As noted in my earlier blog post "Comply with Requirements Quickly and Easily with RFI and RFP Templates", FICAM is working to make it easier for Agencies to align with OMB/NIST/FICAM policies. Given below is recommended, policy-aligned language for incorporation into Agency RFIs and RFPs. The language covers both identity federation solutions, where the Agency is acting as a relying party, and identity proofing solutions.
Identity Federation Solution for Agency as Relying Party
- The solution shall support all currently approved FICAM Protocol Profiles, as found on IDManagement.gov, for browser based SSO (OpenID 2.0 and SAML 2.0 required; IMI 1.0 support is optional)
- The solution shall support newly approved FICAM Protocol profiles, as found on IDManagement.gov, within [90 days] of final approval by the ICAMSC
- The solution shall be capable of supporting all FICAM Adopted Trust Framework Provider Approved Credential Providers
- The solution shall be capable of supporting PIV (for Government-to-Government use cases) and PIV-I Authentication. This support must include Trust Path Discovery and Trust Path Validation functionality
- If the solution implements a SAML 2.0 Attribute Query/Response mechanism, it shall support the FICAM SAML 2.0 Identifier and Protocol Profiles for BAE v2.0 and the associated FICAM SAML 2.0 Metadata Profile for BAE v2.0
- The solution shall, at a minimum, support the following protocols and assertion formats for communication between itself and the relying party Agency application:
- Protocols: HTTP(S), SAML 2.0
- Assertion Formats: SAML 2.0, XML, JSON
Details: A federation solution is typically integrated with an Agency web application and needs to support both government issued credentials and approved non-government issued credentials. In this context, government issued credentials are Agency issued PIV Cards, and approved non-government credentials are PIV-I credentials and those governed by the FICAM Trust Framework Solutions Process.
Identity Proofing Service
- MUST have an identity proofing service capable of implementing [remote and/or in-person] identity proofing processes at [OMB-04-04 LOA Level(s) here] per NIST SP 800-63-1
Details: NIST SP 800-63-1 is the authoritative document that provides information on the technical controls and approaches that an Agency must use to meet remote and in-person identity proofing requirements at LOA 1 through 4. Currently, FICAM does not have a certification process for a stand-alone identity proofing capability; current FICAM certification, via the Trust Framework Adoption Process, applies to a combined identity proofing and credential issuance solution. As such, the requirements levied on an identity proofing service are based on the foundational requirements that all US Government Agencies must follow in complying with NIST guidance.
Do keep in mind the following:
- The focus above is on the technical bits-n-bytes
- The above is just a starting point; Agencies are free to modify and add on other requirements as needed
- The above is subject to change based on new and/or updated policies
- by Anil John