds and personnel resources on promoting the protection and sustainment of natural resources and tribal communities

74 ICAM at TREAS (The Department of the Treasury)
Mission: “Maintain a strong economy and create economic and job opportunities by promoting the conditions that enable economic growth and stability at home and abroad, strengthen national security by combating threats and protecting the integrity of the financial system, and manage the U.S. Government’s finances and resources effectively.”
How ICAM Supports TREAS’ Mission:
 Supports compliance with TREAS and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress
 Provides protection of TREAS physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
 Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
 Improves interoperability between TREAS PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
 Promotes collaboration across the TREAS enterprise and with mission partners
 Allows TREAS to focus limited funds and personnel resources on managing and promoting the integrity of the U.S. financial system

75 ICAM at DOT (The Department of Transportation)
Mission: “To serve the United States by ensuring a fast, safe, efficient, accessible and convenient transportation system that meets our vital national interests and enhances the quality of life of the American people, today and into the future.”
How ICAM Supports DOT’s Mission:
 Supports compliance with DOT and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress
 Provides protection of DOT physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
 Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
 Improves interoperability between DOT PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
 Promotes collaboration across the DOT enterprise and with mission partners
 Allows DOT to focus limited funds and personnel resources on promoting transportation and infrastructure to meet the needs of the American people

76 ICAM at VA (The Department of Veterans Affairs)
Mission: “To fulfill President Lincoln's promise “To care for him who shall have borne the battle, and for his widow, and his orphan” by serving and honoring the men and women who are America’s veterans.”
How ICAM Supports VA’s Mission:
 Supports compliance with VA and government-wide laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress
 Provides protection of VA physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
 Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
 Improves interoperability between VA PIV cardholders, agency PIV cardholders, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
 Promotes collaboration across the VA enterprise and with mission partners
 Allows VA to focus limited funds and personnel resources on protecting Veteran information and securing data/infrastructure assets from internal and external threats

77 Agency Resources

78 ICAM Resources
There are many ICAM resources available to agencies to address the various aspects of ICAM implementation.
 FICAM Roadmap V2.0
 ICAM ROI Toolkit*
 ICAM Maturity Model
 ICAM Snapshot Brochure
 Modernized PACS Brochure
 Modernized LACS Brochure
* Please contact ICAM@gsa.gov to access the ICAM ROI Toolkit.

79 Intersection of ICAM and Emerging Needs

80 Intersection of ICAM and Emerging Needs
As the ICAM landscape continues to evolve, agencies are looking for ways to meet these demands:
 Evolution of mobile security
 Popularity of cloud computing
 Keeping pace with the commercial IAM space
 Support for federation and visitor management
 Growth of shared services
 Surge of single sign-on solutions
 Implementing an enterprise IAM system

81 Evolution of Mobile Security

82 Evolution of Mobile Security
The proliferation of internet-enabled mobile devices has created the need to secure the use of the device and manage employee and contractor access to data from a device to maintain security regardless of how a user is accessing resources.
Did you know that… The government is working to certify and acquire mobile devices that meet its needs!
PIV-derived Credential: PIV-derived credentials will be the approved credentials for securely accessing and using mobile devices.

83 Growth of Shared Services

84 Growth of Shared Services
Agencies are working together to develop services to address common agency capabilities and capitalize on efficiencies in an effort to meet ICAM goals while saving money for the Federal Government. These common services include:
 Backend Attribute Exchange (BAE) is a secure and standards-based retrieval of information from authoritative sources that enables access control decisions and secure information sharing.
 Federal Cloud Credential Exchange (FCCX) is a core capability to consume, validate, and translate third-party credentials to relying party applications across multiple agencies, providing a single, easy-to-access integration point.
 The GSA USAccess Managed Service Office (MSO) is the executive agent responsible for providing federal agencies with interoperable identity management and credentialing solutions.
For more information on Goal 4: FICAM Roadmap V2.0

85 Backend Attribute Exchange (BAE)

86 The Background of the BAE
The BAE specification was first developed in May 2008 and has since been successfully demonstrated through a pilot program between the Department of Defense (DoD) and the Department of Homeland Security (DHS) to support information exchange between mission partners during emergency response events.
The BAE Business Case and Lifecycle Sustainment Analysis was created as a joint effort supported by the Program Manager for the Information Sharing Environment (PM-ISE) and the ICAMSC. This effort:
 Explored key business drivers, benefits, and challenges related to the pursuit of the enterprise BAE capability
 Identified expected lifecycle costs and funding considerations
 Provided recommendations regarding the feasibility of the enterprise BAE capability and potential implementation considerations

87 The BAE Capability Defined
The enterprise BAE capability represents the common interest of both PM-ISE and ICAMSC communities to securely and efficiently share mission-specific attribute information in a collaborative environment. PM-ISE supports innovation and implementation of secure information sharing capabilities among the Federal Government and collaborating organizations. The ICAMSC develops and recommends policies, procedures, and standards related to identity management, authentication, and secure access.
The analysis represented in this presentation highlights the following high-level benefits regarding the enterprise BAE capability, as it:
 Offers increased flexibility and scalability. BAE provides a secure way to share information and facilitate collaboration between multiple organizations. It aligns with multiple mission needs and is applicable to a broad variety of applications and uses.
 Brings a strong, broad potential customer base. An enterprise BAE capability would have a strong, immediate customer base within the information sharing environment which could include agencies and stakeholders (i.e., anyone who has an information sharing need).
 Extends the federal trust infrastructure. Through its centralized governance structure, the enterprise BAE capability promotes trust between the attribute provider and consumer.

88 BAE’s Authority
GSA’s Office of Governmentwide Policy (OGP) has the responsibility to support coordination across the various policy and standards efforts affecting the Federal ICAM Initiative and to promote the consistent implementation of ICAM solutions at the agency level.
OMB M-11-11 requires agencies to align with the ‘Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance.’ FICAM Roadmap Initiative 5 calls for streamlining the collection and sharing of digital identity data through the use of the BAE to support sharing of data elements for use in shared mission or business areas.

89 BAE for Information Sharing
Participants: Agency A User with Credential; Agency A Attribute Service (BAE Profile Compliant); Agency B Protected Resource; Externalized Authorization Manager B (PDP).
1. Agency A user needs access to or information from Agency B
2. User A is Authenticated
3. Agency B needs “off-credential” info to authorize User A to access resource. It “asks” its own Authorization Engine B
4. Agency B and Agency A communicate to exchange user information about User A
5. User is granted Access

90 BAE Use Case Scenarios
Due to the flexibility of the BAE model it can support any set of attributes as agreed upon by a particular community. The following slides offer a description of several sample use scenarios for the BAE to help demonstrate its possible applications, including:
 Attribute Based Access Control (ABAC)
 Sensitive but Unclassified (SBU) Environment Simplified Sign-on (SSO)
 Background Investigation Reciprocity
 Visitor Management

91 Attribute Based Access Control (ABAC)
ABAC focuses on characteristics that describe people, resources, and environments. The requester provides attributes which are compared to those documented as requirements for granting or denying access, at which point an access decision is made. ABAC is a suggested use for an organization due to:
 Existing complex access rule sets
 A high volume of visitors requesting access to systems
 A mission focused on collaboration
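The BAE information-sharing flow (slide 89) and the ABAC scenario above, worked through as an added Python example that is not part of this brief: Agency B's externalized authorization manager (PDP) pulls only the "off-credential" attributes its rules need from Agency A's attribute service, evaluates an attribute-based policy with default deny (unknown provider, unknown subject, or unmet conditions all deny), and records every decision for auditing. The agency names, users, attribute names (clearance, bi_complete, role, emergency_declared), rules and the in-memory attribute service are all constructed for illustration; the same lookup pattern carries over to the background-investigation-completeness attribute used in the later scenarios.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Attrs = Dict[str, object]

# Constructed stand-in for Agency A's attribute service (the "BAE Profile
# Compliant" service in the brief's flow). A real deployment would query an
# authoritative source over a mutually authenticated channel.
AGENCY_A_USERS: Dict[str, Attrs] = {
    "alice@agencyA": {"clearance": "SECRET", "bi_complete": True, "role": "responder"},
    "bob@agencyA": {"clearance": "PUBLIC_TRUST", "bi_complete": False, "role": "responder"},
    "carol@agencyA": {"clearance": "PUBLIC_TRUST", "bi_complete": True, "role": "responder"},
}


class AttributeService:
    """Answers attribute queries about one agency's users (step 4 of the flow)."""

    def __init__(self, agency: str, store: Dict[str, Attrs]) -> None:
        self.agency = agency
        self._store = store

    def query(self, subject: str, wanted: List[str]) -> Attrs:
        """Release only the requested attributes; an unknown subject raises KeyError."""
        record = self._store[subject]
        return {name: record[name] for name in wanted if name in record}


@dataclass
class Rule:
    """One ABAC rule: a resource plus attribute predicates that must all hold."""
    resource: str
    conditions: Dict[str, Callable[[object], bool]]


@dataclass
class Decision:
    permit: bool
    reason: str
    attributes_used: Attrs = field(default_factory=dict)


class AuthorizationManager:
    """Agency B's externalized authorization manager (PDP). Default deny."""

    def __init__(self, rules: List[Rule], providers: Dict[str, AttributeService]) -> None:
        self.rules = rules
        # Trust registry: only agencies covered by an information-sharing agreement.
        self.providers = providers
        self.audit_log: List[str] = []  # feeds the Auditing and Reporting service

    def decide(self, subject: str, home_agency: str, resource: str,
               environment: Optional[Attrs] = None) -> Decision:
        """Authorize an already-authenticated subject (step 2 is assumed done by the PEP)."""
        decision = self._evaluate(subject, home_agency, resource, environment or {})
        self.audit_log.append(
            f"{'PERMIT' if decision.permit else 'DENY'} subject={subject} "
            f"agency={home_agency} resource={resource} reason={decision.reason}"
        )
        return decision

    def _evaluate(self, subject: str, home_agency: str, resource: str,
                  environment: Attrs) -> Decision:
        rules = [r for r in self.rules if r.resource == resource]
        if not rules:
            return Decision(False, "no rule covers this resource")
        provider = self.providers.get(home_agency)
        if provider is None:
            return Decision(False, f"no attribute-sharing agreement with {home_agency}")
        # Ask only for the attributes the applicable rules need (step 3), not the
        # subject's whole record; environment attributes come from Agency B itself.
        wanted = sorted({name for r in rules for name in r.conditions} - set(environment))
        try:
            attrs = provider.query(subject, wanted)
        except KeyError:
            return Decision(False, "subject unknown to home agency")
        combined = {**attrs, **environment}
        for rule in rules:
            if all(name in combined and check(combined[name])
                   for name, check in rule.conditions.items()):
                return Decision(True, "rule satisfied", combined)
        return Decision(False, "required attributes missing or not satisfied", combined)


def build_demo_pdp() -> AuthorizationManager:
    """Constructed Agency B policy for a protected 'incident-reports' resource."""
    rules = [
        # Cleared personnel with a completed background investigation may read
        # incident reports at any time...
        Rule("incident-reports", {
            "clearance": lambda v: v in {"SECRET", "TOP_SECRET"},
            "bi_complete": lambda v: v is True,
        }),
        # ...and while an emergency is declared, any vetted responder may as well.
        Rule("incident-reports", {
            "role": lambda v: v == "responder",
            "bi_complete": lambda v: v is True,
            "emergency_declared": lambda v: v is True,
        }),
    ]
    providers = {"AgencyA": AttributeService("AgencyA", AGENCY_A_USERS)}
    return AuthorizationManager(rules, providers)


if __name__ == "__main__":
    pdp = build_demo_pdp()
    print(pdp.decide("alice@agencyA", "AgencyA", "incident-reports"))
    print(pdp.decide("bob@agencyA", "AgencyA", "incident-reports"))
    print(pdp.decide("alice@agencyA", "AgencyZ", "incident-reports"))
    print("\n".join(pdp.audit_log))
```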

92 Attribute Based Access Control (ABAC)
The following table summarizes the key details associated with the ABAC use scenario:
 ICAM Services Provided: Authorization and Access; Privilege Management
 Transactional Data: Mission-specific attributes; Privilege attributes
 Benefits:
   Requires only one set of information-sharing agreements to join, instead of needing to establish multiple bilateral attribute sharing agreements between multiple partners.
   Enhances ability to coordinate with partners outside the federal space.
   Places responsibility on both attribute provider and consumer for attribute information lifecycle management.
   Requires no advance knowledge of requestors.
   Is highly adaptable to changing needs; efficient for agencies where individuals come and go frequently.

93 SBU Environment Simplified Sign-on (SSO)
A mechanism which reduces the need for multiple logins and authentication processes when accessing a variety of independently owned and maintained SBU/CUI resources. SBU SSO is a suggested use for an organization due to:
 Current federal, state, local, and tribal partners
 Your work at DHS Fusion Centers
 Your need for access to an SSO SBU/CUI service
 Your partnering with PM-ISE

94 SBU Environment Simplified Sign-on (SSO)
The following table summarizes the key details associated with the SBU/CUI environment SSO use scenario:
 ICAM Services Provided: Authorization and Access; Digital Identity Management
 Transactional Data: Mission-specific attributes; Personnel attributes needed for authentication
 Benefits:
   Provides a means of maintaining integrity of multiple SBU/CUI systems by quickly identifying, authenticating, and authorizing a user.
   Supports and enhances SBU/CUI information collaboration for individuals with a variety of organizational affiliations, including non-federal partners.
   Requires only one set of information-sharing agreements to join, rather than needing to establish multiple bilateral attribute sharing agreements between multiple partners.
   Allows an individual’s attributes to be correlated from multiple organizations or sources to create a unified identity for SSO login.
   Reduces points of entry and increases prevalence of SSO capabilities across multiple applications.
   Supports interoperability with the Global Federated Identity and Privilege Management (GFIPM) and National Information Exchange Federation (NIEF).

95 Background Investigation Reciprocity
The process by which an individual’s background check completeness attribute is requested and received from the authoritative source. Background investigation reciprocity is a suggested use for an organization due to:
 Your high volume of visitors
 Your high volume of outside collaboration
 Your on-boarding of contractors
 Your temporary employment of detailed personnel
 Your multiple inter-agency personnel transfers
 Current federal, state, local, and tribal partners

96 Background Investigation Reciprocity
The following table summarizes the key details associated with the Background Investigation Reciprocity use scenario:
ICAM Services Provided: Digital Identity Management; Authorization and Access
Transactional Data: Background investigation completeness attribute
Benefits:
• Reduces the time needed for an agency to confirm that a background check has been completed.
• Potentially streamlines contractor on-boarding, inter-agency personnel transfer, internal hiring, and Visitor Management Systems (VMS)/services.
• Assists in reducing paperwork submission and administrative burden on both the organization and the individual.
• Supports more efficient PIV card provisioning.

97 Visitor Management
A Visitor Management System (VMS) gathers a visiting individual’s personal information, allows for its processing, and takes any additionally needed internal and external steps to prepare the agency for a visitor. Visitor management is a suggested use for an organization due to:
• The fact that you are an authoritative attribute provider of background investigation completeness
• You are an attribute consumer
• Your organization has a high volume of visitors, including state, local, and tribal law enforcement partners, as well as contractors
• Your organization has a high volume of outside collaboration
• Your agency temporarily employs detailed personnel

98 Visitor Management
The following table summarizes the key details associated with the Visitor Management use scenario:
ICAM Services Provided: Authorization and Access
Transactional Data: Background investigation status; Clearance level; Various identity attributes; Personally Identifiable Information (PII) attributes
Benefits:
• Offers opportunity for increased efficiency over commonly used point-to-point attribute sharing relationships.
• Improves timeliness of obtaining visitor attributes from the individual’s home organization.
• Supports more efficient Visitor Management System (VMS) pre-screening prior to an individual’s arrival at the agency.
• Supports customization of BAE capability according to agency needs and internal VMS processes.
• Assists in achieving the target state described in the FICAM Roadmap, which specifies an agency move away from manual paper-based methods for managing visitors and implementing an electronic enterprise VMS capability, leveraging existing PIV infrastructure.
• Offers opportunity to reduce paperwork submission and administrative burden, on both the organization and the individual.

99 Benefits Realized by BAE Customer
The benefits associated with enterprise BAE capability adoption include:
• Increased national security. Contributes to enhancing the ability to detect, prevent, or disrupt terrorist activity; reduces incident response time to terrorist and natural-disaster related emergencies; and increases the ability to share information with other organizations responding to the same national security-related issues.
• Enhanced service delivery. Enhances service delivery for mission partners and customers by shortening the time from when an information sharing need is identified to when it is delivered.
• Increased opportunity for collaboration. Increases the ease of collaboration between federal, state, local and tribal law enforcement agencies, as well as other mission partners.
• Improved efficiency. Improves the efficiency of the collection and maintenance of information. By allowing for the streamlined electronic request and transfer of information, the enterprise BAE capability can reduce the administrative burden on an organization.
• Reduced total investment. Reduces the total investment costs incurred by customers for a secure information sharing capability. The total investment is considerably less than the costs associated with establishing individual information sharing systems.

100 Federal Cloud Credential Exchange (FCCX)

101 FCCX Overview
FCCX is a White House-initiated effort to establish a secure, efficient, and privacy-enhancing cloud-based government-wide service that will provide federal agencies with the ability to accept and authenticate FICAM-approved third-party credentials for their externally-facing applications. Once fully functional, the FCCX capability will:
• Support the ability to consume, validate, and translate credentials to relying party applications across multiple agencies.
• Provide a single, easy-to-access integration point that ensures agencies do not have to keep building and maintaining single-use, point-to-point connections for the same approved credentials.
At present, the FCCX effort is focused on the following activities:
• Developing governance documents that will outline the expectations for customers, third-party credential providers, and other parties interested in the service;
• Procuring a technology provider to support the technical services and infrastructure required to operate the FCCX capability;
• Determining agency resources that are currently being expended to support credentialing and authentication of external users;
• Working with identity providers to determine an appropriate business model for issuing and authenticating third-party credentials via the FCCX capability; and
• Coordinating resources to efficiently implement the FCCX proof-of-concept.

102 FCCX Facilitates Alignment of Federal Goals
NSTIC Objective 2.3: Implement the Federal Government Elements of the Identity Ecosystem. The Federal Government must continue to lead by example and be an early adopter of identity solutions that align with the Identity Ecosystem Framework. The Federal Government must also continue to leverage its buying power as a significant customer of the private sector to motivate the supply of these solutions.
Agency Challenges Uncovered:
• Multiple credentials/accounts for single users
• Difficulty managing accounts and account access rights
• Operating at a lower level of assurance than required for the information being transferred
FICAM Strategic Goals:
• Comply with federal laws, regulations, standards and governance
• Facilitate eGovernment by streamlining access to services
• Improve security posture across the Federal Enterprise
• Enable trust and interoperability
• Reduce costs and increase efficiency associated with ICAM
How FCCX aligns with these goals:
1. Achieve credential interoperability, ensuring that customers can use a single FICAM accredited credential, if they so choose, across all agencies at the same Level of Assurance (LOA) rather than be asked to get a new credential for each agency application
2. Make it easier for any agency to quickly and affordably integrate with – and consume – credentials provided by accredited third parties for customers to access online applications
3. Ensure that agencies (and the taxpayer) do not duplicate efforts and expenditures to build the same system and pay for the associated maintenance and updates to that system

103 FCCX: Federal Cloud Credential Exchange
[Figure: diagram of agencies connecting once to FCCX, which brokers third-party credentials of several types and assurance levels (OpenID/LOA1, SAML/LOA3, PKI).]
• Each agency connects just once
• FCCX does the heavy lifting
• Guaranteed interoperability of credentials across agencies
• Offers agencies and citizens an easy path to more choice

104 The GSA USAccess Managed Service Office (MSO)

105 The GSA USAccess Managed Service Office
The GSA Federal Acquisition Service launched the HSPD-12 Managed Services Office (HSPD-12 MSO) on September 13, 2006, providing turnkey services to produce compliant PIV credentials. The MSO established the USAccess program, a managed, shared service solution that simplifies the process of procuring and maintaining compliant PIV credentials.
• The USAccess program enables U.S. Federal Government agencies to credential employees, contractors, and affiliates.
• The USAccess program provides agencies with all the key components necessary to manage the full life-cycle of a PIV credential.

106 Popularity of Cloud Computing

107 Popularity of Cloud Computing
As agencies modernize their infrastructures, they should seek to take advantage of the benefits offered by cloud computing. Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. The cloud leverages:
• On-demand self-service
• Broad network access
• Massive scale
• Virtualization
• Resilient computing
• Geographic distribution
• Service orientation
• Advanced security technologies

108 Cloud Computing in the Federal Environment
Leveraging shared infrastructure and the economies of scale associated with cloud computing, agencies can measure and pay for the IT resources they consume to match current requirements and budget constraints.
The Federal Cloud Computing Strategy: Emphasizes the capability of cloud computing to reduce inefficiencies and improve service delivery. http://www.dhs.gov/sites/default/files/publications/digital-strategy/federal-cloud-computing-strategy.pdf
M-10-19: Directs agencies to evaluate the potential to adopt cloud computing solutions by analyzing computing alternatives for IT investments. http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-19.pdf

109 Cloud Computing Considerations
There is a fundamental shift in focus from asset ownership to service management when leveraging cloud computing. Agencies need to actively monitor emerging security threats and re-evaluate the service received periodically. As agencies modify their IT portfolios to fully take advantage of the benefits of cloud computing, they will be able to maximize capacity utilization, improve IT flexibility and responsiveness, and minimize cost. Agencies will also realize the following benefits:
• Increased efficiency (with improved asset and server utilization).
• Enhanced productivity in application development, application management, network, and end-use.
• Increased responsiveness to urgent agency needs.
• Enhanced collaboration with private sector innovation.
• Increased linking to emerging technologies (e.g., devices).
Source: http://www.dhs.gov/sites/default/files/publications/digital-strategy/federal-cloud-computing-strategy.pdf

110 Keeping Pace with the IAM Commercial Space

111 Keeping Pace with the IAM Commercial Space
FICAM incorporates best practices from the commercial space. The government is following the lead that the commercial space has set in creating efficiencies in a cost effective manner, particularly around cloud computing:
• The commercial space has taken advantage of the technologies available for cloud computing to improve resource utilization, increase service responsiveness, and achieve meaningful benefits in efficiency, agility, and innovation.
• Cloud computing offers the government an opportunity to apply the innovations of the commercial space through more effective use of IT investments.

112 Support for Federation and Visitor Management

113 Support for Federation for Visitor Management
Today there are various ad hoc processes in place when an employee or contractor visits another agency. A Visitor Management System (VMS) gathers a visiting individual’s personal information, allows for its processing, and takes any additionally needed internal and external steps to prepare the agency for a visitor. The BAE can improve this process!
• Improves timeliness of obtaining visitor attributes from the individual’s home organization.
• Supports more efficient VMS pre-screening prior to an individual’s arrival at the agency.
• Assists in achieving the target state described in the FICAM Roadmap, which specifies an agency move away from manual paper-based methods for managing visitors and implementing an electronic enterprise VMS capability, leveraging existing PIV infrastructure.
• Offers opportunity to reduce paperwork submission and administrative burden, on both the organization and the individual.

114 Visitor Management Benefits Associated with the BAE
A customer of the BAE is positioned to realize benefits internal to the agency as well as to the larger Federal Government. Benefit areas: Reduce Risk; Decrease Hassle; Increase Power; Gain Praise; Save Money.
• Reduce the paperwork submission of personally identifiable information (PII) on both the organization and the individual.
• Support more efficient visitor management pre-screening prior to an individual’s arrival at the agency to reduce the need for human intervention.
• Reduce administrative burden and redundant processes.
• Improve timeliness of obtaining visitor attributes from the individual’s home organization.
• Lead in innovation by supporting the FICAM target state through protecting, serving, and safeguarding.
• Assist in achieving M-11-11 through alignment with the FICAM Roadmap, in moving away from manual paper-based methods for managing visitors.
• Reduce upfront cost through leveraging the shared service which GSA is providing.
• Support customization of the BAE capability according to the agency needs and internal visitor management processes.
• Retain full control of information held, allowing the opportunity to maintain ownership of information and maintain discretion on access to information.
• Increase national security by transmitting data in a secure and consistent format.

115 Surge of Single Sign-on Solutions

116 Surge of Single Sign-on Solutions
Single Sign-On (SSO) – a mechanism by which a single act of user authentication and log on enables access to multiple independent resources. When agencies are considering modernizing their Logical Access architecture and design, SSO should be a consideration to help relieve application owners from managing and administering credentials, but it is also great for the user! SSO…
• Eliminates the need to authenticate multiple times with the PIV credential (access protection applications as the session and application policy allow)
• Streamlines the access process
• Creates transparency in access across applications
This information has been derived from the FICAM Roadmap; for more detailed information see Chapter 11.

117 Implementing an Enterprise IAM System

118 Implementing an Enterprise IAM System
An enterprise solution for ICAM allows an agency to maximize investment while meeting ICAM requirements in a consistent, secure manner.
"A department with a modern, homogeneous infrastructure could save as much as 30 percent on infrastructure costs, field applications more quickly and less costly, and provide improved IT security. Given the structure of Agency budgets and organizations, it is very difficult for an Agency CIO to have the tools available to drive such standardization." (DHS CIO testimony before the House Committee on Oversight and Government Reform, released on February 27, 2013)
An enterprise IAM solution allows an agency to:
• Standardize and streamline processes
• Leverage existing tools across multiple components/bureaus
• Pass identity data and information across functional areas
• Eliminate redundant IT investments

119 Implementing an Enterprise IAM System
An enterprise solution provides benefits that span across the agency and helps to check the boxes of the ICAM target state:
• Reduced administrative burden
• Increased interoperability with partners
• Reduced infrastructure costs through enterprise technology
• Increased cost savings through leveraging enterprise licensing

120 Resources

121 ICAM Resources
There are many ICAM resources available to agencies today!
• FICAM Roadmap V2.0
• ICAM ROI Toolkit*
• ICAM Maturity Model
• ICAM Snapshot Brochure
• Modernized PACS Brochure
• Modernized LACS Brochure
* Please contact ICAM@gsa.gov to access the ICAM ROI Toolkit.

122 FICAM Roadmap

123 FICAM Roadmap and Implementation Guidance
The FICAM Roadmap and Implementation Guidance document (FICAM Roadmap V2.0) consists of two components: Part A outlines the government-wide ICAM segment architecture; and Part B provides agencies with implementation guidance, critical for achieving alignment.
PART A: ICAM Segment Architecture (Chapters 3 - 5). Part A provides the ICAM segment architecture which outlines a cohesive target state to ensure clarity and interoperability across agency-level initiatives, including:
• Compliance with the Federal Segment Architecture Methodology (FSAM)
• Various use cases which illustrate the as-is and target states of high level ICAM functions and frame a gap analysis between the as-is and target states
• Detailed transition roadmap and milestones which define a series of logical steps or phases that enable the implementation of the target architecture
PART B: Implementation Guidance (Chapters 6 - 12). Part B provides guidance on a broad range of topics to enable a holistic approach for alignment with the ICAM segment architecture, including:
• Information for planning and managing an agency’s ICAM program
• Sample solution architectures for expected target state technical capabilities
• Important considerations, benefits, and limitations for different implementation approaches
• Numerous tips, FAQs, and lessons learned from real ICAM implementations

124 ROI Toolkit

125 ROI Toolkit Overview
The ROI Toolkit* is a resource that agencies can leverage when demonstrating the value of ICAM and/or building their business case for an ICAM implementation.
• ROI Case Study Inventory. Summarizes federal and commercial ICAM case studies and sound bites that can be leveraged to help scope an ICAM business case analysis. The sound bites can be leveraged as more anecdotal improvement metrics or results.
• ROI Dashboard Tool. Provides templates for calculating ICAM costs and benefits as well as example reports that can be used when planning for an ICAM implementation.
• Building an ICAM Business Case Presentation. Provides a more detailed, step-by-step approach for building an ICAM business case and the cost calculations associated with it. It is to be used in conjunction with the ICAM ROI Dashboard Tool.
* Please contact ICAM@gsa.gov to access the ICAM ROI Toolkit.

126 ROI Toolkit: Case Study Inventory
The case study inventory includes federal and commercial ICAM case studies and sound bites that can be leveraged to help scope an ICAM business case analysis. The sound bites can be leveraged as more anecdotal improvement metrics or results.
Case studies by type or industry:
Federal, Civilian:
• STATE: Cost Benefit Comparison between PKI/BLADE and Password-based Authentication
• GSA IAM Logical Access Initiative
• Common Access Card for US Bureau of Land Management
Federal, Defense:
• Drivers for use of CAC in the DoD Community
Transportation:
• Transit Industry Case Study – Transit Smartcards for Automatic Fare Collection
Healthcare:
• Use of Smartcards in the Healthcare Community
• Health Industry Case Study – Multi-function Smart ID Badge for Hospital Staff
• SAFE-BioPharma Digital Signatures – AstraZeneca example
General:
• Value of Converged Access, SSO, and Remote Access Solutions
• Password Management and Single Sign-on
• Opening the Door to e-Business
• Password Reset: Using Self-Service
Please contact ICAM@gsa.gov to access the ICAM ROI Toolkit.

127 ROI Toolkit: Building an ICAM Business Case Presentation
The building an ICAM business case presentation provides a detailed, step-by-step approach for building an ICAM business case and the associated cost calculations.
Phases: Strategy and Requirements; Alternatives; Planning; Measurement and Reporting.
Steps:
• Defining an ICAM strategy
• Completing the stakeholder analysis
• Constructing the ICAM business case
• Completing a gap analysis
• Conducting an alternatives analysis
• Completing a detailed cost analysis
• Calculating quantitative and qualitative benefits
• Completing an end-to-end cost summary
• Selecting performance metrics and reports
* Please contact ICAM@gsa.gov to access the ICAM ROI Toolkit.

128 ROI Toolkit: ROI Dashboard Tool
The ROI dashboard tool provides templates for calculating ICAM costs and benefits. Dashboard tool components:
• Cost summary
• Cost analysis
• Quantitative benefits
• Qualitative benefits
• Net benefits graph
• Break even analysis
* Please contact ICAM@gsa.gov to access the ICAM ROI Toolkit.

129 ICAM Success Story Snapshot
Through ICAM implementations, federal agencies have been able to experience the benefits associated with successful ICAM solutions.
• The State Department experienced a decrease in the percentage of help desk tickets related to password issues (2006 – 12.6%, and 2007 – 8.1%).
• The General Services Administration’s (GSA) IAM Logical Access Initiative worked to lower IT administrative costs by eliminating the need for application-specific passwords and their resetting.
• The Bureau of Land Management, within the Department of Interior, undertook a staged rollout of logical access and integrated its credentialing and electronic forms. This facilitated a high reliability of electronic forms via digital signatures.
• The Department of Defense (DoD) decreased the number of successful intrusions by 46% due to a requirement that all DoD personnel log on to unclassified networks using a CAC.
These case studies can be found in more detail in the ROI toolkit. Please contact ICAM@gsa.gov to access the ICAM ROI Toolkit.

130 ICAM Maturity Model

131 ICAM Maturity Model
The ICAM Maturity Model tool provides a government-wide approach for evaluating the progress of an agency’s capabilities against the ICAM segment architecture.
• Provides a series of questions for an agency to answer related to:
  • Governance & Program Management
  • Identity Management
  • Credential Management
  • Physical Access Management
  • Logical Access Management
  • Federation
• Identifies capability gaps between the current state and the ICAM target state via a summary dashboard
• Provides the steps necessary to achieve the next phase of ICAM maturity

132 ICAM Maturity Model – Initial
• ICAM related projects and work streams are initiated and managed in an ad-hoc manner;
• There is little structure or opportunity for coordination between related ICAM projects and work streams;
• ICAM related processes are often conducted manually using paper-based methods, often creating duplicative and redundant efforts; and
• Users are issued credentials for access to agency resources that are not PIV cards.

133 ICAM Maturity Model – Repeatable
• A coordinated plan for the establishment of an ICAM program exists within the agency;
• An agency-level ICAM program management structure has been designed and a plan exists to implement it;
• A plan for the reduction of redundant, manual, and paper-based processes related to ICAM has been defined; and
• A plan has been developed to transition to issuance of the PIV card, while minimizing the issuance of other credential types.

134 ICAM Maturity Model – Defined
• A coordinated agency-level ICAM program/approach has been implemented;
• An agency-level ICAM program management structure is in place;
• Redundant, manual, and paper-based processes related to ICAM have been reduced and electronic and automated processes have been introduced; and
• The PIV card is being issued to users within the organization.

135 ICAM Maturity Model – Managed
• There is an operational ICAM program with clearly defined program and project goals and objectives;
• The agency has formalized leadership support and there is close coordination between agency-level ICAM efforts;
• A single, enterprise digital identity record has been established for each user within the organization and a mechanism is in place to securely share authoritative identity data with agency systems and processes that use it;
• The PIV card is the only credential issued to employees and contractors; and
• Users are electronically authenticated to physical and logical resources, using the technology on the PIV card (e.g., CHUID/FASC-N [PACS] and PIV Authentication Key [LACS]).

136 ICAM Maturity Model – Optimized
• The agency has an effective ICAM program with formalized and robust management mechanisms in place;
• ICAM related processes have been streamlined, automated, and converted to electronic mechanisms, wherever possible; and
• Enhanced management capabilities (e.g., enhanced auditing and reporting, leadership dashboard capabilities, etc.) have been implemented to increase security and reduce administrative burden.

137 ICAM Maturity Model
Based on the answers provided for each of the ICAM areas, the tool coordinates measuring maturity and accountability across agency-level activities and performance metrics from the ICAM segment architecture and the ICAM transition plan template.
Note: Guidance for use of the ICAM Maturity Model by federal agencies is forthcoming.

138 FICAM Testing Program

139 FICAM Testing Program
The FICAM Testing Program:
• Serves as a comprehensive testing and evaluation capability
• Supports the selection and procurement of qualified products and services for federal agencies
• Enables the implementation of a federated and interoperable ICAM segment architecture
The FICAM Approved Products List (APL): Provides agency purchasers with a list of products that have been tested and approved under the FICAM Testing Program for purchase and use by federal agencies.
New! Access the new FICAM Testing Program page here.

140 ICAM Web Content Series

141 ICAM Web Content Series
The ICAM Web Content Series provides agency implementers with a succinct summary of the highlighted subject matter. It translates complex and technical topics, illustrating them in a digestible fashion for implementers while providing a holistic summary of how the identified topic fits within the ICAM landscape.
The PIV in LACS Web Content provides guidance, best practices, and helpful tips to federal agencies on PIV-enabling logical resources at the enterprise level to meet federal requirements. The PIV in LACS video provides additional resources, such as:
• Information on the multiple benefits of PIV-enablement
• Common questions and answers that may arise during the implementation process
• A checklist of actionable next steps for PIV-enablement
Coming Soon! The PIV in PACS and Mobile Security Web Content Videos

142 ICAM Brochures

143 ICAM Brochures
As an accompaniment for the FICAM Roadmap, snapshot brochures are available.
• ICAM Snapshot Brochure: Provides summary information around what ICAM is, the FICAM Roadmap target state, the strategic vision for ICAM, and its value proposition.
• Modernized PACS Brochure: Provides summary information around the implementation of an enterprise PACS, the benefits of PACS modernization, the steps for implementing a modernized PACS solution, and PIV-enablement.
• Modernized LACS Brochure: Provides summary information around the implementation of an enterprise LACS, the benefits of LACS modernization, and design approaches and application integration for LACS.
• Leadership Communications Brochure: Provides high-level summary information about ICAM programs for leadership and explains how ICAM supports an agency in achieving its mission.

144 Align. Collaborate. Enable.

