EDUCAUSE June 15, 2006

1. Federal Identity Management InitativesDavid Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy EDUCAUSE June 15, 2006

2. Industry and EAI ID Federation/Authentication Alignment The Federal Government is seeking to align with industry in the following ways in order to meet the mandates for government-wide e-Authentication services: • Common trust framework for reciprocal trust • Common business & operating rules for business interoperability • Common technical infrastructure (i.e., architecture, protocols, data models, testing) for technical interoperability • Common business models for ID federation adoption/interoperability.

3. A VERY Simplified View of the Federal EAI Architecture EAI SAML Trust List PIN, Passwords User ID Levels 1 & 2 Online Apps & Services Banks Financial Inst. Universities Agency Apps Commercial CSPs CAF Levels 1 & 2 CSPs SAML Assertions SDT Digital Certificates Levels 3 & 4 Online Apps & Services Levels 3 & 4 CSPs FBCA X-Certification Digital Certificates One-Time Passwords Multi-Factor Authentication (HSPD-12) FBCA PKI Trust List Federal Agency PKIs Other Gov PKIs Commercial PKIs PKI Bridges

4. EAI/EAP Common Trust Framework • EAI: OMB M-04-04 - Established and defined 4 authentication assurance levels as Governmentwide policy • EAP: Adopted OMB M-04-04 authentication assurance levels 1. Establish & define authentication risk and assurance levels • EAI: NIST Special Pub 800-63 Authentication Technical Guidance – Established authentication technical standards at 4 established assurance levels • EAP: Adopted NIST SP 800-63 standards 2. Establish technical standards & requirements for e-Authentication systems at each assurance level • EAI: Credential Assessment Framework – Standard methodology for assessing authentication systems of credential service providers • EAP: Service Assessment Criteria – Standard methodology for assessing authentication systems of credential service providers 3. Establish methodology for evaluating authentication systems at each assurance level 5. Perform assessments and maintain trust list of trusted CSPs • EAP: Trusted CSP List • EAI: Trusted CSP List (pending) • EAI: EAI Federation Business Rules and Service Agreements • EAP: EAP Business Rules and Agreements 6. Establish common business rules for approved CSPs

5. EAI/EAP Alignment EAI EAP Common Assurance Levels Common Authentication Standards 2004 2005 CSP Assessments CSP Trust Lists 2006 Reciprocal CSP Trust Certifications Common Designated Assessors EAP Projects EAI Projects 2007 Joint Pilots And Projects Common Business Rules 2008 Common Architecture Common Protocols Common Data Models Common Business Model

6. Components of EAP Trust Framework in FiXs Pilot 1. Establish & define authentication risk and assurance levels • EAP/FiXs: Adopted OMB M-04-04 authentication assurance levels 2. Establish technical standards & requirements for e-Authentication systems at each assurance level • EAP: Adopted NIST SP 800-63 standards • FiXs: Adopted NIST FIPS 201 standards • EAP: Service Assessment Criteria – Standard methodology for assessing authentication systems of credential service providers • FiXs: Certification standards and security requirements 3. Establish methodology for evaluating authentication systems at each assurance level 5. Perform assessments and maintain trust list of trusted CSPs • EAP/FiXs: Trusted CSP Lists 6. Establish common business rules for approved CSPs • EAP: EAP Business Rules and Agreements • FiXs: FiXs Business and Operating Rules

7. Core FiXs Pilot Objectives - EAP

8. FiXs Pilot Objectives - Expanded

9. Cross-Federation Trust Certifications • FiXs trust certifications will be made at assurance level 4+, as FiXs will be certifying against FIPS 201/HSPD-12 standards/requirements. • EAP may determine to accept FiXs certifications as meeting EAP SAC level 4 authentication assurance • Federal EAI may determine to accept FiXs and/or EAP certifications as meeting EAI CAF level 4 authentication assurance EAP Trust Certifications FiXs Trust Certifications EAI Trust Certifications

10. Federal Interoperability Lab • Tests interoperability of products for participation in e-Authentication architecture. • Conformance testing to Fed e-Authentication Interface Specification • Interoperability testing among all approved products • Currently 11 SAML 1.0 products on Approved Product List. • See URL: http://cio.gov/eauthentication • Multiple protocol interoperability testing will be very complex • 4 Products approved for PKI certificate path discovery & validation • GSA intends to continue to test architecture components for interoperability and capability to meet governmentwide use requirements

11. And then there’s HSPD-12 … Homeland Security Presidential Directive 12 (HSPD-12): “Policy for a Common Identification Standard for Federal Employees and Contractors” Dated: August 27, 2004

12. IDM Policy and Acquisition Landscape • Key governmentwide initiatives have established program, policy, and technical requirements for authentication and identity management. • GSA Is establishing “approved products/services” for each authentication service line based on compliance with established requirements. • Consolidate multiple offerings of Identity Management products & services from GSA acquisition schedules and GWACs onto IT Schedule 70, SIN 132-60, Authentication Products and Services • Authentication service lines on SIN 132-60 include: • ACES • PKI Shared Service Providers (HSPD-12) • PIV Service Components (HSPD-12) • PIV Integrators (HSPD-12) • Approved FIPS-201 Products and Services (HSPD-12) • E-Authentication Architecture Components. • All require active program management to ensure compliance with program requirements and keep pace with marketplace changes.

13. OMB Guidance – Key Points OMB Guidance for HSPD-12 - M-05-24:   • To ensure government-wide interoperability, agencies must acquire only products and services that are on the approved products list • Agencies must include language implementing the FIPS 201 Standard in applicable new contracts • GSA is designated the “executive agent for Government-wide acquisitions of information technology" for the products and services required by HSPD-12 • GSA will make approved products and services available through blanket purchase agreements under IT Schedule 70 • GSA will ensure all approved BPA suppliers provide products and services that meet all applicable federal standards and requirements http://www.whitehouse.gov/omb/memoranda/fy2005/m05-24.pdf

14. GSA’s Role • Establish interoperability and common performance testing to meet NIST standards • Compliance for GSA contractors (e.g., cleaning, maintenance, etc.) • Award SIN 132-62 listings as approved products and services become available • Establish Approved Products Lists for product categories requiring FIPS 201 compliance • Provide full-range of qualified products and services to meet Agency implementation needs

15. HSPD-12 Service Components Enrollment Service Provider Systems Infrastructure Provider Production Service Provider Enrollment/registration Stations & managed service Enrollment Data Card Data CMS Card Printing Inventory, Distribution IDMS Services inside dotted rings may be provided as shared infrastructure. FPKI SSP FPKI SSP & FBCA Cross-certified PKI Card Management Services Agency PACS Finalization Service Provider Cards issued and Activated Agency LACS

16. For More Information • Visit our Websites: • http://www.idmanagement.gov • http://www.cio.gov/eauthentication • http://www.cio.gov/ficc • http://www.cio.gov/fbca • http://www.cio.gov/fpkipa • http://www.cio.gov/fpkisc • http://www.smart.gov/ • Or contact: David Temoshok Director, Identity Policy and Management 202-208-7655 david.temoshok@gsa.gov