Identity Management in the Federal Government Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority
Agenda
• What the Feds are up to in IdM
• Policy and Technical Foundations of Federal IdM
• Requirements for FedFed Membership at Levels 1 & 2
• Requirements for FedFed Membership at Levels 3 & 4
• Interfederation
• What This Means To You
• What You Ought To Be Doing About It
Tempe CAMP 2006
What the Feds are up to in IdM
• Internally – issuing digital certificates on PIV cards to all Feds and inside-the-firewall contractors; requires serious identity vetting and proofing (FIPS 201) and PKI on next-generation smart cards (NIST SP 800-7x)
• Externally – forming a federation composed of government agency online applications and agency and private-sector credential service providers
• Building interfederation relationships with sector partners
Policy and Technical Foundations of Federal IdM
Policy:
• OMB M-04-04
• Common Policy Framework
• eAuthentication PMO Mission Statement
• FBCA CP
• FPKI Crits & Methods
• FPKI Charter & Bylaws
• EAI Business and Operating Rules
• HSPD-12
Technical:
• FIPS 199
• FIPS 201
• NIST SP 800-53, 63, 67
• NIST SP 800-7x
Requirements for FedFed Membership at Levels 1 & 2 (Assertion-Based Authentication Technologies)
• Credential Assessment
• Signing the Business and Operating Rules
• Technical interoperability at SAML 1.0
Requirements for FedFed Membership at Levels 3 & 4 (Crypto-Based Authentication Technologies)
• Cross-certification with the Federal PKI
• Cross-certification with the Federal PKI
• Cross-certification with the Federal PKI
Interfederation
• Federal PKI currently cross-certifying the CertiPath (aerospace industry) bridge for PKI interfederation interoperability at E-Authentication Levels 3 & 4
• InCommon currently developing a proposal to EAI for assertion-based interfederation interoperability at E-Authentication Level 1
Credential Services Requirements to Play with the Feds Either Way
• Policy – policy documents that control issuance, management and revocation of identity credentials at a defined LOA
• Procedures – that implement the policy
• Technology – that satisfies or exceeds the trustworthiness requirements of the policy
• Evaluation – independent review of operations to ensure compliance
Service Provider Requirements to Join the Federal Federation Directly
• Online services agree to the eAuthentication Business and Operating Rules:
  – Risk analysis
  – Service levels
  – Security levels
  – Compliance with FIPS and NIST SPs
  – Reporting requirements
• CSPs agree to procedural, audit and documentation requirements
What Federal Government IdM Means to You
• Greater security requirements for your IdM services in the future, regardless
• Credentials you issue to your faculty, staff and students may be used to authenticate to online government services; conversely, you may accept government and government-federation-member credentials to authenticate to your online services
• Each Federal Agency is required to field two EAI-enabled online services by October 2006
What You Ought To Be Doing About It
• Invest in your credential services at both assertion and crypto technologies: aim to raise LOA over time
• Affiliate with a sector identity management federation: there is strength in numbers
• Watch the Feds – online apps are coming this year
• Don't invest in obsolete strategies; dropping by the wayside: proprietary identity federation schemes and userID/password credentials
Further Information
• Peter.alterman@nih.gov
• http://csrc.nist.gov
• www.cio.gov/eauthentication
• www.cio.gov/fpkipa
• www.certipath.com
• http://www.cybertrust.com/industries/healthcare_pharma/safe/
[Diagram: E-Authentication and Federal PKI trust architecture. A Credential Service Provider enters by one of two paths depending on whether it is PKI-based. PKI CSPs cross-certify with the Federal Bridge Certification Authority (FBCA) through Federal PKI Policy Authority policy mapping against the Common Policy CA and C4 Policy CA assurance levels (Rudimentary, Basic, Medium, Medium-HW, High), reaching E-Authentication Assurance Levels 3 and 4. Non-PKI CSPs go through E-Governance Credential Assessment evaluation and FBCA technical interoperability testing, reaching Assurance Levels 1 and 2. Both paths end on the Trusted Provider List at Levels 1 through 4.]