Interagency Advisory Board - fips201.com
TRANSCRIPT
Interagency Advisory Board Meeting Agenda, March 23, 2011
1. Open Remarks (Mr. Tim Baldridge, IAB Chair)
2. Impact of M-11-11 on PACS (Ron Martin, HHS)
3. FIPS 201-2 Update (Bill MacGregor, NIST)
4. Status Brief on ICAM Roadmap (Shelly Hartsook, Deloitte)
5. Status of FPKI Management Authority (MA Team, GSA)
6. Closing Remarks (Mr. Tony Cieri)
Identity, Credential, and Access Management
Federal CIO Council, Information Security and Identity Management Committee
FICAM Roadmap and Implementation Guidance:
Part B Update
Shelly Hartsook, Project Manager, GSA Support ([email protected]@deloitte.com)
Agenda
Recap of the FICAM Roadmap “Part A”
• FICAM Roadmap Document v1.0
• Key Aspects of the Target State
• Transition Roadmap Initiatives
Introduction to the FICAM Roadmap “Part B”
• Part B Chapter Summary
• Guidance Development Process
Current Status
• Phase 1 Workplan Progress
• Phase 2 Workplan Progress
• Accomplishments
• Document Review Milestones
FICAM Roadmap Document v1.0
PART A: ICAM Segment Architecture
The purpose of the Federal ICAM segment architecture is to provide federal agencies with a standards-based approach for implementing government-wide ICAM initiatives. The use of enterprise architecture techniques will help ensure alignment, clarity, and interoperability across agency ICAM initiatives and enable agencies to eliminate redundancies by identifying shared ICAM services across the Federal Government.
Chapter 1: Introduction. Provides background information on the ICAM Initiative and an overview of the purpose, scope, and structure of the document.
Chapter 2: Overview of Identity, Credential, and Access Management. Provides an overview of ICAM that includes a discussion of the business and regulatory reasons for agencies to implement ICAM initiatives within their organization.
Chapter 3: ICAM Segment Architecture. Standards-based architecture that outlines a cohesive target state to ensure alignment, clarity, and interoperability across agencies.
Chapter 4: ICAM Use Cases. Illustrates the as-is and target states of high-level ICAM functions and frames a gap analysis between the as-is and target states.
Chapter 5: Transition Roadmap and Milestones. Defines a series of logical steps or phases that enable the implementation of the target architecture.
Key Aspects of the Target State
• Increased automation and streamlining of business processes
• Establishment of authoritative sources for identity data and the capability to exchange that data between systems
• Full implementation of PIV credentials for employees, contractors, and affiliates accessing physical and logical resources
• Creation of enterprise-wide ICAM services to eliminate redundancy
• Adoption of standards and commercially-available products
• Increased emphasis on high levels of identity assurance
• Improved trust and interoperability across agencies and with external communities
• Enhanced capabilities for handling external users
• Protecting privacy in all process and system improvements
Transition Roadmap Initiatives
Part B Chapter Summary
PART B: Implementation Guidance
Chapter 6. ICAM Implementation Planning. Augments standard life cycle methodologies as they relate to specific planning considerations common across ICAM programs.
Chapter 7. Initiative 5: Streamline Collection and Sharing of Digital Identity Data. Provides guidance for agency activities required to eliminate redundancies in the collection and maintenance of identity data and mitigate the inefficiencies and security and privacy risks associated with current identity data management processes.
Chapter 8. Initiative 6: Fully Leverage PIV and PIV-interoperable Credentials. Provides guidance for activities required to meet the intent of HSPD-12 for the usage of PIV credentials, make better use of cryptographic capabilities, and use externally-issued PIV-interoperable credentials.
Chapter 9. Access Control Convergence. Includes guidance topics that are applicable to both physical and logical access and will tie into the PACS and LACS implementation chapters.
Chapter 10. Initiative 7: Modernize PACS Infrastructure. Provides guidance for agency activities required to update physical security processes and systems for routine access for PIV cardholders and visitor access for individuals with other acceptable credentials.
Chapter 11. Initiative 8: Modernize LACS Infrastructure. Provides guidance for upgrading logical access control systems to enable the PIV card and automate and streamline capabilities to increase efficiency and improve security.
Chapter 12. Initiative 9: Implement Federated Identity Capability. Provides guidance for agency activities to support streamlined service delivery to external consumers and reduce redundancy in ICAM programs by leveraging a government-wide federated identity framework.
Guidance Development Process
The development process involves coordination and collaboration with Federal Agencies, industry partners, and cross-government working groups. Multiple agencies are represented within the CIO Council subcommittees and working groups:
• Interagency Security Committee (ISC)
• Office of Management and Budget
• National Institute of Standards and Technology (NIST)
• Office of National Coordinator (ONC) for Health IT
• Information Sharing Environment (ISE)
• White House National Science and Technology Council (NSTC)
The Roadmap Development Team of the ICAMSC is the key group responsible for providing inputs to the guidance and reviewing the document for accuracy and completeness.
Phase 1 Workplan Progress
Legend: Not Started, In Progress, Completed

Chapter 6 – ICAM Implementation Planning
Key Topics:
• Defining ICAM Program Stakeholders
• Risk Management
• Capital Planning for ICAM Investments
• Security Considerations
• Privacy Considerations
Development Activities:
• Request for Agency Information on implementation planning best practices
• Collaborate with RDT on content development
• Coordinate with CIO Council Privacy Committee
• Develop draft narrative

Chapter 9 – Access Control Convergence
Key Topics:
• Access Control Models
• Policy Management
• Asset/resource Management
• Provisioning
• PKI Credentials
• Key History Management
Development Activities:
• Request for Agency Information on access control approaches and lessons learned
• Conduct asset management working session with RDT
• Conduct provisioning working session with RDT
• Coordinate with Fed PKI CPWG, LAWG, and ISC
• Develop draft narrative

Chapter 10 – Initiative 7: Modernize PACS
Key Topics:
• Physical Access Implementation Planning
• Physical Access Control System Implementation (Architecture & Technical Implementation)
• Local Facility Access
• Visitor Access
Development Activities:
• Request for Agency Information on PACS design, implementation, and lessons learned
• Collaborate with ISC Convergence Subcommittee on content development
• Conduct ad hoc sessions with RDT, as necessary
• Integrate government inputs and complete narrative

Chapter 11 – Initiative 8: Modernize LACS
Key Topics:
• Logical Access Implementation Planning
• Logical Access Control System Implementation (Architecture & Technical Implementation)
• Application Integration
• E-Authentication
Development Activities:
• Request for Agency Information on LACS design, implementation, and lessons learned
• Review existing LAWG drafts
• Collaborate with LAWG on content development
• Integrate government inputs and complete narrative
Phase 2 Workplan Progress
Legend: Not Started, In Progress, Completed

Chapter 7 – Initiative 5: Streamline Collection and Sharing of Digital Identity Data
Key Topics:
• Enterprise digital identity
• Identity life cycle process improvement
• Reciprocity of background investigations
• Digital identity attribute exchange approaches
Development Activities:
• Request agency information on digital identity data management
• Collaborate with AWG and FIWG on content development
• Develop draft narrative
• Conduct reviews and finalize draft

Chapter 8 – Initiative 6: Fully Leverage PIV and PIV-I Credentials
Key Topics:
• PIV and PIV-I overview
• Credential authentication
• Lost/forgotten cards
• Alternate biometrics
• Encryption and digital signature
• Key history management
Development Activities:
• Request Agency information on usage of PIV and PIV-I credentials
• Collaborate with RDT on content development
• Incorporate guidance from the CPWG
• Develop draft narrative
• Conduct reviews and finalize draft

Chapter 12 – Initiative 9: Implement Federated Identity Capability
Key Topics:
• Federal trust frameworks
• Scheme adoption certification process
• Provisioning external users
• Federated access using third party credentials
Development Activities:
• Request Agency information on implementation of federated identity capabilities
• Collaborate with FIWG, COFG, and AWG on content development
• Develop draft narrative
• Conduct reviews and finalize draft

Appendix B – Glossary
Key Topics:
• Key ICAM terminology
• Use case actor definitions
• Service component definitions
Development Activities:
• Review existing glossaries and lexicons with terminology related to ICAM
• Collaborate with RDT Glossary Tiger Team on recommended definitions
• Review and gain consensus on Glossary draft
Accomplishments
May 2010
• Kicked off effort
• Developed Phase 1 Workplan
June 2010
• Held RDT Workplan Review meeting on June 8th
• Requested agency information and documentation as resource material
• Began engaging ICAMSC working groups on chapter content development
July 2010
• Delivered Chapter 6: ICAM Implementation Planning Draft to RDT on July 8th
• Held RDT Chapter 6 Draft Review meeting on July 13th
• Conducted Ad Hoc brainstorming session for Chapter 9: Access Control Convergence on July 21st
August 2010
• Delivered Chapter 9: Access Control Convergence draft to RDT on August 5th
• Began conducting follow-up interviews with agencies to supplement guidance
• Continued collaboration with LAWG on Chapter 11: Modernize LACS
• Continued collaboration with ISC Convergence Subcommittee on Chapter 10: Modernize PACS
September 2010
• Delivered Chapter 11: Modernize LACS draft to RDT on September 16th
• Awarded contract to support Phase 2 Implementation Guidance chapters on September 28th
• Delivered Chapter 10 – Initiative 7: Modernize PACS Infrastructure draft to RDT on September 30th
Accomplishments (continued)
October 2010
• Held RDT Chapter 10 Draft Review meeting on October 5th
• Delivered consolidated Phase 1 draft to RDT on October 22, 2010
November 2010
• Finalized and delivered Initial Phase 1 ICAM Release Draft of the Implementation Guidance to the ICAM community on November 19th
• Drafted outlines and storyboards for Phase 2 chapters (Chapters 7, 8, and 12)
December 2010
• Finalized outlines and storyboards for Phase 2 chapters with the RDT on December 13th
• Collected comments on the Initial Phase 1 ICAM Release Draft of the Implementation Guidance through Friday, December 17th
January 2011
• Delivered Chapter 8 – Initiative 6: Fully Leverage PIV and PIV-I Credentials draft to RDT on Friday, January 21st
February 2011
• Delivered Chapter 7 – Initiative 5: Streamline Collection and Sharing of Digital Identity Data draft to RDT on Thursday, February 10th
• Delivered Chapter 12 – Initiative 9: Implement Federated Identity Capability to the RDT on February 24th
• Delivered Initial Phase 1 Public Release Draft to GSA OGP on February 27th
March 2011
• Held Ad-Hoc RDT Working Session on March 11th to discuss requested revisions for Chapters 7 and 12
• Continued revising Phase 2 chapters for delivery to RDT on March 25th
Document Review Milestones
• Friday, March 25, 2011: Initial Phase 2 Draft provided to RDT for two-week review period
• Friday, April 8, 2011: RDT comments due on Initial Draft
• Friday, April 22, 2011*: Complete ICAM Release Draft (incorporating RDT comments) provided to ICAM Community for 30-day review period
• Friday, May 20, 2011: ICAM Community comments due on Release Draft
• Friday, June 24, 2011*: Public Draft of Phase 2 chapters released
*Release dates subject to change based upon the volume and complexity of comments received during the comment periods.