Slide 1: E Authentication Federation
The enabler of Electronic Government!
Presented to AIPC by Stephen A. Timchak, June 12, 2005
The E-Authentication Federation
Slide 2: The Goal of E-Government
- Empower and enable citizens and businesses to manage their relationships with government on their terms in a secure online environment
- E-Authentication is a key component of the President’s Management Agenda
- Develop and implement an enterprise-wide E-Authentication strategy and solution that enables E-Government
The Role of the E-Authentication Program
Slide 3: President’s E-Gov Agenda

Government to Citizen
  1. USA Service
  2. EZ Tax Filing
  3. Online Access for Loans
  4. Recreation One Stop
  5. Eligibility Assistance Online
  Lead agencies, in slide order: GSA, Treasury, DoED, DOI, Labor

Government to Business
  1. Federal Asset Sales
  2. Online Rulemaking Management
  3. Simplified and Unified Tax and Wage Reporting
  4. Consolidated Health Informatics (business case)
  5. Business Gateway
  6. Int’l Trade Process Streamlining
  Lead agencies, in slide order: GSA, EPA, Treasury, HHS, SBA, DOC

Government to Govt.
  1. e-Vital (business case)
  2. Grants.gov
  3. Disaster Assistance and Crisis Response
  4. Geospatial Information One Stop
  5. Wireless Networks
  Lead agencies, in slide order: SSA, HHS, FEMA, DOI, FEMA

Internal Effectiveness and Efficiency
  1. e-Training
  2. Recruitment One Stop
  3. Enterprise HR Integration
  4. e-Travel
  5. e-Clearance
  6. e-Payroll
  7. Integrated Acquisition
  8. e-Records Management
  Lead agencies, in slide order: OPM, GSA, OPM, GSA, NARA

Cross-cutting Infrastructure: E-Authentication (Lead: GSA)
Slide 4: The E-Authentication Initiative Strategy
Build the E-Authentication Federation
- Government agencies rely on electronic identity credentials – such as PINs/user IDs/passwords/PKI certificates – issued and managed by other organizations within and outside the federal government
How do we do it?
- Develop a federated identity authentication framework
- Supporting secure online transactions
- Reliant on existing trust relationships
- COTS and standards-based with interoperable products, supporting multiple protocols
Slide 5: Why Adopt a Federated Approach?
- Migration of applications to the web has precipitated increasing need for secure authentication
- Identity management now perceived as one of the major enterprise IT challenges
- Industry best practices moving toward enterprise identity management solution (portal) and federated identity
Use of Federated Identity is Growing
- According to Burton Group, more than 300 businesses deploying SAML-based federations this year
Slide 6: An Example of Federation
[Diagram; surviving label: Maintenance Website]
Slide 7: Building the E-Authentication Federation
[Diagram. Components: Policy; Technical Standards; Business & Operating Rules; Operational Infrastructure; Agency Applications/Identity Credential Issuers. Status labels: Complete FY 2004; Complete; Scheduled for Federation membership Q4 FY ’05 and beyond]
Slide 8: Approved E-Authentication Technology Providers
- Novell
Slide 9: E Authentication Federation
- The Federal Government agency application owners that have agreed to abide by a set of technical, policy, and business interoperability standards and agreements that serve to make identity portable across multiple domains
- The private and public sector trusted Credential Service Providers that agree to abide by a set of technical, policy, and business interoperability standards and agreements that serve to make identity portable across multiple domains
- Federation Management (E-Authentication PMO) that manages the technical, policy, and business rules that serve to make identity portable across domains
Slide 10: Key Policy Considerations
For Governmentwide deployment:
- No National ID
- No National unique identifier
- No central registry of personal information, attributes, or authorization privileges
- Different authentication assurance levels are needed for different types of transactions
- Authentication – not authorization
For E-Authentication technical approach:
- No single proprietary solution
- Deploy multiple COTS products – user’s choice
- Products must interoperate together
- Controls must protect privacy of personal information
Slide 11: The Policy Foundation Is In Place
- Policy infrastructure enables real business and trust – because it can be universally leveraged and accepted
- Policy framework key to E-Authentication Federation context and cohesiveness
- Policy framework necessary for:
  - Technical architecture and interoperability
  - Evaluation of identity credential issuers
  - Determination of assurance level requirements
  - Ease of contracting
  - Efficient, reusable business processes
- Key policy/guidance documents & tools:
  - OMB M-04-04
  - E-Authentication Risk and Requirements Assessment (E-RA)
  - NIST SP 800-63
  - Credential Assessment Framework (CAF)
Matching the right level of authentication to business risk
Slide 12: The Technical/Architectural Framework Is In Place
- Based on industry best practices
- Open standards-based, federated identity management
- Supported by interoperable products, providing choice and market-driven pricing
- Supports the coexistence of multiple federated identity schemes
- Provides for the management of transitive trust
- Accommodates both low and high level credentials using SAML and PKI
- Supports the introduction of other authentication techniques over time
Interoperability among trusted identity credential issuers
Slide 13: Federation Operations
[Diagram. Labels: Starting Point; First Gov Portal; First Gov EAuth Apps; ICI Web Site; Agency Application Web Site; EAuth Portal; EAuth Validation Service; EAuth Step-down Translator; EAuth Protocol Translator]
Slide 14: Standing Up Federation Operations
- Implementing a world-class operations capability, available 24x7x365
- Federation Contact Center (Help Desk)
- Operations and maintenance of the portal, step-down translator(s), validation service and scheme translators
- Client and production services
Agency customers agreed that a well run operations capability was critical to the Federation’s success
Slide 15: Governance: E-Authentication Oversight
Moving From Initiative to Federation
[Diagram. Labels: E-Authentication Initiative; Executive Steering Committee; 24 Cabinet Level Federal agency CIOs; Venture capitalist perspective; E-Authentication Federation; Proposed Uber Structure; Federation Board of Directors; User Groups; Vendor Council]
Slide 16: Federation Membership Requirements
For Identity Credential Issuers and Relying Parties (Agencies)
- Business & Operating Rules
- Technology standards integrated with common business rules
- Developing business agreements that govern membership in the E-Authentication Federation
How we bind the trust that drives interoperability
Slide 17: Identity Credential Issuers
- The Federal Government does not want to be in the credential management business
- Various commercial entities – insurers and other financial institutions – are natural trusted credential service issuers (CSIs)
WHO PROVIDES AUTHENTICATION TODAY?
Look in your wallet – what credentials are you most likely to find?
- A bank card
- A health insurance card
- School ID
- A State Government-issued driver’s license or photo ID
Citizen/business convenience and trust are key to selecting identity credential issuers
Slide 18: Targeting Financial Institutions First
- Authentication lies at the core of existing financial services products
- Know-your-customer (KYC) required by law
- Financial institutions own 3 powerful assets:
  - Trust
  - 90+% of the US population has banking relationship & 53M have bank-issued credentials (Pew)
  - Strongly authenticated identities
Law requires more than KYC – it requires that customers’ identities be protected
Slide 19: Financial Institutions as Authenticators
[Chart rating each authenticator as Strong, Mixed or Weak per attribute; the ratings themselves are not recoverable from the text.
Attributes, The Consumer Relationship: Broad customer base; Long term relationship; Frequent use of credential.
Attributes, The Authenticator: Trusted entity?; Strong registration process?
Current Authenticators – with large bases of authenticated customer relationships: Financial Institutions; ISPs and Telcos; Employers; Schools; Merchants & Service Providers.
Future Authenticators – could have large bases of authenticated customer relationships: Governments; Private ID Providers.]
Chart Courtesy of Glenbrook Partners, "Trusted Identity: Hidden Value From Customer Appreciation"
Slide 20: The Credential Assessment Framework
- Potential ICIs must participate in a credential assessment using the methodology defined in the Credential Assessment Framework
  - On site inspection
  - Credentialing procedures
  - Network and systems security
  - Overall risk management profile
- Upon successful assessment, ICIs can be added to E-Authentication’s Trusted Identity Credential Issuer List and to the E-Auth architecture (enabling acceptance of the credential by the Portal)
Slide 21: Agencies Are Committed
Moving E-Gov’t Services Online For Business

Type of Transaction | Sample Application | Potential Users
Licensing/Permits/Accreditation | Nat’l Park Service Research Permits | 3500 researchers, 10,000 permits requested each year
Compliance | EPA Central Data Exchange | 15,000 businesses and laboratories
Grants/Loans/Subsidies | FHA Connection | 90,000 mortgage lenders – 1.4M loans approved in FY04
Gov’t Contracting | E-Offer | 8,000 primary business contracts; 100,000 projected business users
Business Support | NASA Integrated Information | 50,000 contractors, industry participants (350M transaction per year)
Int’l Trade | Export.gov | 3 million businesses
Slide 22: Agencies Are Committed
Moving E-Gov’t Services Online For Citizens

Type of Transaction | Sample Application | Potential Users
Social Security | Direct Deposit Annual Benefit Statement | 47M citizens receiving benefits
Assistance | USA Jobs | Over 15,000 job postings
Recreation | Recreation One Stop | 5.7M campers in 2003
Loans | Dept. of Education’s National Student Loan | 35M student users
Public Safety | Dept. of Justice’s Victim Internet System | 13M victims and their attorneys
Benefits | 1010-Eligibility for Benefits | 70M veterans
Slide 23: Federation Acquisition Marketplace
- Providing a “one-stop shop” for E-Authentication Federation products and services
- Creating an “E-Authentication Federation Suite of Contracts” on Federal Supply Service (FSS) IT Schedule 70
- Available to states as well as Federal agencies
- Will include:
  - Technology products
  - Architectural components
  - Credential services
  - Accredited providers of Smartcard/HSPD-12/FICC-mandated credentials and tokens
Slide 24: E-Authentication Validated by Independent Report
Burton Group, a respected IT research and advisory services firm, reports that E-Authentication:
- Aligns with industry best practices
- Provides flexible and pragmatic common approach to authentication
- Efforts should continue and expand, with fine tuning
“The E-Authentication Initiative’s goals are achievable. The anticipated benefits are real and far-reaching, and extend to end-users, governmental organizations, and commercial businesses alike. The E-Authentication Initiative is well-defined, flexible, technically sound, and employs industry best practices.”
Burton Group Report on the Federal E-Authentication Initiative, 8/30/04
Slide 25: Lessons Learned
IT’S HARD!
Slide 26: SUCCESS IS IN SIGHT!
Slide 27: For More Information
Stephen A. Timchak
Project Executive, E-Authentication Federation
U.S. General Services Administration
2011 Crystal Drive, Suite 911, Crystal Park One, Arlington, Virginia 22202
Phone: Office: 703-872-8604
E-mail: stephen.timchak@gsa.gov
Website: http://cio.gov/eauthentication