1 / 13

Identity Management in the Federal Government

Identity Management in the Federal Government. Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority. Agenda. What the Feds are up to in IdM Policy and Technical Foundations of Federal IdM Requirements for FedFed Membership at Levels 1 & 2

paul
Télécharger la présentation

Identity Management in the Federal Government

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Identity Management in the Federal Government Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority

  2. Agenda • What the Feds are up to in IdM • Policy and Technical Foundations of Federal IdM • Requirements for FedFed Membership at Levels 1 & 2 • Requirements for FedFed Membership at Levels 3 & 4 • Interfederation • What This Means To You • What you ought to be doing about it Tempe CAMP 2006

  3. Internally – issuing digital certificates on PIV cards to all Feds and inside-the-firewall contractors; requires serious ID vetting and proofing (FIPS 201), PKI on nextgen SmartCards (NIST SP 800-7x) Externally – forming a federation composed of government agency online applications and agency and private sector credential services providers Building interfederation relationships with sector partners What the Feds are up to in IdM Tempe CAMP 2006

  4. Policy OMB M-04-04 Common Policy Framework eAuthentication PMO Mission Statement FBCA CP FPKI Crits & Methods FPKI Charter & Bylaws EAI Business and Operating Rules HSPD-12 Technical FIPS 199 FIPS 201 NIST SP 800-53, 63, 67 NIST SP 800-7x Policy and Technical Foundations of Federal IdM Tempe CAMP 2006

  5. Requirements for FedFed Membership at Levels 1 & 2 (Assertion-Based AuthenticationTechnologies) • Credential Assessment • Signing Business and Operating Rules • Technical interoperability at SAML 1.0 Tempe CAMP 2006

  6. Requirements for FedFed Membership at Levels 3 & 4 (Crypto-based Authentication Technologies) • Cross-certification with Federal PKI • Cross-certification with Federal PKI • Cross-certification with Federal PKI Tempe CAMP 2006

  7. Interfederation • Federal PKI currently cross-certifying CertiPath (Aerospace industry) bridge for PKI interfederation interoperability at EAuthentication Levels 3 & 4 • inCommon currently developing proposal to EAI for assertion-based interfederation interoperability for EAuthentication Level 1 Tempe CAMP 2006

  8. Credential Services Requirements to Play with the Feds either way • Policy – policy documents that control issuance, management and revocation of identity credentials at a defined LOA • Procedures – that implement policy • Technology – that satisfies or exceeds the trustworthiness requirements of policy • Evaluation – independent review of operations to ensure compliance Tempe CAMP 2006

  9. Service Provider Requirements to Join Federal Federation Directly • Online services agree to eAuthentication Business and Operating Rules • Risk Analysis • Service levels • Security levels • Compliance with FIPS and NIST SPs • Reporting requirements • CSPs agree to procedural, audit and documentation requirements Tempe CAMP 2006

  10. What Federal Government IdM Means to You • Greater security requirements for your IdM services in the future, regardless • Credentials you issue to your faculty, staff and students may be used to authenticate to online government services; conversely, you may accept government and government federation member credentials to authenticate to Your online services • Each Federal Agency is required to field two EAI-enabled online services by October, 2006 Tempe CAMP 2006

  11. What You Ought To Be Doing About It • Invest in your credential services at assertion and crypto technologies: aim to raise LOA over time • Affiliate with a sector identity management federation: there is strength in numbers • Watch the Feds – online apps are coming this year • Don’t invest in obsolete strategies; dropping by the wayside: proprietary identity federation schemes and userID/passwords Tempe CAMP 2006

  12. Further Information • Peter.alterman@nih.gov • http://csrc.nist.gov • www.cio.gov/eauthentication • www.cio.gov/fpkipa • www.certipath.com • http://www.cybertrust.com/industries/healthcare_pharma/safe/ Tempe CAMP 2006

  13. Common Policy Certification Authority Assurance Assurance Level 2 Level 1 C4 Policy Certification Authority High MediumHW Medium Basic Rudimentary Federal Bridge Certification Authority Credential Service Provider PKI? Yes No E-Authentication FPKI Federal PKIPA Policy Mapping E-Governance Credential Assessment Evaluation Certification Authority Application Assurance Level 1&2 Level 1 FBCA Technical Interoperability Testing CSP Certification Assurance Assurance Level 1 Level 2 FBCA Cross-Certification Trusted Provider List Level 1 Level 2 Level 3 Level 4 Tempe CAMP 2006

More Related