Presentation is loading. Please wait.

Presentation is loading. Please wait.

E-Authentication Guidance Jeanette Thornton, Office of Management and Budget “Getting to Green with E-Authentication” February 3, 2004 Executive Session.

Published byMoses Mitchell Modified over 8 years ago

Similar presentations

Presentation on theme: "E-Authentication Guidance Jeanette Thornton, Office of Management and Budget “Getting to Green with E-Authentication” February 3, 2004 Executive Session."— Presentation transcript:

1 E-Authentication Guidance Jeanette Thornton, Office of Management and Budget “Getting to Green with E-Authentication” February 3, 2004 Executive Session The E-Authentication Initiative

2 2 E-Authentication: What’s IN, What’s OUT  The Federal Government going it alone: an authentication system and operating rules that are “agency-specific,” “State-unique,” etc. OUT!

3 3 The E-Authentication Initiative E-Authentication Bugle: What’s IN, What’s OUT  Developing a partnership between Government, relying parties, IT vendors and advocacy groups – collaboration! IN!

4 4 The E-Authentication Initiative E-Authentication Bugle: What’s IN, What’s OUT  Developing Government-only, proprietary solutions, e.g. Gateways OUT!

5 5 The E-Authentication Initiative E-Authentication Bugle: What’s IN, What’s OUT  Enabling interoperability between disparate systems. IN!

6 6 The E-Authentication Initiative E-Authentication Bugle: What’s IN, What’s OUT  Being beholden to one particular approach. OUT!

7 7 The E-Authentication Initiative E-Authentication Bugle: What’s IN, What’s OUT  Movement towards common standards that all interested parties can adopt. IN!

8 8 The E-Authentication Initiative Policy + Technology + Credentials + Agency Applications + Management & Administration = E-Authentication

9 9 The E-Authentication Initiative E-Authentication 5 Work Packages POLICY APPLICATIONS INTEGRATION CREDENTIALS MANAGEMENT TECHNOLOGY PROGRAM MANAGEMENT OFFICE

10 10 The E-Authentication Initiative Factor Token Very High Medium Standard Low Employee Screening for a High Risk Job Obtaining Govt. Benefits Applying for a Loan Online Access to Protected Website Surfing the Internet Click-wrap Knowledge Pin/Password -Based PKI/ Digital Signature Multi- Increased $ Cost Increased Need for Identity Assurance Approaching Authentication…

11 11 The E-Authentication Initiative Part of a Larger Policy Framework Federal Identity Credentialing Component Credential Assessment Framework Federal PKI Bridge Certificate Policy NIST Authentication Technical Guidance E-Authentication Guidance for Federal Agencies FINAL: OMB M-04-04, December 16, 2003 SP-83, Out for Comment Jan 29, 2004 Expected final March 04 Interim version now final Policies Ongoing

12 12 The E-Authentication Initiative Role of OMB ….  Mandate implementation FEA Budget Authority Policy Authority  Issue Govt wide information policy  Oversee and ensure success of Presidential E- Government Initiative.

13 13 The E-Authentication Initiative OMB Authentication Guidance  M-04-04 Signed by OMB Director on 12/16/2003  Supplements OMB Guidance on implementation of GPEA  Establishes 4 identity authentication assurance levels  Requires agencies to conduct “e-authentication risk assessments” Result: A more consistent application of electronic authentication across the Federal Government

14 14 The E-Authentication Initiative Assurance Levels M-04-04:E-Authentication Guidance for Federal Agencies OMB Guidance establishes 4 authentication assurance levels NIST SP-83 Electronic Authentication NIST technical guidance to match technology implementation to a level Level 4Level 3Level 2Level 1 Little or no confidence in asserted identity (e.g. self identified user/password) Some confidence in asserted identity (e.g. PIN/Password) High confidence in asserted identity (e.g. digital cert) Very high confidence in the asserted identity (e.g. Smart Card)

15 15 The E-Authentication Initiative Scope Applies To:  Remote authentication of human users of Federal agency IT systems for e-government.  Identification and analysis of the risks associated with each step of the authentication process Does Not Apply To:  Authentication of servers, or other machines and network components.  Authorization -- the actions permitted of an identity after authentication has taken place.  Issues associated with “intent to sign,” or agency use of authentication credentials as electronic signatures.  Identifying which technologies should be implemented.

16 16 The E-Authentication Initiative Risk Assessment Steps 1. Conduct a risk assessment of the e-government system. 2. Map identified risks to the applicable assurance level. 3. Select technology based on e-authentication technical guidance. 4. Validate that the implemented system has achieved the required assurance level. 5. Periodically reassess the system to determine technology refresh requirements.

17 17 The E-Authentication Initiative Categories of Harm and Impact  Inconvenience, distress, or damage to standing or reputation  Financial loss or agency liability  Harm to agency programs or public interests  Unauthorized release of sensitive information  Personal safety  Civil or criminal violations.

18 18 The E-Authentication Initiative Maximum Potential Impacts Assurance Level Impact Profiles Potential Impact Categories for Authentication Errors 1234 Inconvenience, distress or damage to standing or reputation LowMod High Financial loss or agency liabilityLowMod High Harm to agency programs or public interestsN/ALowModHigh Unauthorized release of sensitive informationN/ALowModHigh Personal SafetyN/A LowMod High Civil or criminal violationsN/ALowModHigh

19 19 The E-Authentication Initiative NIST SP 83: Recommendation for Electronic Authentication  Maps to OMB E-Authentication guidance  Covers conventional token based remote authentication May be additional guidance on “knowledge based authentication”  Draft for comment at: http://csrc.nist.gov/eauthhttp://csrc.nist.gov/eauth  Comment period ends: March 15

20 20 The E-Authentication Initiative NIST SP 83: Recommendation for Electronic Authentication  What type of token should be used for each level? Password? PKI?  What Protections required for each level?  What type of ID proofing is required?  How does it map to the Federal Bridge?

21 21 The E-Authentication Initiative Effective Dates  90 days from completion of the final NIST E- Authentication Technical Guidance—New authentication systems should begin to be categorized, as part of the system design.  December 15, 2004—Systems classified as “major” should be categorized.  September 15, 2005—All other existing systems requiring user authentication should be categorized.

22 22 The E-Authentication Initiative Wrapping Up  Questions? Jeanette Thornton 202.395.3562

Download ppt "E-Authentication Guidance Jeanette Thornton, Office of Management and Budget “Getting to Green with E-Authentication” February 3, 2004 Executive Session."

Similar presentations

Overview of US Federal Identity Management Initiatives Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority and Asst. CIO E-Authentication, NIH.

Overview of US Federal Identity Management Initiatives Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority and Asst. CIO E-Authentication, NIH.
Levels of Assurance: An Overview Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority.

Levels of Assurance: An Overview Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority.
The Need for Trusted Credentials Information Assurance in Cyberspace Mary Mitchell Deputy Associate Administrator Office of Electronic Government & Technology.

The Need for Trusted Credentials Information Assurance in Cyberspace Mary Mitchell Deputy Associate Administrator Office of Electronic Government & Technology.
1 HSPD-12 Compliance: The Role of Federal PKI Judith Spencer Chair, Federal Identity Credentialing Office of Governmentwide Policy General Services Administration.

1 HSPD-12 Compliance: The Role of Federal PKI Judith Spencer Chair, Federal Identity Credentialing Office of Governmentwide Policy General Services Administration.
EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
15June’061 NASA PKI and the Federal Environment 13th Fed-Ed PKI Meeting 15 June ‘06 Presenter: Tice DeYoung.

15June’061 NASA PKI and the Federal Environment 13th Fed-Ed PKI Meeting 15 June ‘06 Presenter: Tice DeYoung.
NMFS FIS ER eSignature Project Risk Analysis October 1, 2008.

NMFS FIS ER eSignature Project Risk Analysis October 1, 2008.
Public Key Infrastructure (PKI) Hosting Services.

Public Key Infrastructure (PKI) Hosting Services.
Identity Assurance at Virginia Tech CSG January 13, 2010 Mary Dunker

Identity Assurance at Virginia Tech CSG January 13, 2010 Mary Dunker
Federal Identity Management

Federal Identity Management
HIMSS/GSA E-Authentication Initiative A Pilot Project of the HIMSS RHIO Federation HIMSS Public Policy Forum September 28, 2006 Mary Grizkewicz, HIMSS.

HIMSS/GSA E-Authentication Initiative A Pilot Project of the HIMSS RHIO Federation HIMSS Public Policy Forum September 28, 2006 Mary Grizkewicz, HIMSS.
“Personal Identity Verification (PIV) of Federal Employees and Contractors” October 27, 2005 Homeland Security Presidential Directive 12 (HSPD-12)

“Personal Identity Verification (PIV) of Federal Employees and Contractors” October 27, 2005 Homeland Security Presidential Directive 12 (HSPD-12)
U.S. Department of Agriculture eGovernment Program February 2004 eAuthentication Integration Status eGovernment Program.

U.S. Department of Agriculture eGovernment Program February 2004 eAuthentication Integration Status eGovernment Program.
U.S. Department of Justice Drug Enforcement Administration Office of Diversion Control Electronic Prescriptions for Controlled Substances Michelle Ferritto,

U.S. Department of Justice Drug Enforcement Administration Office of Diversion Control Electronic Prescriptions for Controlled Substances Michelle Ferritto,
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.

National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
1 Enabling Open Government Using the OIDF/ICF Open Trust Framework OASIS Identity Management 2009 September 29, 2009 Don Thibeau, ED, OpenID Foundation.

1 Enabling Open Government Using the OIDF/ICF Open Trust Framework OASIS Identity Management 2009 September 29, 2009 Don Thibeau, ED, OpenID Foundation.
U.S. Environmental Protection Agency Central Data Exchange EPA E-Authentication Pilot NOLA Network Node Workshop February 28, 2005.

U.S. Environmental Protection Agency Central Data Exchange EPA E-Authentication Pilot NOLA Network Node Workshop February 28, 2005.
1 Trust Framework Portable Identity Schemes Trust Framework Portable Identity Schemes NIH iTrust Forum December 10, 2009 Chris Louden.

1 Trust Framework Portable Identity Schemes Trust Framework Portable Identity Schemes NIH iTrust Forum December 10, 2009 Chris Louden.
Federal Information Processing Standard (FIPS) 201, Personal Identity Verification for Federal Employees and Contractors Tim Polk May.

Federal Information Processing Standard (FIPS) 201, Personal Identity Verification for Federal Employees and Contractors Tim Polk May.
EDUCAUSE Fed/Higher ED PKI Coordination Meeting

EDUCAUSE Fed/Higher ED PKI Coordination Meeting

Similar presentations

Ads by Google