Spring 2013 ICAM Day Federal CIO Council Information Security and Identity Management Committee IDManagement.gov Value of ICAM Breakout Session Paul D. Grant Director of Cybersecurity Policy, DoD CIO Co-Chair, Federal Identity, Credential & Access Management Sub-Committee ICAM is part of the Foundation for Major Initiatives Continuous Monitoring Mobile Device and Mobile Device Management FICAM helps Federal Agencies support disaster recovery efforts Ex. DoD supporting FEMA and local law enforcement agencies FICAM is a crucial component of secure information sharing Through strong authentication, continuous monitoring, and driving out anonymity, national cyber security goals can be reached National Strategy for Trusted Identities in Cyberspace (NSTIC) National Strategy for Information Sharing and Safeguarding (NSISS) 2 Emerging Capabilities being Driven by ICAM Through the PIV and PIV-I Cards, ICAM is seeking new capabilities that will increase the value to users and encourage the use of stronger credentials The DC area and Philadelphia area transit authorities are converting their systems to accept PIV-I Cards starting next year TSA Pilot with DoD to use CAC/PIV to allow for express security at airports. Looking to convert separate military service payment cards (Eagle Cash, Navy Cash, etc.) into one interoperable card and eventually add this to the CAC Potential to add the Government Credit Card capabilities to the PIV 3 Attributes of Success PIV Used in All Executive Branch in compliance with HSPD-12. No anonymous entities (person/non-person) on our networks. Same token for physical and logical access. All Executive Branch applications enabled to authenticate PIV, PIV-I, and other ICAM approved credentials where identity based access is required. Transactions will be signed and encrypted when sensitive. Provide external users the capability to opt-up to stronger credentials for more privileges and more individual security and privacy. Achieve paperless processes efficiencies. Broad adoption of ICAM solutions beyond the Executive Branch 4 DoD IdAM Drivers ICAM Key Performance Indicators • 100% of federal employees and eligible contractors have PIV cards and using them for: IdAM Objectives • Access control is dynamic (automatic and data-driven) Cryptographic Log-On • Person and non-person entity discovery capabilities are implemented Day-to-Day Business (e.g., Signature) • Activity monitoring is enabled • 100% of applications authenticating federal employees and contractors use PIV credentials • Person and non-person entity data are complete, trusted, accurate, and accessible • Access data/website/apps via identity credentials • Collaboration and interoperability is enabled • 100% of physical access transactions electronically authenticate the PIV credential of federal employees • IdAM is institutionalized Joint Information Environment (JIE) • EXORD gave direction of develop technical specifications/documents for integrated active cyber defense, attribute-based access management, metadata tagging capabilities, identity and access management, and single security architecture • IdAM Incremental Upgrades - joint directory services implemented, and accounts synchronized by IdSS, DoD Visitor installed in enterprise directory services, White page service implemented • 100% of electronic transactions with external businesses and citizens use third party credentials (e.g. PIV-I, and other NFI) 5 DoD currently uses high assurance identity credentials for most access to DoD resources e.g. JPAS authenticates using CAC, PIV, and PIV-I Cards DoD also manages and issues some of these lower assurance credentials – already incurring costs Family Members, Retirees, Beneficiaries Some business partners delivering goods and services Foreign Military Sales customers DoD components may enable unclassified systems to use NFI credentials where mission required Benefits: Reduce Number of Credentials Maintained by DoD Reduce Costs (e.g. Helpdesk credential problems) Improve user experience and control of PII OMB and DoD have issued guidance on acceptance and use of Non-Federally Issued (NFI) Credentials (e.g., DoDI 8520.03) Approved Trust Framework Providers and Identity Providers posted on http://www.IDmanagement.gov DoD Approved External PKIs are posted on www.iase.mil 6 Acceptance of Approved Externally-Issued Credentials A recent white paper summarized the current state of DoD and its acceptance of externally-issued credentials: The Problem: DoD Relying Parties are not Accepting DoD-approved externally-issued identity credentials DoD requires Federal contractors to perform strong authentication to DoD hosted applications To fulfill this requirement, DoD typically issues Federal contractors DoD credentials or requires them to procure DoD credentials (ECA) Many Federal contractors issue their employees company credentials which are DoD-approved strong credentials (CAC-Like) These company credentials should be accepted by DoD applications but often application owners will only accept DoD issued credentials (CAC or ECA) DoD CIO policy exists on acceptance of these company credentials but only encourages application owners to accept DoD-approved credentials, it does not require their acceptance The Consequence: Duplication, unnecessary costs and security vulnerabilities Need for DoD and industry partners to support multiple identities for these individual Unnecessary costs of operations to both DoD and DIB members Diverts partner resources from the target of employer credentials Duplicate identities credentials Security gaps that introduce risk 7 DoD Requirements for Accepting Non-Federally Issued Identity Credentials CIO memo signed 24 January 2013 The DoD and Executive Branch will leverage identity credentials from NonFederal Issuers (NFI) as authentication options to Federal information systems and services. The NFI identity credential initiative allows the Federal Government to: Reduce the need and costs to issue and maintain credentials for mission partners Protect partners by minimizing the collection and storage of personal information Benefit partners by minimizing the number of credentials they must protect and maintain Support the National Strategy for Trusted Identities in Cyberspace (NSTIC) Components will ensure that unclassified information systems will be enabled to accept NFI credentials for authorized users. Components will ensure that information systems will support identity authentication using all credential strengths that meet or exceed the minimum level identified. Components will accept a DoD approved very high assurance credential from a user authorized system access rather than require the procurement of a DoD credential. 8 Backup Slides ICAMSC Working Group Structure 10 Cybersecurity Policy Development Partnerships DoD participates in development of CNSS and NIST documents ensuring DoD equities are met DoD leverages CNSS and NIST policies and filters requirements to meet DoD needs DoD participates in CNSS and NIST policy development as a vested stakeholder with the goals of a more synchronized cybersecurity landscape and to protect the unique requirements of DoD Missions and warfighters 11 11 Dynamic Access Control DoD Identity and Access Management (IdAM) “Person and non-person entities can securely access all authorized DoD resources, anywhere, at any time.” IdAM Data yes Authenticated? Request Access yes Authorized? Logging/ Auditing with credentials no Logging/ Auditing IT-Based Resource or Physical Resource no Access Denied 12 Automatic and Data Driven 13 DoD IdAM Strategy Overview DoD IdAM is the DoD implementation of FICAM DoD has a strategy for implementing IdAM which is an authoritative reference that illustrates DoD commitment and focuses DoD IdAM activities Goals of the strategy include: Improve mission effectiveness by ensuring that users and systems have timely and secure access to the data and services needed for mission accomplishment, regardless of location Increase security by knowing who is operating on our networks with a high degree of confidence by denying adversaries freedom of maneuverability within the JIE Realize IT efficiencies by institutionalizing IdAM 14 DoD IdAM Document Overview DoD is working on a roadmap to enable decision-making that aligns and focuses activities to a common enterprise solution Goals of the roadmap: Inform and enable proactive, data-driven decision making Improve cross-program synchronization There is also a DoD Reference Architecture in development that will guide and constrain the implementation. This will be a living document that is being produced by a team containing both IdAM and architecture experts. 15 The Way Ahead for DoD Communicating and securing leadership agreement with the proposed direction Continuing to work with key stakeholders on refining the DoD IdAM Strategy Continuing to develop the reference architecture and capability roadmap Continuing to capture information on IdAM initiatives that support/implement IdAM strategic concepts Focusing on the acceptance of non-DoD approved credentials 16 Acceptance of Non-DoD Approved Identity Credentials DoD has issued a number of documents related to the acceptance of DoD Approved Identity Credentials: 2011 DoD CIO Memo, DoD Continued Implementation of HSPD-12 and ICAM Guidance, (Nov 15) “DoD logical and physical access control systems will also be enabled to use other Federal PIV credentials” “Components will ensure that all new logical and physical access control systems are enabled to use and electronically verify PIV credentials in accordance with HSPD-12 for authenticating DoD and Federal employees and contractors.” “Components will ensure that beginning in FY2012, all logical and physical access control systems that are funded for upgrade include enablement to use and electronically verify PIV credentials” 2011 DoD Instruction 8520.02 Public Key Infrastructure and PK Enabling, (May 24) “The DoD shall enable DoD information systems to use DoD-approved PKIs for authentication in accordance with DoDI 8520.03” “DoD mission partners shall use certificates issued by the DoD External Certification Authority (ECA) program or a DoD-approved PKI, when interacting with the DoD in unclassified domains.” 17 Acceptance of Non-DoD Approved Identity Credentials 2011 DoD Instruction 8520.03, Identity Authentication for Information Systems, (May 13) “The information system or DoD network shall ensure that any credential used for identity authentication has been issued by an approved DoD identity credential provider or a DoDapproved Federal or industry partner identity credential provider” 2010 DoD Memo, Acceptance and Use of PIV-Interoperable Credentials, (October 05) “In those cases where DoD Relying Parties, installation commanders, and facility coordinators determine that granting access is appropriate and that appropriate vetting requirements are met, they should begin accepting DoD-approved PIV-I credentials for authentication and access” 2008 DoD CIO Memo, Approval of External Public Key Infrastructures, (July 22) (superseceded by DoD I 8520.02) “The DoD shall enable DoD information systems to use DoD-approved PKIs for authentication” 2004 DoD PKI PMO Letter to Federal PKI Policy Authority, (Mar 19) “Today, over 3 million DoD personnel have a Common Access Card (CAC)…” “We hope to achieve 2-way interoperability with the FBCA by the end of calendar year 2004.” 18