The FICAM Roadmap and Implementation Guidance calls out initiatives that are both Government-wide as well as Agency-specific. Two Government-wide initiatives that are of relevance to identity federation are:
- Establish a federated identity framework for the Federal Government
- Provide Government-wide services for common ICAM requirements
A very large piece of the federated identity framework is the Trust Framework Solutions (TFS) initiative under FICAM. The TFS is a process by which Industry Trust Frameworks (The codification of requirements for credentials and their issuance, privacy and security requirements, as well as auditing qualifications and processes) are evaluated and assessed for potential use by the Government. A Trust Framework that is comparable to federal standards is adopted through this process, which allows Federal Government Relying Parties (RPs) to trust Credential Service Providers a.k.a Identity Providers that have been assessed under that particular trust framework. The key point here is that there is a level of abstraction in that the Government does not directly evaluate or certify Identity Providers, but instead adopts a Trust Framework Provider who does that evaluation and certification.
I will leave the shared services piece for a future blog post.
The current list of adopted trust framework providers, and the upper limit of the LOA levels they are approved to assess IdPs, can be found here. IdPs that have been assessed by these Trust Framework Providers are now able to offer credentials at LOA1 to non-PKI LOA3. For Agencies who need higher levels of assurance, there are now Shared Service Providers that now offer PIV-I Credentials (PKI Credentials at LOA4 that can be issued by Non-Federal Organizations) as well.
This in turn has positioned the eco-system to be able to fulfill the OMB Mandate to Executive Branch Agencies to accept externally-issued, FICAM approved, identity credentials [PDF] on their public facing web sites. FICAM has been actively engaging with Agencies across the US Government to help them light up these capabilities on their externally facing web sites so Citizens have flexibility and choice in using their existing credentials to obtain services from Government web sites.
In addition, the FICAM Federation Interoperability Working Group (FIWG), composed of cross-government stakeholders, is working on:
I will leave the shared services piece for a future blog post.
The current list of adopted trust framework providers, and the upper limit of the LOA levels they are approved to assess IdPs, can be found here. IdPs that have been assessed by these Trust Framework Providers are now able to offer credentials at LOA1 to non-PKI LOA3. For Agencies who need higher levels of assurance, there are now Shared Service Providers that now offer PIV-I Credentials (PKI Credentials at LOA4 that can be issued by Non-Federal Organizations) as well.
This in turn has positioned the eco-system to be able to fulfill the OMB Mandate to Executive Branch Agencies to accept externally-issued, FICAM approved, identity credentials [PDF] on their public facing web sites. FICAM has been actively engaging with Agencies across the US Government to help them light up these capabilities on their externally facing web sites so Citizens have flexibility and choice in using their existing credentials to obtain services from Government web sites.
- Developing guidance around federated access using credentials at various levels of assurance
- Profiling federated identity protocols to integrate government security and privacy requirements
- Facilitating relationships for interoperability within the Federal Government and outside of the Federal Government (C2G, B2G, and G2G)
- Supporting activities that bridge the gap between technical and policy aspects of ICAM
The first deliverable that we are working on within the FIWG is a living resource/document called the "FICAM Relying Party Guidance". It seeks to provide guidance, best practices and approaches on how Federal Government web sites (Relying Parties) can accept FICAM approved third party credentials for C2G and B2G use cases, while still accepting PIV Credentials for G2G use cases.
I am sure that we are not the first to do this and we have little interest in re-inventing the wheel. If you are a member of an active Identity Federation, I would be very interested in pointers to documents or having a conversation regarding guidance you provide to your Relying Parties (policy, technical, ROI and more) that eases their concerns about Federation and lowers their barriers to entry.
