Progress Report on the U.S. NSTIC Efforts Jack Suess – Delegate for Research, Development, Education & Innovation


NSTIC Background Information
●A presidential directive signed in 2011 stated that internet identity and cyber-security are both lacking.
●It stated that this must be a partnership between the private sector and governments.
●It suggested a consensus-driven approach to governance using a plenary-style process.
●Launched the first Plenary in August of
●In 2014, created a not-for-profit corporation, named IDESG, to operate what is produced.

Launching the IDESG
●IDESG is designed to be the non-governmental entity that can operate what is approved through the plenary process.
●The Plenary is a global entity open to any organization, not just U.S. organizations.
●In summer 2014, I chaired an IDESG board subcommittee that drafted the plan for rolling out our first product, a self-attested system for IdPs and SPs, called the Identity Ecosystem Framework (IDEF) plan.

The Big Questions Debated in the IDEF
●What must the IDESG have as operational capabilities in order to deliver and maintain a Framework?
●How should the IDESG design and implement a Framework?

What IDESG Is Planning to Deliver
1. Requirements
2. Evaluation mechanisms
3. Trustmark management

What Requirements Are Necessary?
1. Requirements
2. Evaluation mechanisms
3. Trustmark management

Requirements
●Based on NSTIC principles and goals
●Form part of the language that IDESG uses to instruct organizations on how to operate in NSTIC ways
●Itemize the practices that uphold the NSTIC vision
●If implemented widely, they will increase the trustworthiness of digital interactions for all parties

Approach to Requirements Definition
●As a starting place, IDESG committees should focus on requirements found in existing frameworks, standards, certifications, and protocols.
●Where there are gaps, the NSTIC committee process should develop its own requirements.

Evaluation Mechanisms
●What does the process of evaluating an organization look like?
 o IdPs and SPs will be evaluated.
 o The Trust Framework committee defines the approach and is involved in disputes.
 o The Framework office handles the back-office operations.
 o The initial launch is a web-based listing service, similar to the Cloud Security Alliance's.

What is the Role for Federations?
●In the initial version, none.
●In the next iteration, we are hoping to add a model for federations to join.
●The rationale for the delay is that we needed to better understand the business models and the value proposition for federations to join.

Third-Party Assessors
●The initial version is self-attested; however, self-attestation should have some basis in 3rd-party assessment.
●Have you been audited for basic IT controls?
●Do you have publicly accessible policies in place?
●For self-attestation, there will be little, if any, review of the self-attestation; however, the listing service will show the form.
●Being part of a federation can be noted in your attestation as evidence of good behavior.

Trustmark Management
1. Requirements
2. Evaluation mechanisms
3. Trustmark management

Why Trustmarks?
●The framework planning committee felt that the Georgia Tech Trustmark pilot was the best example of where the future will be.
●We felt that trustmarks provide a flexible approach that gives IDESG and organizations room to learn and improve.
●There is still much debate over the degree of granularity for trustmarks.

Where Are We Today?

IDEF Requirements
The committees generated 45 requirements that make up the baseline:
●Interoperability – 8
●Privacy – 15
●Security – 15
●Usability – 7

Example Requirements
INTEROP-6. FEDERATION COMPLIANCE
When conducting digital identity management functions within an identity FEDERATION, entities MUST comply in all substantial respects with the published policies and system rules that explicitly are required by that FEDERATION, according to the minimum criteria set by that FEDERATION.
PRIVACY-6. USAGE NOTICE
Entities MUST provide concise, meaningful, and timely communication to USERS describing how they collect, generate, use, transmit, and store personal information.

SALS (Self-Attested Listing Service)
●SALS will provide a listing service, similar to the Cloud Security Alliance's, to list who has self-attested.
●The process for self-attestation is being driven by the Framework Monitoring Office (FMO).
●The expectation is that we initially work with NSTIC pilots and then tweak the business processes as we expand the offering.

Can You Say POP?
●The SALS process has many parallels to the original InCommon Principles of Practice, but much more detail is required.
●Ultimately, the plan is that federations may join. If a federation is shown to be conformant with the requirements, being a federation member will likely be sufficient for attestation.
●I personally believe there is a role for electronic trustmarks; however, that was decided to be out of scope for the initial release.

Why Should the REFEDS Community Care?
1. Governments, especially in the UK, Canada, Australia, and New Zealand, are participating and sharing practices to support NSTIC and the IDESG. These groups will ultimately align on a solution.
2. If it is successful, the IDESG offers a potential way to improve practices, especially in privacy and accessibility, by pressuring cloud service providers.
3. We all want to increase the value of federation. Making certain that NSTIC aligns with REFEDS work will help both parties. eduGAIN, R&S, scalable privacy, and second factor are all aligned.

"When you come to a fork in the road, take it." (Yogi Berra)