David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy

1. EAP and EAI Alignment: FiXs Pilot Project December 14, 2005 David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy

2. EAI/EAP Common Trust Framework • EAI: OMB M-04-04 - Established and defined 4 authentication assurance levels as Governmentwide policy • EAP: Adopted OMB M-04-04 authenticatcion assurance levels 1. Establish & define authentication risk and assurance levels • EAI: NIST Special Pub 800-63 Authentication Technical Guidance – Established authentication technical standards at 4 established assurance levels • EAP: Adopted NIST SP 800-63 standards 2. Establish technical standards & requirements for e-Authentication systems at each assurance level • EAI: Credential Assessment Framework – Standard methodology for assessing authentication systems of credential service providers • EAP: Service Assessment Criteria – Standard methodology for assessing authentication systems of credential service providers 3. Establish methodology for evaluating authentication systems at each assurance level 5. Perform assessments and maintain trust list of trusted CSPs • EAP: Trusted CSP List • EAI: Trusted CSP List • EAI: EAI Federation Business Rules and Service Agreements • EAP: EAP Business Rules and Agreements 6. Establish common business rules for approved CSPs

3. Identity Federation Models The models for identity federation strongly impact decisions on technical architecture and governance. • Bi-lateral (peer-to- peer) • Hub & Spoke (unilateral) • Circle of Trust (many-to-many) Federated ID Federated ID Federated ID Federated ID Federated ID Federated Federated Federated ID ID ID Federated ID

4. EAP Vision: Multiple, Interoperable Federations EAP Common Governance Common Trust Framework & Rules Common Architecture & Interoperable Products IDP IDP IDP IDP IDP IDP Federation 2 Federation 1 SP/RP SP/RP SP/RP SP/RP SP/RP SP/RP SP/RP SP/RP

5. EAI/EAP Alignment EAP EAI Common Assurance Levels Common Authentication Standards 2004 Reciprocal CSP Trust Certifications Common Designated Assessors 2005 Joint Pilots And Projects Common Business Rules 2006 Common Architecture Common Protocols Common Data Models 2007

6. FiXs & EAP Pilot Sponsors • EAP.Established to create a structure to use government-approved credentials for logical access for government and business applications.Has business process and trust framework for logical access but needs to add transaction processing for e-authentication and an accreditation process for federations that adopt EAP rules. • U.S. General Services Administration.Needs to facilitate e-authentication for commercial sector partners anda commercial process for certifying logical and physical authentication service providers and federations. • FiXs.Established to provide federated authentication of credentials for the purpose of physical access to DoD facilities and contractor sites.Wants to provide logical access functionality and PIV/HSPD-12 functionality in a federated environment for its membership. • U.S. Department of Defense. Seeks high security and identity assurance for external access to DoD systems and to leverage its investment in physical access authentication. Objective Demonstrate interoperability by enabling federated single card authentication for logical and physical authentication for token based access to commercial and government facilities and systems.

7. DCCIS Background Challenge for DoD and its Contractors:Need for authentication system for DoD employees and its contractors for physical access at their respective facilities without issuing an additional set of credentials. Solution: DCCIS Pilot & Prototype.DCCIS pilot/prototype system for DMDC employees to use CAC cards and several contractors to use their corporate badges to authenticate at participating facilities using a Trust Gateway Broker to retrieve identification data and validate credentials. (2003) AUTHENTICATION Contractor 1 DoD Facility 1 DCCIS TGB PHYSICAL ACCESS Contractor 2 DoD Facility 2 Contractor n DoD Facility n

8. DCCIS TGB FiXs TGB FiXs: An Extension to DCCIS Challenge for DoD and its Contractors:Need to deploy DCCIS system to 224 DoD bases and their contractors (@ 110,000) in a timely and cost-effective manner. Solution: FiXs.Commercial system that mimics and links to DCCIS to extend the authentication system out to encompass all eligible participants. Contractor 1 DoD Facility 1 Contractor 2 DoD Facility 2 Contractor 3 DoD Facility 3 Contractor 4 DoD Facility 4 PHYSICAL ACCESS AUTHENTICATION FOR Contractor 5 DoD Facility 5 Contractor 6 DoD Facility 6 Contractor n DoD Facility n

9. ECA, Etc. Fed Bridge EAI EAP Framework EAP: Trust Framework for E-Authentication Challenge for Federal Agencies and the Commercial Sector:Need to deploy a cross-domain electronic authentication system that enables secure logical access between the Federal government and commercial contractors and companies. Solution: EAP.Create a structure to use government-approved credentials used under E-Authentication Initiative, ECA, the Federal Bridge, etc. for other business applications. Company 1 Network Fed Gov Network 1 Company 2 Network Fed Gov Network 2 LOGICAL ACCESS AUTHENTICATION FOR Company 3 Network Fed Gov Network 3 Company n Network Fed Gov Network n

10. FiXs TGB ECA, Etc. Fed Bridge DCCIS TGB EAI EAP Framework FiXs Expansion: EAP + PIV/HSPD-12 System Usage Expansion. New member recruitment, deployment to DoD sites worldwide, potential expansion and compliance with PIV/HSPD-12. Expansion to Logical Access. Logical access functionality will be piloted by aligning with EAP and other federations in the future, e.g., TSCP. Company 1 Facility/Network Fed Gov Facility/Network 1 Company 2 Facility/Network Fed Gov Facility/Network 2 LOGICAL ACCESS AUTHENTICATION FOR PHYSICAL ACCESS Company 3 Facility/Network Fed Gov Facility/Network 3 Company n Facility/Network Fed Gov Facility/Network n

11. Attributes of the Business Model • Association Model.Control processes across entities that are not directly affiliated. Funding based on membership and dues. • Intermediary Multi-Party Contracts.Members sign contract to single intermediary rather than multi-lateral contracts across Members. • Operating Rules.Provides uniformity and process control and incorporates policies and technical specifications by reference. • Distribution of Investment, Risks & Liabilities.Reduces risks to individual Members through risk and liability allocation and spreading investment across Members. • Community of Interest of Users.Provides forum for policy alignment and resolution of issues that are obstacles to market development using a trust model. • Recognized by Government.Government requirements incorporated into system and program – government acknowledges and regulates by reference.

12. FiXs & EAP Pilot Outcome To enable interoperability between FiXs and EAP for combined physical and logical access in a federated environment, fill in the gaps and harmonize existing policies and infrastructure. • Align Rules & Policies.Align FiXs Operating Rules and policies with EAP Business Rules and trust framework. • Harmonize Certification Process.Establish requirements and a process for certifying FiXs and EAP Issuers and Relying Parties as well as infrastructure components. • Build Out Technical Architecture. Build out FiXs technical architecture to accommodate EAP e-authentication transactions and establish a combined transaction environment. • Adapt Technical Specifications.Adapt FiXs interface design, system software design and hardware/software functional requirements that enable a FiXs and EAP operational environment. • Accommodate Multiple Tokens.Accommodate existing FiXs and EAP Member tokens/cards/credentials and migrate to PIV/HSPD-12 compliant card.