Presentation is loading. Please wait.

Presentation is loading. Please wait.

Spring 2013 ICAM Day Value of ICAM Breakout Session Paul D. Grant Director of Cybersecurity Policy, DoD CIO Co-Chair, Federal Identity, Credential &

Published byBritney Allison Modified over 9 years ago

Similar presentations

Presentation on theme: "Spring 2013 ICAM Day Value of ICAM Breakout Session Paul D. Grant Director of Cybersecurity Policy, DoD CIO Co-Chair, Federal Identity, Credential &"— Presentation transcript:

1 Spring 2013 ICAM Day Value of ICAM Breakout Session Paul D. Grant Director of Cybersecurity Policy, DoD CIO Co-Chair, Federal Identity, Credential & Access Management Sub-Committee

2 ICAM is part of the Foundation for Major Initiatives
Continuous Monitoring Mobile Device and Mobile Device Management FICAM helps Federal Agencies support disaster recovery efforts Ex. DoD supporting FEMA and local law enforcement agencies FICAM is a crucial component of secure information sharing Through strong authentication, continuous monitoring, and driving out anonymity, national cyber security goals can be reached National Strategy for Trusted Identities in Cyberspace (NSTIC) National Strategy for Information Sharing and Safeguarding (NSISS)

3 Emerging Capabilities being Driven by ICAM
Through the PIV and PIV-I Cards, ICAM is seeking new capabilities that will increase the value to users and encourage the use of stronger credentials The DC area and Philadelphia area transit authorities are converting their systems to accept PIV-I Cards starting next year TSA Pilot with DoD to use CAC/PIV to allow for express security at airports. Looking to convert separate military service payment cards (Eagle Cash, Navy Cash, etc.) into one interoperable card and eventually add this to the CAC Potential to add the Government Credit Card capabilities to the PIV

4 Attributes of Success PIV Used in All Executive Branch in compliance with HSPD-12. No anonymous entities (person/non-person) on our networks. Same token for physical and logical access. All Executive Branch applications enabled to authenticate PIV, PIV-I, and other ICAM approved credentials where identity based access is required. Transactions will be signed and encrypted when sensitive. Provide external users the capability to opt-up to stronger credentials for more privileges and more individual security and privacy. Achieve paperless processes efficiencies. Broad adoption of ICAM solutions beyond the Executive Branch Examples of where paperless process efficiencies can be gained: OGE Form 450 for Confidential Financial Disclosure Report On-Line Training with Audit Records Annual Performance Reports.

5 ICAM Key Performance Indicators Joint Information Environment (JIE)
DoD IdAM Drivers ICAM Key Performance Indicators Joint Information Environment (JIE) IdAM Objectives 100% of federal employees and eligible contractors have PIV cards and using them for: Cryptographic Log-On Day-to-Day Business (e.g., Signature) 100% of applications authenticating federal employees and contractors use PIV credentials Access data/website/apps via identity credentials 100% of physical access transactions electronically authenticate the PIV credential of federal employees 100% of electronic transactions with external businesses and citizens use third party credentials (e.g. PIV-I, and other NFI) Access control is dynamic (automatic and data-driven) Person and non-person entity discovery capabilities are implemented Activity monitoring is enabled Person and non-person entity data are complete, trusted, accurate, and accessible Collaboration and interoperability is enabled IdAM is institutionalized EXORD gave direction of develop technical specifications/documents for integrated active cyber defense, attribute-based access management, metadata tagging capabilities, identity and access management, and single security architecture IdAM Incremental Upgrades - joint directory services implemented, and accounts synchronized by IdSS, DoD Visitor installed in enterprise directory services, White page service implemented

6 Use of Approved Non-DoD Credentials for Authentication
DoD currently uses high assurance identity credentials for most access to DoD resources e.g. JPAS authenticates using CAC, PIV, and PIV-I Cards DoD also manages and issues some of these lower assurance credentials – already incurring costs Family Members, Retirees, Beneficiaries Some business partners delivering goods and services Foreign Military Sales customers DoD components may enable unclassified systems to use NFI credentials where mission required Benefits: Reduce Number of Credentials Maintained by DoD Reduce Costs (e.g. Helpdesk credential problems) Improve user experience and control of PII OMB and DoD have issued guidance on acceptance and use of Non-Federally Issued (NFI) Credentials (e.g., DoDI ) Approved Trust Framework Providers and Identity Providers posted on DoD Approved External PKIs are posted on

7 Acceptance of Approved Externally-Issued Credentials
A recent white paper summarized the current state of DoD and its acceptance of externally-issued credentials: The Problem: DoD Relying Parties are not Accepting DoD-approved externally-issued identity credentials DoD requires Federal contractors to perform strong authentication to DoD hosted applications To fulfill this requirement, DoD typically issues Federal contractors DoD credentials or requires them to procure DoD credentials (ECA) Many Federal contractors issue their employees company credentials which are DoD-approved strong credentials (CAC-Like) These company credentials should be accepted by DoD applications but often application owners will only accept DoD issued credentials (CAC or ECA) DoD CIO policy exists on acceptance of these company credentials but only encourages application owners to accept DoD-approved credentials, it does not require their acceptance The Consequence: Duplication, unnecessary costs and security vulnerabilities Need for DoD and industry partners to support multiple identities for these individual Unnecessary costs of operations to both DoD and DIB members Diverts partner resources from the target of employer credentials Duplicate identities credentials Security gaps that introduce risk

8 DoD Requirements for Accepting Non-Federally Issued Identity Credentials
CIO memo signed 24 January 2013 The DoD and Executive Branch will leverage identity credentials from Non-Federal Issuers (NFI) as authentication options to Federal information systems and services. The NFI identity credential initiative allows the Federal Government to: Reduce the need and costs to issue and maintain credentials for mission partners Protect partners by minimizing the collection and storage of personal information Benefit partners by minimizing the number of credentials they must protect and maintain Support the National Strategy for Trusted Identities in Cyberspace (NSTIC) Components will ensure that unclassified information systems will be enabled to accept NFI credentials for authorized users. Components will ensure that information systems will support identity authentication using all credential strengths that meet or exceed the minimum level identified. Components will accept a DoD approved very high assurance credential from a user authorized system access rather than require the procurement of a DoD credential.

9 Backup Slides

10 ICAMSC Working Group Structure

11 Cybersecurity Policy Development Partnerships
DoD participates in development of CNSS and NIST documents ensuring DoD equities are met DoD leverages CNSS and NIST policies and filters requirements to meet DoD needs DoD participates in CNSS and NIST policy development as a vested stakeholder with the goals of a more synchronized cybersecurity landscape and to protect the unique requirements of DoD Missions and warfighters

12 Dynamic Access Control
DoD Identity and Access Management (IdAM) “Person and non-person entities can securely access all authorized DoD resources, anywhere, at any time.” Request Access with credentials IT-Based Resource or Physical Resource Authorized? Authenticated? IdAM Data yes no Access Denied Logging/ Auditing

13 Automatic and Data Driven

14 DoD IdAM Strategy Overview
DoD IdAM is the DoD implementation of FICAM DoD has a strategy for implementing IdAM which is an authoritative reference that illustrates DoD commitment and focuses DoD IdAM activities Goals of the strategy include: Improve mission effectiveness by ensuring that users and systems have timely and secure access to the data and services needed for mission accomplishment, regardless of location Increase security by knowing who is operating on our networks with a high degree of confidence by denying adversaries freedom of maneuverability within the JIE Realize IT efficiencies by institutionalizing IdAM

15 DoD IdAM Document Overview
DoD is working on a roadmap to enable decision-making that aligns and focuses activities to a common enterprise solution Goals of the roadmap: Inform and enable proactive, data-driven decision making Improve cross-program synchronization There is also a DoD Reference Architecture in development that will guide and constrain the implementation. This will be a living document that is being produced by a team containing both IdAM and architecture experts.

16 The Way Ahead for DoD Communicating and securing leadership agreement with the proposed direction Continuing to work with key stakeholders on refining the DoD IdAM Strategy Continuing to develop the reference architecture and capability roadmap Continuing to capture information on IdAM initiatives that support/implement IdAM strategic concepts Focusing on the acceptance of non-DoD approved credentials

17 Acceptance of Non-DoD Approved Identity Credentials
DoD has issued a number of documents related to the acceptance of DoD Approved Identity Credentials: 2011 DoD CIO Memo, DoD Continued Implementation of HSPD-12 and ICAM Guidance, (Nov 15) “DoD logical and physical access control systems will also be enabled to use other Federal PIV credentials” “Components will ensure that all new logical and physical access control systems are enabled to use and electronically verify PIV credentials in accordance with HSPD-12 for authenticating DoD and Federal employees and contractors.” “Components will ensure that beginning in FY2012, all logical and physical access control systems that are funded for upgrade include enablement to use and electronically verify PIV credentials” 2011 DoD Instruction Public Key Infrastructure and PK Enabling, (May 24) “The DoD shall enable DoD information systems to use DoD-approved PKIs for authentication in accordance with DoDI ” “DoD mission partners shall use certificates issued by the DoD External Certification Authority (ECA) program or a DoD-approved PKI, when interacting with the DoD in unclassified domains.”

18 Acceptance of Non-DoD Approved Identity Credentials
2011 DoD Instruction , Identity Authentication for Information Systems, (May 13) “The information system or DoD network shall ensure that any credential used for identity authentication has been issued by an approved DoD identity credential provider or a DoD-approved Federal or industry partner identity credential provider” 2010 DoD Memo, Acceptance and Use of PIV-Interoperable Credentials, (October 05) “In those cases where DoD Relying Parties, installation commanders, and facility coordinators determine that granting access is appropriate and that appropriate vetting requirements are met, they should begin accepting DoD-approved PIV-I credentials for authentication and access” 2008 DoD CIO Memo, Approval of External Public Key Infrastructures, (July 22) (superseceded by DoD I ) “The DoD shall enable DoD information systems to use DoD-approved PKIs for authentication” 2004 DoD PKI PMO Letter to Federal PKI Policy Authority, (Mar 19) “Today, over 3 million DoD personnel have a Common Access Card (CAC)…” “We hope to achieve 2-way interoperability with the FBCA by the end of calendar year 2004.”

Download ppt "Spring 2013 ICAM Day Value of ICAM Breakout Session Paul D. Grant Director of Cybersecurity Policy, DoD CIO Co-Chair, Federal Identity, Credential &"

Similar presentations

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
The Federation for Identity and Cross-Credentialing Systems (FiXs) www.FiXs.org FiXs ® - Federated and Secure Identity Management in Operation Implementing.

The Federation for Identity and Cross-Credentialing Systems (FiXs) FiXs ® - Federated and Secure Identity Management in Operation Implementing.
BENEFITS OF SUCCESSFUL IT MODERNIZATION

BENEFITS OF SUCCESSFUL IT MODERNIZATION
Paul D. Grant Special Assistant, Federated Identity Management and External Partnering Office of the DoD CIO Co-Chair, Identity, Credential.

Paul D. Grant Special Assistant, Federated Identity Management and External Partnering Office of the DoD CIO Co-Chair, Identity, Credential.
HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
Public Key Infrastructure (PKI) Hosting Services.

Public Key Infrastructure (PKI) Hosting Services.
National Incident Management System Overview. Homeland Security Presidential Directive 5 Directed Secretary, DHS to develop and administer: 1.National.

National Incident Management System Overview. Homeland Security Presidential Directive 5 Directed Secretary, DHS to develop and administer: 1.National.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
Federal Identity Management

Federal Identity Management
IDESG Goals & Work-plans for 2013 and beyond Brett McDowell IDESG Management Council Chair

IDESG Goals & Work-plans for 2013 and beyond Brett McDowell IDESG Management Council Chair
Enterprise Security A Framework For Tomorrow Christopher P. Buse, CPA, CISA, CISSP Chief Information Security Officer State of Minnesota.

Enterprise Security A Framework For Tomorrow Christopher P. Buse, CPA, CISA, CISSP Chief Information Security Officer State of Minnesota.
United States DoD Public Key Infrastructure: Deploying the PKI Token

United States DoD Public Key Infrastructure: Deploying the PKI Token
Security Controls – What Works

Security Controls – What Works
Federal Information Processing Standard (FIPS) 201, Personal Identity Verification for Federal Employees and Contractors Tim Polk May.

Federal Information Processing Standard (FIPS) 201, Personal Identity Verification for Federal Employees and Contractors Tim Polk May.
EDUCAUSE Fed/Higher ED PKI Coordination Meeting

EDUCAUSE Fed/Higher ED PKI Coordination Meeting
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
NIST framework vs TENACE Protect Function (Sestriere, 21-23 Gennaio 2015)

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
Investment Management Concepts Portfolio Management | Segment Architecture March 25, 2009 Adrienne Walker and Kshemendra Paul

Investment Management Concepts Portfolio Management | Segment Architecture March 25, 2009 Adrienne Walker and Kshemendra Paul
I DENTITY M ANAGEMENT Joe Braceland Mount Airey Group, Inc.

I DENTITY M ANAGEMENT Joe Braceland Mount Airey Group, Inc.
A Combat Support Agency Defense Information Systems Agency UNCLASSIFIED Program Executive Office GIG Enterprise Services (PEO-GES) 101 Briefing As of October.

A Combat Support Agency Defense Information Systems Agency UNCLASSIFIED Program Executive Office GIG Enterprise Services (PEO-GES) 101 Briefing As of October.

Similar presentations

Ads by Google