Showing posts with label ICAM. Show all posts

Federal ICAM Information Sharing Day and Vendor Expo

The Federal ICAM Information Sharing Day and Vendor Expo will take place on Tuesday, June 18, 2013 from 8:00 a.m. to 4:00 p.m.

This event will consist of presentations, panel discussions, and breakout sessions on pressing issues facing the Federal Government’s ICAM programs today. Attendees will also benefit from a vendor exhibit, showcasing technology solutions to satisfy ICAM needs.

This free event is open to government employees, contractors, and industry representatives (e.g., vendors).

LOGISTICS/VENUE INFORMATION  

The ICAM Information Day and Vendor Expo will be held on June 18, 2013 from 8:00 a.m. to 4:00 p.m. at the following location:

GSA One Constitution Square Building
1275 First Street NE, Washington

REGISTRATION INFORMATION

Those attending ICAM Information Day and Vendor Expo should register at the following site: http://www.gsa.gov/ICAMexpo

Special Information for Vendor Registration

If you plan to participate in the Spring 2013 ICAM Day’s Vendor Expo, please complete the registration process and choose your affiliation as a "Vendor". Upon registration, you will be contacted by the conference coordinator to provide additional details for exhibit coordination. ICAM Day vendor registration is free, but limited to the first 25 vendors.

AGENDA

Please note that the agenda is subject to change.

8:00 – 9:00
  Registration

9:00 – 9:10
  Speakers: Deb Gallagher (GSA), Paul Grant (DoD)

9:10 – 9:30
  Speaker: Chi Hickey (GSA)

9:30 – 10:30
  Panel Discussion: Attribute Exchange and Information Sharing in Action
  Panelists will share the latest updates on technology and approaches for attribute exchange and the importance of information sharing and safeguarding to the national cybersecurity agenda.
  Moderator: Anil John (GSA)
  Panelists:
  • David Coxe (ID DataWeb, Inc.)
  • Dieter Schuller (Radiant Logic)
  • Nathaniel (Ted) Sobel (DHS)
  • John F. Wandelt (GTRI)
  • Martin Smith (PM-ISE)

10:30 – 11:30
  Panel Discussion: Externalizing Authentication
  Panelists will provide insights into how Agencies can externalize authentication using shared services. Participants include members of the OMB MAX Authentication Team as well as members of the Federal Cloud Credential Exchange (FCCX) Team.
  Moderator: Anil John (GSA)
  Panelists:
  • FCCX Team
  • MAX.GOV Team

11:30 – 12:30
  Lunch break (lunch not provided)

12:30 – 4:00
  Vendor Expo

12:30 – 1:15
  Breakout Session 1 (choose one of the four sessions below)

  FICAM Procurement [Government Only. PIV Required for Entrance]
  An interactive discussion with agencies regarding challenges and gaps in procuring PACS components/systems from the Approved Products List. Potential discussion topics include the breakdown of new PACS categories, severity levels/risks, ICAM test cards, development of acquisition language that complies with policy and meets agency needs, and defining acquisition requirements for relevant ICAM systems.

  Driving Mobility Forward with ICAM
  A discussion of current trends and technology within the mobile environment. Potential discussion topics include contactless, enterprise architecture, and strategies for supporting a mobile, remote workforce.

  Enterprise PACS Solution Best Practices
  A discussion of lessons learned, solutions, and processes to support implementation of agency-wide enterprise PACS and PIV-enablement. Potential discussion topics include managing risk, designing an enterprise PACS, and migrating to strong authentication using the PIV Card.

  Realizing the Value of ICAM
  A discussion of how to plan, implement, and measure an agency ICAM program focused on efficiency, cost savings, and value. Potential discussion topics include the strategic importance of ICAM as a mission enabler, messaging ICAM to leadership, prioritizing and securing investments, and selecting cost-effective designs and solutions for implementation.

1:20 – 2:05
  Breakout Session 2 (the same four sessions as Breakout Session 1: FICAM Procurement, Driving Mobility Forward with ICAM, Enterprise PACS Solution Best Practices, Realizing the Value of ICAM)

2:10 – 2:35
  Accelerating the implementation timeline and reducing the cost of PIV in applications by using Cloud services
  Speakers:
  • Xceedium
  • Amazon Web Services

2:35 – 3:35
  Panel Discussion: Tackling an Evolving Mobile Environment
  Panelists will discuss approaches for addressing common mobility and security-related challenges. The panel will include agency representatives at different stages of program planning and execution, as well as participants from policy and technical viewpoints.
  Moderator: Donna Dodson (NIST)
  Panelists:
  • John Hickey (DOD/DISA)
  • Tom McCarty (DHS)
  • Adam Zeimet (USDA)

3:35 – 3:55
  OMB ICAM Update [Government Only. PIV Required for Entrance]
  Speaker: Carol Bales (OMB)

3:55 – 4:00
  Closing Remarks
  Speaker: Salomeh Ghorbani (GSA)

What are FICAM Technical Profiles and Identity Schemes?

A critical technical underpinning of the FICAM Trust Framework Solutions process is enabling the federal government to use industry standards. This blog post provides an overview of the FICAM protocol profiling work that lets the federal government use those standards in a secure and interoperable manner.

As anyone who has been involved in technical protocol standards development will know, a finalized standard is often a compromise. In particular, there is great tension in the standards development process between the need for flexibility and extensibility, security and privacy, and interoperability. The result is often a standards document that provides multiple ways of accomplishing the same thing, all of which are "compliant" with the standard but frequently are not interoperable with each other.

For the federal government to utilize industry standards, they need to be widely deployed by multiple vendors, interoperable, and compliant with the security and privacy policy requirements articulated by authoritative federal government bodies such as OMB, NIST, the CIO Council, etc.

This requires the standard to undergo a "Profiling" process that:

  • DOES NOT change the standard in any way
  • DOES take into consideration security requirements of the federal government
  • DOES take into consideration privacy requirements of the federal government
  • Locks down the MUSTs, SHOULDs, SHOULD NOTs etc. in the specification language so that there is assured interoperability between profile implementations
  • Results in a "Test-able" product

When this process was initially envisioned, we were very much focused on authentication. As such, the end result of the profiling process was the development of "portable identity schemes", which enabled the use of identity federation protocols to convey information for the purpose of authentication.

The "FICAM Profile of SAML 2.0 for Web SSO (PDF)" and the "FICAM OpenID 2.0 Profile (PDF)" are clear examples of portable identity schemes that incorporate standards profiling. We will continue to utilize identity schemes as an item that an identity provider needs to implement in order to interoperate securely with a federal government relying party (service provider).
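As an added illustration (not from this post, and not the text of the FICAM SAML 2.0 Web SSO profile) of what "locking down the MUSTs" and producing a "test-able" product means on the relying-party side, the checker below enforces a handful of constructed, profile-style MUST rules on a SAML 2.0 Response. The rule set, the entity IDs and the sample response are all assumptions made for the example.

```python
# Added example, not from the post or from FICAM: a relying-party checker that
# enforces constructed, profile-style MUSTs on a SAML 2.0 Response.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def parse_ts(value):
    """Parse the UTC timestamp form used in this example, e.g. 2013-06-18T14:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_profile(response_xml, audience, recipient, now):
    """Return the list of profile violations; an empty list means the response conforms.
    audience: the RP entity ID; recipient: the RP's assertion consumer URL; now: aware datetime."""
    findings = []
    assertions = ET.fromstring(response_xml).findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return ["Response MUST carry exactly one plaintext Assertion (found %d)" % len(assertions)]
    a = assertions[0]
    # MUST: the assertion itself is signed. Only presence is checked here; the actual
    # XML-DSig verification belongs to a signature library, which this example omits.
    if a.find("ds:Signature", NS) is None:
        findings.append("Assertion MUST be signed")
    # MUST: audience-restricted to this RP, so an assertion meant for one RP is rejected by another.
    audiences = [e.text for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        findings.append("Audience MUST equal the RP entity ID (got %r)" % audiences)
    # MUST: an explicit validity window that covers the current time.
    cond = a.find("saml:Conditions", NS)
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not (nb and noa):
        findings.append("Conditions MUST carry NotBefore and NotOnOrAfter")
    elif not (parse_ts(nb) <= now < parse_ts(noa)):
        findings.append("Assertion is outside its validity window")
    # MUST: bearer confirmation bound to this RP's endpoint, with its own expiry.
    sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    scd = sc.find("saml:SubjectConfirmationData", NS) if sc is not None else None
    if sc is None or sc.get("Method") != BEARER or scd is None:
        findings.append("Subject MUST use bearer SubjectConfirmation with SubjectConfirmationData")
    else:
        if scd.get("Recipient") != recipient:
            findings.append("SubjectConfirmationData Recipient MUST be the RP's ACS URL")
        if not scd.get("NotOnOrAfter") or now >= parse_ts(scd.get("NotOnOrAfter")):
            findings.append("SubjectConfirmationData MUST carry an unexpired NotOnOrAfter")
    return findings


# Constructed sample response (no real IdP or RP); the Signature element is a stub.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion>
  <ds:Signature><ds:SignatureValue>stub</ds:SignatureValue></ds:Signature>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">abc123</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://rp.example.gov/acs" NotOnOrAfter="2013-06-18T14:05:00Z"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-06-18T13:55:00Z" NotOnOrAfter="2013-06-18T14:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://rp.example.gov</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""
```

Calling check_profile(SAMPLE, "https://rp.example.gov", "https://rp.example.gov/acs", parse_ts("2013-06-18T14:00:00Z")) returns an empty list; changing the audience, the clock or the signature produces the corresponding violation.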

As our requirements have grown, we have found it necessary to expand beyond authentication to areas such as attribute exchange, authorization and more. Profiles such as the "SAML 2.0 Identifier and Protocol Profiles for BAE v2.0 (PDF)" and "SAML 2.0 Metadata Profile for BAE v2.0" stand on their own and are not authentication related.

We expect this to continue and expand in the future.

As an example, the currently underway work on the "FICAM Profile of OAUTH 2" is not an identity scheme, given that OAUTH 2 requires an additional authentication layer to convey identity information. Once the OAUTH 2 profiling is complete, we will be working to identify and profile the pieces that make up that additional identity layer. The combination may result in a FICAM approved portable identity scheme that utilizes OAUTH 2.

In short, going forward we expect to continue our work to profile protocol standards such that they are usable by themselves, as well as use profiles as building blocks to enable portable identity schemes.

:- by Anil John

New Kantara Assessment Process Provides Flexibility While Maintaining Rigor

FICAM's Trust Framework Adoption Process allows us to use comparability criteria to adopt industry trust frameworks for use by the Government. Flexibility and innovation in managing the process are critical to making sure Government requirements can take advantage of innovation in the industry. Kantara Initiative, one of our approved Trust Framework Providers (TFPs), recently updated their assessment criteria in a manner that continues to meet the requirements of FICAM and NIST, while at the same time providing flexibility in assessing solution providers.

Kantara's trust framework, which has been approved by FICAM, is called the Kantara Initiative Identity Assurance Framework. A critical component of it is the Service Assessment Criteria, which establish baseline criteria for general organizational conformity, identity proofing services, credential strength, and credential management services, against which all FICAM Credential Service Providers are verified for assurance.

The general thinking among the TFPs has been that a single entity would perform all activities of a solution, but it has always been feasible under the Trust Framework Solutions process to have separate entities perform the identity proofing and credential issuance functions. Kantara has restructured its Identity Assurance Service Assessment Criteria to accommodate independent assessment of these functions, which in turn can now be offered by different providers as components of the complete solution.

In line with how the E-Authentication model in NIST SP 800-63 provides for logical and physical separation between the Registration/Identity-Proofing function and the Token/Credential Management function, Kantara's restructured service assessment criteria perform assessments across two dimensions:

  1. Organizational Assessment, which is required of all entities undergoing assessment
  2. Operational Criteria Assessment, which covers the actual component services being offered

The flexibility in this approach comes from the fact that multiple organizations, each with its own unique service offering, can now come together to offer component services. The restructured assessment criteria allow these individual service components to be assessed independently. These services can be unique to each assurance level, but taken together they provide a full service capability that combines both Registration/Identity-Proofing and Credential Management.

This approach provides significant opportunities for partnering between organizations, which can now put together unique and tailored solutions that, in total, satisfy the service assessment criteria. From the FICAM perspective, it is important to note that we apply the "FICAM Approved" label only to the total package made up of the various service components that together offer the complete Registration/Identity-Proofing and Credential Management functions.

National Institute of Standards and Technology (NIST) and General Services Administration (GSA) personnel welcome this new approach from Kantara, which, without reducing the rigor of the assessment criteria, allows for innovative industry partnering as well as tailored and flexible service offerings to the Government.

:- by Deb Gallagher

Comply with Requirements Quickly and Easily with RFI and RFP Templates

A challenge agencies face when putting out an RFI/RFP is in making sure that the intent of the policies and guidance they need to comply with comes through. From the perspective of the organizations that are responsible for policy and guidance, Agencies getting the language right in the RFI/RFP closes the loop by aligning acquisitions with standards and policy. When it comes to Federal Government Agency Identity, Credential and Access Management RFIs and RFPs, FICAM is working to make this easier for Agencies.

We have taken note of the increasing number of RFIs and RFPs for ICAM components that are going out. At the same time, we also realize that the hard-working folks who are putting these together face challenges in making sure that the language in the RFI/RFP reflects the required technical standards and policies.

Let me use language from a recent Agency RFI to discuss how we can help:

[...] requirement of integrating remote/on-line proofing functionality into the [Agency's Identity and Access Management Capability] Identity Proofing Services. To be capable of meeting this requirement, a vendor:
  • Must currently hold a Level 2 FICAM certification
  • Shall have the ability to achieve a Level 3 FICAM certification by [Future Date]
  • [More …]

The above sounds reasonable, but there is a problem: there currently is NO FICAM certification for a stand-alone identity proofing capability. FICAM certification, via our adopted Trust Framework Providers, currently applies only to a combined identity proofing and credential issuance solution. By using the language of FICAM certification above and associating it only with ID proofing, the results end up being:

  • Confusion in the market about what exactly is being asked for
  • Limiting and/or eliminating qualified vendors who may be able to meet the actual intended requirements

Given that this is a Federal Government Agency that has to comply with OMB Levels of Assurance (LOA) requirements and the associated NIST technical implementation guidance for remote identity proofing, the solution is a minor tweak to the language to convey the actual intent:
  • Must have an identity proofing service capable of implementing remote identity proofing process at LOA 2 per NIST 800-63-1
  • Shall have the ability to implement remote identity proofing processes at LOA 3 per NIST 800-63-1 by [Future Date]

So, in order to help Agencies comply up-front with OMB, NIST and FICAM guidance, we are currently working on standardized technical language/templates for specific ICAM capabilities (Identity Proofing, Identity Federation, etc.). Agencies will be able to easily incorporate this standard language into their RFI/RFP going forward.

If you are an Agency looking for information on ICAM components or policy for an RFI/RFP you are putting together, please feel free to contact us at icam (at) gsa (dot) gov and we would be happy to answer your questions.

:- by Anil John

Federation, FICAM and Guidance

The FICAM Roadmap and Implementation Guidance calls out initiatives that are both Government-wide as well as Agency-specific. Two Government-wide initiatives that are of relevance to identity federation are:

  1. Establish a federated identity framework for the Federal Government
  2. Provide Government-wide services for common ICAM requirements

A very large piece of the federated identity framework is the Trust Framework Solutions (TFS) initiative under FICAM. The TFS is a process by which industry Trust Frameworks (the codification of requirements for credentials and their issuance, privacy and security requirements, as well as auditing qualifications and processes) are evaluated and assessed for potential use by the Government. A Trust Framework that is comparable to federal standards is adopted through this process, which allows Federal Government Relying Parties (RPs) to trust Credential Service Providers, a.k.a. Identity Providers, that have been assessed under that particular trust framework. The key point here is the level of abstraction: the Government does not directly evaluate or certify Identity Providers, but instead adopts a Trust Framework Provider who does that evaluation and certification.

I will leave the shared services piece for a future blog post.

The current list of adopted trust framework providers, and the upper limit of the LOA levels they are approved to assess IdPs against, can be found here. IdPs that have been assessed by these Trust Framework Providers are now able to offer credentials from LOA1 up to non-PKI LOA3. For Agencies that need higher levels of assurance, there are now Shared Service Providers that offer PIV-I Credentials (PKI credentials at LOA4 that can be issued by non-Federal organizations) as well.

This in turn has positioned the eco-system to be able to fulfill the OMB Mandate to Executive Branch Agencies to accept externally-issued, FICAM approved, identity credentials [PDF] on their public facing web sites. FICAM has been actively engaging with Agencies across the US Government to help them light up these capabilities on their externally facing web sites so Citizens have flexibility and choice in using their existing credentials to obtain services from Government web sites.

In addition, the FICAM Federation Interoperability Working Group (FIWG), composed of cross-government stakeholders, is working on:
  1. Developing guidance around federated access using credentials at various levels of assurance
  2. Profiling federated identity protocols to integrate government security and privacy requirements
  3. Facilitating relationships for interoperability within the Federal Government and outside of the Federal Government (C2G, B2G, and G2G)
  4. Supporting activities that bridge the gap between technical and policy aspects of ICAM

The first deliverable that we are working on within the FIWG is a living resource/document called the "FICAM Relying Party Guidance". It seeks to provide guidance, best practices and approaches on how Federal Government web sites (Relying Parties) can accept FICAM approved third-party credentials for C2G and B2G use cases, while still accepting PIV Credentials for G2G use cases.
 
I am sure that we are not the first to do this and we have little interest in re-inventing the wheel. If you are a member of an active Identity Federation, I would be very interested in pointers to documents or having a conversation regarding guidance you provide to your Relying Parties (policy, technical, ROI and more) that eases their concerns about Federation and lowers their barriers to entry.
 
:- by Anil John

FICAM Roadmap and Implementation Guide Overview

The Federal Identity, Credential and Access Management (FICAM) Roadmap and Implementation Guidance v2 (PDF) is a pretty comprehensive document, i.e., an abundance of good stuff to read!

Deb Gallagher (ICAMSC Co-Chair) and I had the opportunity yesterday to provide an overview of the FICAM Roadmap at an open event to a cross-section of people from .gov/.mil/IC, folks who support those communities, and some who were simply interested in the topic.

Deb provided an Overview of the FICAM Roadmap while I focused on its Initiative 5, which gives guidance to Agencies on how they can streamline the collection and sharing of digital identity data as part of their alignment to the FICAM Roadmap.

The presentation is provided below for your viewing pleasure and for download (PDF). Thanks to everyone who attended and for the many questions on the topic. Hope we were able to provide some of the answers you were looking for.

:- by Anil John

FICAM Mission and 2012 Execution Priorities

The US Federal Identity, Credential and Access Management (Federal ICAM or FICAM) Program is tasked with aligning the Identity Management activities of the US Government.

The Federal ICAM mission is to:
  1. Align federal agencies around common practices by fostering effective government-wide identity, credential and access management
  2. Collaborate with federal government and external identity management activities (non-federal, commercial and more) to leverage best practices and enhance interoperability
  3. Enable trust and interoperability in online transactions, through the application of common policies and approaches, in activities that cross organizational boundaries

For 2012, our Execution Priorities are to:
  • Drive Usage of FICAM Approved Credentials
    FICAM approved credentials include PIV Cards for Government to Government use (HSPD-12 directive) as well as credentials issued by Credential Providers outside of Government that have been approved for use with Government Relying Parties via the FICAM Trust Framework Solutions Initiative.
  • Demonstrate the Value of Policy Driven Access Control within Government Systems
    There have been significant investments in building out a trust anchor for the Government via the Federal PKI, as well as in the use of strong credentials such as PIV and PIV-I, which provide the ability to answer the question "Who are you?" with a very high level of assurance. We are building on top of those investments by focusing on answering the question "What are you allowed to do?" via the work we are undertaking on Attribute Management, Operationalizing Privacy and Information Sharing.
  • Increase Outreach and Collaboration
    We recently completed our annual Program of Work Review, which resulted in ICAM Working Groups being re-aligned and focused to address the increasing needs of federal agencies. We are also making a conscious effort to actively engage the ICAM community (this blog being an example) as we move forward.

:- by Anil John