Committee on National Security Systems

NATIONAL DIRECTIVE FOR THE IMPLEMENTATION AND OPERATION OF IDENTITY, CREDENTIAL AND ACCESS MANAGEMENT CAPABILITIES (ICAM) ON THE UNITED STATES (US) FEDERAL SECRET FABRIC



CNSSD No. 507
May 2013


THIS DOCUMENT PRESCRIBES MINIMUM STANDARDS
YOUR DEPARTMENT OR AGENCY MAY REQUIRE FURTHER IMPLEMENTATION GUIDANCE


CNSS Secretariat (IE32)
National Security Agency * 9800 Savage Road * Suite 6716 * Ft Meade MD 20755-6716
cnss@radium.ncsc.mil



FOREWORD

1. CNSS Directive No. 507 governs how Identity, Credential and Access Management (ICAM) capabilities will be implemented and managed across the Federal Secret Fabric to promote secure information sharing and interoperability within the Federal Government. It establishes the mandate to implement the capabilities embodied within the Federal Identity, Credential, and Access Management Roadmap and Implementation Guidance version 2.0 (FICAM), dated December 2, 2011, on Secret level applications, systems and networks owned, operated or maintained by US Government (USG) Departments and Agencies (hereby referred to as the Secret Fabric) and identifies specific outcomes and deadlines for achieving this goal.


2. The National Strategy for Information Sharing and Safeguarding (NSISS) was signed by the President in December, 2012 to provide a strategy for sharing and securing our nation's information assets and directs the Federal government to improve interoperability, security, and discovery of sharable information.

3. Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, signed October 7, 2011, requires all Departments and Agencies of the Federal government to implement reforms to their networks and systems to improve the secure sharing of classified information.

4. CNSS is charged with establishing and managing improved interoperable ICAM capabilities on the Federal Secret Fabric that meet the intent of the FICAM Roadmap and Implementation Guidance. This Directive is essential to providing a common approach to achieve these goals and to provide a governance structure that promotes development of secure, interoperable frameworks, systems and networks.

This Directive is available from the CNSS Secretariat, as noted below, or the CNSS website: http://www.cnss.gov.

[Person's Name]
CHAIR


NATIONAL DIRECTIVE FOR THE IMPLEMENTATION AND OPERATION OF IDENTITY, CREDENTIAL AND ACCESS MANAGEMENT CAPABILITIES (ICAM) ON THE UNITED STATES (US) FEDERAL SECRET FABRIC

SECTION I - PURPOSE

1. This Directive provides governance and milestones for implementing and managing improved and interoperable ICAM capabilities on the Federal Secret Fabric. It establishes the requirement for all United States Government (USG) Departments and Agencies to implement the applicable capabilities embodied in the Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance on the Federal Secret Fabric and other ICAM capabilities as directed. This Directive establishes roles and responsibilities and includes guidance for subordinate policies and execution strategies.

SECTION II - AUTHORITY

2. The authority to issue this Directive derives from National Security Directive 42, National Policy for the Security of National Security Telecommunications and Information Systems, dated July 5, 1990, which outlines the roles and responsibilities for securing national security systems, consistent with applicable law, E.O. 12333, as amended, and other Presidential directives.


3. Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, signed October 7, 2011, requires all Departments and Agencies of the Federal Government to implement reforms to their networks and systems to improve the secure sharing of classified information. It further charges that effective technical safeguarding policies and standards must be developed in coordination with the CNSS by the Executive Order's Executive Agent for Safeguarding Classified Information on Computer Networks.

4. Nothing in this Directive should be interpreted as altering or superseding the existing authorities of the Director of National Intelligence.

SECTION III - SCOPE

5. This Directive applies to all USG Departments and Agencies and their supporting contractors, agents, non-federal affiliates, and international partners who own, procure, operate, maintain, or interface with information technology capabilities on the Federal Secret Fabric including capabilities that reside on closed networks.

a. The Federal Secret Fabric consists of all USG Department and Agency Secret-level applications, systems, networks, and electronic data, to include closed or stand-alone systems and networks, as well as extended enterprises such as contractors and international partners that interface with USG Department and Agency Secret level systems and networks.

6. This Directive does not apply to NSS systems that reside on Unclassified or Top Secret networks.

SECTION IV - POLICY

7. USG Departments and Agencies shall implement improved and interoperable ICAM capabilities on the Federal Secret Fabric consistent with the FICAM Roadmap and Implementation Guidance and in accordance with timelines and incremental capability deployment as coordinated by the Program Manager - Information Sharing Environment (PM-ISE); Federal Chief Information Officer (CIO) Council; CNSS; and other Departments, Agencies, contractor organizations, and international partners subject to this directive.

8. The end-state objective of FICAM implementation shall be a common set of ICAM operational features that provide assurance and information sharing capabilities. These features must at a minimum include, but are not limited to:

a. Identity: USG Departments and Agencies shall establish an Identity Management capability on Secret networks leveraging the existing identity management processes and technologies and shall work together to perform the activities required to lay the foundation for identifying architecture standards, technologies, processes, and interfaces that will be used in future interoperability. The identity management capability shall have the following features:

i. An onboarding process for new internal and external members of the owning organization which includes identity proofing; vetting; clearance processing; subject attribute issuance, modification, revocation; and unique digital identity creation;

ii. A process and mechanism for the authoritative establishment, exposure, revocation, and alteration of a minimum set of common subject attributes that can be shared across the Secret Fabric for the purposes of directory or white pages lookup or access decision determination;

iii. Issuance of a unique credential, bound to the digital identity of the individual and used for network boundary and application authentication;

iv. Processes and mechanisms for digital identity and credential modification and revocation.

b. Authentication: USG Departments and Agencies shall develop and implement a common authentication capability on Secret networks leveraging the NSS PKI [1] and shall work together to perform the activities required to lay the foundation for identifying architecture standards, technologies, processes, and interfaces that will be used in future interoperability. This authentication capability shall have the following features:

i. Certificate-based network logon including logging each access using the unique identifier contained in PKI digital certificates;

ii. Certificate-based authentication to high and moderate impact systems;

iii. Certificate-based authentication to systems across the Federal Secret Fabric including employees, affiliates and international partners.

[1] CNSSD 506, National Directive to Implement Public Key Infrastructure for the Protection of Systems Operating on Secret Level Networks, provides additional architectural and technical detail regarding the NSS PKI.

c. Access: USG Departments and Agencies shall develop and implement access management capabilities to all designated systems across the Federal Secret Fabric to support secure information sharing, attribution, and data protection. All entities on the Federal Secret Fabric shall work together to perform the activities required to lay the foundation for identifying architecture standards, technologies, processes, and interfaces that will be used in future interoperability. This access management capability shall have the following features:

i. A shared set of subject attributes that are common across the Federal Secret Fabric to ensure interoperability in access requests for shared information;

ii. Designated subject attribute authorities;

iii. Shared digital policy rules used to control access to similarly protected resources across the Federal Secret Fabric;

iv. For all systems, networks and applications, access using a unique identifier in digital certificates which is linked to the user's subject attributes;

v. For all specially designated systems, access using Attribute Based Access Control (ABAC) [2] capabilities where access decisions are based on subject, resource, and environment attributes and digital policy rules. Specially designated systems will be identified by the cognizant Department and Agency representative and shall, at a minimum, include all systems that share restricted information outside of the cognizant Department or Agency.

vi. Implemented processes for on-going maintenance of attributes and digital policies.

[2] While there are different models for authorization such as Identity-Based Access Control (IBAC), Role-Based Access Control (RBAC), Risk-Adaptive Access Control (RDAC), and Dynamic Access Control (DAC), ABAC has been selected for this policy. It has the flexibility that interoperability needs for secure sharing of information in a wide variety of environments and has broad understanding in the Federal enterprise. Also, IBAC, RBAC, RDAC, and DAC can be replicated through a combination of attributes and digital policies. For example, RBAC uses only the subject's role attribute.

d. Auditing and Reporting: USG Departments and Agencies shall implement auditing and reporting capabilities to all designated systems across the Federal Secret Fabric to support secure information sharing, attribution, and data protection. All entities on the Federal Secret Fabric shall work together to perform the activities required to lay the foundation for identifying architecture standards, technologies, processes, and interfaces that will be used in future interoperability. This auditing and reporting capability shall have the following features:

i. Ability to log digital identity and event information (time, originator IP address, originator organization, operations performed, etc.) for each authentication and authorization transaction in order to ensure non-repudiation and enable the capture of forensic data in the event of an intrusion or in response to an internal threat;

ii. Ability to report unsuccessful access or authentication attempts for the purposes of helping authorized users gain access and identifying suspicious activities by non-authorized users.
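The ABAC decision described in item c.v and footnote 2 above, together with the per-transaction audit record of d.i and the failed-attempt reporting of d.ii, as an added Python illustration; it is not part of CNSSD 507 or of any FICAM implementation, and the attribute names, clearance ordering, rule names and sample values are all assumed for the example.

```python
from datetime import datetime, timezone
from typing import Callable, Dict, List

Attrs = Dict[str, object]
Rule = Callable[[Attrs, Attrs, Attrs], bool]  # (subject, resource, environment) -> permit?

# Ordering used to compare a subject's clearance with a resource's classification (assumed labels).
LEVEL = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


class PolicyDecisionPoint:
    """Deny-by-default evaluation of digital policy rules, with one audit record per transaction."""

    def __init__(self, rules: Dict[str, List[Rule]]) -> None:
        self.rules = rules                  # operation -> rules that may permit it
        self.audit_log: List[Attrs] = []

    def decide(self, subject: Attrs, resource: Attrs, env: Attrs, operation: str) -> bool:
        permitted = any(rule(subject, resource, env) for rule in self.rules.get(operation, []))
        # Section IV.8.d.i: time, originator IP and organization, operation performed,
        # keyed to the unique identifier carried in the subject's PKI certificate.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "subject_uid": subject["cert_uid"],
            "originator_ip": env["source_ip"],
            "originator_org": subject["org"],
            "operation": operation,
            "resource": resource["id"],
            "decision": "PERMIT" if permitted else "DENY",
        })
        return permitted


def cross_agency_read(subject: Attrs, resource: Attrs, env: Attrs) -> bool:
    """Full ABAC rule: subject, resource and environment attributes all take part."""
    return (LEVEL[subject["clearance"]] >= LEVEL[resource["classification"]]
            and subject["org"] in resource["releasable_to"]
            and env["network"] == "SECRET" and env["cert_validated"] is True)


def admin_modify(subject: Attrs, resource: Attrs, env: Attrs) -> bool:
    """RBAC expressed in ABAC terms (footnote 2): only the subject's role attribute is consulted."""
    return "ICAM-Admin" in subject["roles"]


RULES = {"read": [cross_agency_read], "modify": [admin_modify]}


def failed_attempts(pdp: PolicyDecisionPoint) -> List[Attrs]:
    """Denied transactions, the input to the reporting called for in Section IV.8.d.ii."""
    return [r for r in pdp.audit_log if r["decision"] == "DENY"]


def demo() -> PolicyDecisionPoint:
    # Constructed sample attributes; none of these identifiers or addresses are real.
    analyst = {"cert_uid": "uid-analyst-01", "org": "DeptA", "clearance": "SECRET", "roles": ["Analyst"]}
    admin = {"cert_uid": "uid-admin-01", "org": "DeptB", "clearance": "SECRET", "roles": ["ICAM-Admin"]}
    report = {"id": "rpt-42", "classification": "SECRET", "releasable_to": ["DeptA", "DeptB"]}
    env = {"network": "SECRET", "source_ip": "10.10.0.5", "cert_validated": True}
    pdp = PolicyDecisionPoint(RULES)
    pdp.decide(analyst, report, env, "read")                                 # PERMIT
    pdp.decide(analyst, dict(report, releasable_to=["DeptB"]), env, "read")  # DENY: not releasable to DeptA
    pdp.decide(analyst, report, env, "modify")                               # DENY: lacks the ICAM-Admin role
    pdp.decide(admin, report, env, "modify")                                 # PERMIT
    return pdp
```

Calling demo() runs the four transactions and returns the decision point with its audit log; failed_attempts() over that log yields the two denied requests.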


SECTION V - RESPONSIBILITIES

9. CNSS shall:

a. Approve standards, interfaces and protocols for implementing FICAM on Secret networks.

b. Publish the Policy or Directives required to support management of ICAM capabilities on the Federal Secret Fabric, deployment of new capabilities, and interoperability with foreign affiliates.

c. Publish minimum service level requirements for information confidentiality, integrity and service availability for providers of shared services.

d. Publish a waiver process and guidance to identify systems, networks and applications that should be exempt from specific FICAM requirements.

10. The CNSS IdAM WG shall:

a. Provide guidance to Departments and Agencies for the implementation of FICAM on the Secret Fabric.

b. Recommend a trust model for information sharing between Departments and Agencies that includes common authentication mechanisms based on the sensitivity of the system or data; a common set of shared attributes (subject, resource, and environmental); digital access rules required for authorization decisions; and data governance models.

c. Designate, with CNSS Committee approval, providers of shared services for shared or common services required by multiple Departments and Agencies across the Federal Secret Fabric.

d. Provide compliance reports to the Senior Information Sharing and Safeguarding Steering Committee (SISSSC) and other governing bodies as determined by the SISSSC.

e. Develop guidelines for selecting specially designated systems for ABAC implementation.

f. Develop minimum and recommended FICAM capabilities for closed or stand-alone systems and networks that include, at a minimum, auditability and non-repudiation capabilities.

g. Coordinate resolution of or exceptions from conflicting requirements, standards, interfaces or protocols including coordinating the waiver process.

h. Coordinate the development of Identity and Access policies and standards taking into account those policies and standards already in use on other networks to support interoperability of applications deployed across multiple networks.

i. Provide recommendations for standards, interfaces and protocols to the ICAM Steering Committee (ICAMSC) taking into account those standards, interfaces, and protocols used on other fabrics to promote portability of applications to other fabrics.

j. Collaborate with other fabric authorities to leverage lessons learned.

11. Each Department and Agency of the USG owning or operating applications, systems, or networks on the Federal Secret Fabric shall:

a. Designate a lead official, representative, or governing body to serve as the single point of coordination for that Department or Agency with the CNSS IdAM WG no later than ninety days from the signature on this directive.

b. Publish subordinate policies; implementation plans; and establish the coordination, implementation, and reporting structures required to support the development and deployment of FICAM capabilities on the Secret Fabric including policies and activities required by applicable security risk management procedures.

c. Implement applicable FICAM capabilities on all of its applications, systems and networks resident on or connected to the Federal Secret Fabric.

d. Identify systems that meet the definition of high and moderate impacts as defined in CNSSI 1253.

e. Identify closed or stand-alone systems and networks that should be partially or fully exempt and provide justification.

f. Identify access control rules and policies for protected resources.

g. Identify subject, resource, and environment attributes needed to satisfy access control rules and policies.

h. In coordination with other Departments and Agencies, identify a common set of subject attributes to be used for information sharing.

i. In coordination with other Departments and Agencies, identify a common set of shared ICAM services to be deployed to the Federal Secret Fabric.

j. Establish trust agreements necessary to make access control information available for use by access control mechanisms in other Departments or Agencies where interoperability and information sharing is required.

k. Identify specially designated systems that will employ ABAC and which systems will use alternative authorization capabilities.

l. Plan, program, and budget for the appropriate resources to implement and maintain FICAM for the Federal Secret Fabric for their respective applications, systems and networks in accordance with the Office of Management and Budget (OMB) A-130 and peer or subordinate Department or Agency policies and guidance.

m. Prepare semi-annual reports on the status of the agency's FICAM implementation and submit them to the PM-ISE and the SISSSC. This report shall also address technical and resource limitations that may delay implementation.

12. The designated providers of shared services for ICAM on the Secret Fabric excluding PKI [3] shall:

a. Execute Service Level Agreements (SLAs) that include required metrics for information confidentiality, integrity, and service availability; as well as provisions for escalation processes, problem resolution, change processes, and performance guarantees with related penalties for lack of performance.

Enclosures:
ANNEX A - Definitions
ANNEX B - References

[3] Responsibilities of providers of shared PKI services are found in Common Service Providers in CNSSD 506.


ANNEX A to CNSSD No. 507

ANNEX A

13. Definitions used in CNSSI No. 4009, National Information Assurance Glossary, revised April 2010, apply as appropriate to this Directive. Listed below are some additional terms and their definitions. Within this Directive, these definitions are used exclusively for these terms.

DEFINITIONS

Attribute-Based Access Control: A logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes.

Common Services Provider (CSP): A federal organization that provides NSS-PKI support to other federal organizations, academia and industrial partners requiring classified NSS-PKI support but without their own self-managed infrastructures.

Federal Secret Fabric: All Secret level applications, systems and networks owned, operated or maintained by USG Departments and Agencies or by their contractors, agents, and non-federal affiliates.

Identity, Credential, and Access Management (ICAM): An integrated set of capabilities to create and manage identities, credentials, and policy and electronically automate authorization decisions for access to information resources.

Non-federal Affiliate: Non-Executive branch USG organizations, including domestic and foreign organizations.


ANNEX B to CNSSD No. 507

ANNEX B

REFERENCES

1. (U) National Strategy for Information Sharing and Safeguarding, December 2012

2. (U) Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, October 7, 2011

3. (U) National Security Directive (NSD)-42, National Policy for the Security of National Security Telecommunications and Information Systems, July 5, 1990

4. (U) Executive Order 12333, United States intelligence activities, December 4, 1981

5. (U) Federal Identity, Credential, and Access Management Roadmap and Implementation Guidance version 2.0 (FICAM), December 2, 2011

6. (U) Committee on National Security Systems Policy Number 506 (CNSSP 506), National Directive to Implement Public Key Infrastructure for the Protection of Systems Operating on Secret Level Networks, October 9, 2012

7. (U) Committee on National Security Systems Instruction Number 1253 (CNSSI 1253), Security Categorization and Control Selection for National Security Systems, June 2011

8. (U) Committee on National Security Systems Instruction Number 4009 (CNSSI 4009), National Information Assurance (IA) Glossary, current edition

RELATED DOCUMENTS

1. (U) Committee on National Security Systems Policy Number 15 (CNSSP 15), National Information Assurance Policy on the Use of Public Standards for the Secure Sharing of Information Among National Security Systems, March 2010

2. (U) Recommendations for Implementing FICAM on U.S. Secret Networks, January 2013

3. (U) NIST Special Publication 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations (Draft), April 2013