Slide 1: Federal Electronic Identity Initiatives – Current Status
Peter Alterman, Ph.D., Chair, Federal PKI Policy Authority and Asst. CIO for E-Authentication, NIH
Slide 2: Federal Initiatives (BRIITE 2007)
eAuthentication
  –Focus on eCommerce, services, etc.
HSPD-12
  –Focus on security
Slide 3: Security
Slide 4: Homeland Security Presidential Directive 12
A Presidential Mandate for Federal Agencies to issue medium hardware assurance (or better) identity credentials for access to physical and logical government resources - inside-the-firewall contractors, too
  –Medium Hardware or High Assurance digital certificates on PIV-2 cards (next generation Smartcards)
Fast-tracked for implementation starting 10/2006
Led to new government standards for identity proofing and vetting (FIPS 201) and for PKI hardware tokens (NIST SP 800-7x series)
Slide 5: Federal View of Electronic ID
A validated, proofed identity using breeder documents and databases (FIPS 201)
A scheme for adding a name, biometrics (photo, fingerprints), numeric codes (CHUID, etc.) and substantial assurance digital certificates to a next-generation SmartCard
Attributes are extensions not required by HSPD-12, but optionally consumed by Applications
  –SAML assertions and/or database entries for attribute storage
  –USPerson profile being developed to standardize attribute representation
Slide 6: Current Status
All Federal Agencies are implementing the requirements of HSPD-12, which means 12 – 15 million high assurance digital certificates will be deployed and used by 2010.
There are over 5.5 million high assurance digital certificates currently deployed and used in the Federal government.
Slide 7: Other Initiatives – Classified Stuff
Defense, Law Enforcement, Intelligence Services
Don’t want to know….
Slide 8: E-Gov Services
Slide 9: Current State of Affairs (60 years old now)
You apply to the application owner for a password
You use the password to access the system
You forget the password
The application owner gives you a new password
You use the new password to access the system
You forget the password
No identity proofing
No way to know who is actually on the system (Your secretary? Your postdoc? Your dog? Osama?)
Slide 10: eAuthentication Initiative
Provide electronic identity authentication services for online government applications
Manage the Federal Federation – extends services to private sector credential providers and online services
Set standards for assertion-based authentication tools
Offers standard risk assessment tool
Standard Architecture and Policy foundations
Slide 11: Foundational Assumption
Government online services shall trust externally-issued electronic identity credentials at known levels of assurance (LOA)
Online applications shall determine required credential LOA using a standard methodology based on:
  1. Risk assessment using standard tool,
  2. OMB M-04-04 determines required authN LOA
  3. NIST SP 800-63 translates required LOA to credential technology
Slide 12: The Federal Federation
Credential Service Providers
  Covers 4 LOA
    –Assertion-based identity credentials for L 1, 2
    –Crypto-based identity credentials for L 3, 4
  Service Requirements
    –Related to uptime, user support, etc.
  Interfederation Arrangements Encouraged
Agency Applications
  Federal Agency Applications and Services
  Mandated by Administration
  Service Requirements
    –Related to uptime, user support, etc.
Slide 13: Summary of Architecture and Policy/Procedures
Architecture
  –SAML assertions for LOA 1, 2 (encapsulate userid/passwords)
    Vendor interoperability required for addition to approved vendor list
    SAML 1.0 currently supported; SAML 2.0 specs being developed
  –PKI or OTP for LOA 3
  –PKI for LOA 4
  –Scheme translator available
Policy/Procedures
  –Credential assessments for all CSPs: CAF for assertion-based credentials; cross certification with Federal PKI for crypto-based credentials
  –Federal PKI Policies define requirements for digital certificate trustworthiness
  –Business and Legal Rules define service requirements for all LOA
Slide 14: E-Authentication LOA and What They Mean*
Level 1: Little or no assurance of identity; assertion-based identity authentication
Level 2: Some assurance of identity; assertion-based identity authentication or policy-thin PKI
Level 3: Substantial assurance of identity; cryptographically-based identity authentication
Level 4: High assurance of identity; cryptographically-based identity authentication
* Codified in OMB Memorandum 04-04
Slide 15: E-Authentication LOA and What They Service**
Level 1: Online applications with little or no risk of harm from fraud, hacking; low risk
Level 2: Online applications with risk of some harm from fraud, hacking; some risks
Level 3: Online applications where there is risk of significant harm from fraud, hacking; significant risks
Level 4: Online applications where there is risk of substantial harm from fraud, hacking; substantial risks
** Codified in NIST SP 800-63
Slide 16: General Considerations for Determining LOA of an Electronic Identity Credential
Identity Proofing – how sure are you that the person is who he or she claims to be?
Identity Binding – how sure are you that the person proffering the EIC is the person to whom the credential was issued?
Credential integrity – how well does the technology and its implementation resist hacking, fraud, etc.?
Slide 17: Summary of Lower-Level Identity Credentials
Level 1: UserID/Password, SAML assertion (XML text)
Level 2: “High entropy” UserID/Password; “policy-lite” PKI, e.g., Fed PKI Citizen and Commerce Class & Federal PKI Rudimentary, TAGPMA Classic Plus (in development)
Slide 18: Summary of Cryptographic-Based Identity Credentials
Level 3: One-time Password; Substantial assurance PKI at FPKI Basic, Medium
Level 4: High assurance PKI at FPKI Medium Hardware, High
Slide 19: A Little Complication
The government has TWO LOA classifications:
  1. Federal PKI LOA codified in the Certificate Policies of the Federal PKI Policy Authority
  2. E-Authentication LOA codified in OMB M-04-04
Slide 20: LOA Mapping E-Auth to Fed PKI
E-Auth Level 1: assertion-based only, no Federal PKI policy
E-Auth Level 2: FPKI Rudimentary; C4
E-Auth Level 3: FPKI Basic; FPKI Medium & Medium-cbp
E-Auth Level 4: FPKI Medium/HW & Medium/HW-cbp; FPKI High (governments only)
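Added example of the relying-party decision slides 13 and 20 describe, written here for illustration and not taken from the deck or from any Federal PKI or E-Authentication software: an assertion-based credential is capped at E-Auth Level 2, while a certificate's Federal PKI policy name is mapped to Level 2, 3 or 4. The trusted-issuer list, the LOA URIs and the sample assertion are constructed placeholders, and signature verification of the assertion is assumed to happen before this check.

```python
# Added relying-party check (not the deck's code): SAML assertions may satisfy
# E-Auth LOA 1-2 only; LOA 3-4 need a crypto credential whose FPKI policy is
# mapped to an E-Auth level as on the LOA mapping slide.
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ASSERTION_MAX_LOA = 2  # assertion-based credentials stop at Level 2

# Federal PKI policy name -> E-Auth LOA (slide 20 mapping).
FPKI_POLICY_LOA = {"Rudimentary": 2, "C4": 2, "Basic": 3, "Medium": 3,
                   "Medium-cbp": 3, "Medium/HW": 4, "Medium/HW-cbp": 4, "High": 4}
# Hypothetical AuthnContextClassRef URIs (placeholders, not a real federation's).
SAML_LOA_URI = {"urn:example:eauth:loa:1": 1, "urn:example:eauth:loa:2": 2}
TRUSTED_CSPS = {"https://csp.example.edu"}  # constructed federation member list

def saml_time(value):  # SAML UTC timestamp, e.g. 2007-10-01T12:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def loa_from_saml(assertion_xml, trusted_issuers, now):
    """LOA an assertion supports, or 0 if unusable (signature already verified)."""
    root = ET.fromstring(assertion_xml)
    if root.findtext("saml:Issuer", default="", namespaces=NS).strip() not in trusted_issuers:
        return 0  # only federation-assessed CSPs are trusted
    cond = root.find("saml:Conditions", NS)
    if cond is not None:  # enforce the validity window
        if cond.get("NotBefore") and now < saml_time(cond.get("NotBefore")):
            return 0
        if cond.get("NotOnOrAfter") and now >= saml_time(cond.get("NotOnOrAfter")):
            return 0
    ref = root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                        default="", namespaces=NS).strip()
    return min(SAML_LOA_URI.get(ref, 0), ASSERTION_MAX_LOA)  # never above LOA 2

def loa_from_fpki_policy(policy_name):
    """E-Auth LOA for a certificate issued under a named FPKI policy."""
    return FPKI_POLICY_LOA.get(policy_name, 0)

def meets_loa(required, achieved):
    """True when the presented credential's LOA covers the application's need."""
    return 1 <= required <= 4 and achieved >= required

# Constructed sample assertion, not a real federation message.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 ID="_c1" Version="2.0" IssueInstant="2007-10-01T12:00:00Z">
 <saml:Issuer>https://csp.example.edu</saml:Issuer>
 <saml:Conditions NotBefore="2007-10-01T11:55:00Z" NotOnOrAfter="2007-10-01T12:05:00Z"/>
 <saml:AuthnStatement><saml:AuthnContext>
  <saml:AuthnContextClassRef>urn:example:eauth:loa:2</saml:AuthnContextClassRef>
 </saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"""
```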
Slides 21–22: Fed PKI: View from 20,000 km (diagram; only the node labels survived extraction, listed in source order without the connecting lines)
Hubs and CAs: FBCA; C4; eGCA (3); Common Policy CA (HSPD-12); CertiPath; SSPs; Industry PKIs; CertiPath “SSP” (HSPD-12-comparable); Commercial “SSP-like”, serving all other Agencies; SAFE Industry PKIs
Entity labels: DOD, DHS, NASA, Commerce, USPS, USPTO, HHS, DOE, IL, DOJ, State, DOD/ECA, GPO, DOD/Interop, Treasury, Wells Fargo, MIT LL, UTexasSx, Boeing, Raytheon, Lockheed Martin, VeriSign, Cybertrust, ORC, Treasury, GPO, Exostar, Entrust/Cygnacom, IdenTrusT?, Johnson & Johnson, Merck, Pfizer, Procter & Gamble, Sanofi-Aventis, TAP Pharmaceuticals, Abbott Labs, AstraZeneca, Bristol-Myers Squibb, Genzyme, GlaxoSmithKline, INC Research, State of VA first responders
Annotations: Total: 15 – 20M users; EAF member CSPs; TLS certs; ~ 500k users!
Slide 23: Interoperability Initiatives
CertiPath – Federal Bridge cross-certification complete
SAFE – PKI Bridge and services, supporting digitally-signed electronic forms and document management
inCommon – assertion-based technology, LOA 1 & 2; demonstration projects with NSF; interfederation with NIH – NOW
Slide 24: Technology Implications
US Government LOA, standardized risk assessment, standards for PIV cards and identity proofing and vetting are here and INEVITABLY will migrate everywhere
  –Pickup already noted in aerospace contractor space, homeland security
Feds will have to deal with attributes eventually!
Slide 25: Security and Online Services Implications for Higher Ed
DHS first responders, DEA PKIs and CMS initiatives to enable online services and payments management will drive medical schools, hospitals and insurance chains to adopt Federal models for electronic identity authentication
  –Financial services firms under SEC regulation are already falling in line, both within and outside the eAuthentication federation participation
  –DEA issuing digital certs to pharmaceutical supply chain entities and plans to do so to service providers (MDs, PAs, NPs, etc.)
  –Treasury transfers > $1B daily via PKI
Availability of online government apps drive schools to federate to take advantage of services/apps
Slide 26: What About Privacy?
No single database of identity credentials
No requirement for only one identity credential
The old tradeoff still exists: convenience vs. security
Are there forces out there that want to know who you are at all times?
  –Of course; worry about RFID first.
Slide 27: NIH E-Authentication Initiative Goals
Researchers use their institutional identity credentials to authenticate to NIH online applications and services
Build a reliable, secure, trusted IT infrastructure that supports e-authentication
Slide 29: Current NIH Initiatives
Interfederated with InCommon higher education Identity Management Federation at OMB LOA 1: low/no risk applications put online and consume identity credentials issued by universities that are members of InCommon;
Extend interfederation agreement to OMB LOA 2 applications for universities that issue higher-assurance credentials under the InCommon Federation Silver program – for moderate risk applications (ETA 1/08);
Direct trust relationship with University of Texas System Public Key Infrastructure
Slide 30: NIH Pilot LOA 1 Applications
NLM Proxy Redirector (initial application)
Good Clinical Practice (GCP)
Community for Advanced Graduate Training (CAGT)
NIH Login/ADFS/MOSS integration (general collaboration)
More to follow
Slide 31: NIH Pilot LOA 2 Applications
Electronic Research Administration (eRA)
caBIG data (via Grid interoperability?)
Firebird (FDA, SAFE, NIAID involvement)
More to follow
Slide 32: End State for NIH
All NIH outward-facing, online apps risk assessed and credential LOA requirements determined
Credential validation infrastructure and/or linkages at production operational level
All NIH outward-facing, online apps connected to NIH Login front end with validation service enabling infrastructure (e.g., Shibboleth, etc.)
End State achieved… ???
Slide 33: Resources
altermap@mail.nih.gov
http://csrc.nist.gov/pki
www.cio.gov/fpkipa
www.cio.gov/ficc
www.cio.gov/eauthentication
www.smartcardalliance.org