Identity Management Reference Architecture


Transcript of Identity Management Reference Architecture

Page 1: Identity Management Reference Architecture

1 / March 2008 /

Identity Management Reference Architecture Defining a reference enterprise architecture for Federal identity management

Identity Management Architecture Team Greg Black, James Ryan, Paul Kavitz

Page 2: Identity Management Reference Architecture


Agenda

•  Introductions

•  Present the Practicum

•  Recommendations & Lessons Learned

Page 3: Identity Management Reference Architecture


Team Members

•  Greg Black, Paul Kavitz, Jay Ryan

•  Recognizing culture as a leading risk factor, the IDM team sought out areas of personal growth that added value toward an overall problem statement.

•  Experience, both professional and personal, was contributed by each member through their work ethic and desire to embrace and employ enterprise architecture.

•  Capitalized on individualism, experience, education, and leadership to provide perspectives.

•  Diverse backgrounds and individual work ethics of each team member helped create a rich, cohesive approach to gap analysis and problem solving.

Paul Kavitz, MSP

Greg Black, Government

Jay Ryan, IDM & PKI Consultancy


Page 5: Identity Management Reference Architecture


Executive Summary

Audience
•  Government policy and decision makers concerned with the Federal Enterprise Architecture (FEA) and Identity Management (IDM) architectures

Motivation and Intent
•  To define an extension to the FEA Framework that facilitates alignment of agency identity management architectures and improves benefits case realization.

Structure and Scope
•  This presents a reference architecture designed to provide a standard pattern baseline for identity management architecture implementations government wide.
•  The core components are scoping and contextual artifacts common to identity management architectures.
•  The summary also includes architecture governance, transition, communication, and maintenance plans.

Page 6: Identity Management Reference Architecture


What do we mean by IDM Reference Architecture?

Page 7: Identity Management Reference Architecture


What is the business scenario that grounds this effort?

Page 8: Identity Management Reference Architecture


Reference Enterprise Architecture Scope Mapped to Deliverables – Assignment Scope

[Figure: enterprise framework grid (Zachman-style) for "The Enterprise". Rows are perspectives with their audiences: Scope (Strategists), Business (Executive Leaders), System (Designers), Technology (Engineers), Component (Technicians), Operations (Workers). Columns are the interrogatives and their focus: What (Inventory), How (Process), Where (Network), Who (Organization), When (Timing), Why (Motivation). Cells are named by focus and level: Identification / Types at the Scope row (e.g. Inventory Identification: Inventory Types); Definition at the Business row (Business Entity / Business Relationship, Business Transform / Business Input, Business Location / Business Connection, Business Role / Business Work, Business Cycle / Business Moment, Business End / Business Means); Representation at the System row (System Entity / System Relationship, System Transform / System Input, System Location / System Connection, System Role / System Work, System Cycle / System Moment, System End / System Means); Specification at the Technology row (Technology Entity / Relationship, Transform / Input, Location / Connection, Role / Work, Cycle / Moment, End / Means); Configuration at the Component row (Component Entity / Relationship, Transform / Input, Location / Connection, Role / Work, Cycle / Moment, End / Means); Instantiation at the Operations row (Operations Entity / Relationship, Transform / Input, Location / Connection, Role / Work, Cycle / Moment, End / Means). Deliverables placed on the grid: Problem Def., Business Concept Graphic, AFM, Guidance, Indicators Inventory, Missions, Dictionary, Event List, BNC, Line of Sight (L of S), Mission Distribution, Map, CDM. Legend: Context, Data, Performance, Network, Process.]

Page 9: Identity Management Reference Architecture


Identity Management Reference Architecture Artifact Inventory

Short Name | Deliverable Name | Description
Problem Def. | Architectural Problem Statement | Complete statement of purpose of the Identity Management Reference Architecture.
Guidance | Guidance Summary | A summary list of relevant directives, regulation, and guidance constraining the implementation of personal identity verification.
Dictionary | Integrated Data Dictionary | An inventory of data types that define the scope of personal identity verification.
Event List | Operational Information Cycles | A composite artifact showing the relationship of [reference] business cycles to the state of information in the Integrated Data Dictionary.
BNC | Business Node Connectivity Model | Scoping artifact showing the information relationships between organizations collaborating on the implementation of Personal Identity Verification.
CDM | Concept Data Model | Conceptual Data Model using Object Relational Modeling conventions to describe the semantic relationships of the primary data entities pertaining to identity management.
AFM | Activity Flow Model | Design artifact using IDEF0 describing an example (model) process implementation of Personal Identity Verification in the adjacent suprasystem of processes necessary to operate this function. Framed by the Federal Enterprise Architecture Service Component Reference Model.
BCG | Business Concept Graphic | Graphic describing multiple functional relationships between processes and business missions related to personal identity verification.
Missions | Related Federal Missions | A list of missions and supporting business functions, framed by the FEA Business Reference Model, that have some role in personal identity verification.
Indicator Inventory | Candidate Performance Measurement Indicators | A list of potential measurement indicators across technical, process, and citizen-service measurement areas relevant to assessing performance of personal identity verification.
Line of Sight | Line of Sight Example | Example artifact demonstrating application of a set of performance measurement indicators across a specific service component relevant to personal identity verification.
Map | Geographic Distribution of Network Types | A global map identifying different types of countries with shared high-level characteristics relevant to the implementation of personal identity verification.
Mission Distribution | Organizational Mission Distribution | Composite artifact integrating Organization (Agency), Network (Geography) and Process (Business Sub-function missions) relevant to assessing scope for personal identity verification.

Legend (artifact categories): Context, Data, Performance, Network, Process.

Page 10: Identity Management Reference Architecture

Appendix A: Artifact Summary

Page 11: Identity Management Reference Architecture


Architecture Problem Statement

Core Problem Statement
•  Define a Reference Architecture that aligns the motivations and objectives of the acquirers and providers of credentialing systems in the US Federal Enterprise (see table below)

Extended Problem Statement
•  Interpret the ‘US Federal Enterprise’ above and shared objective #1 below in terms of the public-private interactions required to fulfill the homeland security mission objectives predicated by credentialing requirements.

# | IT MSP Enterprise Objective | Federal Enterprise Objective | Primary artifacts
1 | What is the total addressable market in the US government for identity management? | Where can identity management be reused across government? | Missions, Line of Sight, Mission Distribution
2 | What are the cross-sell opportunities for a credentialing solution? | What is the integrated suprasystem surrounding a credentialing service required to realize the projected benefits? | Dictionary, Event List, BNC, AFM, BCG, Map
3 | What is the market value proposition for the identity management solution? | What are the citizen-centric benefits and performance measures for identity management investments? (eGovernment) | Indicator Inventory, Line of Sight

[Figure: context diagram. Labeled elements: Federal Policy; Identity Management Reference Architecture; IT MSP Enterprise (IT MSP EA); Market System (Commercial Sector operators, driven primarily by investor priorities); US Federal Enterprise (FEAF); Market Policy (Market Interventions); Operational Policy (Government-wide policy); US Defense Enterprise (DODAF); Critical Sector (Industry EA), with examples Electricity EA, Transportation EA and Defense-Industrial Base EA; Industry-specific Policy (Industry Regulation). Connectors between the elements are labeled A and B.]

Page 12: Identity Management Reference Architecture


Business Concept Graphic

[Figure: Business Concept Graphic. Elements: IDM Reference Architecture; Valid Person; Invalid Person; Credential; Physical Access; Logical Access; Managed Service; Credentialing; Identity; Management. Critical Infrastructure Sectors (from HSPD-7 and NIPP): Information Technology & Communications Sectors, Facilities Sector, Electricity, Transportation, Defense-Industrial Base, Banking & Finance, Nuclear, Oil & Gas, Food. Annotations: Agencies accountable for their own and external critical infrastructure sectors; Agencies accountable for only their own critical IT & facilities; IDM Reference Architecture can be used by Agencies; IDM Reference Architecture can be used by Critical Sectors; Credential Standards Defined by HSPD-12 and FIPS 201.]

Page 13: Identity Management Reference Architecture


Guidance Map

Page 14: Identity Management Reference Architecture


Federal Missions Related to Identity Management

Page 15: Identity Management Reference Architecture


Business Node Connectivity Model

•  Agencies have NOT outsourced IDM in total
•  BI largely outsourced; Credential Mfg. largely outsourced
•  Key “Virtual” Node is often Hiring Managers
•  Collaboration is INTENSE
•  Often Forgotten Nodes: Help Desk; Information & Technology Mgmt; Contractor Sponsors

Page 16: Identity Management Reference Architecture


Activity Flow Model

Page 17: Identity Management Reference Architecture


Operational Event List

Identity Management Operational Events:
•  Identity On/Off Boarding Events
•  Identity Change Events
•  Credential Management Events
•  Infrastructure Management Events

Bullet Proofing the Identity Management Capability
•  Event Handling
•  Event Linkage

Page 18: Identity Management Reference Architecture


Conceptual Data Model

Artifact Summary
•  Provides semantic information relationships for business stakeholder communications
•  Key entities include person, credential, permission, portal, and assets (information, system, and physical)

Artifact Alignment
•  Information entities support the Activity Flow Model
•  Entities defined in the Dictionary

Artifact Use
•  Used to bridge CIO Council Data Sub-committee and Universal Core efforts with logical data models in reference agencies.

Page 19: Identity Management Reference Architecture


Integrated Data Dictionary – Subset Snapshot

Artifact Summary
•  Defines key terms used in architecture, primarily at scoping perspective

Artifact Alignment
•  Dictionary to Business Node Connectivity (BNC): All business nodes (organization) and need lines (data) displayed in the BNC are defined.
•  Dictionary to Activity Flow Model (AFM): All processes, inputs, and outputs displayed in the AFM are defined.
•  Dictionary to Conceptual Data Model (CDM): All semantic data objects displayed in the CDM are defined.
•  Dictionary to the Related Federal Missions: All business reference model topics that are in scope of the assignment are defined.

Artifact Use
•  Should be used to understand terms used within the IDM-RA
•  This artifact seeks alignment with other governmental data definition workgroups, and should be maintained as standard federal information definitions evolve.
•  Architects using this reference architecture to define identity management implementations can use this dictionary as one source of standard definitions for identity-related information.

Artifact | Term | Definition
Activity Flow Model, Conceptual Data Model, BNC Model | Person | A person is a human that has a context within the enterprise which requires access to digital or physical assets.
Conceptual Data Model | Clearance | A label or set of labels about a Person that identifies a level of trust in that Person.
Activity Flow Model, Conceptual Data Model | Position | The job description (e.g. title, manager/staff, organization) describing an expected set of behaviors and corresponding activities and rights for a person.
Conceptual Data Model | Gender | Sex of the person.
Conceptual Data Model | Name | Legal labeling of person based on birth record or other legal assignment.
Conceptual Data Model | Birth | The act of being born or establishing an existence.
Conceptual Data Model | Birthplace | The location where a person is born, usually identified as city and state or geospatial key number.
Conceptual Data Model | Party | A collection of persons or other parties that share a common goal or interest. This would cover collections that are inside or outside the enterprise and that are persistent or temporary.
Activity Flow Model, Conceptual Data Model, BNC Model | Credential | A physical or logical token representing the identity of a person.
Activity Flow Model, Conceptual Data Model, BNC Model | Certificate | A structured set of information uniquely authenticating a person.
Conceptual Data Model | Facility | A physical asset that is a temporarily or permanently immobile physical structure encompassing a physical space which can be occupied by human beings.
Conceptual Data Model | Jurisdiction | The legal context and authority governing activity in a physical space.
Conceptual Data Model | Compound | A collection of one or more facilities with a common perimeter serving some shared purpose.
Conceptual Data Model | Boundary | A physical perimeter bounding a space.
Activity Flow Model, Conceptual Data Model | Control | The physical and logical controls governing human passage across a portal.
Conceptual Data Model | Portal Audit | The survey conducted by a human being assessing the access controls of a portal.
Conceptual Data Model | Portal Audit Findings | The discrete, individual representations of an auditor's survey of the state of a portal's access controls.
Activity Flow Model, Conceptual Data Model | Portal | An access control point where human beings are able to cross a physical or logical boundary.

Page 20: Identity Management Reference Architecture


Distribution of Organization Mission

[Figure: world map. Legend: Country Birth Registration Rate (90% or greater; 70-89%; 50-69%; 30-49%; <30%; No Birth Registration System).]

Page 21: Identity Management Reference Architecture


Distribution of Network Types

[Figure: world map. Legend: Country Birth Registration Rate (90% or greater; 70-89%; 50-69%; 30-49%; <30%; No Birth Registration System).]

Page 22: Identity Management Reference Architecture


Candidate Performance Measurement Indicators

Page 23: Identity Management Reference Architecture


Line of Sight Example

Page 24: Identity Management Reference Architecture


Next Steps & Key Observations

Next Steps
•  Find a way to ensure Managed Service Providers (MSPs) are aligned to this reference model
•  The National Infrastructure Protection Plan (NIPP) is managed through a collection of committees. This committee structure, with the Critical Infrastructure Partnership Advisory Council (CIPAC) at its apex, could be adapted to form the governance for cross-industry alignment
•  This reference architecture could be extended to include a reference transition plan for an implementing agency. This might describe means by which agencies would prioritize and group identity management improvements.

Key Observations
•  Identity document verification challenges overseas
•  Federal data architecture activities
•  U.S. missions overseas
•  Activity Flow Model responsibility
•  Need to “fill the gap” beyond what the FEA profile provides
•  Relationship between IDM and governmental mission of CIP in commercial enterprises

Page 25: Identity Management Reference Architecture


Implementation Strategy Rollout

Target Architecture
•  The end state for the IDM-RA is the acceptance and standardization of this reference architecture as a baseline upon which implementing agencies draw to establish their enterprise architectures pertaining to identity management.

Socialize with Stakeholders
•  Socialization of this RA with the target client community, specifically the FICC and the leading federal credentialing managed services providers.
•  Identify groups working, including existing groups working on standardization of ‘Person’ data types.

FEA Addendum
•  Extend the FEAF with a new type of reference model exemplified by the IDM-RA.
•  Build upon the current RA primitives with a set of composite RAs relevant to a particular government imperative and common to multiple agencies.

Establish IDM Reference Architecture Community
•  Integrate RA into the CPIC process, maintenance of a website and possibly a wiki and collaboration forums to incorporate best-practice feedback from pervasive agency implementations.
•  This forum and governance would provide the means to measure the performance of the IDM-RA effort and tune the model and the approach to be responsive to community needs and feedback.

Summary
1. Progressive diffusion and adoption of this RA as a baseline input for each agency’s EA artifacts that pertain to IDM. (Referred to as the IDM-RA Transition Strategy.)
2. The “as-is” and “to-be” target architectures of each agency will differ widely, as will their transition plans. Therefore, the second level of implementation strategy is the iterative transition of each agency’s operational architecture (the instantiation of IDM in that agency) in ways that progressively improve the benefits case realization and ability to interoperate with other agencies’ IDM architectures. Each agency is expected to have an “as-is” and “to-be” and will define its own contextual transition strategy relevant to its priorities and goals. This transition is important, and must be governed effectively government-wide to realize the overall objectives of IDM.

[Figure: rollout timeline with three phases (Phase 1, Phase 2, Phase 3) covering Stakeholder Socialization, Reference Architecture Community, and FEA Addendum.]

Page 26: Identity Management Reference Architecture


Implementation Strategy Assurance

Governance
•  Governance of the Federal Enterprise-Wide Identity Management Capability
•  Governance of the Agency Identity Management Capability
•  Governance of the Identity Management Reference Architecture

Maintenance
•  Should evolve as the many different agencies incorporate it within their specific EA.
•  Changes should be captured and documented, justified on the basis of costs, benefits, and risks.
•  Changes should be processed through established change control processes and board authority.
•  The change documentation should characterize the problem, solution, and alternatives chosen and rejected in light of established priorities.

Communications
•  Create materials describing the scope of the EA and the value, benefits, and importance of EA and the IDM-RA.
•  One-page briefing or brochure, key concept map, Frequently-Asked Questions (FAQ) document, and PowerPoint presentation.
•  Post on an EA website, SharePoint, Wiki, or other collaboration tool.

Performance Management
•  Performance of an agency in meeting the stated performance indicators
•  Performance of the reference architecture as a tool to meet the end goal

Capital Planning Integration
•  Each agency implementing the IDM model designs its own CPIC process for structuring budget formulation and execution to ensure that investments consistently support strategic goals.
•  All IT projects should align with the agency mission and support business needs. The target architecture and the sequencing plan provide information for the three phases of the CPIC process.

Compliance
•  Compliance will be implemented according to the Federal CIO Council’s EA Alignment and Assessment guide (AAG).
•  Business Performance and Technical Standards will be evaluated

Page 27: Identity Management Reference Architecture

Recommendations and Lessons Learned

Page 28: Identity Management Reference Architecture


Lessons Learned & Recommendations

•  Choose a Good Topic
   – Domain Expertise
   – Choose a REAL Challenge
   – Get Interests Aligned

•  Handle the Practicum Like a Project
   – Nail the Statement of Work, BCG, and Problem Definition
   – Communication, Collaboration, and Workload Sharing
   – Gold in the professor feedback

•  Leverage Homework Assignments
   – Really understand your assignment scope
   – Really understand your assignment schedule
   – Really confirm your understanding of EA

•  Leverage your Team
   – 80% of what you learn will be cemented by your team collaboration

Page 29: Identity Management Reference Architecture


Reference Enterprise Architecture Scope Mapped to Deliverables – Assignment Scope

[Figure: the same enterprise framework grid as on page 8 (Scope / Business / System / Technology / Component / Operations rows for Strategists, Executive Leaders, Designers, Engineers, Technicians and Workers, by What / How / Where / Who / When / Why columns for Inventory, Process, Network, Organization, Timing and Motivation), here with the deliverables labeled by their Appendix B section numbers, 5.1 through 5.12. Legend: Context, Data, Performance, Network, Process.]

Page 30: Identity Management Reference Architecture

Appendix B: Supporting Detail

Page 31: Identity Management Reference Architecture


5.2 Guidance Summary

# | Document Title | Notes | Level
6.1 | Homeland Security Presidential Directive-12 | Designed to increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees). http://csrc.nist.gov/drivers/documents/Presidential-Directive-Hspd-12.html | Strategic Directive Level
6.2 | Federal Information Processing Standard (FIPS) 201: “Personal Identity Verification of Federal Employees and Contractors” | This standard specifies the architecture and technical requirements for a common identification standard for Federal employees and contractors. It was developed to satisfy the requirements of HSPD-12, approved by the Secretary of Commerce, and issued on February 25, 2005. | Strategic Directive Level
| Pub. L. 107-347, E-Government Act of 2002 | To enhance the management and promotion of electronic Government services and processes by establishing a Federal Chief Information Officer within the Office of Management and Budget, and by establishing a broad framework of measures that require using Internet-based information technology to enhance citizen access to Government information and services, and for other purposes. | Law Executive/Legislative Level
| Pub. L. 107-347, E-Government Act of 2002, Title III, Federal Information Security Management Act (FISMA) of 2002 | Enacted to streamline—while at the same time strengthening—the requirements of its predecessor, the Government Information Security Reform Act (GISRA). FISMA compliance is a matter of national security, and therefore is scrutinized at the highest level of government. Yet FISMA compliance presents significant challenges for federal agencies, and for any organization that deals with federal information. | Law Executive/Legislative Level
| Pub. L. 101-576, The Chief Financial Officers (CFO) Act of 1990 | Intended to improve the government's financial management, outlining standards of financial performance and disclosure. Among other measures, the Office of Management and Budget (OMB) was given greater authority over federal financial management. | Law Executive/Legislative Level

Page 32: Identity Management Reference Architecture


5.2 Guidance Summary (cont’d)

# | Document Title | Notes | Level
| President's Management Agenda of 2002 | An aggressive strategy for improving the management of the Federal government. It focuses on five areas of management weakness across the government where improvements and the most progress can be made. | Strategic Directive Level
| Government Performance and Results Act of 1993 | Seeks to shift the focus of government decision-making and accountability away from a preoccupation with the activities that are undertaken - such as grants dispensed or inspections made - to a focus on the results of those activities, such as real gains in employability, safety, responsiveness, or program quality. Under the Act, agencies are to develop multiyear strategic plans, annual performance plans, and annual performance reports. | Law Executive/Legislative Level
| 44 U.S.C. 3501, et seq., Paperwork Reduction Act of 1995, Pub. L. 104-13, as amended | Minimize the paperwork burden for individuals, small businesses, educational and nonprofit institutions, Federal contractors, State, local and tribal governments, and other persons resulting from the collection of information by or for the Federal Government. | Law Executive/Legislative Level
| 40 U.S.C. 1401, et seq., Chapter 808 of Pub. L 104-208, the Clinger-Cohen Act of 1996 [renaming, in pertinent part, the Information Technology Management Reform Act (ITMRA), Division E of Pub. L 104-106] | Provides that the government information technology shop be operated exactly as an efficient and profitable business would be operated. Acquisition, planning and management of technology must be treated as a "capital investment." While the law is complex, all consumers of hardware and software in the Department should be aware of the Chief Information Officer's leadership in implementing this statute. | Law Executive/Legislative Level
| OMB Circular No. A-123, Management Accountability and Control, dated June 21, 1995 | Requires Federal employees to design management structures that help ensure accountability for results, and include appropriate, cost-effective controls, and provides guidance to Federal managers on improving the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on management controls. | Strategic Directive Level

Page 33: Identity Management Reference Architecture


5.2 Guidance Summary (cont’d) # Document Title Notes

OMB Circular No. A-130, Appendix III Management of Federal Information Resources dated November 28, 2000.

This Circular establishes policy for the management of Federal information resources. OMB includes procedural and analytic guidelines for implementing specific aspects of these policies as appendices.

Strategic Directive Level

M04-04 Presidential memorandum: E-Authentication Guidance for Federal Agencies

Requires agencies to review new and existing electronic transactions to ensure that authentication processes provide the appropriate level of assurance. It establishes and describes four levels of identity assurance for electronic transactions requiring authentication. Assurance levels also provide a basis for assessing Credential Service Providers (CSPs) on behalf of Federal agencies. This document will assist agencies in determining their e-government authentication needs. Agency business-process owners bear the primary responsibility to identify assurance levels and strategies for providing them. This responsibility extends to electronic authentication systems. http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf

Homeland Security Presidential Directive-7

This directive establishes a national policy for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attacks.

Strategic Directive Level

National Infrastructure Protection Plan

The National Infrastructure Protection Plan (NIPP) and supporting Sector-Specific Plans (SSPs) provide a coordinated approach to critical infrastructure and key resources (CI/KR) protection roles and responsibilities for federal, state, local, tribal, and private sector security partners. The NIPP sets national priorities, goals, and requirements for the effective distribution of funding and resources, which will help ensure that our government, economy, and public services continue in the event of a terrorist attack or other disaster.

Strategic Directive Level

Page 34: Identity Management Reference Architecture


Appendix X: Arguments

Clarifications, assumptions, and defense of artifacts

Identity Management Architecture Team Greg Black, James Ryan, Paul Kavitz

Page 35: Identity Management Reference Architecture


5.5 Business Node Connectivity Diagram

[Diagram; only the source annotations survive: "From Slide 19, Overview of Architecture Views"; "From Slide 9, Overview of Architecture Views"; "From Slide 20, FEAF Architecture Products".]

Page 36: Identity Management Reference Architecture


Reference Enterprise Architecture Scope Mapped to Deliverables – Utility of FEA RMs

[Figure: Zachman Framework grid for THE ENTERPRISE. Rows (perspectives): Scope (Strategists), Business (Executive Leaders), System (Designers), Technology (Engineers), Component (Technicians), Operations (Workers). Columns (interrogatives / focus areas): What (Inventory), How (Process), Where (Network), Who (Organization), When (Timing), Why (Motivation). Each cell is named by its row and column, e.g. Inventory Identification (Inventory Types) in the Scope row; Business Entity / Business Relationship and Business Transform / Business Input in the Business row; System Transform / System Input in the System row; Technology Entity / Technology Relationship in the Technology row; Component Entity / Component Relationship in the Component row; Operations End / Operations Means in the Operations row. Deliverables 5.1 through 5.12 are placed in the cells they describe, alongside the FEA reference model labels BRM, SRM and PRM and the artifact categories Context, Data, Performance, Network and Process.]

Page 37: Identity Management Reference Architecture


Sector-Specific Agencies and HSPD-7 Assigned CI/KR Sectors

Critical Infrastructure Sector | Sector-Specific Agency
Energy (oil, gas, and electric power, not nuclear) | Department of Energy
Public Health and Healthcare | Department of Health and Human Services
National Monuments and Icons | Department of the Interior
Banking and Finance | Department of the Treasury
Chemical | Department of Homeland Security
Commercial Facilities | Department of Homeland Security
Dams, Locks, and Levees | Department of Homeland Security
Emergency Services | Department of Homeland Security
Commercial Nuclear Reactors, Materials, and Waste | Department of Homeland Security
Information Technology | Department of Homeland Security
Telecommunications | Department of Homeland Security
Postal and Shipping | Department of Homeland Security
Transportation Systems | Department of Homeland Security
Defense Industrial Base | Department of Defense
Agriculture & Food | Department of Agriculture (meat, poultry, and egg foods); Food and Drug Administration (other foods)
Drinking Water and Water Treatment Systems | Environmental Protection Agency
Government Facilities | Department of Homeland Security

Page 38: Identity Management Reference Architecture


Government/Market framework for Identity Management Reference Architecture

[Figure: the Identity Management Reference Architecture positioned against three enterprise frameworks: the IT MSP Enterprise (IT MSP EA), the US Federal Enterprise (FEAF), and the US Defense Enterprise (DODAF).]

Page 39: Identity Management Reference Architecture


Market System framework for Identity Management Reference Architecture

[Figure: the Identity Management Reference Architecture placed within the Market System (Commercial Sector operators, driven primarily by investor priorities). Enterprise architectures shown: IT MSP Enterprise (IT MSP EA); Critical Sector (Industry EA), e.g. Electricity EA, Transportation EA, and Defense-Industrial Base EA; US Federal Enterprise (FEAF); US Defense Enterprise (DODAF). Policy layers shown: Federal Policy; Market Policy (Market Interventions); EA Policy (Government-wide policy); Industry-specific Policy (Industry Regulation). Relationships are labelled A and B in the diagram.]

Page 40: Identity Management Reference Architecture


Identity Management Reference Architecture Statement of Work

Identity Management Architecture Team Greg Black, James Ryan, Paul Kavitz

Page 41: Identity Management Reference Architecture


1. Introduction

•  This project defines a reference enterprise architecture for the personal identity verification (PIV) managed service and its surrounding identity management suprasystem as guided by Homeland Security Presidential Directive 12 (HSPD-12) and Federal Information Processing Standard (FIPS) 201.

2. Background

•  Homeland Security Presidential Directive-12 (HSPD-12) mandates implementation of personal identity verification smart card credentials for all employees and contractors of the US Federal government.

•  The GSA Schedule for HSPD-12 has identified a number of managed service providers qualified to deliver credentialing services to agencies required to comply with the directive.

•  Beyond the narrow implementation of this directive, a credentialing service must be integrated within the larger Enterprise Architecture of each agency across the Federal Government and their facilities distributed across the world.

•  Furthermore, many Federal missions require the ability for government to assure the identity of various public communities, including alien visitors and immigrants, operators of critical infrastructures (e.g. transportation), etc. These all have other means to credential individuals that are regulated by various other, non-integrated standards.

•  With multiple identity management implementations already underway, GSA seeks an enterprise architecture as a decision support tool to inform the governance of the identity management implementations across government. The intent is to promote realization of the anticipated security benefits these credentials afford and to minimize the variety of implementations.

Page 42: Identity Management Reference Architecture


3. Scope

•  This project will define an enterprise reference architecture that places the HSPD-12 personal identity verification (PIV) credential managed service in the context of the broader Federal Enterprise Architecture.

– As such, it intends to identify opportunities for GSA, each implementing agency, and the managed service providers

– to identify reuse opportunities, improve integration, and realize business benefits of common personal identity verification (PIV) services across all of government.

•  Bounds and magnitudes

– The Personal Identity Verification Enterprise Reference Architecture (PIV-ERA) shall define multiple architectural perspectives limited to descriptive representations of the PIV function and its immediately adjacent systems (the proximate suprasystem). At the business and system level, the PIV-ERA shall be a reference model only, and as such shall be neutral with regard to any particular agency; however, it will be specific to the US Federal Government.

– The Zachman Enterprise Architecture Framework v2.01 (Ref. 6.4) serves to further clarify the boundary for this SOW (see Fig. 3.1), as follows:

•  Scoping identification (Zachman Row 1) for Personal Identity Verification shall be developed for all focus areas (Inventory, Process, Network, Organization, and Motivation).

•  Business conceptual definitions (Zachman Row 2) for Personal Identity Verification shall be developed for the Inventory, Process, and Motivation focus areas. (Cells 2,1; 2,2; and 2,6).

•  A reference System Process Representation (Zachman Cell 3,2) shall be developed for Personal Identity Verification

– Estimated total effort for development of the PIV-ERA is approximately a three-person effort over 8 weeks, for a total of about 300 person-hours.

Page 43: Identity Management Reference Architecture


Fig. 3.1 Identity Management Scope Enterprise View

[Figure 3.1: the Zachman Framework grid for THE ENTERPRISE, with rows Scope, Business, System, Technology, Component and Operations (perspectives of Strategists, Executive Leaders, Designers, Engineers, Technicians and Workers) and columns What, How, Where, Who, When and Why (focus areas Inventory, Process, Network, Organization, Timing and Motivation); cells are named by row and column, from Inventory Identification (Inventory Types) through Business Entity / Business Relationship and System Transform / System Input down to Operations End / Operations Means. The figure marks the PIV-ERA boundary described in Section 3: all of Row 1, Cells 2,1, 2,2 and 2,6 of Row 2, and Cell 3,2.]

Page 44: Identity Management Reference Architecture


4. Deliverable Schedule & Dependencies

[Figure: dependency chart. Input Documents 6.1, 6.2, 6.3 and 6.4 feed Tasks 1 through 5, which produce deliverables 5.1 through 5.12; the chart groups 5.1 through 5.8 with Tasks 1, 2 and 3, 5.9 and 5.10 with Task 4, and 5.11 and 5.12 with Task 5. Deliverables are categorized as Context Artifacts, Data Artifacts, Process Artifacts, Performance Artifacts and Network Artifacts. Milestones: Task Award, SOW, Task 1 Signoff, Task 2,3 Signoff, Task 4,5 Signoff, Final Presentation, Grades Awarded.]