Federal Identity Management Initiatives
David Temoshok, Director, Identity Policy and Management
GSA Office of Governmentwide Policy
EDUCAUSE, June 15, 2006
Industry and EAI ID Federation/Authentication Alignment

The Federal Government is seeking to align with industry in the following ways in order to meet the mandates for government-wide e-Authentication services:
● Common trust framework for reciprocal trust
● Common business and operating rules for business interoperability
● Common technical infrastructure (i.e., architecture, protocols, data models, testing) for technical interoperability
● Common business models for ID federation adoption/interoperability
A VERY Simplified View of the Federal EAI Architecture

(Diagram; the labels below are what survives of it.)
● Assurance levels 1 and 2: Levels 1 & 2 CSPs issue SAML assertions to Levels 1 & 2 online applications and services. CSPs are assessed under the CAF and placed on the EAI SAML Trust List.
● Assurance levels 3 and 4: Levels 3 & 4 CSPs issue digital certificates to Levels 3 & 4 online applications and services. Issuers are cross-certified through the FBCA (FBCA X-Certification) and placed on the FBCA PKI Trust List.
● Credential types shown: user ID; PIN, passwords; one-time passwords; multi-factor authentication; digital certificates (HSPD-12).
● Credential service providers shown: banks, financial institutions, universities, agency applications, commercial CSPs.
● PKIs shown: Federal agency PKIs, other government PKIs, commercial PKIs, PKI bridges.
● Other label on the diagram: SDT.
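The diagram's two trust paths (a SAML trust list for levels 1 and 2, and FBCA cross-certification for levels 3 and 4) come down to one relying-party decision: trust in an issuer comes from the federation's assessment, not from what the credential says about itself. The following added example, which is not from the presentation or from GSA, shows that decision for both paths. It walks a constructed graph of cross-certificates from the FBCA to find the highest assurance level at which an issuing CA is reachable (the weakest cross-certificate on a path caps the path), looks SAML issuers up on a constructed trust list, and caps a SAML assertion's claimed level at the issuer's assessed level. All issuer names, levels and the min-over-path rule are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, List

# Constructed sample data (not GSA's real trust lists).
# SAML issuers assessed under the CAF, with the assurance level they were assessed at.
SAML_TRUST_LIST = {
    "https://idp.example-university.edu": 2,
    "https://idp.example-bank.example": 1,
}

# Constructed cross-certification graph: issuer CA -> {subject CA: assurance level
# the issuer's cross-certificate grants to the subject}. "FBCA" is the trust anchor.
CROSS_CERTS = {
    "FBCA": {"Agency-A CA": 4, "Commercial Bridge": 3},
    "Commercial Bridge": {"Commercial CA-1": 3, "Commercial CA-2": 2},
    "Agency-A CA": {"Agency-A Sub CA": 4},
}

MAX_LEVEL = 4  # four assurance levels in the framework


def pki_assurance_via_bridge(issuer_ca: str, anchor: str = "FBCA") -> Tuple[Optional[int], Optional[List[str]]]:
    """Path discovery from the anchor to issuer_ca through cross-certificates.

    Returns (level, path) for the best path, where level is the minimum
    assurance level along the path (assumption: the weakest cross-certificate
    bounds the whole chain), or (None, None) if the CA is unreachable."""
    best: Tuple[Optional[int], Optional[List[str]]] = (None, None)

    def walk(node: str, path: List[str], level: int) -> None:
        nonlocal best
        if node == issuer_ca:
            if best[0] is None or level > best[0]:
                best = (level, path)
            return
        for nxt, edge_level in CROSS_CERTS.get(node, {}).items():
            if nxt in path:          # avoid cycles between bridges
                continue
            walk(nxt, path + [nxt], min(level, edge_level))

    walk(anchor, [anchor], MAX_LEVEL)
    return best


@dataclass
class Credential:
    kind: str                        # "saml" or "pki"
    issuer: str                      # SAML issuer URL or issuing CA name
    claimed_level: Optional[int] = None  # level asserted by a SAML assertion, if any


def trusted_level(cred: Credential) -> Optional[int]:
    """Assurance level the federation assigns the issuer, or None if untrusted."""
    if cred.kind == "saml":
        return SAML_TRUST_LIST.get(cred.issuer)
    if cred.kind == "pki":
        return pki_assurance_via_bridge(cred.issuer)[0]
    return None


def accept(cred: Credential, required_level: int) -> Tuple[bool, str]:
    """Relying-party decision for an application that requires required_level."""
    listed = trusted_level(cred)
    if listed is None:
        return False, "issuer not on a trust list / not reachable from FBCA"
    # A claimed level never raises trust above the assessed level.
    effective = listed if cred.claimed_level is None else min(listed, cred.claimed_level)
    if effective < required_level:
        return False, f"assurance level {effective} below required level {required_level}"
    return True, f"accepted at assurance level {effective}"


if __name__ == "__main__":
    print(pki_assurance_via_bridge("Commercial CA-2"))
    print(accept(Credential("saml", "https://idp.example-university.edu", claimed_level=4), 3))
    print(accept(Credential("pki", "Agency-A Sub CA"), 4))
```

The point a practitioner should take from the SAML branch is that an assertion claiming level 4 from an issuer assessed at level 2 is still a level 2 credential; on the PKI branch, a commercial CA reachable only through a level 2 cross-certificate cannot satisfy a level 3 application even if its own certificate policy is stronger.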
EAI/EAP Common Trust Framework

1. Establish and define authentication risk and assurance levels
   EAI: OMB M established and defined 4 authentication assurance levels as governmentwide policy
   EAP: Adopted OMB M authentication assurance levels
2. Establish technical standards and requirements for e-Authentication systems at each assurance level
   EAI: NIST Special Pub Authentication Technical Guidance established authentication technical standards at the 4 established assurance levels
   EAP: Adopted NIST SP standards
3. Establish methodology for evaluating authentication systems at each assurance level
   EAI: Credential Assessment Framework, a standard methodology for assessing authentication systems of credential service providers
   EAP: Service Assessment Criteria, a standard methodology for assessing authentication systems of credential service providers
5. Perform assessments and maintain a trust list of trusted CSPs
   EAP: Trusted CSP List
   EAI: Trusted CSP List (pending)
6. Establish common business rules for approved CSPs
   EAI: EAI Federation Business Rules and Service Agreements
   EAP: EAP Business Rules and Agreements
EAI/EAP Alignment

Areas in which EAI and EAP are aligned:
● Common assurance levels
● Common authentication standards
● Reciprocal CSP trust certifications
● Common designated assessors
● Common business rules
● Common architecture
● Common protocols
● Common data models

Joint activities: joint pilots and projects, CSP assessments, CSP trust lists, EAI projects, EAP projects.
2008: Common business model.
Components of EAP Trust Framework in FiXs Pilot

1. Establish and define authentication risk and assurance levels
   EAP/FiXs: Adopted OMB M authentication assurance levels
2. Establish technical standards and requirements for e-Authentication systems at each assurance level
   EAP: Adopted NIST SP standards
   FiXs: Adopted NIST FIPS 201 standards
3. Establish methodology for evaluating authentication systems at each assurance level
   EAP: Service Assessment Criteria, a standard methodology for assessing authentication systems of credential service providers
   FiXs: Certification standards and security requirements
5. Perform assessments and maintain a trust list of trusted CSPs
   EAP/FiXs: Trusted CSP Lists
6. Establish common business rules for approved CSPs
   EAP: EAP Business Rules and Agreements
   FiXs: FiXs Business and Operating Rules
Core FiXs Pilot Objectives - EAP

EAP Component: Business Rules
  FiXs Pilot Objective: Develop FiXs Operating Rules for electronic authentication that satisfy the terms and conditions of the EAP Business Rules.
  Test Outcomes:
  ● Adoption of EAP Business Rules by the FiXs Federation through FiXs Operating Rules
  ● Signed agreements to follow the Operating Rules by FiXs pilot participants

EAP Component: Service Assessment Criteria
  FiXs Pilot Objective: Develop FiXs CSP ("Issuer") Certification Procedures and Security Requirements that satisfy EAP SAC requirements.
  Test Outcomes:
  ● Determination that FiXs Certification Procedures and Security Requirements satisfy EAP SAC requirements at assurance level 4
  ● Determination that FiXs Certification Procedures and Security Requirements satisfy EAI CAF requirements at assurance level 4

EAP Component: CSP Trust List
  FiXs Pilot Objective: Make FiXs CSP ("Issuer") certifications that satisfy EAP SAC requirements.
  Test Outcomes:
  ● Determination that FiXs CSP "Issuer" certifications satisfy EAP SAC requirements at assurance level 4
  ● Establish an EAP CSP Trust List that includes certified FiXs Issuers
  ● Determination that FiXs CSP "Issuer" certifications satisfy EAI CAF requirements at assurance level 4
  ● Inter-federation acceptance of FiXs Issuer certifications by EAP and EAI
FiXs Pilot Objectives - Expanded

Pilot Component: Interoperable Technical Architecture
  FiXs Pilot Objective: Develop a FiXs Technical Architecture that will interoperate with DoD and EAI technical architectures for e-Authentication.
  Test Outcomes:
  ● Demonstrated interoperability of all aspects of e-Authentication transactions with FiXs pilot participants
  ● Demonstrated interoperability of all aspects of e-Authentication transactions with DoD and EAI
  ● Model technical architecture available for EAP use/adoption

Pilot Component: Technical Interface Specifications
  FiXs Pilot Objective: Develop FiXs Technical Interface Specifications that permit interoperability in electronic authentication transactions and transaction data exchange with DoD and EAI.
  Test Outcomes:
  ● Common FiXs technical specifications for FiXs global roll-out
  ● Demonstrated interoperability of all aspects of e-Authentication transactions and transaction data exchanges with DoD and EAI
  ● Model technical interface specifications available for EAP use/adoption

Pilot Component: Operating Rules
  FiXs Pilot Objective: Develop FiXs Operating Rules that define the operational and transaction requirements for FiXs e-Authentication transactions.
  Test Outcomes:
  ● Common FiXs Operating Rules for FiXs global roll-out
  ● Signed agreements to follow the Operating Rules by FiXs pilot participants
  ● Model ID Federation Operating Rules available for EAP use/adoption

Pilot Component: Registration, Enrollment and ID Verification Procedures
  FiXs Pilot Objective: Develop FiXs registration, enrollment and ID verification requirements/procedures that meet FIPS 201/HSPD-12 standards and requirements.
  Test Outcomes:
  ● Registration, enrollment, ID verification, and cross-credentialing requirements and procedures for non-Federal identity verification that can be accepted as meeting FIPS 201/HSPD-12 standards
Cross-Federation Trust Certifications

● FiXs trust certifications will be made at assurance level 4+, as FiXs will be certifying against FIPS 201/HSPD-12 standards/requirements.
● EAP may determine to accept FiXs certifications as meeting EAP SAC level 4 authentication assurance.
● Federal EAI may determine to accept FiXs and/or EAP certifications as meeting EAI CAF level 4 authentication assurance.

(Diagram: FiXs Trust Certifications, EAP Trust Certifications, EAI Trust Certifications.)
Federal Interoperability Lab

Tests interoperability of products for participation in the e-Authentication architecture:
● Conformance testing to the Federal e-Authentication Interface Specification
● Interoperability testing among all approved products
● Currently 11 SAML 1.0 products on the Approved Product List. See URL:
● Multiple-protocol interoperability testing will be very complex
● 4 products approved for PKI certificate path discovery and validation
● GSA intends to continue to test architecture components for interoperability and for the capability to meet governmentwide use requirements
And then there's HSPD-12 ...

Homeland Security Presidential Directive 12 (HSPD-12): "Policy for a Common Identification Standard for Federal Employees and Contractors"
Dated: August 27, 2004
IDM Policy and Acquisition Landscape

● Key governmentwide initiatives have established program, policy, and technical requirements for authentication and identity management.
● GSA is establishing "approved products/services" for each authentication service line based on compliance with established requirements.
● Consolidate multiple offerings of identity management products and services from GSA acquisition schedules and GWACs onto IT Schedule 70, SIN , Authentication Products and Services.
● Authentication service lines on the SIN include:
  ● ACES
  ● PKI Shared Service Providers (HSPD-12)
  ● PIV Service Components (HSPD-12)
  ● PIV Integrators (HSPD-12)
  ● Approved FIPS-201 Products and Services (HSPD-12)
  ● E-Authentication Architecture Components
● All require active program management to ensure compliance with program requirements and to keep pace with marketplace changes.
OMB Guidance - Key Points

OMB Guidance for HSPD-12 - M-05-24:
● To ensure government-wide interoperability, agencies must acquire only products and services that are on the approved products list
● Agencies must include language implementing the FIPS 201 Standard in applicable new contracts
● GSA is designated the "executive agent for Government-wide acquisitions of information technology" for the products and services required by HSPD-12
● GSA will make approved products and services available through blanket purchase agreements under IT Schedule 70
● GSA will ensure all approved BPA suppliers provide products and services that meet all applicable federal standards and requirements
GSA's Role

● Establish interoperability and common performance testing to meet NIST standards
● Compliance for GSA contractors (e.g., cleaning, maintenance, etc.)
● Award SIN listings as approved products and services become available
● Establish Approved Products Lists for product categories requiring FIPS 201 compliance
● Provide a full range of qualified products and services to meet agency implementation needs
HSPD-12 Service Components

(Diagram; the labels below are what survives of it.)
● Service providers: Enrollment Service Provider, Systems Infrastructure Provider, Production Service Provider, Finalization Service Provider
● Issuance flow: Enrollment/registration stations and managed service -> Enrollment Data -> IDMS -> CMS -> Card Printing -> Inventory, Distribution -> Card Data -> Cards issued and activated
● Agency systems: Agency PACS, Agency LACS
● PKI: FPKI SSP; FPKI SSP and FBCA cross-certified PKI
● Card Management Services
● Services inside the dotted rings may be provided as shared infrastructure.
For More Information

● Visit our websites:
● Or contact: David Temoshok, Director, Identity Policy and Management