Leadership Communications Brief

Nov 15, 2013

Federal CIO Council

Information Security and Identity Management Committee

IDManagement.gov

Last Updated: June 13, 2013

Content Overview

Choose your own adventure! This briefing deck is intended for agencies to leverage in the manner that is most appropriate for them. The deck includes summary information as well as more detailed slides related to particular topics.

The slides are broken down into the following categories:

- ICAM Goals and Objectives
- Current Challenges and ICAM Solutions
- Intersection of ICAM and Emerging Needs
- Resources

ICAM Overview

What is Identity, Credential, and Access Management (ICAM)?

ICAM represents the intersection of digital identities, credentials, and access control into one comprehensive approach that is focused on delivering greater convenience and appropriate security and privacy protection, with less effort and at a lower cost.

ICAM includes:

- Digital Identity
- Credentialing
- Privilege Management
- Authentication
- Authorization and Access
- Federation
- Cryptography
- Auditing and Reporting

What Does ICAM Provide?

The ICAM Target State architecture enhances alignment, clarity, and interoperability across the Federal Government while improving security, eliminating redundancies, and reducing costs.

1. Identity Management
- Protection of PII*
- Simplified management of user data
- Streamlined on-boarding

2. Credential Management
- Improved interoperability
- Resistance to fraud and tampering
- Enhanced interagency trust

3. Access Management
- Stronger authentication
- Streamlined access to resources
- Reduced enterprise costs

4. Federation
- Improved collaboration with partners
- Reduced management burden on external users

5. Auditing and Reporting
- Enhanced activity logging
- Ability to support security forensics

* Personally Identifiable Information (PII)

ICAM Goals and Objectives

ICAM addresses federal identity, credential, and access management programs and demonstrates the importance of implementing the ICAM segment architecture in support of five overarching strategic goals and their related objectives.

Goal 1: Comply with Federal Laws Relevant to ICAM
Key objectives:
- Align and coordinate federal policies and key initiatives impacting ICAM implementation
- Establish and enforce accountability for ICAM implementation to governance bodies

Goal 2: Facilitate E-Government by Streamlining Access to Services
Key objectives:
- Expand secure electronic access to government data and systems
- Promote public confidence through transparent ICAM practices

Goal 3: Improve Security Posture across the Federal Enterprise
Key objectives:
- Support cybersecurity programs
- Integrate electronic verification procedures with PACS
- Drive the use of a role-based framework for access control
- Improve electronic audit capabilities

Goal 4: Enable Trust and Interoperability
Key objectives:
- Support ISE communities of interest
- Align processes with external partners
- Establish and maintain trust relationships

Goal 5: Reduce Costs and Increase Efficiency
Key objectives:
- Leverage standards and COTS for ICAM services
- Reduce administrative burden associated with performing ICAM tasks
- Align existing and reduce redundant ICAM programs
- Increase interoperability and reuse of ICAM programs and systems

Agency ICAM Responsibilities

Federal agencies are responsible for the agency-level initiatives found in the FICAM Roadmap and Implementation Guidance* as required by M-11-11.

Initiative 5: Streamline Collection & Sharing of Digital Identity Data
Key objectives:
- Establish and leverage authoritative data sources
- Automatically and electronically share identity data

Initiative 6: Fully Leverage PIV and PIV-I Credentials
Key objectives:
- Authenticate cardholders using the mechanisms on PIV/PIV-I cards
- Accept PIV cards from other agencies
- Use the PIV card for data security operations (e.g., encryption)

Initiatives 7 & 8: Modernize PACS & LACS Infrastructure
Key objectives:
- PIV-enable PACS/LACS
- Automate provisioning of user access privileges
- Implement enterprise solutions for cost savings

Initiative 9: Implement Federated Identity Capability
Key objectives:
- Leverage FPKI and trust framework processes
- Enable applications to accept third-party credentials

* FICAM Roadmap and Implementation Guidance

The ICAM Evolution

The Federal ICAM Initiative was created based on the recommendation of the National Science and Technology Council (NSTC) Identity Management Task Force Report, as an endeavor to provide streamlined coordination and management for related programs, including Federal Public Key Infrastructure (PKI), E-Authentication, and Homeland Security Presidential Directive 12 (HSPD-12).

Timeline:
- October 1998: GPEA
- September 2002: FCPA Operational
- October 2002: FISMA
- December 2002: E-Gov
- December 2003: M-04-04
- August 2004: HSPD-12
- Development of Special Publications (Issuance of PIV Begins)
- August 2005: M-05-24
- March 2006: FIPS 201
- September 2008: NSTC Task Force Report
- December 2008: ISIMC Chartered
- Development of ICAM Segment Architecture
- November 2009: FICAM Roadmap & Implementation Guidance v1.0
- Development of Implementation Guidance
- February 2011: M-11-11
- December 2011: FICAM Roadmap & Implementation Guidance v2.0

ICAM Drivers

There are a number of drivers related to security, privacy, and efficiency that have converged to emphasize the need for coordinated ICAM efforts.

- Increasing cybersecurity threats
  - There is no National, International, Industry “standard” approach to individual identity on the network. (President’s 60 Day Cyberspace Policy Review)
  - Security weaknesses found across agencies included the areas of user identification and authentication, encryption of sensitive data, logging and auditing, and physical access. (GAO-09-701T)
- Need for improved physical security
- Lag in providing government services electronically
- Vulnerability of Personally Identifiable Information (PII)
- Lack of interoperability
  - “The ICAM segment architecture will serve as an important tool for providing awareness to external mission partners and drive the development and implementation of interoperable solutions.” (President’s FY2010 Budget)
- High costs for duplicative processes and data management

ICAM Mission

ICAM seeks to streamline government-wide identity, credential, and access management activities to ensure alignment and clarity, minimize duplication of effort, and promote government-wide interoperability.

- Fostering effective government-wide identity and access management
- Enabling trust in online transactions through common identity and access management policies and approaches
- Aligning federal agencies around common identity and access management practices
- Reducing the identity and access management burden for individual agencies by fostering common interoperable approaches
- Ensuring alignment across all identity and access management activities that cross individual agency boundaries
- Collaborating with external identity management activities through inter-federation to enhance interoperability

Supporting Your Agency’s Mission with ICAM

ICAM provides a foundational capability to manage identity accounts, user credentials, and access to your agency’s resources.

Users served: agency employees & contractors, customers, and business partners.

Identity Management:
- Manage users & accounts
- Protect personally identifiable information
- Securely share attributes

Credential Management:
- Implement PIV for employees & contractors
- Leverage PKI
- Leverage trusted externally-issued credentials

Access Management:
- Access federal facilities
- Access IT resources
- Federate access for external users

Agency Challenges and Solutions

Today’s Agency Challenges

ICAM can assist an agency in implementing solutions to overcome a variety of obstacles:

- Budget Constraints
- Differing Agency Priorities
- Technical Comprehension
- Collaboration Between Agency Stakeholders
- Multiple Federal Laws and Policies
- Distributed Organizations
- Agency Resources
- PIV and PIV-enablement
- Understanding How FICAM Impacts Agency Programs

Budget Constraints

Leverage Existing Investments

Agencies may have existing investments in place that are capable of providing services in a manner consistent with the target state ICAM segment architecture.

- Software. Cost of software, including licenses and maintenance fees, that can be decommissioned or redeployed across all environments for development, testing, and production
- Hardware. Cost of hardware that could be decommissioned or redeployed across all environments for development, testing, and production

The availability of enterprise software licenses should be investigated, as these can significantly lower acquisition costs and influence an agency’s make or buy decision.

This information has been derived from the FICAM Roadmap.

Tools to Support Agency ICAM Planning

Leverage existing tools and documentation to plan for ICAM investments!

FICAM Roadmap v2.0
- Capital planning guidance is found in Chapter 6
- Planning for physical and logical access implementations is found in Chapters 10 and 11, respectively

ICAM ROI Toolkit*
- The ROI dashboard tool can be used to determine potential ICAM costs and benefits
- Based on estimated costs, the Toolkit assists agencies in building a business case

ICAM Maturity Model
- Identify how and where programs are being successful
- The findings can inform an agency on where resources can be leveraged

* Please contact ICAM@gsa.gov to access the ICAM ROI Toolkit.

FICAM Roadmap and Implementation Guidance

The FICAM Roadmap and Implementation Guidance document (FICAM Roadmap v2.0) consists of two components: Part A outlines the government-wide ICAM segment architecture, and Part B provides agencies with implementation guidance, critical for achieving alignment.

Part A: ICAM Segment Architecture (Chapters 3-5) provides the ICAM segment architecture, which outlines a cohesive target state to ensure clarity and interoperability across agency-level initiatives, including:
- Compliance with the Federal Segment Architecture Methodology (FSAM)
- Various use cases which illustrate the as-is and target states of high-level ICAM functions and frame a gap analysis between the as-is and target states
- A detailed transition roadmap and milestones which define a series of logical steps or phases that enable the implementation of the target architecture

Part B: Implementation Guidance (Chapters 6-12) provides guidance on a broad range of topics to enable a holistic approach for alignment with the ICAM segment architecture, including:
- Information for planning and managing an agency’s ICAM program
- Sample solution architectures for expected target state technical capabilities
- Important considerations, benefits, and limitations for different implementation approaches
- Numerous tips, FAQs, and lessons learned from real ICAM implementations

ROI Toolkit Overview

The ROI Toolkit* is a resource that agencies can leverage when demonstrating the value of ICAM and/or building their business case for an ICAM implementation.

- ROI Case Study Inventory. Summarizes federal and commercial ICAM case studies and sound bites that can be leveraged to help scope an ICAM business case analysis. The sound bites can be leveraged as more anecdotal improvement metrics or results.
- ROI Dashboard Tool. Provides templates for calculating ICAM costs and benefits as well as example reports that can be used when planning for an ICAM implementation.
- Building an ICAM Business Case Presentation. Provides a more detailed, step-by-step approach for building an ICAM business case and the cost calculations associated with it. It is to be used in conjunction with the ICAM ROI Dashboard Tool.

* Please contact ICAM@gsa.gov to access the ICAM ROI Toolkit.

ICAM Maturity Model

The ICAM Maturity Model tool provides a government-wide approach for evaluating the progress of an agency’s capabilities against the ICAM segment architecture.

- Provides a series of questions for an agency to answer related to:
  - Governance & Program Management
  - Identity Management
  - Credential Management
  - Physical Access Management
  - Logical Access Management
  - Federation
- Identifies capability gaps between the current state and the ICAM target state via a summary dashboard
- Provides the steps necessary to achieve the next phase of ICAM maturity

Technical Comprehension

ICAM Technology at a Glance

Understanding the key characteristics of ICAM technology can help an agency in moving towards achievement of the ICAM target state.

ICAM technology characteristics:

- Provides protection of both physical (e.g., buildings, offices) and logical (e.g., networks, applications) agency resources and assets
- Promotes collaboration among federal agencies and with mission partners
- Aligns with multiple agency missions and needs (i.e., provides a high degree of customization and flexibility)
- Supports the ability to manage multiple users and their privileges when accessing agency resources (i.e., networks and applications)
- Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
- Provides a logging process to support a clear audit trail

Understanding How FICAM Impacts Agency Programs

ICAM Can Support Other Agency Programs

Experience the following benefits across your agency business processes by implementing ICAM:

- Increased security, which correlates directly to a reduction in identity theft, data breaches, and trust violations.
- Compliance with laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress.
- Improved interoperability, specifically between agencies using their PIV credentials along with other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework.
- Enhanced customer service, both within agencies and with their business partners and constituents, facilitating secure, streamlined, and user-friendly transactions.
- Elimination of redundancy, both through agency consolidation of processes and workflow and the provision of government-wide services to support ICAM processes.
- Increased protection of Personally Identifiable Information (PII) by consolidating and securing identity data.

Collaboration Between Agency Stakeholders

Capital Planning for ICAM

Collaboration between all relevant stakeholders during each phase of the Capital Planning and Investment Control (CPIC) process is critical to ensure that the overlapping elements of different ICAM activities are addressed.

To support capital planning for ICAM programs, an agency should:

- Coordinate capital planning efforts across individual ICAM projects and Exhibit 300 business cases
- Ensure alignment throughout the organization to consolidate redundant ICAM investments across agency components
- Support collaboration across ICAM projects and systems to improve visibility and accountability of the agency’s spending on ICAM-related investments
- Evaluate agency-specific needs to determine the appropriate and most cost-efficient Exhibit 300 submission approach

Agencies should work to incorporate ICAM requirements into their CPIC and investment request processes by:

- Identifying key criteria for an investment to be considered aligned with the ICAM target state;
- Incorporating those criteria into CPIC processes and guidance; and
- Communicating any changes to the relevant stakeholders and CPIC process participants.

ICAM Touches Many Programs

Coordinate with the appropriate stakeholders at your agency early and often! Suggested coordination activities include:

Problem-Solving Teams
- Develop expert problem-solving teams, such as working groups that are established to address issues and present solutions.
- Help to identify and escalate business and technical challenges that may not be known at the enterprise level but could impede ICAM implementation throughout the agency.
- Share implementation lessons learned across bureaus/components or individual programs to reduce overall ICAM program risk and increase speed and efficiency in implementation.

Focus Groups/Tiger Teams
- Stand up smaller focus groups or t
iger teams for the purpose of resolving specific program issues or providing direct support for implementation.
- Improve stakeholder buy-in associated with enterprise approaches and services by promoting better understanding and a sense of inclusion and ownership in the program.
- Improve consistency across an agency’s ICAM implementation, a key goal when implementing the ICAM segment architecture.

This information has been derived from the FICAM Roadmap; for more detailed information see section 6.1.2, Program Stakeholders.

Multiple Federal Laws and Policies

The Current ICAM Policy Landscape

Implementing ICAM promotes alignment with multiple policies.

- HSPD-12: Homeland Security Presidential Directive 12 was issued August 27, 2004 to create a common identification standard for federal employees and contractors for accessing federally-controlled facilities and federal information systems.
- OMB M-11-11: Issued February 3, 2011, OMB M-11-11 provides additional guidance for agencies in the continued implementation of HSPD-12 and requires federal agencies to designate a lead official and issue a policy requiring use of the PIV credential.
- NSTIC: In April 2011, the National Strategy for Trusted Identities in Cyberspace (NSTIC) was developed to enable individuals and organizations to utilize improved identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.
- VanRoekel Memo: On October 6, 2011 the Office of Management and Budget (OMB) released a policy memorandum related to the acceptance of externally-issued identity credentials by federal applications.
- NSISS: The National Strategy for Information Sharing and Safeguarding (NSISS) was signed by the President on December 19, 2012 and contains goals, principles, and objectives that outline how the Federal Government will responsibly share and safeguard information to enhance and protect national security.

Policy Shaping the ICAM Landscape

The ICAM landscape contains a multitude of policy drivers that enable the interoperability and trust necessary to accomplish secure information sharing within and beyond the boundaries of the Federal Government.

Uphold Security Posture
Promotes the use of enhanced security measures to protect government systems, resources, and facilities.
References:
- Homeland Security Presidential Directive 12 (HSPD-12)
- Federal Information Security Management Act (FISMA)
- FIPS 201-2

Secure Information Sharing
Facilitates government-wide interoperability and trusted collaboration across the unclassified, secret, and top secret fabrics.
References:
- Intelligence Reform and Terrorism Prevention Act
- Executive Order (E.O.) 13587
- National Strategy for Information Sharing and Safeguarding (NSISS)

Enable Trust and Interoperability
Establishes a foundation of internal and external trust to drive the development and implementation of interoperable solutions.
References:
- National Security Strategy (2010)
- VanRoekel Memo
- National Strategy for Trusted Identities in Cyberspace (NSTIC)

Facilitate E-Government
Supports the elimination of paper-based forms to streamline existing processes and reduce redundancies.
References:
- E-Government Act of 2002
- OMB M-04-04
- The Digital Government Strategy
- Government Paperwork Elimination Act (GPEA)

HSPD-12

HSPD-12

Homeland Security Presidential Directive 12 was issued August 27, 2004 to create a common identification standard for federal employees and contractors for accessing federally-controlled facilities and federal information systems.

Security objectives: establish a mandatory, government-wide standard for secure and reliable forms of identification that:
- Is issued based on sound criteria for verifying an individual employee’s identity;
- Is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation;
- Can be rapidly authenticated electronically; and
- Is issued only by providers whose reliability has been established by an official accreditation process.

Results:
- A standard, interoperable credential: the PIV credential
- Consistent processes for identity vetting and proofing
- A common, secure approach for accessing facilities and networks
- An increased level of government efficiency

http://www.dhs.gov/homeland-security-presidential-directive-12

The Environment Prior to HSPD-12

Before HSPD-12, the key efforts in the federal environment, such as physical and logical access and identity vetting and identity processes, were managed separately and inconsistently.

Logical Access
- Management of multiple passwords and user accounts, increasing inefficiencies
- Use of lower assurance credentials (e.g., passwords), introducing security risks
- Inconvenience to users having to remember/manage different passwords and tokens

Identity Processes
- Various processes for confirming the identity of a user prior to issuance of a credential, making it possible for individuals to claim a false identity
- Inconsistent vetting requirements, resulting in varying levels of suitability
- No trust or reciprocity across agencies, leading to duplication of investigation efforts and costs

Physical Access
- Over 200 types of valid IDs, leading to inefficiencies and security challenges
- Prevalence of IDs that could be easily counterfeited, enhancing the potential for a security breach
- In many cases, no means of electronic verification, providing little to no assurance of a user’s identity and introducing the opportunity for human error

PIV Credential Overview

The PIV credential has a variety of security features, notably the use of Public Key Infrastructure (PKI) cryptography to provide strong identity assurance in an interoperable manner.

[Sample card face: Affiliation: Civilian; Lastname, Firstname, M.; United States Government; Agency/Department: Department of Homeland Security; Issued 01/01/10; Expires 01/01/15; Federal Emergency Response Official; color photograph; contact chip]

- Chain of Trust / Identity Proofing Process (common processes): identity proofing and background investigation processes that build a chain of trust.
- Biometric Authentication: fingerprint and/or iris information used for authentication that binds the identity of the user to the credential.
- PIN: something that only the user knows, used with the card to access various applications. Replaces cumbersome and insecure passwords for applications.
- Physical Features: strong anti-counterfeiting features (e.g., laser etching, holographic images).
- PKI Authentication: digital certificate on the card that supports electronic verification of the cardholder.
- PKI Digital Signature: for electronically signing documents to provide non-repudiation and message integrity.
- PKI Encryption: for cryptographically protecting data at rest and in transit in order to provide confidentiality.
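The PKI Authentication feature above is what a relying party actually checks when it "electronically verifies" a cardholder, and it is also what makes accepting another agency's card possible: validate the certificate on the card back to a trusted issuing CA, then require proof that the card holds the matching private key. The Go program below is an added example written for this page; it is not code from the deck, from IDManagement.gov, or from any PIV middleware. It assumes a generated ECDSA key pair and a self-signed "Example Agency PIV Issuing CA" as stand-ins for the card's PIV Authentication key and the Federal PKI, and the `Card`, `NewIssuerAndCard` and `Authenticate` names are this example's own. It shows the two checks (chain validation to a configured trust anchor, including validity period and client-authentication usage, then a signature over a fresh random nonce) and how an expired, not-yet-valid, or foreign-issued credential is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Card stands in for the PIV Authentication key and certificate on the card's contact
// chip (a constructed stand-in, not PIV middleware): the key never leaves it, it only signs.
type Card struct {
	certDER []byte
	key     *ecdsa.PrivateKey
}

// SignChallenge signs SHA-256(nonce) with the card key: proof of possession.
func (c *Card) SignChallenge(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, c.key, digest[:])
}

// NewIssuerAndCard builds a toy issuing CA (the trust anchor a relying party configures;
// in production this chains to the Federal PKI) and one cardholder certificate under it.
func NewIssuerAndCard(holder string, notBefore, notAfter time.Time) (*x509.CertPool, *Card, error) {
	caKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cardKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, nil, fmt.Errorf("key generation failed: %v %v", err1, err2)
	}
	caTmpl := &x509.Certificate{ // CA name is constructed for this example
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Agency PIV Issuing CA"},
		NotBefore:             notBefore.Add(-24 * time.Hour),
		NotAfter:              notAfter.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	cardDER, err := x509.CreateCertificate(rand.Reader, &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: holder},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // what the relying party checks for
	}, caCert, &cardKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(caCert)
	return trusted, &Card{certDER: cardDER, key: cardKey}, nil
}

// Authenticate is the relying-party side: (1) validate the presented certificate against
// the configured trust anchors as of now (issuer signature, validity period, client-auth
// usage), then (2) demand a signature over a fresh random nonce so that a captured
// signature cannot be replayed. Returns the verified cardholder name.
func Authenticate(trusted *x509.CertPool, card *Card, now time.Time) (string, error) {
	cert, err := x509.ParseCertificate(card.certDER)
	if err != nil {
		return "", err
	}
	if _, err := cert.Verify(x509.VerifyOptions{
		Roots:       trusted,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	nonce := make([]byte, 32)
	rand.Read(nonce) // crypto/rand: never returns an error on supported platforms
	sig, err := card.SignChallenge(nonce)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256(nonce)
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", fmt.Errorf("challenge signature invalid")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	now := time.Now()
	trusted, card, err := NewIssuerAndCard("LASTNAME.FIRSTNAME.M", now.Add(-time.Hour), now.Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println(Authenticate(trusted, card, now))                   // LASTNAME.FIRSTNAME.M <nil>
	fmt.Println(Authenticate(trusted, card, now.Add(36*time.Hour))) // rejected: expired
}
```

Run it with `go run`. The relying party never sees the private key; cross-agency acceptance works by adding the other agency's issuing CA to the trusted pool, nothing else changes. Revocation checking (CRL/OCSP) and path building through a Federal PKI bridge are omitted here, and a production relying party needs both.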

HSPD-12 Streamlines Operations and Reduces Duplication

By implementing HSPD-12 and standardizing the PIV credential, agencies experience significant cost savings and added value.

Cost savings from:
- Minimized password resets
- Reduced infrastructure and hosting costs on other credential types
- Minimized security breaches
- Phasing out duplicative processes and IT investments

Added value from:
- Minimized paperwork/manual processes
- Enhanced information sharing
- Improved user satisfaction from having to remember a single PIN vs. multiple passwords

Prior to HSPD-12: multiple credentials needed; security breach remediation; multiple password resets; repeated data entry; manual/redundant paperwork; duplicative processes; distributed physical security; extensive IT and infrastructure costs.

HSPD-12 environment: a single PIV credential.

Using the PIV Credential

Imagine a world where a single credential gets you in the front door to your office, onto your computer, allows you to securely sign and encrypt data, and gives you access to government-wide tools and resources at other agencies. This world is possible today with the PIV credential.

- Access your agency’s resources
- Interoperable for government-wide use: government-wide applications, access at other agencies
- Leverage value-add applications: digital signatures, encryption, transit/payment

PIV Credential vs. Other Credentials

The PIV credential provides many features and benefits that other credentials are unable to offer. Comparison of passwords, OTP tokens, and PIV across the following features:

- User vetting
- High identity assurance
- Interoperability
- Accredited issuance processes
- Cross-agency trust
- Use for physical and logical access
- Encryption
- Digital signature
- Efficiencies
- Biometric binding of identity

HSPD-12: PIV is an Enabler

The PIV credential is an enabler for efforts across the Federal Government to move toward a stronger, more secure, and more efficient presence on the internet.

Cybersecurity
Strengthens the security and resiliency of critical infrastructure against evolving threats to safeguard the government.
References:
- Cybersecurity Strategy
- FISMA
- PPD on Critical Infrastructure Security and Resilience

E-Government
Promotes the use of electronic forms and offers online government services protected by strong authentication.
References:
- The Digital Government Strategy
- E-SIGN Act
- E-Government Act

Information Sharing
Encourages sustained, responsible, and trusted collaboration to support interoperability across the government.
References:
- National Strategy for Information Sharing and Safeguarding
- ISS EO 13587

Good Steward of IT Resources (IT spending, investment performance)
Emphasizes planning and spending control processes for investment in information systems to support agency missions.
References:
- Clinger-Cohen Act
- M-12-10: PortfolioStat
- M-13-02: Strategic Sourcing

Standards-based Solutions for Meeting Emerging Needs

There is an emerging desire across federal employees to have more flexibility in their work. The Federal Government is moving toward the use of mobile devices and allowing employees to telework.

PIV-derived credential: use mobile devices to strongly authenticate to agency resources, and perform these secure transactions from any location!
- Strongly authenticate
- Digitally sign and encrypt data
- Access applications

Agency Status

When considering the HSPD-12 objective to move toward a common credential, the government is succeeding. Today a large number of PIV credentials have been issued; however, an agency is not able to capitalize on the true return on this investment until it begins fully leveraging the credential.

Look at the Numbers

As a result of HSPD-12, agencies have the capabilities necessary to strengthen their current IT infrastructure and address the risks associated with the evolving threat environment.

- 17%: the percentage of incidents reported from unauthorized access (GAO-13-187)
- 782%: increase in cybersecurity incidents reported by federal agencies 2006-2012 (GAO-13-187)
- $7.2M: the estimated cost of a data breach per incident (Bloomberg)
- $1.52B: the estimated cost to Americans related to identity theft (Huffington Post)
- 46%: decrease in successful network intrusions resulting from smart card-based PKI logon in the DoD (Realized Value of FPKI)
- 30%: decrease in the number of successful social engineered e-mail attacks in the DoD, from use of smart card/PKI (Realized Value of FPKI)
- $1464/user: estimated agency savings per year on password resets (Forrester)
- 75%: reduction of document handling costs, shipping costs and processing costs by using digital signature (Signix.com)
- $100: total cost savings per user, per year by avoiding use of one-time password tokens (Tyntec)
- $2.9B/year: estimated savings realized from switching to digital transactions (Economist)


Takeaways

- PIV is fiscally responsible IT: it provides for consolidation of investments, reduces redundancy and stovepipes, and promotes integration.
- PKI is a robust technology that is used every day so that websites can be trusted to conduct transactions, and it supports two- and three-factor authentication.
- HSPD-12 provides a very high level of assurance of identity, and this facilitates trust.
- HSPD-12 provides interoperable, crypto-based authentication for logical and physical access.
- The PIV credential can be used for value-added functionality such as digital signatures, which reduce paper forms, and encryption, which protects data at rest and data in transmission.


Call to Action

Use the PIV Credential at your Agency!

- Ensure that contracts for procurements of IT, building access, and systems enable the PIV credential
- Mandate the use of the PIV credential for network log on and building access
- Accept the PIV credentials of other agency users
- Identify, prioritize, and PIV-enable multi-agency applications
- Phase out redundant infrastructure

OMB M-11-11

M-11-11

Issued February 3, 2011, OMB M-11-11 provides additional guidance for agencies in the continued implementation of HSPD-12 and requires federal agencies to designate a lead official and issue a policy requiring use of the PIV credential. Key points include:

- Effective immediately, all new systems under development must be enabled to use PIV credentials prior to being made operational
- Effective the beginning of FY2012, existing physical and logical access control systems must be upgraded to use PIV credentials prior to the agency using development and technology refresh funds to complete other activities
- Procurements for services and products involving facility or system access control must be in accordance with HSPD-12 policy and the Federal Acquisition Regulation
- Agency processes must accept and electronically verify PIV credentials issued by other federal agencies
- The government-wide architecture and agency transition plans must align, as described in the Federal Identity, Credential, and Access Management Roadmap and Implementation Guidance

http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf

NSTIC

NSTIC

In April 2011, the National Strategy for Trusted Identities in Cyberspace (NSTIC) was developed to enable individuals and organizations to utilize improved identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.

- Addresses the need for a “cybersecurity focused identity management vision and strategy,” as stated in the President’s 2009 Cyberspace Policy Review
- Seeks to establish an Identity Ecosystem where individuals and organizations can trust each other and have confidence in the security of online transactions
- NSTIC Guiding Principles state that identity solutions will be:
  - Privacy-enhancing and voluntary
  - Secure and resilient
  - Interoperable
  - Cost-effective and easy to use

VanRoekel Memo

On October 6, 2011 the Office of Management and Budget (OMB)
released a policy memorandum related to the acceptance of externally
-
issued identity credentials by federal applications.

VanRoekel Memo

Objectives:


Calls
for agencies to enable the use of externally
-
issued
credentials on web sites that allow members of the public
and business partners to register or log on.


Requires
that agencies only accept externally
-
issued
credentials that are issued in accordance with National
Institute of Standards and Technology guidelines and
Federal Chief Information Officers (CIO) Council
processes.


Externally
-
issued
credentials are those that have been
issued by an entity other than the Federal Government. In
this document, the term externally
-
issued credential is used
interchangeably with third party credential.

Results:


R
educe
the agency costs associated with issuing and
managing user
credentials.


Decrease
the burden on system users by allowing reuse of
an existing credential.

http://www.howto.gov/sites/default/files/omb
-
req
-
externally
-
issued
-
cred_0.pdf

NSISS Priority Objective #4

The National Strategy for Information Sharing and Safeguarding (NSISS) contains Priority Objective #4 (PO #4), to implement FICAM on each of the three security fabrics: Unclassified, Secret, and Top Secret.

As a result of PO #4, implementation plans will be developed for each fabric:
- The Unclassified Implementation Plan will include all unclassified, Sensitive but Unclassified (SBU), and Controlled Unclassified Information (CUI) federal systems, and the systems and users that interact with these systems.
- The Secret Implementation Plan will include all systems of the Executive Branch that contain Secret information.
- The Top Secret Implementation Plan will include all systems of the Executive Branch that contain Top Secret information.


Distributed Organizations

Bring your Agency Together with ICAM

The ICAM Maturity Model can help an agency identify its ICAM priorities, see where it is succeeding, determine where to make additional investment, and decide on the next steps needed to continue improvement.

The ICAM Maturity Model helps measure across distributed program areas, which will likely be in different stages of implementation.

PIV and PIV-enablement

PIV Credential Overview

The PIV credential has a variety of security features, notably the use of Public Key Infrastructure (PKI) cryptography to provide strong identity assurance in an interoperable manner.

Common processes
- Chain of Trust / Identity Proofing Process: identity proofing and background investigation processes that build a chain of trust.
- Biometric Authentication: fingerprint and/or iris information used for authentication that binds the identity of the user to the credential.
- PIN: something that only the user knows, used to access various applications. Replaces cumbersome and insecure passwords for applications.

Physical features
- Strong anti-counterfeiting features (e.g., laser etching, holographic images).
- Card face (sample shown on the slide): Affiliation: Civilian; Lastname, Firstname, M.; United States Government; Agency/Department: Department of Homeland Security; Issued 01/01/10; Expires 01/01/15; Federal Emergency Response Official; color photograph; contact chip.

PKI features (keys and certificates on the contact chip)
- PKI Authentication: digital certificate on the card that supports electronic verification of the cardholder.
- PKI Digital Signature: for electronically signing documents to provide non-repudiation and message integrity.
- PKI Encryption: for cryptographically protecting data at rest and in transit in order to provide confidentiality.
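The PKI Authentication callout above says the certificate on the card supports electronic verification of the cardholder. What a PIV-enabled application actually does is a challenge-response against the private key on the chip, followed by validation of the card certificate up to a trusted federal CA. The Go program below is an added example, not code from this deck, from FICAM or from any agency: it builds a hypothetical agency CA and a card certificate in memory (the CA name, the cardholder name, serial numbers and validity dates are all made up), then authenticates the card. PIN verification on the card and revocation checking against the issuing CA's CRL or OCSP responder are left out so that it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PIVCard stands in for the chip's PIV Authentication key and certificate (key unexported: relying parties only see signatures).
type PIVCard struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// Sign is what the chip does once the PIN has been presented (PIN handling
// and the card-edge protocol are outside this example).
func (c *PIVCard) Sign(nonce []byte) ([]byte, error) {
	d := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, c.key, d[:])
}

// Authenticate (relying-party side): a fresh challenge proves possession of the private key, then
// chain validation ties the certificate to a trusted CA at time now. Revocation (CRL/OCSP) omitted to run offline.
func Authenticate(card *PIVCard, roots *x509.CertPool, now time.Time) (string, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sig, err := card.Sign(nonce)
	if err != nil {
		return "", err
	}
	d := sha256.Sum256(nonce)
	pub, ok := card.Cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, d[:], sig) {
		return "", fmt.Errorf("challenge response does not verify against the card certificate")
	}
	if _, err := card.Cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("certificate does not chain to a trusted CA: %w", err)
	}
	return card.Cert.Subject.CommonName, nil
}

// issue generates a P-256 key and certifies it under parent (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl,parent, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewTestPKI builds a hypothetical agency CA and a card certificate chained to it (names and dates are made up).
func NewTestPKI(now, cardNotAfter time.Time) (*x509.CertPool, *PIVCard, error) {
	caCert, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Agency PIV CA (hypothetical)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	cardCert, cardKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "LASTNAME.FIRSTNAME.M"},
		NotBefore: now.Add(-time.Hour), NotAfter: cardNotAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, caCert, caKey)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, &PIVCard{Cert: cardCert, key: cardKey}, nil
}

func main() {
	now := time.Now()
	roots, card, err := NewTestPKI(now, now.Add(5 * 365 * 24 * time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println(Authenticate(card, roots, now))
}
```

Authenticate rejects the three cases a PIV-enabled application must catch: a certificate outside its validity period, a certificate issued by a CA that is not among the relying party's trust anchors, and a card that presents a genuine certificate without holding the matching private key. Chain validation alone would accept that last case; the signed challenge is what ties the presented certificate to the chip in the reader.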

Using the PIV Credential

Imagine a world where a single credential gets you in the front door to your office, onto your computer, allows you to securely sign and encrypt data, and gives you access to government-wide tools and resources at other agencies. This world is possible today with the PIV credential.

- Access your agency's resources
- Interoperable for government-wide use: government-wide applications and access at other agencies
- Leverage value-add applications: digital signatures, encryption, and transit/payment

PIV Credential Success Story

The Employee Express (EEX) application is operated by OPM. EEX provides federal employees from participating agencies with a central hub to manage a variety of employment-related information such as tax withholding, health coverage, and direct deposit.

To support an enhanced user experience and promote a secure and trusted means of access and authentication, EEX was enabled to accept the PIV card, and NASA participated in the pilot deployment of the PIV-enabled application.

The NASA community has a sizeable user population, with approximately 18,500 NASA users having the PIV card option. At the beginning of the pilot there was an average of over 1,000 PIV card logins each month; during January 2013, EEX was accessed over 3,000 times with PIV cards.

NASA employees have provided positive feedback indicating that PIV-enablement of applications increases ease of use, decreases the need for multiple passwords and usernames, and provides an added level of security.

PIV Credential vs. Other Credentials

The PIV credential provides many features and benefits that other credentials are unable to offer, as depicted below.

(The original slide is a check-mark grid across three columns, Password, OTP Tokens, and PIV; the marks did not survive extraction, so only the row labels are given here.)

- User vetting
- High identity assurance
- Interoperability
- Accredited issuance processes
- Cross-agency trust
- Use for physical and logical access
- Encryption
- Digital Signature
- Efficiencies
- Biometric binding of identity



Differing Agency Priorities

Align ICAM with your Agency's Priorities

Based on varying priorities, agencies can choose to focus their implementation efforts around a particular aspect of ICAM to achieve desired results. The ROI toolkit provides case studies that may be leveraged when addressing agency priorities.

- The State Department experienced a decrease in the percentage of help desk tickets related to password issues (2006: 12.6%; 2007: 8.1%).
- The General Services Administration's (GSA) IAM Logical Access Initiative worked to lower IT administrative costs by eliminating the need for application-specific passwords and their resetting.
- The Bureau of Land Management, within the Department of the Interior, undertook a staged rollout of logical access and integrated its credentialing and electronic forms. This gave its electronic forms high reliability through digital signatures.
- The Department of Defense (DoD) decreased the number of successful intrusions by 46% due to a requirement that all DoD personnel log on to unclassified networks using a CAC.

These case studies can be found in more detail in the ROI toolkit. Please contact ICAM@gsa.gov for access.

ROI Toolkit Overview

The ROI Toolkit is a resource that agencies can leverage when demonstrating the value of ICAM and/or building their business case for an ICAM implementation.

- ROI Case Study Inventory. Summarizes federal and commercial ICAM case studies and sound bites that can be leveraged to help scope an ICAM business case analysis. The sound bites can be used as more anecdotal improvement metrics or results.
- ROI Dashboard Tool. Provides templates for calculating ICAM costs and benefits as well as example reports that can be used when planning for an ICAM implementation.
- Building an ICAM Business Case Presentation. Provides a more detailed, step-by-step approach for building an ICAM business case and the cost calculations associated with it. It is to be used in conjunction with the ICAM ROI Dashboard Tool.

Please contact ICAM@gsa.gov to access the ICAM ROI Toolkit.

Agency Mission Drivers


ICAM at USDA

The Department of Agriculture: "To provide leadership on food, agriculture, natural resources, rural development, nutrition, and related issues based on sound public policy, the best available science, and efficient management."

How ICAM Supports USDA's Mission
- Supports compliance with USDA and government-wide laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress
- Provides protection of USDA's physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
- Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
- Improves interoperability between USDA PIV cardholders, PIV cardholders from other agencies, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
- Promotes collaboration across the USDA enterprise and with mission partners
- Allows USDA to focus limited funds and personnel resources on promoting nutrition for the American public and protecting food and natural resources

ICAM at DOC

The Department of Commerce: "To promote job creation, economic growth, sustainable development, and improved living standards for all Americans, by working in partnership with business, universities, communities, and workers."

How ICAM Supports DOC's Mission
- Supports compliance with DOC and government-wide laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress
- Provides protection of DOC's physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
- Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
- Improves interoperability between DOC PIV cardholders, PIV cardholders from other agencies, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
- Promotes collaboration across the DOC enterprise and with mission partners
- Allows DOC to focus limited funds and personnel resources on promoting a sustainable work environment for the American public

ICAM at DoD

The Department of Defense: "To provide the military forces needed to deter war and to protect the security of our country."

How ICAM Supports DoD's Mission
- Supports compliance with DoD and government-wide laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress
- Provides protection of DoD's physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
- Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
- Improves interoperability between DoD CAC holders, PIV cardholders from other agencies, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
- Promotes collaboration across the DoD enterprise and with mission partners
- Allows DoD to focus limited funds and personnel resources on protecting the safety of the American public and the Armed Forces

ICAM at ED

The Department of Education: "To promote student achievement and preparation for global competitiveness by fostering educational excellence and ensuring equal access."

How ICAM Supports ED's Mission
- Supports compliance with ED and government-wide laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress
- Provides protection of ED's physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
- Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
- Improves interoperability between ED PIV cardholders, PIV cardholders from other agencies, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
- Promotes collaboration across the ED enterprise and with mission partners
- Allows ED to focus limited funds and personnel resources on promoting student achievement and academic excellence

ICAM at DOE

The Department of Energy: "To ensure America's security and prosperity by addressing its energy, environmental and nuclear challenges through transformative science and technology solutions."

How ICAM Supports DOE's Mission
- Supports compliance with DOE and government-wide laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress
- Provides protection of DOE's physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
- Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
- Improves interoperability between DOE PIV cardholders, PIV cardholders from other agencies, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
- Promotes collaboration across the DOE enterprise and with mission partners
- Allows DOE to focus limited funds and personnel resources on modernizing the energy grid and protecting the environment

ICAM at HHS

The Department of Health and Human Services: "To serve as the United States government's principal agency for protecting health and providing essential human services to Americans."

How ICAM Supports HHS's Mission
- Supports compliance with HHS and government-wide laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress
- Provides protection of HHS's physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
- Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
- Improves interoperability between HHS PIV cardholders, PIV cardholders from other agencies, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
- Promotes collaboration across the HHS enterprise and with mission partners
- Allows HHS to focus limited funds and personnel resources on providing essential health-related services to the American public

ICAM at DHS

The Department of Homeland Security: "To ensure a homeland that is safe, secure, and resilient against terrorism and other hazards."

How ICAM Supports DHS's Mission
- Supports compliance with DHS and government-wide laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress
- Provides protection of DHS's physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
- Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
- Improves interoperability between DHS PIV cardholders, PIV cardholders from other agencies, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
- Promotes collaboration across the DHS enterprise and with mission partners
- Allows DHS to focus limited funds and personnel resources on safeguarding the American public from foreign and domestic threats

ICAM at HUD

The Department of Housing and Urban Development: "To create strong, sustainable, inclusive communities and quality affordable homes for all."

How ICAM Supports HUD's Mission
- Supports compliance with HUD and government-wide laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress
- Provides protection of HUD's physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
- Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
- Improves interoperability between HUD PIV cardholders, PIV cardholders from other agencies, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
- Promotes collaboration across the HUD enterprise and with mission partners
- Allows HUD to focus limited funds and personnel resources on promoting strong communities and living environments

ICAM at DOJ

The Department of Justice: "To enforce the law and defend the interests of the United States according to the law; to ensure public safety against threats foreign and domestic; to provide federal leadership in preventing and controlling crime; to seek just punishment for those guilty of unlawful behavior; and to ensure fair and impartial administration of justice for all Americans."

How ICAM Supports DOJ's Mission
- Supports compliance with DOJ and government-wide laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress
- Provides protection of DOJ's physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
- Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
- Improves interoperability between DOJ PIV cardholders, PIV cardholders from other agencies, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
- Promotes collaboration across the DOJ enterprise and with mission partners
- Allows DOJ to focus limited funds and personnel resources on promoting and defending federal law

ICAM at DOL

The Department of Labor: "To foster, promote, and develop the welfare of the wage earners, job seekers, and retirees of the United States; improve working conditions; advance opportunities for profitable employment; and assure work-related benefits and rights."

How ICAM Supports DOL's Mission
- Supports compliance with DOL and government-wide laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress
- Provides protection of DOL's physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
- Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
- Improves interoperability between DOL PIV cardholders, PIV cardholders from other agencies, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
- Promotes collaboration across the DOL enterprise and with mission partners
- Allows DOL to focus limited funds and personnel resources on promoting the well-being of the American worker through protection of work-related benefits and rights

ICAM at STATE

The Department of State: "To create a more secure, democratic, and prosperous world for the benefit of the American people and the international community."

How ICAM Supports STATE's Mission
- Supports compliance with STATE and government-wide laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress
- Provides protection of STATE's physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
- Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
- Improves interoperability between STATE PIV cardholders, PIV cardholders from other agencies, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
- Promotes collaboration across the STATE enterprise and with mission partners
- Allows STATE to focus limited funds and personnel resources on promoting United States diplomacy abroad

ICAM at DOI

The Department of the Interior: "To protect America's natural resources and heritage, honor our cultures and tribal communities, and supply the energy to power our future."

How ICAM Supports DOI's Mission
- Supports compliance with DOI and government-wide laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress
- Provides protection of DOI's physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
- Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
- Improves interoperability between DOI PIV cardholders, PIV cardholders from other agencies, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
- Promotes collaboration across the DOI enterprise and with mission partners
- Allows DOI to focus limited funds and personnel resources on promoting the protection and sustainment of natural resources and tribal communities

ICAM at TREAS

The Department of the Treasury: "Maintain a strong economy and create economic and job opportunities by promoting the conditions that enable economic growth and stability at home and abroad, strengthen national security by combating threats and protecting the integrity of the financial system, and manage the U.S. Government's finances and resources effectively."

How ICAM Supports TREAS's Mission
- Supports compliance with TREAS and government-wide laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress
- Provides protection of TREAS's physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
- Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
- Improves interoperability between TREAS PIV cardholders, PIV cardholders from other agencies, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
- Promotes collaboration across the TREAS enterprise and with mission partners
- Allows TREAS to focus limited funds and personnel resources on managing and promoting the integrity of the U.S. financial system

ICAM at DOT

The Department of Transportation: "To serve the United States by ensuring a fast, safe, efficient, accessible and convenient transportation system that meets our vital national interests and enhances the quality of life of the American people, today and into the future."

How ICAM Supports DOT's Mission
- Supports compliance with DOT and government-wide laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress
- Provides protection of DOT's physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
- Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
- Improves interoperability between DOT PIV cardholders, PIV cardholders from other agencies, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
- Promotes collaboration across the DOT enterprise and with mission partners
- Allows DOT to focus limited funds and personnel resources on promoting transportation and infrastructure that meet the needs of the American people

ICAM at VA

The Department of Veterans Affairs: "To fulfill President Lincoln's promise 'To care for him who shall have borne the battle, and for his widow, and his orphan' by serving and honoring the men and women who are America's veterans."

How ICAM Supports VA's Mission
- Supports compliance with VA and government-wide laws, regulations, and standards, as well as resolution of issues highlighted in GAO reports of agency progress
- Provides protection of VA's physical (e.g., buildings, offices) and logical (e.g., networks, applications) resources and assets
- Promotes a high level of security, privacy, and protection for sharing and storage of sensitive data and information
- Improves interoperability between VA PIV cardholders, PIV cardholders from other agencies, and other partners carrying PIV-interoperable or third-party credentials that meet the requirements of the federal trust framework
- Promotes collaboration across the VA enterprise and with mission partners
- Allows VA to focus limited funds and personnel resources on protecting Veteran information and securing data and infrastructure assets from internal and external threats

Agency Resources

ICAM Resources

There are many ICAM resources available to agencies to address the various aspects of ICAM implementation:

- FICAM Roadmap V2.0
- ICAM ROI Toolkit*
- ICAM Maturity Model
- ICAM Snapshot Brochure
- Modernized PACS (Physical Access Control System) Brochure
- Modernized LACS (Logical Access Control System) Brochure

* Please contact ICAM@gsa.gov to access the ICAM ROI Toolkit.

Intersection of ICAM and Emerging Needs

As the ICAM landscape continues to evolve, agencies are looking for ways to meet these demands:

- Evolution of mobile security
- Popularity of cloud computing
- Keeping pace with the commercial IAM space
- Support for federation and visitor management
- Growth of shared services
- Surge of single sign-on solutions
- Implementing an enterprise IAM system

Evolution of Mobile Security

The proliferation of internet-enabled mobile devices has created the need to secure the use of the device itself and to manage employee and contractor access to data from the device, so that security is maintained regardless of how a user is accessing resources.

Did you know that...
- The government is working to certify and acquire mobile devices that meet its needs.
- PIV-derived credentials will be the approved credentials for securely accessing and using mobile devices.

Growth of Shared Services

Agencies are working together to develop services that address common agency capabilities and capitalize on efficiencies, in an effort to meet ICAM goals while saving money for the Federal Government. These common services include:

- Backend Attribute Exchange (BAE): secure and standards-based retrieval of information from authoritative sources that enables access control decisions and secure information sharing.
- Federal Cloud Credential Exchange (FCCX): a core capability to consume, validate, and translate third-party credentials to relying party applications across multiple agencies, providing a single, easy-to-access integration point.
- GSA USAccess Managed Service Office (MSO): the executive agent responsible for providing federal agencies with interoperable identity management and credentialing solutions.

For more information on Goal 4: FICAM Roadmap V2.0

Backend Attribute Exchange (BAE)

The Background of the BAE

The BAE specification was first developed in May 2008 and has since been successfully demonstrated through a pilot program between the Department of Defense (DoD) and the Department of Homeland Security (DHS) to support information exchange between mission partners during emergency response events.

The BAE Business Case and Lifecycle Sustainment Analysis was created as a joint effort supported by the Program Manager for the Information Sharing Environment (PM-ISE) and the ICAMSC. This effort:
- Explored key business drivers, benefits, and challenges related to the pursuit of the enterprise BAE capability
- Identified expected lifecycle costs and funding considerations
- Provided recommendations regarding the feasibility of the enterprise BAE capability and potential implementation considerations

The BAE Capability Defined

The enterprise BAE capability represents the common interest of both the PM-ISE and ICAMSC communities to securely and efficiently share mission-specific attribute information in a collaborative environment. PM-ISE supports innovation and implementation of secure information sharing capabilities among the Federal Government and collaborating organizations. The ICAMSC develops and recommends policies, procedures, and standards related to identity management, authentication, and secure access.

The analysis represented in this presentation highlights the following high-level benefits of the enterprise BAE capability, as it:
- Offers increased flexibility and scalability. BAE provides a secure way to share information and facilitate collaboration between multiple organizations. It aligns with multiple mission needs and is applicable to a broad variety of applications and uses.
- Brings a strong, broad potential customer base. An enterprise BAE capability would have a strong, immediate customer base within the information sharing environment, which could include agencies and stakeholders (i.e., anyone who has an information sharing need).
- Extends the federal trust infrastructure. Through its centralized governance structure, the enterprise BAE capability promotes trust between the attribute provider and consumer.

BAE's Authority

GSA's Office of Governmentwide Policy (OGP) has the responsibility to support coordination across the various policy and standards efforts affecting the Federal ICAM Initiative and to promote the consistent implementation of ICAM solutions at the agency level.

- OMB M-11-11 requires agencies to align with the "Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance."
- FICAM Roadmap Initiative 5 calls for streamlining the collection and sharing of digital identity data through the use of the BAE to support sharing of data elements for use in shared mission or business areas.

BAE for Information Sharing

Participants in the diagram: the Agency A user with a credential; Agency A's Attribute Service (BAE Profile compliant); Agency B's protected resource; and Agency B's Externalized Authorization Manager, the policy decision point (PDP).

1. The Agency A user needs access to, or information from, Agency B.
2. User A is authenticated.
3. Agency B needs "off-credential" information to authorize User A to access the resource. It asks its own Authorization Engine B.
4. Agency B and Agency A communicate to exchange user information about User A (Authorization Manager B queries Agency A's Attribute Service).
5. The user is granted access.

BAE Use Case Scenarios

Due to the flexibility of the BAE model, it can support any set of attributes agreed upon by a particular community.

The following slides offer a description of several sample use scenarios for the BAE to help demonstrate its possible applications, including:
- Attribute Based Access Control (ABAC)
- Sensitive but Unclassified (SBU) Environment Simplified Sign-on (SSO)
- Background Investigation Reciprocity
- Visitor Management

Attribute Based Access Control (ABAC)

ABAC focuses on characteristics that describe people, resources, and environments. The requester provides attributes, which are compared to those documented as requirements for granting or denying access, at which point an access decision is made.

ABAC is a suggested use for an organization when:
- It has existing complex access rule sets
- It has a high volume of visitors requesting access to systems
- Its mission is focused on collaboration
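The five-step exchange in the BAE diagram and the ABAC description above meet in the policy decision point: the subject has already been authenticated (step 2), Agency B's authorization manager pulls the "off-credential" attributes from Agency A's attribute service (steps 3 and 4), and the decision (step 5) comes from comparing those attributes with the documented requirements. The Go program below is an added example, not code from this deck or from any BAE implementation: the in-memory attribute service, the subject identifiers, attribute names such as bi_complete and emergency_declared, and the two rules are all constructed for illustration; a real Agency A would answer over the BAE protocol.

```go
package main

import (
	"fmt"
	"strings"
)

// Attributes is a flat bag of name/value pairs describing a subject, a resource or the environment.
type Attributes map[string]string

// AttributeService is how Agency B's PDP reaches Agency A's BAE-profile attribute
// service for the "off-credential" subject attributes Agency A is authoritative for.
type AttributeService interface {
	Lookup(subjectID string) (Attributes, error)
}

// MemoryAttributeService is a constructed stand-in for Agency A's authoritative sources.
type MemoryAttributeService map[string]Attributes

func (s MemoryAttributeService) Lookup(id string) (Attributes, error) {
	if a, ok := s[id]; ok {
		return a, nil
	}
	return nil, fmt.Errorf("attribute service has no record for %q", id)
}

// Rule permits Resource when every Subject and Env requirement is met exactly.
type Rule struct {
	Resource string
	Subject  Attributes
	Env      Attributes
}

// Policy is Agency B's externalized authorization policy: any satisfied rule permits;
// no matching rule, a missing attribute or an unmet requirement denies (default deny).
type Policy []Rule

// Decision goes back to the enforcement point; Reason is kept for the audit log.
type Decision struct {
	Permit bool
	Reason string
}

// unmet returns one requirement in want that have does not satisfy, or "" if all are met.
func unmet(want, have Attributes) string {
	for k, v := range want {
		if got, ok := have[k]; !ok {
			return k + " missing"
		} else if got != v {
			return fmt.Sprintf("%s=%q (need %q)", k, got, v)
		}
	}
	return ""
}

// Decide is Authorization Manager B (the PDP). subjectID is the identity already
// authenticated in step 2; the Lookup is steps 3 and 4; the Decision is step 5.
func (p Policy) Decide(svc AttributeService, subjectID, resource string, env Attributes) Decision {
	subject, err := svc.Lookup(subjectID)
	if err != nil {
		return Decision{false, "deny: " + err.Error()}
	}
	var reasons []string
	for _, r := range p {
		if r.Resource != resource {
			continue
		}
		if why := unmet(r.Subject, subject); why != "" {
			reasons = append(reasons, "subject "+why)
		} else if why := unmet(r.Env, env); why != "" {
			reasons = append(reasons, "environment "+why)
		} else {
			return Decision{true, "permit: rule for " + resource + " satisfied"}
		}
	}
	if len(reasons) == 0 {
		return Decision{false, "deny: no rule covers resource " + resource}
	}
	return Decision{false, "deny: " + strings.Join(reasons, "; ")}
}

// SampleDeployment returns constructed data for an emergency-response scenario:
// Agency A's attribute records and Agency B's policy. Every value here is made up.
func SampleDeployment() (AttributeService, Policy) {
	svc := MemoryAttributeService{
		"agencyA:jdoe":   {"agency": "A", "role": "emergency_responder", "clearance": "secret", "bi_complete": "true"},
		"agencyA:asmith": {"agency": "A", "role": "emergency_responder", "clearance": "secret", "bi_complete": "false"},
	}
	policy := Policy{
		{Resource: "incident-portal", Subject: Attributes{"agency": "A", "role": "emergency_responder", "bi_complete": "true"},
			Env: Attributes{"emergency_declared": "true"}},
		{Resource: "secret-reports", Subject: Attributes{"clearance": "secret", "bi_complete": "true"}},
	}
	return svc, policy
}

func main() {
	svc, policy := SampleDeployment()
	for _, id := range []string{"agencyA:jdoe", "agencyA:asmith", "agencyA:nobody"} {
		d := policy.Decide(svc, id, "incident-portal", Attributes{"emergency_declared": "true"})
		fmt.Printf("%-15s -> %v (%s)\n", id, d.Permit, d.Reason)
	}
}
```

Two properties matter for the audit trail and for the "no advance knowledge of requestors" benefit claimed for ABAC: the PDP has never seen the subject before and decides purely from what the home agency's attribute service returns, and it denies by default when no rule names the resource, when the attribute service has no record, or when any requirement is unmet, recording the first unmet requirement so the relying party's log explains the decision without exposing the subject's whole attribute set.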

The following table summarizes the key details associated with the ABAC use scenario:

Attribute Based Access Control (ABAC)

Elements and details
- ICAM Services Provided: Authorization and Access; Privilege Management
- Transactional Data: mission-specific attributes; privilege attributes
- Benefits:
  - Requires only one set of information-sharing agreements to join, instead of needing to establish multiple bilateral attribute sharing agreements between multiple partners.
  - Enhances ability to coordinate with partners outside the federal space.
  - Places responsibility on both attribute provider and consumer for attribute information lifecycle management.
  - Requires no advance knowledge of requestors.
  - Is highly adaptable to changing needs; efficient for agencies where individuals come and go frequently.


SBU Environment Simplified Sign-on (SSO)

A mechanism which reduces the need for multiple logins and authentication processes when accessing a variety of independently owned and maintained SBU/CUI resources.

SBU SSO is a suggested use for an organization when:
- It has current federal, state, local, and tribal partners
- It works at DHS Fusion Centers
- It needs access to an SSO SBU/CUI service
- It is partnering with PM-ISE

94

The following table summarizes the key details associated with the
SBU/CUI environment SSO use scenario:

SBU Environment Simplified Sign-on (SSO)

Elements / Details

ICAM Services Provided:
Authorization and Access
Digital Identity Management

Transactional Data:
Mission-specific attributes
Personnel attributes needed for authentication

Benefits:
Provides a means of maintaining integrity of multiple SBU/CUI systems
by quickly identifying, authenticating, and authorizing a user.
Supports and enhances SBU/CUI information collaboration for
individuals with a variety of organizational affiliations, including
non-federal partners.
Requires only one set of information-sharing agreements to join rather
than needing to establish multiple bilateral attribute sharing
agreements between multiple partners.
Allows an individual's attributes to be correlated from multiple
organizations or sources to create a unified identity for SSO login.
Reduces points of entry and increases prevalence of SSO capabilities
across multiple applications.
Supports interoperability with the Global Federated Identity and
Privilege Management (GFIPM) and National Information Exchange
Federation (NIEF).


95

Background Investigation Reciprocity

The process by which an individual's background check completeness
attribute is requested and received from the authoritative source.

Background investigation reciprocity is a suggested use for an
organization due to:

Your high volume of visitors

Your high volume of outside collaboration

Your on-boarding of contractors

How you temporarily employ detailed personnel

You have multiple inter-agency personnel transfers

Current federal, state, local, and tribal partners

96

The following table summarizes the key details associated with the
Background Investigation Reciprocity use scenario:

Background Investigation Reciprocity

Elements / Details

ICAM Services Provided:
Digital Identity Management
Authorization and Access

Transactional Data:
Background investigation completeness attribute

Benefits:
Reduces the time needed for an agency to confirm that a background
check has been completed.
Potentially streamlines contractor on-boarding, inter-agency personnel
transfer, internal hiring, and Visitor Management Systems
(VMS)/services.
Assists in reducing paperwork submission and administrative burden
on both the organization and the individual.
Supports more efficient PIV card provisioning.

97

Visitor Management

A Visitor Management System (VMS) gathers a visiting individual's
personal information, allows for its processing, and takes any additionally
needed internal and external steps to prepare the agency for a visitor.

Visitor management is a suggested use for an organization due to:

The fact that you are an authoritative attribute provider of background
investigation completeness

You are an attribute consumer

Your organization has a high volume of visitors, including state, local, and tribal
law enforcement partners, as well as contractors

Your organization has a high volume of outside collaboration

Your agency temporarily employs detailed personnel

98

The following table summarizes the key details associated with the Visitor
Management use scenario:

Visitor Management

Elements / Details

ICAM Services Provided:
Authorization and Access

Transactional Data:
Background investigation status
Clearance level
Various identity attributes
Personally Identifiable Information (PII) attributes

Benefits:
Offers opportunity for increased efficiency over commonly used
point-to-point attribute sharing relationships.
Improves timeliness of obtaining visitor attributes from the individual's
home organization.
Supports more efficient Visitor Management System (VMS) pre-screening
prior to an individual's arrival at the agency.
Supports customization of BAE capability according to agency needs
and internal VMS processes.
Assists in achieving the target state described in the FICAM Roadmap,
which specifies an agency move away from manual paper-based
methods for managing visitors and implementing an electronic
enterprise VMS capability, leveraging existing PIV infrastructure.
Offers opportunity to reduce paperwork submission and administrative
burden, on both the organization and the individual.


99

Benefits Realized by BAE Customer

The benefits associated with enterprise BAE capability adoption include:

Increased National Security. Contributes to enhancing the ability to
detect, prevent, or disrupt terrorist activity and reduced incident
response time to terrorist and natural