Earlier this year, the White House convened the Federal Cloud Credential Exchange (FCCX) Tiger Team, composed of several federal agencies that have a vital need to better assist the public and reduce Federal costs by moving more services online. In alignment with President Obama’s National Strategy for Trusted Identities in Cyberspace, the FCCX Tiger Team’s objective is to facilitate the Federal government’s early adoption of secure, privacy-enhancing, efficient, easy-to-use, and interoperable identity solutions.
Over the past few months, the FCCX Tiger Team has worked on the use cases and the functional requirements necessary for the operation of an identity federation capability that can be integrated with a government agency web application to support and consume a full range of digital credentials such as PIV, PIV-I, and other third party credentials issued under a FICAM-approved Trust Framework Provider.
In simple terms, the Federal government is interested in leveraging one or more commercially available cloud service providers to streamline the burden agencies face in trusting and integrating with FICAM-approved credentials.
As the next step, the FCCX Tiger Team would like to hear from industry vendors on how they might implement a privacy-enhancing, cloud-based, federated credential exchange service.
If you are a product or solutions provider that has the ability to offer these capabilities and would like to help inform the service, please submit your name and company via e-mail to icam [at] gsa [dot] gov by Wednesday, August 1, 2012 and we will provide more information about the requested written response and associated logistics.
In addition, for those who contact us, GSA Office of Governmentwide Policy (GSA OGP) will be holding an Industry Day on Tuesday, August 7th, 2012 (9am – 12:30pm EST) at GSA OCS, 1275 First Street NE, Washington DC, Room 1201B (NoMa-Gallaudet Station – DC Metro Red Line) to gather more information and answer questions from industry vendors regarding the FCCX initiative. We will be able to host both virtually and in person. In person space is limited, so let us know your preference when you contact us.
As an overview, the following topics should be addressed in your written response, which will be due by 5 P.M. EDT on Monday, August 13 20, 2012:
- Proposed high-level architecture for enabling authentication to an Agency application using third party credentials, to include:
  - Shared service operated in a cloud environment servicing multiple Agencies
  - Operation in an Agency-hosted environment
- User interface approaches for selection of approved credentials
- Credential registration and authentication strategies for citizens with multiple approved credentials
- User enrollment approaches
- Assurance level escalation approaches
- Attribute request/consumption approaches
- Supported protocols, profiles and schemas for creating and sending assertions
- Abstracting and streamlining business relationships with FICAM approved credential providers at all levels of assurance
- Preserving privacy (minimize storage of personal information and “panopticality” of the service)
- Auditing
- Scalability of the service
- Cost models (pay per user or per application using tiered volume discounts, O&M)
- Other relevant information
UPDATE (8/3/12): We've had a couple of questions about what is meant by "panopticality" above.
Within the context of FCCX it means two things:
- It is the ability of Credential Providers to "see" all the Service Providers to which a citizen authenticates
- It is the visibility that the FCCX service itself may have into the citizen information that is flowing through it
- by Deb Gallagher (GSA) & Naomi Lefkovitz (NIST), FCCX Tiger Team Co-Chairs