
FICAM Trust Framework Solutions (TFS) Program - Updated

The FICAM Trust Framework Solutions (TFS) is the federated identity framework for the U.S. federal government. It includes guidance, processes and supporting infrastructure to enable secure and streamlined citizen and business facing online service delivery.

For the first time since the inception of the Program in 2009, we are releasing a comprehensive update to the Program to incorporate Agency implementation feedback, ongoing lessons learned regarding the operational needs of shared service initiatives such as the Federal Cloud Credential Exchange (FCCX), as well as updates made as a result of changes in the private sector marketplace of identity services.

The FICAM Trust Framework Solutions Overview provides a holistic overview of the FICAM TFS Program, covering:
  • Description of the components that make up the TFS Program
  • The TFS role in supporting Government-wide policy and National Strategy implementations
  • TFS and its implementation by Government Agencies
  • TFS fast-track process for Financial Institutions required to implement a Customer Identification Program by Government regulators 
  • Relationship to the FICAM Testing Program for on-premise vendor solutions that implement FICAM protocol profiles 

The components of the FICAM TFS Program are:
  • The Trust Framework Provider Adoption Process for All Levels of Assurance describes the process by which the TFS Program evaluates and adopts commercial Trust Frameworks for use by the U.S. federal government
    • Overview of the Trust Framework Adoption Process
    • Incorporation of the privacy trust criteria into the Trust Framework adoption process
    • Updated trust criteria to incorporate NIST SP-800-63-2
    • Streamlined LOA 1 Trust Criteria
    • Introduction of ongoing verification as an OPTIONAL trust criteria
    • Support for Component Identity Services, and associated standardized terminology
    • TFS Program's relationship to entities (CSPs etc.) that are assessed and evaluated by an adopted Trust Framework Provider
       
  • The Authority To Offer Services (ATOS) for FICAM TFS Approved Identity Services makes explicit the requirements that identity services need to satisfy in order to offer their services to the U.S. federal government
    • Clarification of approval decision authority of the FICAM TFS Program
    • Explicit testing and verification of service interfaces to assure conformance to approved protocols and profiles
    • Requirement to implement tested interfaces by the solution provider when offering the service to Government
    • Standards based attribute requirements to enable identity resolution by Government relying parties at LOA 2 and greater
       
  • The Identity Scheme and Protocol Profile Adoption Process describes the process by which protocol profiles are created, adopted and used by the government to ensure that the RP application and the CSP communicate in a secure, interoperable and reliable manner.
    • Updated to allow the flexibility for Government to adopt protocol profiles created by industry, provided it meets Government needs for security, privacy and interoperability
    • Standardized assurance level URIs for use in protocol profiles
       
  • The Relying Party Guidance for Accepting Externally Issued Credentials provides guidance to Agencies on leveraging federated identity technologies to accept externally issued credentials
     
  • The E-Governance Trust Services Certificate Authority provides a certificate issuance capability that supports the federated identity use cases of Agencies that require endpoint and message level protections
     
  • The E-Governance Trust Services Metadata Services (EGTS Metadata Services), once implemented and made available, provides a trusted mechanism for the collection and distribution of metadata to enable identity federation capabilities
All of the above documents, except for the Relying Party Guidance and the EGTS CA Concept of Operations, are currently in DRAFT status while we seek feedback from our Public and Private sector stakeholders.

For those outside the U.S. federal government, there will be an opportunity to engage in a facilitated discussion and Q&A with the FICAM TFS Program Manager during the December 4, 2013 meeting of the IDESG Trust Framework and Trustmark (TFTM) Committee.

UPDATE 2/7/2014:  The updates to the FICAM TFS have been finalized and are now available.

:- by Anil John
:- Program Manager, FICAM Trust Framework Solutions

FICAM Trust Framework Solutions TFPAP Update v1.1.0

The FICAM Trust Framework Solutions (TFS) Trust Framework Provider Adoption Process (TFPAP) has been updated to v1.1.0 (PDF).
This is a point update that does not change any of the existing TFP processes but instead:
  • Acknowledges an existing internal Government process in order to recognize non-federally issued PKI providers, who are cross-certified with the Federal Bridge, as approved Credential Service Providers under the FICAM Trust Framework Solutions umbrella. 
  • Incorporates the Trust Framework Solutions (TFS) "branding" under FICAM. 
The relevant text that acknowledges the existing processes is the following:
The FICAM Trust Framework Solutions (TFS) cover remote electronic authentication of human users to IT systems over a network. It does not address the authentication of a person who is physically present.
The TFS is inclusive of externally issued PKI and non-PKI credentials at OMB Levels of Assurance 1, 2, 3 and 4:
  • For PKI based credentials the TFS recognizes the Federal PKI Policy Authority (FPKIPA) as a TFS approved Trust Framework Provider and will rely on its proven criteria and methodology for non-Federally issued PKI credentials. 
  • For non-PKI credentials, each Identity Provider and TFP must demonstrate trust comparable to each of five categories (registration and issuance, tokens, token and credential management, authentication process, and assertions) for each Level of Assurance it wishes its credentials trusted by government applications (including physical access control systems).
The other point to note is the establishment of the Trust Framework Solutions "branding" under FICAM to acknowledge the C2G and B2G aspects that FICAM is responsible for (FICAM in the Federal Government covers areas beyond C2G and B2G). At a high level, we are bucketing the C2G and B2G pieces under the TFS umbrella and are expecting the TFS, in the near term, to "own" the:
  1. Trust Framework Provider Adoption Process (TFPAP)
  2. The Relying Party Guidance on Accepting Externally Issued Credentials (Currently under internal review)
  3. FICAM TFS Trust Mark (Future)
:- by Anil John

What is new in the FICAM Trust Framework Provider Adoption Process?

The FICAM Trust Framework Provider Adoption Process (TFPAP) is the mechanism used by the Government to leverage industry-based credentials that citizens already have for use at Government web sites.

The current version of the Trust Framework Provider Adoption Process (PDF) was finalized in 2009. Since that time there has been great progress in E-Government activities, such as the launching of the National Strategy for Trusted Identities in Cyberspace (NSTIC) and the decision to move out on the FCCX initiative.

Input from Agencies that desire to deliver higher value Government to Citizen services combined with the increasing maturity and practical experience around credential and identity proofing offerings for higher Levels of Assurance are factors that affect this process.

To assure that the TFPAP is keeping pace with policy, technology and process advancements, we are starting the work needed to update the Trust Framework Provider Adoption Process. Some of the items we expect to address as part of this update include:

  • Bringing all externally issued credentials from LOA 1 to 4, both non-PKI and PKI (i.e. PIV-I and Medium/HW credentials), under the TFPAP so that there is a consistent policy and guidance about how Agencies can best utilize these externally issued credentials. 
  • Privacy Guidance, which was separately developed by the FICAM, will be updated and integrated directly into the new TFPAP.
  • Exploring how best to bring the TFPAP to bear on the Identity Provider / Attribute Provider / Relying Party aspects individually, and together.
  • Integrating a robust and ongoing Test and Evaluation program into the TFPAP
  • More...

Ultimately we are looking to make the TFPAP a more agile process and will be working with multiple stakeholders including, and especially, our existing approved Trust Framework Providers. The goal, as always, is to assure that we meet the needs of both Citizens and Agencies that seek to leverage these externally issued credentials.

:- by Anil John

RFI/RFP Language for Federation Solutions and Identity Proofing Solutions

As noted in my earlier blog post "Comply with Requirements Quickly and Easily with RFI and RFP Templates", FICAM is working to make it easier for Agencies to align with OMB/NIST/FICAM policies. Given below is recommended language that aligns with policy for incorporation into Agency RFIs and RFPs. The language covers both identity federation solutions, when the Agency is acting as a relying party, as well as identity proofing solutions.

Identity Federation Solution for Agency as Relying Party

Details: A federation solution is typically integrated with an Agency web application, and needs to support both government issued credentials and approved non-government issued credentials. Government issued credentials in this case are Agency issued PIV Cards; approved non-government credentials include PIV-I and those that are governed by the FICAM Trust Framework Solutions Process.

Identity Proofing Service

  • MUST have an identity proofing service capable of implementing [remote and/or in-person] identity proofing processes at [OMB M-04-04 LOA Level(s) here] per NIST SP 800-63-1

Details: NIST SP 800-63-1 (PDF) is the authoritative document that provides information on the technical controls and approaches that an Agency must use for remote as well as in-person identity proofing requirements from LOA 1-4. Currently, FICAM does not have a certification process for a stand-alone identity proofing capability; current FICAM certification, via the Trust Framework Adoption Process, applies to a combined identity proofing-credential issuance solution. As such, the requirements levied on an Identity Proofing service are based on the foundational requirements that all US Government Agencies must follow in complying with NIST Guidance.

Do keep in mind the following:

  • The focus above is on the technical bits-n-bytes
  • The above is just a starting point; Agencies are free to modify and add on other requirements as needed
  • The above is subject to change based on new and/or updated policies

:- by Anil John

GSA OGP Announces an Industry Day on Federal Federated Identity Solutions

Earlier this year, the White House convened the Federal Cloud Credential Exchange (FCCX) Tiger Team comprised of several federal agencies that have a vital need to better assist the public and reduce Federal costs by moving more services online. In alignment with President Obama’s National Strategy for Trusted Identities in Cyberspace, the FCCX Tiger Team’s objective is to facilitate the Federal government’s early adoption of secure, privacy-enhancing, efficient, easy-to-use, and interoperable identity solutions.

Over the past few months, the FCCX Tiger Team has worked on the use cases and the functional requirements necessary for the operation of an identity federation capability that can be integrated with a government agency web application to support and consume a full range of digital credentials such as PIV, PIV-I, and other third party credentials issued under a FICAM-approved Trust Framework Provider.

In simple terms, the Federal government is interested in leveraging one or more commercially available cloud service providers to streamline the burden agencies face in trusting and integrating with FICAM-approved credentials.

As the next step, the FCCX Tiger Team would like to hear from industry vendors on how they might implement a privacy-enhancing, cloud-based, federated credential exchange service.

If you are a product or solutions provider that has the ability to offer these capabilities and would like to help inform the service, please submit your name and company via e-mail to icam [at] gsa [dot] gov by Wednesday, August 1, 2012 and we will provide more information about the requested written response and associated logistics.

In addition, for those who contact us, GSA Office of Governmentwide Policy (GSA OGP) will be holding an Industry Day on Tuesday, August 7th, 2012 (9am – 12:30pm EST) at GSA OCS, 1275 First Street NE, Washington DC, Room 1201B (NoMa-Gallaudet Station – DC Metro Red Line) to gather more information and answer questions from industry vendors regarding the FCCX initiative. We will be able to host both virtually and in person. In person space is limited, so let us know your preference when you contact us.

As an overview, the following topics should be addressed in your written response which will be due by 5 P.M. EDT on Monday, August 13 20, 2012:

  • Proposed high level architecture for enabling authentication to an Agency application using third party credentials to include:
    • Shared service operated in a cloud environment servicing multiple Agencies
    • Operation in an Agency-hosted environment
  • User interface approaches for selection of approved credentials
  • Credential registration and authentication strategies for citizens with multiple approved credentials
  • User enrollment approaches
  • Assurance level escalation approaches
  • Attribute request/consumption approaches
  • Supported protocols, profiles and schemas for creating and sending assertions
  • Abstracting and streamlining business relationships with FICAM approved credential providers at all levels of assurance
  • Preserving privacy (minimize storage of personal information and “panopticality” of the service)
  • Auditing
  • Scalability of the service
  • Cost models (Pay per User or application using tiered volume discounts, O&M)
  • Other relevant information

UPDATE (8/3/12): We've had a couple of questions about what is meant by "panopticality" above.

Within the context of FCCX it means two things:

  1. It is the ability of Credential Providers to "see" all the Service Providers to which a citizen authenticates
  2. It is the visibility that the FCCX service itself may have into the citizen information that is flowing through it


:- by Deb Gallagher (GSA) & Naomi Lefkovitz (NIST) - FCCX Tiger Team Co-Chairs

New Kantara Assessment Process Provides Flexibility While Maintaining Rigor

FICAM's Trust Framework Adoption Process allows us to use comparability criteria to adopt industry trust frameworks for use by the Government. Flexibility and innovation in managing the process are critical to making sure Government requirements can take advantage of innovation in the industry. Kantara Initiative, one of our approved Trust Framework Providers (TFPs), recently updated their assessment criteria in a manner that continues to meet the requirements of FICAM and NIST, while at the same time providing flexibility in assessing solution providers.

Kantara's trust framework, which has been approved by FICAM, is called the Kantara Initiative Identity Assurance Framework. A critical component of it is the Service Assessment Criteria, which establishes baseline criteria for general organizational conformity, identity proofing services, credential strength, and credential management services against which all FICAM Credential Service Providers are verified for assurance.

The general thinking among TFPs has been that a single entity would perform all activities of a solution, but it has always been feasible under the Trust Framework Solutions process to have separate entities doing the identity proofing and credential issuance functions. Kantara has restructured their Identity Assurance Service Assessment Criteria to accommodate independent assessment of these functions, which in turn can now be offered by different providers as components of the complete solution.

In line with how the E-Authentication model in NIST SP 800-63 provides for logical and physical separation between the Registration/Identity-Proofing function and the Token/Credential Management function, Kantara's restructured service assessment criteria perform assessments across two dimensions:

  1. Organizational Assessment, which is required of all entities undergoing assessment
  2. Operational Criteria Assessment, which covers the actual component services being offered

The flexibility in this approach comes from the fact that multiple organizations, each with its own unique service offering, can now come together to offer component services. The restructured assessment criteria now allow for these individual service components to be assessed independently. These services can be unique to each assurance level, but taken together they provide a full service capability that combines both Registration/Identity-Proofing and Credential Management.

This approach provides significant opportunities for partnering between organizations, which can now put together unique and tailored solutions that, in total, satisfy the service assessment criteria. From the FICAM perspective, it is important to note that we apply the "FICAM Approved" label only to the total package made up of the various service components that together offer the complete Registration/Identity-Proofing and Credential Management functions.

National Institute of Standards and Technology (NIST) and General Services Administration (GSA) personnel welcome this new approach from Kantara, which without reducing the rigor of the assessment criteria, allows for innovative industry partnering as well as tailored and flexible service offerings to the Government.

:- by Deb Gallagher

FICAM Trust Framework Solutions - A Primer

It is in the Government's best interest to not re-invent the wheel and leverage Industry resources whenever possible. To support E-Government activities, FICAM aims to leverage industry-based credentials that citizens already have for other purposes. At the same time, the Government has specific Privacy and Security requirements that need to be satisfied in order for a Government relying party to trust a credential that has been issued by an entity other than the US Federal Government.

The approach used to assess external (to the US Federal Government) credential issuance processes against these privacy and security requirements is called the FICAM Trust Framework Solutions:


As you can see in the diagram above, the entities in this mix are a Trust Framework Provider, one or more Identity Providers (IdPs), and FICAM.
  • A Trust Framework Provider (TFP) is an entity, separate from the Federal Government, that has a certain level of organizational maturity and owns/manages/has a mechanism to assess credentialing process across a range of facets that include assurance, privacy as well as auditing & certification processes using qualified independent auditors i.e. it owns and is responsible for a Trust Framework.
  • The Trust Framework Provider in turn has the capability to assess Identity Providers to see if the IdP has a certain level of organizational maturity and if its registration & identity proofing processes, credentials,  credential issuance processes and privacy policies meet the policies codified under the TFP's Trust Framework.
  • Where FICAM comes into the picture is via using our Trust Framework Adoption Process (PDF) in order to "adopt" an existing Industry Trust Framework. What that means is that we use the adoption process to see if the requirements of the Trust Framework we are using internally within the Government are comparable to the existing Industry Trust Framework. I especially want to emphasize that the intent here is comparability and NOT compliance. If they are indeed comparable, we adopt and certify that industry Trust Framework Provider, and customers of Identity Providers who have been assessed and approved by that TFP can now use those credentials at TFP-enabled Federal Government relying parties.
It is important to call out some specific points:
  • Trust Framework Providers are NOT Identity Providers
  • Trust Framework Providers assess IdPs for conformance against their Trust Framework and not the Government Trust Framework
  • The Government does not directly certify Identity Providers under the Trust Framework Solutions Process; The Government directly certifies ("adopts") Trust Framework Providers
It is critical to note that the Level of Assurance (LOA) you can have in an Identity is a big deal to the US Federal Government, and as you go to higher LOAs (from 1 to 4) the more stringent the credential issuance and identity proofing processes become.  As such, TFPs and their Trust Frameworks need to have comparable processes to the Government Trust Framework at higher LOAs in order for them to be able to assess IdPs as being able to issue higher LOA credentials.  In some cases, a TFP may make a conscious choice that they will assess only IdPs at specific LOA levels.

Let me, at this point in time, add a bit of nuance to this process. The Government E-Authentication Model provides for a logical and physical separation between the Registration/Identity-Proofing function and the Token and Credential Registration/Issuance function. In the IdP model noted above those functions are shown together. They do not have to be. It is perfectly feasible under the Trust Framework Solutions Model to have separate entities doing the Identity Proofing and the Credential Issuance, and coming together to provide a combined solution that can be certified by a TFP. Simply be aware that under the current FICAM TFP regime the term "FICAM Approved" applies to that combined solution and NOT to the individual components.
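The trust chain in the primer (FICAM adopts a TFP at particular LOAs, the TFP assesses identity providers, a Government relying party accepts the credential only when that chain holds and the approval covers the combined proofing plus issuance package) as a relying-party-side check. This is an added illustration, not FICAM's own code or data; the TFP and IdP names are placeholders, and it assumes, as NIST SP 800-63 does, that a higher-LOA credential satisfies a lower requirement.

```python
"""Constructed model of the FICAM Trust Framework Solutions trust chain.
Added illustration, not FICAM code: FICAM adopts a TFP (per LOA), the TFP
assesses identity providers (per LOA), and a Government relying party accepts
a credential only when that chain holds.  All TFP/IdP names are placeholders."""
from dataclasses import dataclass, field

LOAS = (1, 2, 3, 4)  # OMB Levels of Assurance, more stringent as the number rises


@dataclass(frozen=True)
class TrustFrameworkProvider:
    name: str
    adopted_loas: frozenset  # LOAs at which FICAM adopted this TFP's framework


@dataclass(frozen=True)
class AssessedSolution:
    """A solution a TFP has assessed against its own framework.  'FICAM Approved'
    applies only to the combined identity-proofing plus credential-issuance
    package, so the record notes which functions the solution covers."""
    tfp: str
    idp: str                 # entity whose credentials carry this approval
    loas: frozenset          # LOAs the TFP approved the solution at
    covers_proofing: bool
    covers_credentials: bool


@dataclass
class TrustRegistry:
    """What a Government relying party needs to know.  The Government never
    certifies IdPs directly, only the TFPs that assess them."""
    tfps: dict = field(default_factory=dict)
    solutions: list = field(default_factory=list)

    def adopt_tfp(self, tfp: TrustFrameworkProvider) -> None:
        self.tfps[tfp.name] = tfp

    def register(self, solution: AssessedSolution) -> None:
        self.solutions.append(solution)

    def accept(self, idp: str, asserted_loa: int, required_loa: int):
        """Decide whether a credential from `idp`, asserted at `asserted_loa`,
        satisfies an application requiring `required_loa`.  Returns
        (accepted, reason).  Assumption: a higher-LOA credential satisfies a
        lower requirement, as in NIST SP 800-63."""
        if asserted_loa not in LOAS or required_loa not in LOAS:
            return False, "unknown LOA"
        if asserted_loa < required_loa:
            return False, f"LOA {asserted_loa} credential below required LOA {required_loa}"
        for sol in self.solutions:
            if sol.idp != idp or asserted_loa not in sol.loas:
                continue
            if not (sol.covers_proofing and sol.covers_credentials):
                continue  # a single component alone is never 'FICAM Approved'
            tfp = self.tfps.get(sol.tfp)
            if tfp is None or asserted_loa not in tfp.adopted_loas:
                continue  # TFP not adopted by FICAM, or not adopted at this LOA
            return True, f"{idp} approved by adopted TFP {tfp.name} at LOA {asserted_loa}"
        return False, f"no adopted TFP approval for {idp} at LOA {asserted_loa}"


def build_example_registry() -> TrustRegistry:
    """Constructed sample data (placeholder names, not real TFPs or IdPs)."""
    reg = TrustRegistry()
    reg.adopt_tfp(TrustFrameworkProvider("example-tfp", frozenset({1, 2})))
    reg.register(AssessedSolution("example-tfp", "example-idp", frozenset({1, 2, 3}), True, True))
    reg.register(AssessedSolution("example-tfp", "proofing-only-vendor", frozenset({2}), True, False))
    reg.register(AssessedSolution("unadopted-tfp", "other-idp", frozenset({2}), True, True))
    return reg
```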

Since October 2011, there has been an OMB Policy that requires Government web sites that allow members of the public and business partners to register or log on, to be enabled to accept externally-issued credentials (i.e. credentials issued by an entity other than the US Federal Government) in accordance with government-wide requirements (PDF). The Trust Framework Solutions Process satisfies that requirement by enabling a scalable model for extending identity assurance across a broad range of citizen and business needs.

:- by Anil John