Overview of US Federal Identity Management Initiatives

1. Overview of US Federal Identity Management Initiatives Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority and Asst. CIO E-Authentication, NIH

2. Federal Initiatives • eAuthentication • Focus on eCommerce, services, etc. • HSPD-12 • Focus on security

3. eAuthentication Initiative • Provide electronic identity authentication services for online government applications • Manage the Federal Federation – extends services to private sector credential providers and online services • Set standards for assertion-based authentication tools • Offers standard risk assessment tool • Standard Architecture and Policy foundations

4. Architecture SAML assertions for LOA 1, 2 (encapsulate userid/passwords) Vendor interoperability required for addition to approved vendor list SAML 1.0 currently supported; SAML 2.0 specs being developed PKI or OTP for LOA 3 PKI for LOA 4 Scheme translator available VOMS-like transactions Policy/Procedures Credential assessments for all CSPs, CAF for assertion-based credentials; cross certification with Federal PKI for crypto-based credentials Federal PKI Policies define requirements for digital certificate trustworthiness Business and Legal Rules define service requirements for all LOA Minimal addition to Federal PKI agreements Summary of Architecture and Policy/Procedures

5. Credential Service Providers Covers 4 LOA Assertion-based identity credentials for L 1, 2 Crypto-based identity credentials for L 3, 4 Service Requirements Related to uptime, user support, etc. Interfederation Arrangements Encouraged Agency Applications Federal Agency Applications and Services Mandated by Administration Service Requirements Related to uptime, user support, etc. The Federal Federation

6. Homeland Security Presidential Directive 12 • A Presidential Mandate for Federal Agencies to issue medium hardware assurance (or better) identity credentials for access to physical and logical government resources - inside-the-firewall contractors, too • Medium Hardware or High Assurance digital certificates on PIV-2 cards (nextgen SmartCards) • Fast-tracked for implementation starting 10/2006 • Led to new government standards for identity proofing and vetting (FIPS 201) and for PKI hardware tokens (NIST SP 800- 7x series)

7. Interoperability Initiatives • CertiPath – Federal Bridge cross-certification complete • SAFE PKI Bridge and services – supporting digitally-signed electronic forms and document management; initial work about to begin • inCommon – EAI interoperability initiative under way (Internet2 push; assertion-based technology, LOA 1 & 2) – demonstration project with NSF scheduled for fall 2006

8. Overview of Federal PKI Common Policy SSPs In discussion TAGPMA CertiPathSSP FBCA Test since 2002 begun CertiPath SAFE C4 HEBCA? Industry PKIs eGCA (3)

9. Overview of Federal PKI HEBCA? DOD DHS NASA Commerce USPS USPTO HHS DOE ILUSDA/NFC DOJ Boeing State DOD/ECA GPO Treasury Wells Fargo MIT LL Common Policy Total: 12 – 15M users SSPs VeriSign Cybertrust ORC Treasury GPO? Exostar? Identrust? Entrust? TAGPMA Serving all other Agencies CertiPathSSP FBCA begun Abbott Labs AstraZeneca Bristol-Myers Squibb Genzyme GlaxoSmithKline INC Research Johnson & Johnson Merck Pfizer Procter & Gamble Sanofi-Aventis TAP Pharmaceuticals CertiPath SAFE C4 Industry PKIs USHER? Boeing Northrop Grumman Raytheon Lockheed Martin Airbus BAE eGCA (3) EAF member CSPs TLS certs

10. Technology Implications • US Government LOA likely to be general model, • standardized risk analysis, • standards for PIV cards and identity proofing and vetting are here and INEVITABLY will migrate everywhere • Pickup already noted in pharmaceutical industry, aerospace industry, homeland security

11. Resources • www.cio.gov/eauthentication • http://csrc.nist.gov/pki • www.cio.gov/ficc • www.smartcardalliance.org