
Page 1: Identity, Credential, and Access Management Federal CIO Council Information Security and Identity Management Committee The Future of Federal Identity Management.

Identity, Credential, and Access Management

Federal CIO Council Information Security and Identity Management Committee

The Future of Federal Identity Management

Judith Spencer, Agency Expert - IDM, Office of Governmentwide Policy, GSA, [email protected]

www.idmanagement.gov

Page 2: What is ICAM?

ICAM represents the intersection of digital identities, credentials, and access control into one comprehensive approach.

Key ICAM Service Areas Include:
- Digital Identity
- Credentialing
- Privilege Management
- Authentication
- Authorization & Access
- Cryptography
- Auditing and Reporting

Page 3: ICAM Drivers

- Increasing Cybersecurity threats
  - There is no National, International, Industry “standard” approach to individual identity on the network. (CyberSecurity Policy Review)
  - Security weaknesses found across agencies included the areas of user identification and authentication, encryption of sensitive data, logging and auditing, and physical access. (GAO-09-701T)
- Need for improved physical security
- Lag in providing government services electronically
- Vulnerability of Personally Identifiable Information (PII)
- Lack of interoperability
  - “The ICAM segment architecture will serve as an important tool for providing awareness to external mission partners and drive the development and implementation of interoperable solutions.” (President’s FY2010 Budget)
- High costs for duplicative processes and data management

Page 4: ICAM Scope

[Figure: ICAM scope diagram. Subjects: Persons and Non-Persons. Access types: Logical Access and Physical Access.]

Page 5: FICAM Development Process

The development process involves coordination and collaboration with Federal Agencies, industry partners, and cross-government working groups.

The Roadmap team identified the key outputs of the Federal Segment Architecture Methodology (FSAM) needed for an ICAM segment architecture and coordinated these groups to develop workable approaches to enable cross-government solutions.

Participating groups:
- Interagency Security Committee (ISC)
- Information Sharing Environment (ISE)
- White House National Science and Technology Council (NSTC)
- Committee for National Security Systems (CNSS)
- Office of Management and Budget
- National Institute of Standards and Technology (NIST)
- Office of National Coordinator (ONC) for Health IT
- Multiple agencies represented within the CIO council subcommittees and working groups

Page 6: Components of the ICAM Segment Architecture

Page 7: ICAM Goals and Objectives

The Federal ICAM Roadmap addresses unclassified federal identity, credential, and access management programs and demonstrates the importance of implementing the ICAM segment architecture in support of five overarching strategic goals and their related objectives.

Page 8: Eleven Use Cases Covering:

Page 9: Measuring Success

Page 10: On-Going Activities

- PIV Interoperability: Defining the parameters for an industry smart card that emulates the PIV credential
  - FIPS 201 is limited to the Federal community
  - External interoperability/trust is achievable
- Trust Framework Providers and Scheme Adoption
  - Non-cryptographic solutions at lower levels of assurance
  - Industry self-regulation with government recognition
- Working with Open Solutions to enable open government
- Federal PIV deployment exceeds 70%
- LACS deployment beginning
- PACS demonstration system operational

Page 11: Increasing the Trusted Credential Community

- Back to Basics – M-04-04 and NIST 800-63 are still the foundational policy/technical guidance for identity management in the Federal government.
- Establish unified architecture for Identity Management
- Expand our use of Assertion-based solutions (Levels 1 & 2)
  - Stronger industry alignment for trust and technology standards
- Federal Bridge interoperability will continue to play a role at Levels 3 & 4
- Outreach to communities of interest
  - Explore natural affinities

Page 12: M-04-04: E-Authentication Guidance for Federal Agencies

OMB Guidance establishes 4 authentication assurance levels.

Assurance Levels

| Level | Confidence | Identity proofing | Credential | Solution type |
|---|---|---|---|---|
| Level 1 | Little or no confidence in asserted identity | Self-assertion, minimum records | | Assertion-based |
| Level 2 | Some confidence in asserted identity | On-line, instant qualification – out-of-band follow-up | | Assertion-based |
| Level 3 | High confidence in asserted identity | On-line with out-of-band verification for qualification | Cryptographic solution | Crypto-based |
| Level 4 | Very high confidence in the asserted identity | In person proofing; record a biometric | Cryptographic solution; hardware token | Crypto-based |

Page 13: FIPS 199 Risk/Impact Profiles

Assurance Level Impact Profiles (columns 1-4 give the Maximum Potential Impacts permitted at each assurance level)

| Potential Impact Categories for Authentication Errors | 1 | 2 | 3 | 4 |
|---|---|---|---|---|
| Inconvenience, distress or damage to standing or reputation | Low | Mod | Mod | High |
| Financial loss or agency liability | Low | Mod | Mod | High |
| Harm to agency programs or public interests | N/A | Low | Mod | High |
| Unauthorized release of sensitive information | N/A | Low | Mod | High |
| Personal Safety | N/A | N/A | Low | Mod/High |
| Civil or criminal violations | N/A | Low | Mod | High |
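As an added worked example (not part of the slide deck), the following Python applies the impact-profile table above the way M-04-04 uses it: each assessed impact category fixes a minimum assurance level, and the application's required level is the highest of those. The impact ranking, the handling of "Mod/High" as an upper bound of High, and the two sample assessments are assumptions constructed for this example.

```python
# Added example: derive the M-04-04 e-authentication assurance level an
# application needs from its FIPS 199 impact assessment, using the
# "Maximum Potential Impacts" table reproduced on the slide above.
from typing import Dict

# Ordered impact scale. "N/A" in the table means no impact is tolerated in that
# category at that assurance level (assumption about the table's semantics).
IMPACT_RANK = {"N/A": 0, "Low": 1, "Mod": 2, "High": 3}

# Maximum potential impact per category at assurance levels 1..4 (from the slide).
# Personal Safety at Level 4 is "Mod/High"; its ceiling is taken as High.
MAX_IMPACT = {
    "Inconvenience, distress or damage to standing or reputation": ["Low", "Mod", "Mod", "High"],
    "Financial loss or agency liability": ["Low", "Mod", "Mod", "High"],
    "Harm to agency programs or public interests": ["N/A", "Low", "Mod", "High"],
    "Unauthorized release of sensitive information": ["N/A", "Low", "Mod", "High"],
    "Personal Safety": ["N/A", "N/A", "Low", "High"],
    "Civil or criminal violations": ["N/A", "Low", "Mod", "High"],
}


def level_for_category(category: str, assessed: str) -> int:
    """Lowest assurance level (1-4) whose maximum impact covers the assessed impact."""
    need = IMPACT_RANK[assessed]
    for level, ceiling in enumerate(MAX_IMPACT[category], start=1):
        if IMPACT_RANK[ceiling] >= need:
            return level
    raise ValueError(f"{assessed} impact in {category!r} exceeds every level")


def required_assurance_level(assessment: Dict[str, str]) -> int:
    """Overall level is the highest per-category requirement; unassessed categories count as N/A."""
    return max(level_for_category(c, assessment.get(c, "N/A")) for c in MAX_IMPACT)


# Constructed sample: a portal publishing open data, where an authentication
# error causes at most minor inconvenience.
OPEN_DATA_PORTAL = {"Inconvenience, distress or damage to standing or reputation": "Low"}

# Constructed sample: a benefits application handling PII; a moderate release of
# sensitive information is only tolerated from Level 3 upward.
BENEFITS_APP = {
    "Inconvenience, distress or damage to standing or reputation": "Mod",
    "Financial loss or agency liability": "Mod",
    "Unauthorized release of sensitive information": "Mod",
}

if __name__ == "__main__":
    for name, a in [("open data portal", OPEN_DATA_PORTAL), ("benefits app", BENEFITS_APP)]:
        print(f"{name}: Level {required_assurance_level(a)}")
```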

Page 14: Goals

- Leverage Industry credentials for Government use
- Make Government more transparent to the Public
- Make it easier for the American Public to access government information
- Avoid issuance of application-specific credentials
- Leverage Web 2.0 technologies
- Demonstrate feasibility with application(s) assessed at Assurance Level 1
- Support applications at higher assurance levels as appropriate

Page 15: Enabling e-Government

- Business Process Redesign will result in standardized interfaces for logical access
  - Streamlined access control/provisioning
- Well-understood Federated trust at multiple levels of assurance
  - Level 4 will require PIV-I
  - Levels 1-3 will recognize multiple solutions/identity schemes
- Greater trust in external credential validity
- Repeatable process

Page 16: Summary

- Identity and Access Management Are Foundational to Information Sharing and Collaboration
- First release of Trust Framework Provider Approval Process and Identity Scheme Adoption Process available for public review at www.idmanagement.gov
- Industry Partners are Fielding Identity Credentials as well as Creating Federations for Sharing & Collaboration
  - Open ID Foundation
  - infoCard Foundation
  - InCommon Federation
- Progress Depends on Public-Private Partnering