1 EAP and EAI Alignment: FiXs Pilot Project
December 14, 2005
David Temoshok, Director, Identity Policy and Management, GSA Office of Governmentwide Policy


2 EAI/EAP Common Trust Framework

1. Establish & define authentication risk and assurance levels
   EAI: OMB M-04-04 - Established and defined 4 authentication assurance levels as Governmentwide policy
   EAP: Adopted OMB M-04-04 authentication assurance levels
2. Establish technical standards & requirements for e-Authentication systems at each assurance level
   EAI: NIST Special Pub 800-63 Authentication Technical Guidance - Established authentication technical standards at 4 established assurance levels
   EAP: Adopted NIST SP 800-63 standards
3. Establish methodology for evaluating authentication systems at each assurance level
   EAI: Credential Assessment Framework - Standard methodology for assessing authentication systems of credential service providers
   EAP: Service Assessment Criteria - Standard methodology for assessing authentication systems of credential service providers
5. Perform assessments and maintain trust list of trusted CSPs
   EAP: Trusted CSP List
   EAI: Trusted CSP List
6. Establish common business rules for approved CSPs
   EAI: EAI Federation Business Rules and Service Agreements
   EAP: EAP Business Rules and Agreements

3 Identity Federation Models

• Bi-lateral (peer-to-peer)
• Hub & Spoke (unilateral)
• Circle of Trust (many-to-many)

The models for identity federation strongly impact decisions on technical architecture and governance.

4 EAP Vision: Multiple, Interoperable Federations

Diagram labels: IDP, SP/RP, Federation 1, Federation 2, EAP

Common Governance
Common Trust Framework & Rules
Common Architecture & Interoperable Products

5 EAI/EAP Alignment

Diagram labels: EAI, EAP; timeline 2004, 2005, 2006, 2007

Common Assurance Levels
Common Authentication Standards
Reciprocal CSP Trust Certifications
Common Designated Assessors
Common Business Rules
Common Architecture
Common Protocols
Common Data Models
Joint Pilots And Projects

6 FiXs & EAP Pilot Sponsors

EAP. Established to create a structure to use government-approved credentials for logical access for government and business applications. Has business process and trust framework for logical access but needs to add transaction processing for e-authentication and an accreditation process for federations that adopt EAP rules.

U.S. General Services Administration. Needs to facilitate e-authentication for commercial sector partners and a commercial process for certifying logical and physical authentication service providers and federations.

FiXs. Established to provide federated authentication of credentials for the purpose of physical access to DoD facilities and contractor sites. Wants to provide logical access functionality and PIV/HSPD-12 functionality in a federated environment for its membership.

U.S. Department of Defense. Seeks high security and identity assurance for external access to DoD systems and to leverage its investment in physical access authentication.

Objective: Demonstrate interoperability by enabling federated single card authentication for logical and physical authentication for token-based access to commercial and government facilities and systems.

7 DCCIS Background

Challenge for DoD and its Contractors: Need for authentication system for DoD employees and its contractors for physical access at their respective facilities without issuing an additional set of credentials.

Solution: DCCIS Pilot & Prototype. DCCIS pilot/prototype system for DMDC employees to use CAC cards and several contractors to use their corporate badges to authenticate at participating facilities using a Trust Gateway Broker to retrieve identification data and validate credentials. (2003)

Diagram labels: DCCIS TGB; Contractor 1, Contractor 2, Contractor n; DoD Facility 1, DoD Facility 2, DoD Facility n; AUTHENTICATION; PHYSICAL ACCESS

8 FiXs: An Extension to DCCIS

Challenge for DoD and its Contractors: Need to deploy DCCIS system to 224 DoD bases and their contractors (@ 110,000) in a timely and cost-effective manner.

Solution: FiXs. Commercial system that mimics and links to DCCIS to extend the authentication system out to encompass all eligible participants.

Diagram labels: FiXs TGB; DCCIS TGB; Contractor 1 through Contractor 6, Contractor n; DoD Facility 1 through DoD Facility 6, DoD Facility n; AUTHENTICATION FOR PHYSICAL ACCESS

9 EAP: Trust Framework for E-Authentication

Challenge for Federal Agencies and the Commercial Sector: Need to deploy a cross-domain electronic authentication system that enables secure logical access between the Federal government and commercial contractors and companies.

Solution: EAP. Create a structure to use government-approved credentials used under E-Authentication Initiative, ECA, the Federal Bridge, etc. for other business applications.

Diagram labels: EAP Framework; EAI; ECA, Etc.; Fed Bridge; Company 1 Network, Company 2 Network, Company 3 Network, Company n Network; Fed Gov Network 1, Fed Gov Network 2, Fed Gov Network 3, Fed Gov Network n; AUTHENTICATION FOR LOGICAL ACCESS

10 FiXs Expansion: EAP + PIV/HSPD-12

System Usage Expansion. New member recruitment, deployment to DoD sites worldwide, potential expansion and compliance with PIV/HSPD-12.

Expansion to Logical Access. Logical access functionality will be piloted by aligning with EAP and other federations in the future, e.g., TSCP.

Diagram labels: EAP Framework; EAI; ECA, Etc.; Fed Bridge; FiXs TGB; DCCIS TGB; Company 1 Facility/Network, Company 2 Facility/Network, Company 3 Facility/Network, Company n Facility/Network; Fed Gov Facility/Network 1, Fed Gov Facility/Network 2, Fed Gov Facility/Network 3, Fed Gov Facility/Network n; AUTHENTICATION FOR LOGICAL ACCESS; PHYSICAL ACCESS

11 Attributes of the Business Model

Association Model. Control processes across entities that are not directly affiliated. Funding based on membership and dues.

Intermediary Multi-Party Contracts. Members sign contract to single intermediary rather than multi-lateral contracts across Members.

Operating Rules. Provides uniformity and process control and incorporates policies and technical specifications by reference.

Distribution of Investment, Risks & Liabilities. Reduces risks to individual Members through risk and liability allocation and spreading investment across Members.

Community of Interest of Users. Provides forum for policy alignment and resolution of issues that are obstacles to market development using a trust model.

Recognized by Government. Government requirements incorporated into system and program; government acknowledges and regulates by reference.

12 FiXs & EAP Pilot Outcome

Align Rules & Policies. Align FiXs Operating Rules and policies with EAP Business Rules and trust framework.

Harmonize Certification Process. Establish requirements and a process for certifying FiXs and EAP Issuers and Relying Parties as well as infrastructure components.

Build Out Technical Architecture. Build out FiXs technical architecture to accommodate EAP e-authentication transactions and establish a combined transaction environment.

Adapt Technical Specifications. Adapt FiXs interface design, system software design and hardware/software functional requirements that enable a FiXs and EAP operational environment.

Accommodate Multiple Tokens. Accommodate existing FiXs and EAP Member tokens/cards/credentials and migrate to PIV/HSPD-12 compliant card.

To enable interoperability between FiXs and EAP for combined physical and logical access in a federated environment, fill in the gaps and harmonize existing policies and infrastructure.

