2009 IT Summit, Federal CIO Council. Breakout Session #5: Identity and Access Management. Federal IT Summit, October 28, 2009. Moderator: Paul Christy, SBA.

Presentation transcript:

Slide 1: 2009 IT Summit, Federal CIO Council
Breakout Session #5: Identity and Access Management
Federal IT Summit, October 28, 2009
Moderator: Paul Christy, SBA
Paul Grant, DoD; Owen Unangst, USDA; Vance Hitch, USDoJ

Slide 2: Identity, Credential, and Access Management in and with the Federal Government
Paul D. Grant, Special Assistant, Federated IDM and External Partnering, Office of the CIO, DoD
Paul.Grant@OSD.Mil
Federal IT Summit, October 28, 2009
http://www.IdManagement.Gov

Slide 3: What is ICAM?
ICAM represents the intersection of digital identities, credentials, and access control into one comprehensive approach.
Key ICAM service areas include:
- Digital Identity
- Credentialing
- Privilege Management
- Authentication
- Authorization & Access
- Cryptography
- Auditing and Reporting

Slide 4: President's Budget for FY 2010
Extract from Section 9, "Leveraging the Power of Technology to Transform the Federal Government":
"To support this effort, the Federal Identity, Credential, and Access Management (ICAM) segment architecture provides Federal agencies with a consistent approach for managing the vetting and credentialing of individuals requiring access to Federal information systems and facilities. The ICAM segment architecture will serve as an important tool for providing awareness to external mission partners and drive the development and implementation of interoperable solutions."

Slide 5: ICAM Scope
- Persons and Non-Persons
- Logical Access and Physical Access
- Alignment of Federal ICAM and CNSS Identity and Access Management (National Security Systems)
- Interagency Security Committee (Physical Access Control)
- Awareness to External Mission Partners for interoperable solutions

Slide 6: FICAM Development Process
- The development process involves coordination and collaboration with Federal agencies, industry partners, and cross-government groups.
- The Roadmap team has produced the key outputs of the FSAM needed for an ICAM segment architecture, and has coordinated with these groups to develop workable approaches to enable cross-government solutions.
Groups involved:
- Committee for National Security Systems (CNSS)
- Interagency Security Council (ISC)
- Information Sharing Environment (ISE)
- White House National Science and Technology Council (NSTC)
- Office of Management and Budget
- National Institute of Science and Technology (NIST)
- Office of the National Coordinator (ONC) for Health IT
- Multiple agencies represented within the CIO Council subcommittees and working groups

Slide 7: Summary & Conclusions
- Strong Identity and Access Management are foundational to secure information sharing, collaboration and cybersecurity.
- Shared guidance is improving, with much room for more improvement: clear, concise, consistent, credible, for ourselves and our mission partners.
- Federal Identity, Credential, and Access Management (ICAM) is providing this consistent approach (with your help).
- Mission partners are fielding strong identity credentials as well as creating federations for sharing and collaboration.
- Progress depends on public-private partnering, domestically and internationally.

Slide 8: Back Up Slides

Slide 9: Enabling Policy and Guidance
- The Mandate: HSPD-12, August 27, 2004
- The Standard: FIPS-201, February 25, 2005
- The Implementing Guidance: OMB M-05-24, August 5, 2005
- Federal PKI Common Policy Framework; Special Publications; Technical Specs.
- The E-Gov Act of 2002
- The Implementing Guidance: OMB M-04-04, December 16, 2003
- The Technical Spec: SP 800-63, June 2004
- The Government Paperwork Elimination Act of 1998
- Federal Bridge Model Policy
- The Implementing Guidance: OMB M-05-05, December 20, 2004
- The Implementing Guidance: OMB M-00-10, April 25, 2000

Slide 10: M-04-04, E-Authentication Guidance for Federal Agencies
OMB guidance establishes 4 authentication assurance levels (Identity Assurance Levels, IAL):
- Level 1: Little or no confidence in asserted identity. Self-assertion; minimum standards.
- Level 2: Some confidence in asserted identity. On-line instant qualification, out-of-band follow-up.
- Level 3: High confidence in asserted identity. On-line out-of-band verification for qualification; cryptographic solution.
- Level 4: Very high confidence in asserted identity. In-person proofing; record a biometric; cryptographic solution; hardware token.

Slide 11: FICAM Roadmap & Implementation Guidance Overview
PART A: ICAM Segment Architecture (Phase 1 of the effort)
- Overview of Identity, Credential, and Access Management. Provides an overview of ICAM that includes a discussion of the business and regulatory reasons for agencies to implement ICAM initiatives within their organization.
- ICAM Segment Architecture. Standards-based architecture that outlines a cohesive target state to ensure alignment, clarity, and interoperability across agency initiatives.
- ICAM Use Cases. Illustrate the as-is and target states of high-level ICAM functions and frame a gap analysis between the as-is and target states.
- Transition Roadmap and Milestones. Defines a series of logical steps or phases that enable the implementation of the target architecture.
PART B: Implementation Guidance (Phase 2 of the effort)
- ICAM Implementation Planning. Augments standard life cycle methodologies as they relate to specific planning considerations common across ICAM programs.
- Implementation Guidance. Provides guidance to agencies on how to implement the transition roadmap initiatives identified in the segment architecture, including best practices and lessons learned.

Slide 12: ICAM Overview from ICAM Segment Architecture (diagram)

Slide 13: Services Framework Categorization Scheme
- Service Type: provides a layer of categorization that defines the context of a specific set of service components.
- Service Component: a self-contained business process or service with predetermined and well-defined functionality that may be exposed through a well-defined and documented business or technology interface.

Slide 14: Services Framework
- Digital Identity: Digital Identity Lifecycle Management; Identity Proofing; Linking/Association*; Adjudication; Vetting; Authoritative Attribute Exchange
- Credentialing: Issuance; Enrollment/Registration*; Credential Lifecycle Management; Sponsorship; Self-Service*
- Privilege Management: Provisioning; Account Management*; Bind/Unbind; Privilege Administration; Resource Attribute/Metadata Management
- Authentication: Credential Validation; Biometric Validation; Session Management; Federation
- Authorization and Access: Policy Decision; Policy Enforcement; Policy Administration; Backend Attribute Retrieval
- Cryptography: Encryption/Decryption; Digital Signature*; Key Management
- Auditing and Reporting: Audit Trail*; Reports Management

Slide 15: ICAM Subcommittee Accomplishments Summary for FY 2009
- Issued "Personal Identity Verification Interoperability (PIV-I) for non-Federal Issuers" in May 2009, providing guidance on achieving identity credentials that are consistent with the PIV Credential and trustable by the Federal community.
- Initiated work on the ICAM Segment Architecture as Part One of the ICAM Roadmap and Implementation Guidance mandated in the President's FY-10 Budget. Produced and coordinated multiple drafts. Final release is imminent.
- Published Federal profiles for the implementation of open identity solutions for interaction with the American public. Current profiles include OpenID and InfoCard for transactions at identity assurance level one.
- Worked with Federal PKI Shared Service Providers to extend strong identity credentialing to the external community in support of PIV Interoperability.
- Published Trusted Framework Providers Adoption Process.
- Conducted ICAMSC leadership outreach to other identity initiatives in the Federal community, in order to foster a "Clear, Concise, Consistent and Credible" message for ourselves and our external partners, and further socialized this message with state governments and industry through participation in multiple conferences and meetings.
- Developed ICAM Work Plan for 2010.

Slide 16: Owen Unangst, Director of Innovation, US Department of Agriculture

Slide 17: USDA's ICAM Model: Implementing Policies, Procedures & Technologies (diagram)
Components shown: Enterprise SSO; EEMS; EEMS Administration; Auditing and Reporting; Monitoring; Workflow Engine; Rules Engine; NEIS; PayPers; EmpowHR (Person Model); Stand-Alone Servers; Mainframe; AS/400; Active Directories; ePACS; HSPD-12; VPN/NAC; eAuthentication; Identity Management System; Provisioning System; Enterprise Directory; Enterprise & Business Apps.
Legend: Available Now (Phase 1); In Progress (Phase 1a); FY 10 Deliverables (Phase 2).

Slide 18: Example Utilization: Single Sign-On
- Desktops
- Laptops
- VPNs
- eAuthentication
- Whole Disk Encryption
- Encrypted Thumb Drives

Slide 19: Example Utilization: Physical Access Controls
- For "ultimately" 220 MCFs
- National infrastructure in place
- Almost 100 facilities already connected
- Authentication controlled nationally
- Authorization controlled locally

Slide 20: Example Utilization: Role Based Access Control
New process: If "Loan Officer" = True Then do not add role = "Loan Approver"
Manual process:
- Over 200 persons to manage roles
- 73 to handle audit issues
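The rule on this slide, implemented as a provisioning-time separation-of-duties check with an audit trail and a sweep for pre-existing violations (an added example, not USDA's code; the role store, the second conflict pair and the user names are constructed for illustration):

```python
"""Separation-of-duties (SoD) enforcement for role provisioning.

Added example, not USDA's code. The Loan Officer / Loan Approver
pair is the rule stated on the slide; everything else is constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Role pairs one person must never hold together ("toxic combinations").
# The second pair is a constructed illustration, not from the slide.
SOD_CONFLICTS = {
    frozenset({"Loan Officer", "Loan Approver"}),
    frozenset({"Payment Requester", "Payment Approver"}),
}


@dataclass
class RoleStore:
    roles: dict[str, set[str]] = field(default_factory=dict)  # user -> roles held
    audit: list[str] = field(default_factory=list)             # audit trail lines

    def conflicts_with(self, user: str, role: str) -> set[str]:
        """Roles the user already holds that conflict with `role`."""
        held = self.roles.get(user, set())
        return {r for r in held if frozenset({r, role}) in SOD_CONFLICTS}

    def assign(self, user: str, role: str) -> bool:
        """Grant `role` unless it creates a conflict; log every decision."""
        clash = self.conflicts_with(user, role)
        if clash:
            self.audit.append(f"DENY {user} {role} conflicts_with={sorted(clash)}")
            return False
        self.roles.setdefault(user, set()).add(role)
        self.audit.append(f"GRANT {user} {role}")
        return True

    def violations(self) -> list[tuple[str, str, str]]:
        """Users who already hold a conflicting pair (e.g. legacy manual grants)."""
        found = []
        for user, held in self.roles.items():
            for pair in SOD_CONFLICTS:
                if pair <= held:
                    first, second = sorted(pair)
                    found.append((user, first, second))
        return sorted(found)


def demo() -> RoleStore:
    store = RoleStore()
    store.assign("alice", "Loan Officer")
    store.assign("alice", "Loan Approver")                     # denied by the rule
    store.roles["bob"] = {"Loan Officer", "Loan Approver"}    # constructed legacy grant
    return store
```

The `violations()` sweep is what turns the slide's "73 to handle audit issues" into a report that can be produced on demand rather than by hand.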

Slide 21: Example Utilization: Network Admission Control (diagram)
Components shown: Distribution Layer Switch; Wired; Network Access Controller; Remediate; Wireless Access Point; Wireless; USDA Enterprise Directory; VPN; IDS; Health Check: Pass / Health Check: Fail; NAC Agent; BigFix; Anti-X; Patch Management; Disk Encryption; FDCC; File Integrity Checking; Host-Based FW; Host-Based IPS; Data Loss Prevention; User Roles; ASOC; Auditing and Reporting; Remote Access; Local Access.

Slide 22: Example Utilization: Digital Signatures @ USDA
Scope:
- Adobe Acrobat files and forms, versions 8 & 9
- Microsoft Office (Word, Excel, PowerPoint), versions 2003 & 2007
- Microsoft Outlook, versions 2003 & 2007
- Business transactions

Slide 23: Vance Hitch, Chief Information Officer, US Department of Justice

Slide 24: Identity, Credential, and Access Management: Today's Law Enforcement Environment
- Today's world:
  - Law enforcement agencies rely on their numerous systems to provide critical information to officers.
  - Some systems are internal to an agency, but many more are parts of a national network:
    - Internal Records Management systems
    - Regional Information Sharing Networks (LINKs, ARGIS, etc.)
    - National systems: CJIS, NCIC, N-Dex, IAFIS (NGI), NICS
- The end goal is to provide the "Right Information to the Right Person, at the Right Times".
- The end result is to provide officers and analysts with critical information that keeps them and the American public safe and secure.

Slide 25: How are we accomplishing this mission?
- We have developed a trusted relationship with limited access points for information sharing.
- We communicate over trusted networks like: CJIS WAN, LEO, RISS, HISN.
- Established through policies and procedures developed by participants and governing boards such as the FBI's APB.
- Supported through the use of MOUs signed by all participants that dictate how and what we will share.

Slide 26: Problem
- Today's world requires users to have passwords for every system they access.
- Each system must validate and manage access to its own system.
- There is a need to have individuals' identities validated, managed and vouched for by trusted organizations in a secure way, so that other entities do not have to redo it.

Slide 27: Examples of Ongoing Federated Identity Management Initiatives
- Global Federated Identity & Privilege Management (GFIPM)
- CJIS Federated Identity Management Services (FIMS)
- DOJ's Trusted Broker pilot: the DOJ currently provides a "trusted broker" pilot to help enable organizations to connect Identity Providers to Service Providers more simply and inexpensively.
- These initiatives are complementary, not competitive, and are interoperable today.

Slide 28: DOJ's Trusted Broker Pilot
- Currently deployed to 4,400 users at: DOJ, Chicago PD, RISS, LEO
- Service Providers:
  - JABs
  - HISIN-Intel
  - LEO-Intelink
  - RISS-Intelink
  - Criminal Information Sharing Alliance Network (Southwest Border)
  - RISSNET Portal
  - myFX, secure internet file sharing offered by DOJ
- New Service Providers in process: N-DEx, Tripwire, Bomb & Arson Tracking Systems (BATS, ATF), NGIC

Slide 29: Trusted Broker Operation (diagram)

Slide 30: Federated Identity Management Using a Trusted Broker Solution
Benefits:
- More information available to more users
- Single sign-on (enhanced user experience)
- Comprehensive audit capability
- Improved alliances across government entities
- Streamlined vetting (cost avoidance/reduction)
- Improved interoperability
- Improved security:
  - Vetting is done closer to the user
  - More secure authentication mechanisms
  - Dynamic de-provisioning

Slide 31: Questions? http://www.cio.gov/committees/InformationSecurity.cfm