FICAM TFS TEM on Identity Resolution Needs for Online Service Delivery

The FICAM Trust Framework Solutions (TFS) Program is convening public and private sector experts in identity proofing, identity resolution and privacy for an Identity Resolution Needs for Online Service Delivery Technical Exchange Meeting (TEM) on 5/1/14 from 9:00 AM - 5:00 PM Eastern in Washington, DC.

REGISTRATION

Save the 5/1/14 date! In-person attendance and early registration (due to limited space) are recommended.


Registration is now closed for this event!

Event Location: GSA, 1800 F St NW, Washington, DC 20405

In-person event logistics information will be provided to registered attendees. Remote attendance information will be made available to registered attendees who are not able to attend in-person.

Questions? Please contact the FICAM TFS Program at TFS.EAO@gsa.gov

BACKGROUND

Identity attributes that are used to uniquely distinguish between individuals (versus describing individuals) are referred to as identifiers. Identity resolution is the ability to resolve a set of identity attributes to a unique individual within a particular context (i.e. no other individual in that context has the same set of attribute values).

Within the context of enabling high value and sensitive online government services to citizens and businesses, the ability to uniquely resolve the identity of an individual is critical to delivering government benefits, entitlements and services.

As part of the recent update to FICAM TFS, we recognized the Agency need for standardized approaches to identity resolution in our Approval process for Credential Service Providers (CSPs) and Identity Managers (IMs).

The study done by the NASPO IDPV Project, "Establishment of Core Identity Attribute Sets & Supplemental Identity Attributes – Report of the IDPV Identity Resolution Project (February 17, 2014)" is currently being used as an industry based starting point for addressing this need. The study proposed 5 equivalent attribute bundles that are sufficient to uniquely distinguish between individuals in at least 95% of cases involving the US population.
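The following is an added example, not code from the FICAM TFS Program or the NASPO IDPV study, of how "sufficient to uniquely distinguish between individuals in at least N% of cases" can be measured for a candidate attribute bundle. The population, the three bundles and the normalization rules are all constructed for illustration; the study's actual bundles are not reproduced here. Records are canonicalized first (name case and whitespace, date of birth format, ZIP+4 suffix, phone punctuation) so that two renderings of the same value do not look like two different people, and a bundle "resolves" a record only if no other record in the population shares its canonical key.

```python
"""Added example: measure how well candidate identity-attribute bundles
resolve to a unique individual within a population (the context).

Constructed for illustration; not part of the FICAM TFS page or the NASPO
IDPV study. Records are fictional, bundles are hypothetical."""
import re
from collections import defaultdict

# Constructed sample population (fictional records, not real people).
# Records 0 and 1 differ only in rendering of name/DOB/ZIP and in phone.
POPULATION = [
    {"given": "Maria", "family": "Garcia", "dob": "1980-04-12", "zip": "20405", "phone": "202-555-0101"},
    {"given": "maria", "family": "GARCIA", "dob": "04/12/1980", "zip": "20405-1234", "phone": "202-555-0199"},
    {"given": "Maria", "family": "Garcia", "dob": "1985-09-30", "zip": "20405", "phone": "202-555-0155"},
    {"given": "John", "family": "Smith", "dob": "1975-01-05", "zip": "22201", "phone": "703-555-0111"},
    {"given": "John", "family": "Smith", "dob": "1975-01-05", "zip": "22202", "phone": "703-555-0122"},
    {"given": "Ayesha", "family": "Khan", "dob": "1992-11-20", "zip": "10001", "phone": "212-555-0133"},
]

# Hypothetical candidate bundles (the study's real bundles are not on the page).
BUNDLES = {
    "name+dob": ("given", "family", "dob"),
    "name+dob+zip": ("given", "family", "dob", "zip"),
    "name+dob+zip+phone": ("given", "family", "dob", "zip", "phone"),
}


def _norm_name(value):
    # Case-insensitive, whitespace-collapsed comparison of name parts.
    return " ".join(value.casefold().split())


def _norm_dob(value):
    # Accept ISO (YYYY-MM-DD) or US (MM/DD/YYYY) and canonicalize to ISO.
    if re.fullmatch(r"\d{4}-\d{2}-\d{2}", value):
        return value
    m = re.fullmatch(r"(\d{2})/(\d{2})/(\d{4})", value)
    if m:
        return f"{m.group(3)}-{m.group(1)}-{m.group(2)}"
    raise ValueError(f"unrecognized date of birth format: {value!r}")


def _norm_zip(value):
    # Compare on the 5-digit ZIP only; drop a ZIP+4 suffix.
    digits = re.sub(r"\D", "", value)
    if len(digits) < 5:
        raise ValueError(f"ZIP too short: {value!r}")
    return digits[:5]


def _norm_phone(value):
    # Keep the last 10 digits so punctuation and a country code do not matter.
    return re.sub(r"\D", "", value)[-10:]


NORMALIZERS = {"given": _norm_name, "family": _norm_name, "dob": _norm_dob,
               "zip": _norm_zip, "phone": _norm_phone}


def bundle_key(record, bundle):
    """Canonical tuple of a record's values for one bundle. A record missing a
    bundle attribute raises KeyError: an incomplete record cannot be resolved."""
    return tuple(NORMALIZERS[attr](record[attr]) for attr in bundle)


def resolution_report(population, bundle):
    """Return (unique, total, collisions): how many records the bundle resolves
    to exactly one individual, and which keys are shared by several records.
    unique/total is the 'distinguishes individuals in N% of cases' figure."""
    groups = defaultdict(list)
    for idx, rec in enumerate(population):
        groups[bundle_key(rec, bundle)].append(idx)
    collisions = {k: v for k, v in groups.items() if len(v) > 1}
    unique = sum(1 for v in groups.values() if len(v) == 1)
    return unique, len(population), collisions


def resolve(population, bundle, claim):
    """Indices of population records matching the claimed attribute values.
    Exactly one hit is a resolved identity; zero or several means this bundle
    is insufficient in this context and the relying party must ask for more
    (or fail closed) rather than guess."""
    key = bundle_key(claim, bundle)
    return [i for i, rec in enumerate(population) if bundle_key(rec, bundle) == key]


if __name__ == "__main__":
    for name, bundle in BUNDLES.items():
        unique, total, collisions = resolution_report(POPULATION, bundle)
        print(f"{name:20s} resolves {unique}/{total} = {unique / total:.0%}; "
              f"unresolved groups: {list(collisions.values())}")
```

Running it shows the effect the TEM is concerned with: name plus date of birth resolves only 2 of 6 records here, adding ZIP separates the two John Smiths but not the two Maria Garcia renderings, and only the fullest bundle resolves every record. Whether records 0 and 1 are one person entered twice or two people is exactly what a weaker bundle cannot tell you, which is why a relying party should treat a multi-hit result as unresolved.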

TEM FOCUS

The FICAM TFS Program recognizes that the NASPO IDPV study is a starting point, not the end of the discussion. As such, we are convening this TEM to:
  • Articulate the identity federation needs of government agencies as they relate to identity resolution, balancing identity assurance, privacy-respecting approaches and cost-effectiveness
  • Solicit feedback from participants with expertise in identity proofing and attribute management on publicly sharable data, studies and approaches that enable unique identity resolution within the U.S. population for the explicit purpose of delivering high value online government services
  • Identify shortcomings in current studies on this topic, discuss factors to mitigate them, and identify areas to focus on for near term and future research investments

REQUEST FOR DISCUSSION TOPICS and STUDIES

If you have expertise in identity resolution, identity proofing and related privacy aspects, and have data-backed research and results to share on this topic, we are interested in hearing from you. Please contact us at TFS.EAO@gsa.gov by COB 4/16/14 with your proposed discussion topic.


DRAFT AGENDA for 05/01/2014

09:00 AM - 09:30 AM Attendee Check-In
09:30 AM - 10:10 AM Welcome & TEM Overview/Goals/Level Set

10:15 AM - 11:10 AM Agency Viewpoint Panel on Identity Resolution + Privacy
[CMS, DHS, GSA, NIST, SSA, State Dept - Moderated by NIST]
11:15 AM - 11:45 AM Audience Discussion / Q&A

11:45 AM - 01:00 PM LUNCH (On your own) & NETWORKING

01:00 PM - 01:55 PM Industry Viewpoint Panel on Identity Resolution + Privacy
[CertiPath, Experian, ID/DataWeb, LexisNexis, SecureKey, Socure, Symantec - Moderated by NIST]
02:00 PM - 02:30 PM Audience Discussion / Q&A

02:30 PM - 02:45 PM BREAK

02:45 PM - 03:40 PM Joint Panel on Business Models / Cost / Innovation
[Agency & Industry Panelists - Moderated by Kantara Initiative]
03:45 PM - 04:15 PM Audience Discussion and Q&A

04:15 PM - Event Wrap-up

Sign up for our notification list @ http://www.idmanagement.gov/trust-framework-solutions to be kept updated on this and future FICAM TFS news, events and announcements.


:- by Anil John
:- Program Manager, FICAM Trust Framework Solutions

ICAM Information Sharing Day and Vendor Expo - Spring 2014

We are pleased to announce that attendee registration is now open for the Spring 2014 ICAM Information Sharing Day and Vendor Expo. 

The event will be held at the GSA Central Office location (1800 F Street NW, Washington, DC 20405) on Wednesday, April 16th, with registration beginning at 8:00 a.m. and closing remarks wrapping up at 3:15 p.m.

This event will consist of panel discussions, government-wide updates, interactive breakout sessions, a vendor expo with representation from over 20 vendors, and dedicated time for informal networking. 

The theme of this year's ICAM Day is Leveraging ICAM to Address Cybersecurity Threats, and the sessions will provide a variety of insights for ICAM professionals. Session topics will include enabling secure information sharing, addressing mobile security with ICAM, and responding to the impacts of NIST guidelines on ICAM.

This event is open to government employees, contractors, and industry representatives (e.g., vendors).

Space is limited and early registration is recommended. Online registration at http://www.gsa.gov/portal/content/188995

:- Deb Gallagher, Paul Grant & Leo Scanlon
:- ICAMSC Co-Chairs

HOW-TO: Become a FICAM TFS Approved Identity Service

The FICAM Trust Framework Solutions (TFS) Program is focused on enabling and supporting the security, privacy and interoperability requirements of Government to Citizen (G2C) and Government to Business (G2B) online services.

The assurance needs of such services range from level 1 to level 4, with the majority of services requiring assurance levels 2 and/or 3. The following is a high level overview of the FICAM TFS Approval Process for Identity Services at assurance levels 2 and 3:





Step 1 in the above process can be initiated by contacting the FICAM TFS Program @ TFS.EAO@gsa.gov

A complete overview of the program and of the end-to-end approval processes can be found in the "FICAM Trust Framework Solutions Overview" and "Authority To Offer Services (ATOS) for FICAM TFS Approved Identity Services" documents, which also cover:
  • Streamlined level 1 approval process
  • Fast-track approval process for Financial Institutions required to implement a Customer Identification Program by Government regulators
  • High assurance approval process for PKI/Level 4 identity services that leverage existing Federal PKI Policy Authority processes

:- by Anil John
:- Program Manager, FICAM Trust Framework Solutions

FICAM TFS Component Identity Services Terminology

As part of a recent update, the concept of component identity services was incorporated into the FICAM Trust Framework Solutions (TFS). The component identity service model "separates the functions of authentication and attribute providers".

This reflects an industry trend in which these functions are increasingly offered by separate service providers, driven by two factors:
  • Vendors have focused their offerings on their core strengths, which leads to improved quality of service for agency Relying Parties.
  • Some identity solution architectures require, or benefit from, separated services, which gives agency Relying Parties a wider choice of services and the flexibility to select only those services that are needed from an external provider.
The model, shown below, utilizes the following OMB and NIST terminology:
  • Token: Something that an individual possesses and controls that is used to authenticate the individual
    • Tokens are possessed by an individual and controlled through one or more of the traditional authentication factors (something you know, have, or are)
  • Identity: A set of attributes that uniquely describe an individual within a given context
  • Credential: An object or data structure that authoritatively binds an identity to a token possessed and controlled by an individual


NOTE: The above model is based on assurance and identity concepts that have been discussed in multiple jurisdictions and communities. In particular, the FICAM TFS Program would like to acknowledge the contributions of the Canada TBS and the Kantara IAWG.

The value of the model lies in the flexibility possible in combining the various functions as part of an industry service offering.

Within the framework of the FICAM TFS Program, the following three combinations are recognized:

A Credential Service Provider, which offers:
  • Token Management Services
  • Authentication Services
  • Identity Proofing Services
  • Attribute Validation Services



A Token Manager, which offers:
  • Token Management Services
  • Authentication Services 




An Identity Manager, which offers:
  • Identity Proofing Services
  • Attribute Validation Services


It should be noted that in all three cases, consent services are implementation specific and driven by policy.

The FICAM TFS Program recognizes that, especially in the private sector, identity service functions may be conducted by separate and independent entities that have relationships based on contracts as well as laws and regulations. As such, it supports a flexible conceptual model that brings together token managers, identity managers and credential service providers.

:- by Anil John

FICAM Trust Framework Solutions (TFS) Program - Updated

The FICAM Trust Framework Solutions (TFS) is the federated identity framework for the U.S. federal government. It includes guidance, processes and supporting infrastructure to enable secure and streamlined citizen- and business-facing online service delivery.

For the first time since the inception of the Program in 2009, we are releasing a comprehensive update to the Program to incorporate Agency implementation feedback, ongoing lessons learned regarding the operational needs of shared service initiatives such as the Federal Cloud Credential Exchange (FCCX), as well as updates made as a result of changes in the private sector marketplace of identity services.

The FICAM Trust Framework Solutions Overview provides a holistic overview of the FICAM TFS Program:
  • Description of the components that make up the TFS Program
  • The TFS role in supporting Government-wide policy and National Strategy implementations
  • TFS and its implementation by Government Agencies
  • TFS fast-track process for Financial Institutions required to implement a Customer Identification Program by Government regulators 
  • Relationship to the FICAM Testing Program for on-premise vendor solutions that implement FICAM protocol profiles 

The components of the FICAM TFS Program are:
  • The Trust Framework Provider Adoption Process for All Levels of Assurance describes the process by which the TFS Program evaluates and adopts commercial Trust Frameworks for use by the U.S. federal government
    • Overview of the Trust Framework Adoption Process
    • Incorporation of the privacy trust criteria into the Trust Framework adoption process
    • Updated trust criteria to incorporate NIST SP-800-63-2
    • Streamlined LOA 1 Trust Criteria
    • Introduction of ongoing verification as an OPTIONAL trust criterion
    • Support for Component Identity Services, and associated standardized terminology
    • TFS Program's relationship to entities (CSPs etc.) that are assessed and evaluated by an adopted Trust Framework Provider
       
  • The Authority To Offer Services (ATOS) for FICAM TFS Approved Identity Services makes explicit the requirements that identity services need to satisfy in order to offer their services to the U.S. federal government
    • Clarification of approval decision authority of the FICAM TFS Program
    • Explicit testing and verification of service interfaces to assure conformance to approved protocols and profiles
    • Requirement to implement tested interfaces by the solution provider when offering the service to Government
    • Standards based attribute requirements to enable identity resolution by Government relying parties at LOA 2 and greater
       
  • The Identity Scheme and Protocol Profile Adoption Process describes the process by which protocol profiles are created, adopted and used by the government to ensure that the RP application and the CSP communicate in a secure, interoperable and reliable manner.
    • Updated to allow the flexibility for Government to adopt protocol profiles created by industry, provided it meets Government needs for security, privacy and interoperability
    • Standardized assurance level URIs for use in protocol profiles
       
  • The Relying Party Guidance for Accepting Externally Issued Credentials provides guidance to Agencies on leveraging federated identity technologies to accept externally issued credentials
     
  • The E-Governance Trust Services Certificate Authority provides a certificate issuance capability that supports the federated identity use cases of Agencies that require endpoint and message level protections
     
  • The E-Governance Trust Services Metadata Services (EGTS Metadata Services), once implemented and made available, provides a trusted mechanism for the collection and distribution of metadata to enable identity federation capabilities
All of the above documents, except for the Relying Party Guidance and the EGTS CA Concept of Operations, are currently in DRAFT status while we seek feedback from our Public and Private sector stakeholders.

For those outside the U.S. federal government, there will be an opportunity to engage in a facilitated discussion and Q&A with the FICAM TFS Program Manager during the December 4, 2013 meeting of the IDESG Trust Framework and Trustmark (TFTM) Committee.

UPDATE 2/7/2014:  The updates to the FICAM TFS have been finalized and are now available.

:- by Anil John
:- Program Manager, FICAM Trust Framework Solutions

Federal ICAM Information Sharing Day and Vendor Expo

The Federal ICAM Information Sharing Day and Vendor Expo will take place on Tuesday, June 18, 2013 from 8:00 a.m. to 4:00 p.m.

This event will consist of presentations, panel discussions, and breakout sessions on pressing issues facing the Federal Government’s ICAM programs today. Attendees will also benefit from a vendor exhibit, showcasing technology solutions to satisfy ICAM needs.

This free event is open to government employees, contractors, and industry representatives (e.g., vendors).

LOGISTICS/VENUE INFORMATION  

The ICAM Information Day and Vendor Expo will be held on June 18, 2013 from 8:00 a.m. to 4:00 p.m. at the following location:

GSA One Constitution Square Building
1275 First Street NE, Washington

REGISTRATION INFORMATION

Those attending ICAM Information Day and Vendor Expo should register at the following site: http://www.gsa.gov/ICAMexpo

Special Information for Vendor Registration

If you plan to participate in the Spring 2013 ICAM Day’s Vendor Expo, please complete the registration process and choose your affiliation as a "Vendor". Upon registration, you will be contacted by the conference coordinator to provide additional details for exhibit coordination. ICAM Day vendor registration is free, but limited to the first 25 vendors.

AGENDA

Please note that the agenda is subject to change.

8:00 – 9:00 Registration
9:00 – 9:10 [Deb Gallagher (GSA), Paul Grant (DoD)]
9:10 – 9:30 [Chi Hickey (GSA)]

9:30 – 10:30 Panel Discussion: Attribute Exchange and Information Sharing in Action
Panelists will share the latest updates on technology and approaches for attribute exchange and the importance of information sharing and safeguarding to the national cybersecurity agenda.
[Anil John (GSA), Moderator; David Coxe (ID DataWeb, Inc.); Dieter Schuller (Radiant Logic); Nathaniel (Ted) Sobel (DHS); John F. Wandelt (GTRI); Martin Smith (PM-ISE)]

10:30 – 11:30 Panel Discussion: Externalizing Authentication
Panelists will provide insights into how Agencies can externalize authentication using shared services. Participants include members of the OMB MAX Authentication Team as well as members of the Federal Cloud Credential Exchange (FCCX) Team.
[Anil John (GSA), Moderator; FCCX Team; MAX.GOV Team]

11:30 – 12:30 Lunch break (lunch not provided)

12:30 – 4:00 Vendor Expo

12:30 – 1:15 Breakout Session 1 (four parallel sessions)
  • FICAM Procurement [Government Only. PIV Required for Entrance]: An interactive discussion with agencies with regards to challenges and gaps in procuring PACS components/systems from the Approved Products List. Potential discussion topics include breakdown of new PACS categories, severity levels/risks, ICAM test cards, development of acquisition language that complies with policy and meets agency needs, and defining acquisition requirements for relevant ICAM systems.
  • Driving Mobility Forward with ICAM: A discussion of current trends and technology within the mobile environment. Potential discussion topics include contactless, enterprise architecture, and strategies for supporting a mobile, remote workforce.
  • Enterprise PACS Solution Best Practices: A discussion of lessons learned, solutions, and processes to support implementation of agency-wide enterprise PACS and PIV-enablement. Potential discussion topics include managing risk, designing an enterprise PACS, and migrating to strong authentication using the PIV Card.
  • Realizing the Value of ICAM: A discussion of how to plan, implement, and measure an agency ICAM program focused on efficiency, cost-savings, and value. Potential discussion topics include the strategic importance of ICAM as a mission enabler, messaging ICAM to leadership, prioritizing and securing investments, and selecting cost-effective design and solutions for implementation.

1:20 – 2:05 Breakout Session 2 (the same four breakout sessions as Session 1, repeated)

2:10 – 2:35 Accelerating the implementation timeline and reducing the cost of PIV in application by using Cloud services
[Xceedium; Amazon Web Services]

2:35 – 3:35 Panel Discussion: Tackling an Evolving Mobile Environment
Panelists will discuss approaches for addressing common mobility and security-related challenges. The panel will include agency representatives at different stages of program planning and execution, as well as participants from policy and technical viewpoints.
[Donna Dodson (NIST), Moderator; John Hickey (DOD/DISA); Tom McCarty (DHS); Adam Zeimet (USDA)]

3:35 – 3:55 OMB ICAM Update [Government Only. PIV Required for Entrance]
[Carol Bales (OMB)]

3:55 – 4:00 Closing Remarks
[Salomeh Ghorbani (GSA)]

FICAM Trust Framework Solutions TFPAP Update v1.1.0

The FICAM Trust Framework Solutions (TFS) Trust Framework Provider Adoption Process (TFPAP) has been updated to v1.1.0 (PDF).
This is a point update that does not change any of the existing TFP processes but instead:
  • Acknowledges an existing internal Government process in order to recognize non-federally issued PKI providers, who are cross-certified with the Federal Bridge, as approved Credential Service Providers under the FICAM Trust Framework Solutions umbrella. 
  • Incorporates the Trust Framework Solutions (TFS) "branding" under FICAM. 
The relevant text that acknowledges the existing processes is the following:
The FICAM Trust Framework Solutions (TFS) cover remote electronic authentication of human users to IT systems over a network. It does not address the authentication of a person who is physically present.
The TFS is inclusive of externally issued PKI and non-PKI credentials at OMB Levels of Assurance 1, 2, 3 and 4:
  • For PKI based credentials the TFS recognizes the Federal PKI Policy Authority (FPKIPA) as a TFS approved Trust Framework Provider and will rely on its proven criteria and methodology for non-Federally issued PKI credentials. 
  • For non-PKI credentials, each Identity Provider and TFP must demonstrate trust comparable to each of five categories (registration and issuance, tokens, token and credential management, authentication process, and assertions) for each Level of Assurance at which it wishes its credentials to be trusted by government applications (including physical access control systems).
The other point to note is the establishment of the Trust Framework Solutions "branding" under FICAM to acknowledge the C2G and B2G aspects that FICAM is responsible for (FICAM in the Federal Government covers areas beyond C2G and B2G). At a high level, we are bucketing the C2G and B2G pieces under the TFS umbrella and are expecting the TFS, in the near term, to "own" the:
  1. Trust Framework Provider Adoption Process (TFPAP)
  2. The Relying Party Guidance on Accepting Externally Issued Credentials (Currently under internal review)
  3. FICAM TFS Trust Mark (Future)
:- by Anil John