C2 Security Experiment (presentation transcript)
1
Federal IT Summit, October 28, 2009
Breakout Session 5: Identity and Access Management
Moderator: Paul Christy, SBA
Panelists: Paul Grant, DoD; Owen Unangst, USDA; Vance Hitch, USDoJ
2
Federal IT Summit, October 28, 2009
Identity, Credential, and Access Management in and with the Federal Government
  • Paul D. Grant
  • Special Assistant, Federated IDM and External Partnering
  • Office of the CIO, DoD
  • Paul.Grant@OSD.Mil

http://www.IdManagement.Gov
3
What is ICAM?
  • ICAM represents the intersection of digital
    identities, credentials, and access control into
    one comprehensive approach.
  • Key ICAM Service Areas include:
  • Digital Identity
  • Credentialing
  • Privilege Management
  • Authentication
  • Authorization & Access
  • Cryptography
  • Auditing and Reporting

4
President's Budget for FY 2010, extract from
Section 9: LEVERAGING THE POWER OF TECHNOLOGY
TO TRANSFORM THE FEDERAL GOVERNMENT
  • To support this effort, the Federal Identity,
    Credential, and Access Management (ICAM) segment
    architecture provides Federal agencies with a
    consistent approach for managing the vetting and
    credentialing of individuals requiring access to
    Federal information systems and facilities.
  • The ICAM segment architecture will serve as an
    important tool for providing awareness to
    external mission partners and drive the
    development and implementation of interoperable
    solutions.

5
ICAM Scope
Covers persons and non-persons, logical access and physical access.
  • Alignment of Federal ICAM with:
  • CNSS Identity and Access Management (National
    Security Systems)
  • Interagency Security Committee (Physical Access
    Control)
  • Awareness to External Mission Partners for
    interoperable solutions

6
FICAM Development Process
  • The development process involves coordination and
    collaboration with Federal Agencies, industry
    partners, and cross-government groups.
  • The Roadmap team has produced the key outputs of
    the FSAM needed for an ICAM segment architecture,
    and has coordinated these groups to develop
    workable approaches to enable cross-government
    solutions.
  • Committee on National Security Systems (CNSS)
  • Interagency Security Committee (ISC)
  • Information Sharing Environment (ISE)
  • White House National Science and Technology
    Council (NSTC)
  • Office of Management and Budget (OMB)
  • National Institute of Standards and Technology
    (NIST)
  • Office of the National Coordinator (ONC) for
    Health IT
  • Multiple agencies represented within the CIO
    Council subcommittees and working groups

7
Summary Conclusions
  • Strong Identity and Access Management are
    foundational to secure information sharing,
    collaboration and cybersecurity
  • Shared guidance is improving; much room for more
    improvement
  • Clear, Concise, Consistent, Credible: for
    ourselves and our mission partners
  • Federal Identity, Credential, and Access
    Management (ICAM) is providing this consistent
    approach (with your help)
  • Mission partners are fielding strong identity
    credentials as well as creating federations for
    sharing and collaboration
  • Progress depends on public-private partnering,
    domestically and internationally

8
Backup Slides
9
Enabling Policy and Guidance
The E-Gov Act of 2002
The Government Paperwork Elimination Act of 1998
Federal Bridge Model Policy
The Implementing Guidance: OMB M-00-10, April 25, 2000
The Implementing Guidance: OMB M-04-04, December 16, 2003
Federal PKI Common Policy Framework
The Mandate: HSPD-12, August 27, 2004
The Technical Spec: SP 800-63, June 2004
The Standard: FIPS-201, February 25, 2005
The Implementing Guidance: OMB M-05-05, December 20, 2004
The Implementing Guidance: OMB M-05-24, August 5, 2005
10
Identity Assurance Levels (IAL)
OMB M-04-04, E-Authentication Guidance for Federal
Agencies, establishes 4 authentication assurance levels.
11
FICAM Roadmap Implementation Guidance Overview
  • Overview of Identity, Credential, and Access
    Management. Provides an overview of ICAM that
    includes a discussion of the business and
    regulatory reasons for agencies to implement ICAM
    initiatives within their organization.
  • ICAM Segment Architecture. Standards-based
    architecture that outlines a cohesive target
    state to ensure alignment, clarity, and
    interoperability across agency initiatives.
  • ICAM Use Cases. Illustrate the as-is and target
    states of high level ICAM functions and frame a
    gap analysis between the as-is and target states.
  • Transition Roadmap and Milestones. Defines a
    series of logical steps or phases that enable the
    implementation of the target architecture.
  • ICAM Implementation Planning. Augments standard
    life cycle methodologies as they relate to
    specific planning considerations common across
    ICAM programs.
  • Implementation Guidance. Provides guidance to
    agencies on how to implement the transition
    roadmap initiatives identified in the segment
    architecture, including best practices and
    lessons learned.

PART A: ICAM Segment Architecture (Phase 1 of the effort)
PART B: Implementation Guidance (Phase 2 of the effort)
12
ICAM Overview (from ICAM Segment Architecture)
13
Services Framework Categorization Scheme
  • Service Type
  • Provides a layer of categorization that defines
    the context of a specific set of service
    components
  • Service Component
  • A self contained business process or service with
    predetermined and well-defined functionality that
    may be exposed through a well-defined and
    documented business or technology interface

[Figure: one Service Type grouping several Service Components]
14
Services Framework
15
ICAM Subcommittee Accomplishments Summary for FY 2009
  • Issued Personal Identity Verification
    Interoperability (PIV-I) for non-Federal Issuers
    in May, 2009 providing guidance on achieving
    identity credentials that are consistent with the
    PIV Credential and trustable by the Federal
    community.
  • Initiated work on the ICAM Segment Architecture
    as Part One of the ICAM Roadmap and
    Implementation Guidance mandated in the
    President's FY-10 Budget. Produced and
    coordinated multiple drafts. Final release is
    imminent.
  • Published Federal profiles for the implementation
    of open identity solutions for interaction with
    the American Public. Current profiles include
    OpenID and InfoCard for transactions at identity
    assurance level one.
  • Worked with Federal PKI Shared Service Providers
    to extend strong identity credentialing to the
    external community in support of PIV
    Interoperability. Published Trusted Framework
    Providers Adoption Process.
  • Conducted ICAMSC leadership outreach to other
    identity initiatives in the Federal community, in
    order to foster a Clear, Concise, Consistent and
    Credible message for ourselves and our external
    partners, and further socialized this message
    with state governments and industry through
    participation in multiple conferences and
    meetings.
  • Developed ICAM Work Plan for 2010

16
Owen Unangst, Director of Innovation, US Department of Agriculture
17
USDA's ICAM Model: Implementing Policies, Procedures & Technologies
[Architecture diagram] Components shown: EEMS; Auditing and Reporting; Workflow Engine; EmpowHR; eAuthentication; Monitoring; EEMS Administration; NEIS; EmpowHR Person Model; Enterprise Directory; Enterprise SSO; Provisioning System; Stand-Alone Servers; PayPers; Mainframe; AS/400; Enterprise Business Apps; ePACS; HSPD-12; Active Directories; VPN/NAC.
Legend: Available Now (Phase 1); In Progress (Phase 1a); FY 10 Deliverables (Phase 2).
18
Example Utilization: Single Sign-On
Desktops, Laptops, VPNs, eAuthentication, Whole Disk Encryption, Encrypted Thumb Drives
19
Example Utilization: Physical Access Controls
For ultimately 220 MCFs; national infrastructure in place; almost 100 facilities already connected.
Authentication controlled nationally; authorization controlled locally.
20
Example Utilization: Role Based Access Control
Manual process: over 200 persons to manage roles; 73 to handle audit issues.
New process: If Loan Officer is True, then do not add role Loan Approver.
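The separation-of-duties rule on this slide, generalized to a table of mutually exclusive role pairs that is enforced in both directions at provisioning time, plus a sweep for toxic combinations that were granted before the rule existed (the audit backlog the slide mentions). This is an added illustration, not USDA's provisioning code; the role names Loan Officer / Loan Approver come from the slide, while the second role pair, the user records and the audit-line format are constructed for the example.

```python
"""Separation-of-duties (SoD) enforcement at role-assignment time.

Added example; not USDA's code. Role pair "Loan Officer"/"Loan Approver"
is from the slide; everything else here is constructed.
"""
from dataclasses import dataclass, field

# Mutually exclusive role pairs. Stored as unordered frozensets so the rule
# holds in both directions: an approver cannot pick up the officer role either.
TOXIC_PAIRS = {
    frozenset({"Loan Officer", "Loan Approver"}),
    frozenset({"Payment Requester", "Payment Approver"}),  # constructed pair
}


@dataclass
class User:
    name: str
    roles: set[str] = field(default_factory=set)


class SodViolation(Exception):
    """Raised instead of silently creating a toxic role combination."""


def conflicting_roles(held: set[str], candidate: str) -> set[str]:
    """Return the roles in `held` that may not coexist with `candidate`."""
    return {r for r in held if frozenset({r, candidate}) in TOXIC_PAIRS}


def add_role(user: User, role: str, audit: list[str]) -> bool:
    """Grant `role` unless it violates SoD; every decision is appended to `audit`.

    Returns True if the role was added, False if it was already held.
    """
    if role in user.roles:
        audit.append(f"NOOP user={user.name} role={role!r} already held")
        return False
    clash = conflicting_roles(user.roles, role)
    if clash:
        audit.append(f"DENY user={user.name} role={role!r} "
                     f"conflicts_with={sorted(clash)}")
        raise SodViolation(f"{user.name}: {role} conflicts with {sorted(clash)}")
    user.roles.add(role)
    audit.append(f"GRANT user={user.name} role={role!r}")
    return True


def audit_existing(users: list[User]) -> list[tuple[str, frozenset[str]]]:
    """Find toxic combinations already present.

    add_role() prevents new violations; this sweep catches accounts that were
    provisioned by the old manual process before the rule was enforced.
    """
    findings = []
    for u in users:
        for pair in TOXIC_PAIRS:
            if pair <= u.roles:
                findings.append((u.name, pair))
    return findings


if __name__ == "__main__":
    log: list[str] = []
    alice = User("alice", {"Loan Officer"})          # constructed user
    try:
        add_role(alice, "Loan Approver", log)
    except SodViolation as e:
        print("blocked:", e)
    add_role(alice, "Branch Reporter", log)          # unrelated role is fine
    legacy = User("bob", {"Loan Officer", "Loan Approver"})  # manual-era leftover
    print(audit_existing([alice, legacy]))
    print("\n".join(log))
```

The check runs on the candidate role against everything the account already holds, so adding a rule to TOXIC_PAIRS is enough to cover a new conflict; the sweep is what turns the "73 to handle audit issues" backlog into a list that can be worked down.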
21
Example Utilization: Network Admission Control
[Diagram] Elements shown: Remote Access, VPN, User Roles, Health Check Pass, Local Access, IDS, Network Access Controller, ASOC Auditing and Reporting.
22
Example Utilization: Digital Signatures at USDA
  • Scope
  • Adobe Acrobat files and forms, versions 8 and 9
  • Microsoft Office (Word, Excel, PowerPoint),
    versions 2003 and 2007
  • Microsoft Outlook, versions 2003 and 2007
  • Business Transactions

23
Vance Hitch, Chief Information Officer, US Department of Justice
24
Today's Law Enforcement Environment
  • Today's World
  • Law Enforcement Agencies rely on their numerous
    systems to provide critical information to
    officers
  • Some systems are internal to an agency, but many
    more are parts of a national network
  • Internal Records Management systems
  • Regional Information Sharing Networks (LINKs,
    ARGIS, etc.)
  • National Systems
  • CJIS
  • NCIC
  • N-DEx
  • IAFIS (NGI)
  • NICS
  • The end goal is to provide the Right Information
    to the Right Person, at the Right Time
  • The end result is to provide officers and analysts
    with critical information that keeps them and the
    American Public safe and secure.

25
How are we accomplishing this mission?
  • We have developed a trusted relationship with
    limited access points for information sharing
  • We communicate over trusted networks like
  • CJIS WAN
  • LEO
  • RISS
  • HISN
  • Established through policies and procedures
    developed by participants and governing boards
    such as the FBI's APB
  • Supported through the use of MOUs signed by all
    participants that dictate how and what we will
    share

26
Problem
  • Today's world requires users to have passwords
    for every system they access.
  • Each system must validate and manage access to
    its own resources
  • There is a need to have individuals' identities
    validated, managed and vouched for by trusted
    organizations in a secure way, so that other
    entities do not have to redo it

27
Examples of Ongoing Federated Identity Management
Initiatives
  • Global Federated Identity Privilege Management
    (GFIPM)
  • CJIS Federated Identity Management Services
    (FIMS)
  • DOJ's Trusted Broker pilot
  • The DOJ currently provides a trusted broker
    pilot that helps organizations connect
    Identity Providers to Service Providers more
    simply and inexpensively
  • These initiatives are complementary, not
    competitive, and are interoperable today

28
DOJ's Trusted Broker Pilot
  • Currently deployed to 4,400 users at
    DOJ, Chicago PD, RISS, LEO
  • Service Providers:
  • JABs
  • HISIN-Intel
  • LEO-Intelink
  • RISS-Intelink
  • Criminal Information Sharing Alliance Network
    (Southwest Border)
  • RISSNET Portal
  • myFX secure internet file sharing offered by
    DOJ
  • New Service Providers in process:
  • N-DEx, Tripwire, Bomb Arson Tracking System
    (BATS, ATF), NGIC

29
Trusted Broker Operation
30
Federated Identity Management Using a Trusted
Broker Solution
  • Benefits
  • More information available to more users
  • Single sign-on (enhanced user experience)
  • Comprehensive audit capability
  • Improved alliances across government entities
  • Streamlined vetting (cost avoidance/reduction)
  • Improved interoperability
  • Improved security
  • Vetting is done closer to user
  • More secure authentication mechanisms
  • Dynamic de-provisioning

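The broker pattern from the three slides above (the "Problem" slide, the pilot description and the benefits list), as an added example: one broker holds the trust relationships, each Identity Provider vouches for its own users, and each Service Provider trusts only the broker. It is not DOJ's pilot code, and the page does not describe the pilot's wire protocol. Assumptions made here: assertions are JSON dictionaries, "signatures" are HMAC-SHA256 over a canonical encoding with one key per party (a stand-in for the PKI-signed SAML a real broker would use), and the party names, keys and user are constructed. The demo covers the benefits the slide lists: single sign-on through the broker, an audit record per decision, and dynamic de-provisioning cutting access without touching the Service Provider.

```python
"""Trusted-broker federation, simplified.  Added example, not DOJ's pilot code.
HMAC-SHA256 with per-party keys stands in for PKI-signed SAML assertions.
"""
import hashlib
import hmac
import json


def _canon(payload: dict) -> bytes:
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, payload: dict) -> dict:
    return {"payload": payload,
            "sig": hmac.new(key, _canon(payload), hashlib.sha256).hexdigest()}


def verify(key: bytes, token: dict) -> bool:
    expected = hmac.new(key, _canon(token["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["sig"])


class IdentityProvider:
    """Vets its own users locally and asserts who they are to the broker."""
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def assert_user(self, subject: str, roles: set, now: int, ttl: int = 300) -> dict:
        return sign(self.key, {"iss": self.name, "sub": subject, "roles": sorted(roles),
                               "aud": "broker", "exp": now + ttl})


class TrustedBroker:
    """The single trust anchor: SPs trust the broker, the broker trusts registered IdPs."""
    def __init__(self, key: bytes):
        self.key = key
        self.idp_keys: dict = {}        # issuer name -> verification key
        self.sps: set = set()           # registered service providers
        self.revoked: set = set()       # (issuer, subject) pairs de-provisioned
        self.audit: list = []           # one record per decision

    def register_idp(self, name: str, key: bytes): self.idp_keys[name] = key
    def register_sp(self, name: str): self.sps.add(name)
    def deprovision(self, idp: str, subject: str): self.revoked.add((idp, subject))

    def exchange(self, idp_token: dict, target_sp: str, now: int) -> dict:
        """Validate an IdP assertion and re-issue it for exactly one SP, or raise."""
        p = idp_token["payload"]

        def deny(reason: str):
            self.audit.append({"t": now, "result": "deny", "reason": reason,
                               "iss": p.get("iss"), "sub": p.get("sub"), "sp": target_sp})
            raise PermissionError(reason)

        key = self.idp_keys.get(p.get("iss"))
        if key is None:
            deny("unknown issuer")
        if not verify(key, idp_token):
            deny("bad issuer signature")          # also catches tampered payloads
        if p.get("aud") != "broker":
            deny("assertion not addressed to broker")
        if p.get("exp", 0) <= now:
            deny("assertion expired")
        if target_sp not in self.sps:
            deny("unknown service provider")
        if (p["iss"], p["sub"]) in self.revoked:
            deny("subject de-provisioned")
        self.audit.append({"t": now, "result": "allow", "iss": p["iss"],
                           "sub": p["sub"], "sp": target_sp})
        return sign(self.key, {"iss": "broker", "via": p["iss"], "sub": p["sub"],
                               "roles": p["roles"], "aud": target_sp, "exp": p["exp"]})


class ServiceProvider:
    """Holds one verification key (the broker's) and never any IdP key."""
    def __init__(self, name: str, broker_key: bytes):
        self.name, self.broker_key = name, broker_key

    def accept(self, token: dict, now: int) -> bool:
        p = token["payload"]
        return (verify(self.broker_key, token) and p.get("iss") == "broker"
                and p.get("aud") == self.name and p.get("exp", 0) > now)


def demo(now: int = 1_000_000) -> dict:
    """One login via the broker, then a de-provisioning that cuts access."""
    broker = TrustedBroker(b"broker-key")                       # constructed keys
    chicago = IdentityProvider("ChicagoPD", b"cpd-key")
    broker.register_idp(chicago.name, chicago.key)
    broker.register_sp("RISSNET-Portal")
    portal = ServiceProvider("RISSNET-Portal", broker.key)

    tok = chicago.assert_user("officer17", {"analyst"}, now)    # constructed user
    granted = portal.accept(broker.exchange(tok, "RISSNET-Portal", now), now)
    direct = portal.accept(tok, now)      # raw IdP assertion: SP does not trust that key
    broker.deprovision("ChicagoPD", "officer17")
    try:
        broker.exchange(chicago.assert_user("officer17", {"analyst"}, now + 1),
                        "RISSNET-Portal", now + 1)
        after = True
    except PermissionError:
        after = False
    return {"granted": granted, "direct": direct, "after_deprovision": after,
            "audit": [a["result"] for a in broker.audit]}


if __name__ == "__main__":
    print(demo())
```

The point of the layout is in what each party holds: an SP configures one key and one issuer name, so adding the fourth or fortieth IdP changes nothing on the SP side, and revoking a user at the broker takes effect on the next exchange even though no SP was notified. Per-exchange audit records are the "comprehensive audit capability" from the slide; a production broker would also track assertion IDs to reject replays, which this simplification omits.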
31
Questions?
http://www.cio.gov/committees/InformationSecurity.cfm