Federal CIO Council Information Security and Identity Management Committee
Identity, Credential, and Access Management
FICAM Ecosystem
June 9, 2011
Chris Louden
Agenda
  Standard Disclaimer
  Background / Scope
  Goals / Drivers
  Policy Foundation
  Trust Frameworks
  Structure
Goals / Drivers
  Principal focus on Government to Citizen
    Support E-Government traction
    Electronic methods are cheaper, easier
    Authentication often necessary
  Avoid credentialing of citizens
    Costly, cumbersome to manage
    One more password for citizens
  Accept identity asserted from trusted commercial providers
    Government instance of NSTIC Vision
Policy Foundation: OMB M-04-04
Risk/Impact Profiles

Potential impact categories for authentication errors:
  1. Inconvenience, distress or damage to standing or reputation
  2. Financial loss or agency liability
  3. Harm to agency programs or public interests
  4. Unauthorized release of sensitive information
  5. Personal safety
  6. Civil or criminal violations

Assurance level impact profiles (maximum impact tolerated per category):

  Assurance Level | Inconvenience | Financial | Programs | Release | Safety   | Civil/Criminal
  1               | Low           | Low       | N/A      | N/A     | N/A      | N/A
  2               | Mod           | Mod       | Low      | Low     | N/A      | Low
  3               | Mod           | Mod       | Mod      | Mod     | Low      | Mod
  4               | High          | High      | High     | High    | Mod/High | High
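As an added illustration of how the OMB M-04-04 impact profile table is applied (example code, not part of the FICAM deck), the Python below encodes the profiles and derives the assurance level an application needs from an agency's per-category impact ratings. The short category keys and the sample assessment are my own constructions; the tolerated-impact values are the table's.

```python
"""Derive the OMB M-04-04 assurance level an application requires from its risk assessment.

Added example, not taken from the FICAM slides. It encodes the "Assurance Level Impact
Profiles" table: for each impact category, each level states the highest impact it
tolerates. The required level is the lowest level whose profile covers every assessed
impact, which is the same as the highest level demanded by any single category.
"""

# Impact ratings in increasing order. "N/A" in the table means no impact of that kind
# is tolerated at that level (and, in an assessment, that none was identified).
IMPACT_ORDER = ("N/A", "Low", "Mod", "High")

# Short keys (my own naming) for the six M-04-04 impact categories, in table order.
CATEGORIES = (
    "inconvenience",         # inconvenience, distress, damage to standing or reputation
    "financial",             # financial loss or agency liability
    "program_harm",          # harm to agency programs or public interests
    "unauthorized_release",  # unauthorized release of sensitive information
    "personal_safety",       # personal safety
    "civil_criminal",        # civil or criminal violations
)

# Maximum impact tolerated per category at each assurance level (rows of the table).
# Level 4 personal safety is "Mod/High" in the memo, i.e. it tolerates up to High.
PROFILES = {
    1: ("Low",  "Low",  "N/A",  "N/A",  "N/A",  "N/A"),
    2: ("Mod",  "Mod",  "Low",  "Low",  "N/A",  "Low"),
    3: ("Mod",  "Mod",  "Mod",  "Mod",  "Low",  "Mod"),
    4: ("High", "High", "High", "High", "High", "High"),
}


def _rank(impact):
    """Numeric position of an impact rating; rejects anything outside the memo's scale."""
    try:
        return IMPACT_ORDER.index(impact)
    except ValueError:
        raise ValueError(
            f"unknown impact rating {impact!r}; expected one of {IMPACT_ORDER}"
        ) from None


def level_for_category(category, impact):
    """Lowest assurance level whose profile tolerates `impact` in one category."""
    col = CATEGORIES.index(category)
    for level in sorted(PROFILES):
        if _rank(PROFILES[level][col]) >= _rank(impact):
            return level
    # Unreachable: level 4 tolerates High in every column.
    raise ValueError(f"no profile covers {impact!r} for {category}")


def required_assurance_level(assessment):
    """Assurance level (1-4) for a dict of category -> impact.

    Categories missing from the assessment count as N/A (no impact identified).
    An assessment with no impact at all lands on level 1, the lowest profile defined.
    """
    unknown = set(assessment) - set(CATEGORIES)
    if unknown:
        raise ValueError(f"unknown impact categories: {sorted(unknown)}")
    # The binding category is the one that demands the highest level.
    return max(
        level_for_category(cat, assessment.get(cat, "N/A")) for cat in CATEGORIES
    )


def binding_categories(assessment):
    """Categories that force the result; useful when documenting the risk assessment."""
    need = required_assurance_level(assessment)
    return [
        cat for cat in CATEGORIES
        if level_for_category(cat, assessment.get(cat, "N/A")) == need
    ]


if __name__ == "__main__":
    # Constructed sample: a hypothetical citizen-facing benefits enquiry portal.
    sample = {"inconvenience": "Mod", "financial": "Low", "unauthorized_release": "Low"}
    print(required_assurance_level(sample), binding_categories(sample))
    # prints: 2 ['inconvenience', 'unauthorized_release']
```

Note that a single "Mod" in the personal-safety column is enough to push an application to level 4 even when every other category is N/A, which is why the assessment is evaluated category by category rather than by an overall impression of the system.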
Policy Foundation: NIST Special Pub 800-63
SP 800-63 Technical Guidance

Allowed token types (table of token type versus assurance level):
  Hard crypto token
  One-time password device
  Soft crypto token
  Passwords & PINs
Non-PKI Approach: Scheme Adoption
  Scheme: a specific type of authentication token and associated protocols (e.g. user ID & password; PKI; SAML assertion)
  Scheme Adoption produces a Federal Profile
    Profile defines MUSTs, SHOULDs, SHOULD NOTs, etc. for Identity Providers (IdPs) & Relying Parties (RPs)
    Goal is not to change the existing technical standard
  Profiles complete for OpenID, Information Card (IMI), and SAML; OAuth2 in progress
  Federal ICAM Identity Scheme Adoption Process and scheme profiles posted on http://www.IDmanagement.gov
Non-PKI Approach: Trust Framework Adoption
  Adoption of industry Trust Frameworks
    Adopts at Assurance Levels
    Considers requirements of NIST SP 800-63
    Trust Framework Evaluation Team (TFET) reviews applications
  Privacy principles included
    Opt in
    Minimalism
    Activity Tracking
    Adequate Notice
    Non Compulsory
    Termination
  Federal ICAM Trust Framework Provider Adoption Process posted on http://www.IDmanagement.gov
Non-PKI Approach: Trust Framework Adoption
Provisionally* Adopted Trust Framework Providers (TFP)
  Open Identity Exchange (OIX) (http://openidentityexchange.org/)
  Kantara Initiative (http://kantarainitiative.org/)
  InCommon (http://www.incommonfederation.org/)
  TFPs are key
    Public / Private partnership
    Scalability
  *Provisional until finalization of the Privacy Guidance for Trust Framework Assessors and Auditors
Non-PKI Approach: Trust Framework Adoption
Approved Identity Providers

  IDP      | LOA | Scheme      | TFP
  Google   | 1   | OpenID      | OIX
  Equifax  | 1   | IMI, OpenID | OIX
  Paypal   | 1   | IMI, OpenID | OIX
  Verisign | 1   | OpenID      | OIX
  Wave     | 1   | OpenID      | OIX

Higher assurance levels?
Structure
  Federal CIO Council Information Security and Identity Management Committee (ISIMC)
    Identity Credentialing and Access Sub Committee (ICAMSC)
      Trust Framework Evaluation Team (TFET)
        Assesses Trust Framework Providers
        Stakeholder representation: DHS, FTC, GSA, IRS, NASA, NIH, NSS
      Architecture Working Group (AWG)
        Scheme profiles
        Infrastructure
      E-Governance Trust Services (EGTS)
        Metadata, IDP certificates