1. 1 Federal Identity Management Infrastructure and Policy David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide August 15, 2007

2. 2 Prioritize E-Government President’s Management Agenda: 1. Strategic Management of Human Capital 2. Competitive Sourcing 3. Improved Financial performance 4. Expanded Electronic Government 5. Budget and Performance Integration E-Government Act of 2002 OMB Office of E-Government and Technology

3. 3 Government to Govt.Internal Effectiveness and Efficiency Lead 1. e-Vital (business case) 2. Grants.gov 3. Disaster Assistance and Crisis Response 4. Geospatial Information One Stop 5. Wireless Networks 1. e-Training 2. Recruitment One Stop 3. Enterprise HR Integration 4. e-Travel 5. e-Clearance 6. e-Payroll 7. Integrated Acquisition 8. e-Records Management President’s E-Gov Agenda OPM GSA OPM GSA NARA Lead SSA HHS FEMA DOI FEMA Lead GSA Treasury DoED DOI Labor Government to Business 1. Federal Asset Sales 2. Online Rulemaking Management 3. Simplified and Unified Tax and Wage Reporting 4. Consolidated Health Informatics 5.Business Gateway 6.Int’l Trade Process Streamlining Lead GSA EPA Treasury HHS SBA DOC Cross-cutting Infrastructure: E-Authentication GSA Government to Citizen 1. USA Service 2. EZ Tax Filing 3. Online Access for Loans 4. Recreation One Stop 5. Eligibility Assistance Online

4. 4 E-Authentication Key Policy Considerations  For Government-wide deployment : No National ID No National unique identifier No central registry of personal information, attributes, or authorization privileges Different authentication assurance levels are needed for different types of transactions Authentication – not authorization  For E-Authentication technical approach : No single proprietary solution Deploy multiple COTS products – user’s choice Products must interoperate together Controls must protect privacy of personal information

5. 5 Key Sources for Privacy Requirements Privacy Act of 1974 OMB Circular A-130, Management of Federal Information Resources Federal Information Security Management Act (Pub. L. 107-296) Federal Information Processing Standards Publication (FIPS) 199, Standards for Security Classification of Federal Information and Information Systems NIST SP 800-53, Recommended Security Controls for Federal Information Systems, and SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems E-Government Act of 2002 (Pub. L. 107-347) OMB Memoranda M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, M-06-06, Sample Privacy Documents for Agency Implementation of HSPD-12, M-06-16, Protection of Sensitive Agency Information

6. 6 Multi-Factor Token Very High Medium Low Employee Screening for a High Risk Job Obtaining Govt. Benefits Applying for a Loan Online Access to Protected Website PIN/User ID - Knowledge Strong Password -Based PKI/ Digital Signature HSPD-12 PIV Card Increased $ Cost Increased Need for Identity Assurance Four Authentication Assurance Levels to meet multiple risk levels M-04-04 Biometrics

7. 7 Governments Federal States/Local International Higher Education Universities Higher Education PKI Bridge Healthcare RHIOs IHE Healthcare providers Travel Industry Airlines Hotels Car Rental Trusted Traveler Programs Central Issue with Federated Identity – Who do you Trust? E-Commerce Industry ISPs Internet Accounts Credit Bureaus eBay E-Authentication Trust Network Financial Services Industry Home Banking Credit/Debit Cards Absent a National ID, the e-Authentication initiative has used federated identity through trusted credentials providers at determined assurance levels. 300 Million Americans Millions of Businesses State/local/global Govts

8. 8 Core Federation Infrastructure Trust Establish common trust model Administer common identity management/authentication policies for Federation members Interoperability Determine intra-Federation protocol/communication standards and architecture Administer common interface specifications, use cases, profiles Test all products and interfaces for compliance Manage Relationships Establish and administer common business rules Manage relations among relying parties and CSPs Manage compliance/dispute resolution

9. 9 Government Adoption of Federated IDM  Necessary in order to meet President’s E-Gov mandates GSA is directed to provide common authentication infrastructure for all Federal E-Gov business applications and E-access control.  In 2004 GSA established the EAI Federation EAI Federation allows identity federation between multiple industry and government entities and the Federal Government Technical architecture supports multiple authentication technologies, protocols, and IDM software products and components  In 2004 GSA partnered with industry to establish the Electronic Authentication Partnership Incorporated non-profit public/private sector forum to advance and accelerate IDM federation EAP Trust Framework issued 12/04  Key Federal Identity Federations HSPD-12 E-Authentication Initiative Federal Bridge Certificate Authority

10. 10 A Snapshot of the U.S. Federal PKI Treas. PKI Higher ED Bridge CA NASA PKI WF PKI Illinois PKI Federal Bridge CA ACES PKI DOD PKI DOE PKI DOJ PKI GPO PKI PTO PKI USDA PKI State Dept. PKI PKI SSPs DHS PKI SAFE Bridge CA Certipath Bridge CA ORC – Trusted PKI Provider for HIMSS Pilot

11. 11 The HSPD-12 Mandate Home Security Presidential Directive 12 (HSPD-12): “Policy for a Common Identification Standard for Federal Employees and Contractors” -- Signed by President: August 27, 2004  HSPD-12 has Four Control Objectives:  Issue Identification based on sound criteria to verify an individual’s identity.  Strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation.  Personal Identity can be rapidly authenticated electronically.  Issued by providers who’s reliability has been established by an official accreditation process.

12. 12 Key Milestones TimelineAgency/Department Requirement/Milestone August 27, 2004HSPD-12 signed and issued Not later than 6 months (February 27, 2005) NIST Issue standard (FIPS-201) Not later than 8 months following issuance of standard (October 27, 2005) Compliance with FIPS-201 Part One: Identity Proofing and Enrollment. PIV-I Not later 20 months following issuance of standard (October 27, 2006) Commence deployment of FIPS- 201 compliant Identity Credentials (FIPS-201 Part Two). PIV-II Convert all employees to PIV standard (October 27, 2008) Compliance with FIPS-201 Part Two for all employees and contractors.

13. 13 Multiple Authentication Technologies To provide multiple authentication assurance levels, FIPS 201 requires multiple authentication technologies: Authentication using PIV Visual Credentials – Facial Image Authentication using the Cardholder Unique Identifier (CHUID) – contact or contact-less Authentication using PIN Authentication using Biometric (match on/off card) – fingerprint template Authentication using PIV asymmetric Cryptography (PKI) – authentication digital certificate Something I have – PIV Card Something I know - PIN Something I am - Biometric

14. 14 Key Architecture Design Considerations Different authentication assurance levels are needed for different types of transactions. Architecture must support multiple authentication technologies – PIN, biometric template, CHUID, authentication keys. Architecture must support multiple protocols. Federal Government will not mandate a single proprietary solution, therefore, Architecture must support multiple COTS products. All architecture components must interoperate with ALL other components (see www.idmanagement.gov) – requires product testing.www.idmanagement.gov Interface specifications are necessary for inter-system data exchange. Controls must protect privacy of personal information.

15. 15 Why Shared Services for E-Authentication, Federal Bridge CA and HSPD-12 Implementation? Efficiencies – Eliminate need for redundant infrastructure. Enhance Interoperability – Much easier to ensure interoperability across a limited number of systems (GSA & DOI bring 75+ customer agencies to common, shared solution). Accelerate implementation timeframes. Reduce cost/implementation for HSPD-12 system interfaces. Aggregate Federal acquisitions to maximize potential for volume buys. Organize Federal marketplace for all of the above.

16. 16 Conclusion This is the THE START … surface is only scratched There is much work … –Roll-out hundreds of enrollment stations nationwide –Issue to 2 million users in next 23 months –Test and Qualify systems –Build common applications for access control and e-Government Physical security Logical access E-commerce Emergency Response Stabilize operations … –Commitment to continue issuance –Protect and promote interoperability Testing, monitoring, auditing and configuration control Make life-cycle easier –Government procurement rules provide discipline Extend to other communities

17. 17 For More Information ● Visit our Websites: http://idmanagement.gov http://cio.gov/eauthentication http://.cio.gov/ficc http://cio.gov/fpkipa http://csrc.nist.gov/piv-project/ http://csrc.nist.gov/piv-project/ http://eapartnership.org ● Or contact: David Temoshok Director, Identity Policy and Management 202-208-7655 david.temoshok@gsa.gov