interagency advisory board - fips201.com · chapter 4: icam use cases. illustrate the as-is and...


Page 1: Interagency Advisory Board - FIPS201.com · Chapter 4: ICAM Use Cases. Illustrate the as-is and target states of high level ICAM functions and frame a gap analysis between the as-is

Interagency Advisory Board Meeting Agenda, March 23, 2011

1. Open Remarks (Mr. Tim Baldridge, IAB Chair)

2. Impact of M-11-11 on PACS (Ron Martin, HHS)

3. FIPS 201-2 Update (Bill MacGregor, NIST)

4. Status Brief on ICAM Roadmap (Shelly Hartsook, Deloitte)

5. Status of FPKI Management Authority (MA Team, GSA)

6. Closing Remarks (Mr. Tony Cieri)


Identity, Credential, and Access Management

Federal CIO Council
Information Security and Identity Management Committee

FICAM Roadmap and Implementation Guidance:

Part B Update

Shelly Hartsook
Project Manager, GSA Support


Agenda

Recap of the FICAM Roadmap “Part A”
• FICAM Roadmap Document v1.0
• Key Aspects of the Target State
• Transition Roadmap Initiatives

Introduction to the FICAM Roadmap “Part B”
• Part B Chapter Summary
• Guidance Development Process

Current Status
• Phase 1 Workplan Progress
• Phase 2 Workplan Progress
• Accomplishments
• Document Review Milestones


FICAM Roadmap Document v1.0

The purpose of the Federal ICAM segment architecture is to provide federal agencies with a standards-based approach for implementing government-wide ICAM initiatives. The use of enterprise architecture techniques will help ensure alignment, clarity, and interoperability across agency ICAM initiatives and enable agencies to eliminate redundancies by identifying shared ICAM services across the Federal Government.

PART A: ICAM Segment Architecture

Chapter 1: Introduction. Provides background information on the ICAM Initiative and an overview of the purpose, scope, and structure of the document.

Chapter 2: Overview of Identity, Credential, and Access Management. Provides an overview of ICAM that includes a discussion of the business and regulatory reasons for agencies to implement ICAM initiatives within their organization.

Chapter 3: ICAM Segment Architecture. Standards-based architecture that outlines a cohesive target state to ensure alignment, clarity, and interoperability across agencies.

Chapter 4: ICAM Use Cases. Illustrate the as-is and target states of high level ICAM functions and frame a gap analysis between the as-is and target states.

Chapter 5: Transition Roadmap and Milestones. Defines a series of logical steps or phases that enable the implementation of the target architecture.


Key Aspects of the Target State

• Increased automation and streamlining of business processes
• Establishment of authoritative sources for identity data and the capability to exchange that data between systems
• Full implementation of PIV credentials for employees, contractors, and affiliates accessing physical and logical resources
• Creation of enterprise-wide ICAM services to eliminate redundancy
• Adoption of standards and commercially-available products
• Increased emphasis on high levels of identity assurance
• Improved trust and interoperability across agencies and with external communities
• Enhanced capabilities for handling external users
• Protecting privacy in all process and system improvements


Transition Roadmap Initiatives


Part B Chapter Summary

PART B: Implementation Guidance

Chapter 6. ICAM Implementation Planning. Augments standard life cycle methodologies as they relate to specific planning considerations common across ICAM programs.

Chapter 7. Initiative 5: Streamline Collection and Sharing of Digital Identity Data. Provides guidance for agency activities required to eliminate redundancies in the collection and maintenance of identity data and mitigate the inefficiencies and security and privacy risks associated with current identity data management processes.

Chapter 8. Initiative 6: Fully Leverage PIV and PIV-interoperable Credentials. Provides guidance for activities required to meet the intent of HSPD-12 for the usage of PIV credentials, make better use of cryptographic capabilities, and use of externally-issued PIV-interoperable credentials.

Chapter 9. Access Control Convergence. Includes guidance topics that are applicable to both physical and logical access and will tie into PACS and LACS implementation chapters.

Chapter 10. Initiative 7: Modernize PACS Infrastructure. Provides guidance for agency activities required to update physical security processes and systems for routine access for PIV cardholders and visitor access for individuals with other acceptable credentials.

Chapter 11. Initiative 8: Modernize LACS Infrastructure. Provides guidance for upgrading logical access control systems to enable the PIV card and automate and streamline capabilities to increase efficiency and improve security.

Chapter 12. Initiative 9: Implement Federated Identity Capability. Provides guidance for agency activities to support streamlined service delivery to external consumers and reduce redundancy in ICAM programs by leveraging a government-wide federated identity framework.


Guidance Development Process

The development process involves coordination and collaboration with Federal Agencies, industry partners, and cross-government working groups.

• Multiple agencies represented within the CIO council subcommittees and working groups
• Interagency Security Committee (ISC)
• Office of Management and Budget
• National Institute of Standards and Technology (NIST)
• Office of National Coordinator (ONC) for Health IT
• Information Sharing Environment (ISE)
• White House National Science and Technology Council (NSTC)

The Roadmap Development Team of the ICAMSC is the key group responsible for providing inputs to the guidance and reviewing the document for accuracy and completeness.


Phase 1 Workplan Progress

Status legend: Not Started, In Progress, Completed

Chapter 6 – ICAM Implementation Planning

Key Topics
• Defining ICAM Program Stakeholders
• Risk Management
• Capital Planning for ICAM Investments
• Security Considerations
• Privacy Considerations

Development Activities
• Request for Agency Information on implementation planning best practices
• Collaborate with RDT on content development
• Coordinate with CIO Council Privacy Committee
• Develop draft narrative

Chapter 9 – Access Control Convergence

Key Topics
• Access Control Models
• Policy Management
• Asset/resource Management
• Provisioning
• PKI Credentials
• Key History Management

Development Activities
• Request for Agency Information on access control approaches and lessons learned
• Conduct asset management working session with RDT
• Conduct provisioning working session with RDT
• Coordinate with Fed PKI CPWG, LAWG, and ISC
• Develop draft narrative

Chapter 10 – Initiative 7: Modernize PACS

Key Topics
• Physical Access Implementation Planning
• Physical Access Control System Implementation (Architecture & Technical Implementation)
• Local Facility Access
• Visitor Access

Development Activities
• Request for Agency Information on PACS design, implementation, and lessons learned
• Collaborate with ISC Convergence Subcommittee on content development
• Conduct ad hoc sessions with RDT, as necessary
• Integrate government inputs and complete narrative

Chapter 11 – Initiative 8: Modernize LACS

Key Topics
• Logical Access Implementation Planning
• Logical Access Control System Implementation (Architecture & Technical Implementation)
• Application Integration
• E-Authentication

Development Activities
• Request for Agency Information on LACS design, implementation, and lessons learned
• Review existing LAWG drafts
• Collaborate with LAWG on content development
• Integrate government inputs and complete narrative


Phase 2 Workplan Progress

Status legend: Not Started, In Progress, Completed

Chapter 7 – Initiative 5: Streamline Collection and Sharing of Digital Identity Data

Key Topics
• Enterprise digital identity
• Identity life cycle process improvement
• Reciprocity of background investigations
• Digital identity attribute exchange approaches

Development Activities
• Request agency information on digital identity data management
• Collaborate with AWG and FIWG on content development
• Develop draft narrative
• Conduct reviews and finalize draft

Chapter 8 – Initiative 6: Fully Leverage PIV and PIV-I Credentials

Key Topics
• PIV and PIV-I overview
• Credential authentication
• Lost/forgotten cards
• Alternate biometrics
• Encryption and digital signature
• Key history management

Development Activities
• Request Agency information on usage of PIV and PIV-I credentials
• Collaborate with RDT on content development
• Incorporate guidance from the CPWG
• Develop draft narrative
• Conduct reviews and finalize draft

Chapter 12 – Initiative 9: Implement Federated Identity Capability

Key Topics
• Federal trust frameworks
• Scheme adoption certification process
• Provisioning external users
• Federated access using third party credentials

Development Activities
• Request Agency information on implementation of federated identity capabilities
• Collaborate with FIWG, COFG, and AWG on content development
• Develop draft narrative
• Conduct reviews and finalize draft

Appendix B – Glossary

Key Topics
• Key ICAM terminology
• Use case actor definitions
• Service component definitions

Development Activities
• Review existing glossaries and lexicons with terminology related to ICAM
• Collaborate with RDT Glossary Tiger Team on recommended definitions
• Review and gain consensus on Glossary draft


Accomplishments

Month: Key Accomplishments

May 2010
• Kicked off effort
• Developed Phase 1 Workplan

June 2010
• Held RDT Workplan Review meeting on June 8th
• Requested agency information and documentation as resource material
• Began engaging ICAMSC working groups on chapter content development

July 2010
• Delivered Chapter 6: ICAM Implementation Planning Draft to RDT on July 8th
• Held RDT Chapter 6 Draft Review meeting on July 13th
• Conducted Ad Hoc brainstorming session for Chapter 9: Access Control Convergence on July 21st

August 2010
• Delivered Chapter 9: Access Control Convergence draft to RDT on August 5th
• Began conducting follow up interviews with agencies to supplement guidance
• Continued collaboration with LAWG on Chapter 11: Modernize LACS
• Continued collaboration with ISC Convergence Subcommittee on Chapter 10: Modernize PACS

September 2010
• Delivered Chapter 11: Modernize LACS draft to RDT on September 16th
• Awarded contract to support Phase 2 Implementation Guidance chapters on September 28th
• Delivered Chapter 10 – Initiative 7: Modernize PACS Infrastructure draft to RDT on September 30th


Accomplishments (continued)

Month: Key Accomplishments

October 2010
• Held RDT Chapter 10 Draft Review meeting on October 5th
• Delivered consolidated Phase 1 draft to RDT on October 22, 2010

November 2010
• Finalized and delivered Initial Phase 1 ICAM Release Draft of the Implementation Guidance to the ICAM community on November 19th
• Drafted outlines and storyboards for Phase 2 chapters (Chapters 7, 8, and 12)

December 2010
• Finalized outlines and storyboards for Phase 2 chapters with the RDT on December 13th
• Collected comments on the Initial Phase 1 ICAM Release Draft of the Implementation Guidance through Friday, December 17th

January 2011
• Delivered Chapter 8 - Initiative 6: Fully Leverage PIV and PIV-I Credentials draft to RDT on Friday, January 21st

February 2011
• Delivered Chapter 7 - Initiative 5: Streamline Collection and Sharing of Digital Identity Data draft to RDT on Thursday, February 10th
• Delivered Chapter 12 - Initiative 9: Implement Federated Identity Capability to the RDT on February 24th
• Delivered Initial Phase 1 Public Release Draft to GSA OGP on February 27th

March 2011
• Held Ad-Hoc RDT Working Session on March 11th to discuss requested revisions for Chapters 7 and 12
• Continued revising Phase 2 chapters for delivery to RDT on March 25th


Document Review Milestones

Date: Event

• Friday, March 25, 2011: Initial Phase 2 Draft provided to RDT for two-week review period
• Friday, April 8, 2011: RDT comments due on Initial Draft
• Friday, April 22, 2011*: Complete ICAM Release Draft (incorporating RDT comments) provided to ICAM Community for 30-day review period
• Friday, May 20, 2011: ICAM Community comments due on Release Draft
• Friday, June 24, 2011*: Public Draft of Phase 2 chapters released

*Release dates subject to change based upon the volume and complexity of comments received during the comment periods.