Spring 2013 ICAM Day
Federal CIO Council
Information Security and Identity Management Committee
IDManagement.gov
Value of ICAM
Breakout Session
Paul D. Grant
Director of Cybersecurity Policy, DoD CIO
Co-Chair, Federal Identity, Credential & Access Management Sub-Committee
ICAM is part of the Foundation for Major Initiatives
 Continuous Monitoring
 Mobile Device and Mobile Device Management
 FICAM helps Federal Agencies support disaster recovery
efforts
 Ex. DoD supporting FEMA and local law enforcement agencies
 FICAM is a crucial component of secure information
sharing
 Through strong authentication, continuous monitoring, and
driving out anonymity, national cyber security goals can be
reached
National Strategy for Trusted Identities in Cyberspace (NSTIC)
National Strategy for Information Sharing and Safeguarding (NSISS)
2
Emerging Capabilities being Driven by ICAM
 Through the PIV and PIV-I Cards, ICAM is seeking new
capabilities that will increase the value to users and
encourage the use of stronger credentials
 The DC area and Philadelphia area transit authorities are converting
their systems to accept PIV-I Cards starting next year
 TSA Pilot with DoD to use CAC/PIV to allow for express security at
airports.
 Looking to convert separate military service payment cards (Eagle
Cash, Navy Cash, etc.) into one interoperable card and eventually add
this to the CAC
 Potential to add the Government Credit Card capabilities to the PIV
3
Attributes of Success








PIV Used in All Executive Branch in compliance with HSPD-12.
No anonymous entities (person/non-person) on our networks.
Same token for physical and logical access.
All Executive Branch applications enabled to authenticate PIV, PIV-I,
and other ICAM approved credentials where identity based access is
required.
Transactions will be signed and encrypted when sensitive.
Provide external users the capability to opt-up to stronger
credentials for more privileges and more individual security and
privacy.
Achieve paperless processes efficiencies.
Broad adoption of ICAM solutions beyond the Executive Branch
4
DoD IdAM Drivers
ICAM Key
Performance Indicators
• 100% of federal employees and
eligible contractors have PIV cards
and using them for:
IdAM Objectives
• Access control is dynamic
(automatic and data-driven)
 Cryptographic Log-On
• Person and non-person entity
discovery capabilities are
implemented
 Day-to-Day Business (e.g.,
Signature)
• Activity monitoring is enabled
• 100% of applications authenticating
federal employees and contractors
use PIV credentials
• Person and non-person entity data
are complete, trusted, accurate, and
accessible
• Access data/website/apps via
identity credentials
• Collaboration and interoperability is
enabled
• 100% of physical access
transactions electronically
authenticate the PIV credential of
federal employees
• IdAM is institutionalized
Joint Information
Environment (JIE)
• EXORD gave direction of develop
technical specifications/documents
for integrated active cyber defense,
attribute-based access
management, metadata tagging
capabilities, identity and access
management, and single security
architecture
• IdAM Incremental Upgrades - joint
directory services implemented, and
accounts synchronized by IdSS,
DoD Visitor installed in enterprise
directory services, White page
service implemented
• 100% of electronic transactions with
external businesses and citizens use
third party credentials (e.g. PIV-I,
and other NFI)
5

DoD currently uses high assurance identity credentials for most access to DoD
resources
 e.g. JPAS authenticates using CAC, PIV, and PIV-I Cards

DoD also manages and issues some of these lower assurance credentials – already
incurring costs
 Family Members, Retirees, Beneficiaries
 Some business partners delivering goods and services
 Foreign Military Sales customers


DoD components may enable unclassified systems to use NFI credentials where mission
required
Benefits:
 Reduce Number of Credentials Maintained by DoD
 Reduce Costs (e.g. Helpdesk credential problems)
 Improve user experience and control of PII



OMB and DoD have issued guidance on acceptance and use of Non-Federally Issued
(NFI) Credentials (e.g., DoDI 8520.03)
Approved Trust Framework Providers and Identity Providers posted on
http://www.IDmanagement.gov
DoD Approved External PKIs are posted on www.iase.mil
6
Acceptance of Approved Externally-Issued Credentials
A recent white paper summarized the current state of DoD and its
acceptance of externally-issued credentials:
 The Problem: DoD Relying Parties are not Accepting DoD-approved
externally-issued identity credentials
 DoD requires Federal contractors to perform strong authentication to DoD hosted applications
 To fulfill this requirement, DoD typically issues Federal contractors DoD credentials or requires
them to procure DoD credentials (ECA)
 Many Federal contractors issue their employees company credentials which are DoD-approved
strong credentials (CAC-Like)
 These company credentials should be accepted by DoD applications but often application
owners will only accept DoD issued credentials (CAC or ECA)
 DoD CIO policy exists on acceptance of these company credentials but only encourages
application owners to accept DoD-approved credentials, it does not require their acceptance
 The Consequence: Duplication, unnecessary costs and security
vulnerabilities





Need for DoD and industry partners to support multiple identities for these individual
Unnecessary costs of operations to both DoD and DIB members
Diverts partner resources from the target of employer credentials
Duplicate identities credentials
Security gaps that introduce risk
7
DoD Requirements for Accepting Non-Federally Issued Identity
Credentials
 CIO memo signed 24 January 2013
 The DoD and Executive Branch will leverage identity credentials from NonFederal Issuers (NFI) as authentication options to Federal information
systems and services. The NFI identity credential initiative allows the Federal
Government to:
 Reduce the need and costs to issue and maintain credentials for mission partners
 Protect partners by minimizing the collection and storage of personal information
 Benefit partners by minimizing the number of credentials they must protect and
maintain
 Support the National Strategy for Trusted Identities in Cyberspace (NSTIC)
 Components will ensure that unclassified information systems will be
enabled to accept NFI credentials for authorized users.
 Components will ensure that information systems will support identity
authentication using all credential strengths that meet or exceed the
minimum level identified.
 Components will accept a DoD approved very high assurance credential from
a user authorized system access rather than require the procurement of a
DoD credential.
8
Backup Slides
ICAMSC Working Group Structure
10
Cybersecurity Policy Development
Partnerships
DoD
participates in
development
of CNSS and
NIST
documents
ensuring DoD
equities are
met
DoD
leverages
CNSS and
NIST policies
and filters
requirements
to meet DoD
needs
DoD participates in CNSS and NIST policy development as a vested
stakeholder with the goals of a more synchronized cybersecurity landscape
and to protect the unique requirements of DoD Missions and warfighters
11
11
Dynamic Access Control
DoD Identity and Access Management (IdAM)
“Person and non-person entities can securely access all authorized DoD resources, anywhere, at
any time.”
IdAM
Data
yes
Authenticated?
Request
Access
yes
Authorized?
Logging/
Auditing
with credentials
no
Logging/
Auditing
IT-Based
Resource
or
Physical
Resource
no
Access Denied
12
Automatic and Data Driven
13
DoD IdAM Strategy Overview
 DoD IdAM is the DoD implementation of FICAM
 DoD has a strategy for implementing IdAM which is an
authoritative reference that illustrates DoD commitment and
focuses DoD IdAM activities
 Goals of the strategy include:
 Improve mission effectiveness by ensuring that users and systems
have timely and secure access to the data and services needed for
mission accomplishment, regardless of location
 Increase security by knowing who is operating on our networks with a
high degree of confidence by denying adversaries freedom of
maneuverability within the JIE
 Realize IT efficiencies by institutionalizing IdAM
14
DoD IdAM Document Overview
 DoD is working on a roadmap to enable decision-making that
aligns and focuses activities to a common enterprise solution
 Goals of the roadmap:
 Inform and enable proactive, data-driven decision making
 Improve cross-program synchronization
 There is also a DoD Reference Architecture in development that
will guide and constrain the implementation.
 This will be a living document that is being produced by a team
containing both IdAM and architecture experts.
15
The Way Ahead for DoD
 Communicating and securing leadership agreement with the
proposed direction
 Continuing to work with key stakeholders on refining the DoD
IdAM Strategy
 Continuing to develop the reference architecture and capability
roadmap
 Continuing to capture information on IdAM initiatives that
support/implement IdAM strategic concepts
 Focusing on the acceptance of non-DoD approved credentials
16
Acceptance of Non-DoD Approved Identity Credentials
DoD has issued a number of documents related to the acceptance of DoD Approved
Identity Credentials:
 2011 DoD CIO Memo, DoD Continued Implementation of HSPD-12 and ICAM
Guidance, (Nov 15)
 “DoD logical and physical access control systems will also be enabled to use other Federal PIV
credentials”
 “Components will ensure that all new logical and physical access control systems are enabled to
use and electronically verify PIV credentials in accordance with HSPD-12 for authenticating DoD
and Federal employees and contractors.”
 “Components will ensure that beginning in FY2012, all logical and physical access control
systems that are funded for upgrade include enablement to use and electronically verify PIV
credentials”
 2011 DoD Instruction 8520.02 Public Key Infrastructure and PK Enabling, (May
24)
 “The DoD shall enable DoD information systems to use DoD-approved PKIs for authentication in
accordance with DoDI 8520.03”
 “DoD mission partners shall use certificates issued by the DoD External Certification Authority
(ECA) program or a DoD-approved PKI, when interacting with the DoD in unclassified domains.”
17
Acceptance of Non-DoD Approved Identity Credentials
 2011 DoD Instruction 8520.03, Identity Authentication for Information
Systems, (May 13)
 “The information system or DoD network shall ensure that any credential used for identity
authentication has been issued by an approved DoD identity credential provider or a DoDapproved Federal or industry partner identity credential provider”
 2010 DoD Memo, Acceptance and Use of PIV-Interoperable Credentials,
(October 05)
 “In those cases where DoD Relying Parties, installation commanders, and facility
coordinators determine that granting access is appropriate and that appropriate vetting
requirements are met, they should begin accepting DoD-approved PIV-I credentials for
authentication and access”
 2008 DoD CIO Memo, Approval of External Public Key Infrastructures,
(July 22) (superseceded by DoD I 8520.02)
 “The DoD shall enable DoD information systems to use DoD-approved PKIs for
authentication”
 2004 DoD PKI PMO Letter to Federal PKI Policy Authority, (Mar 19)
 “Today, over 3 million DoD personnel have a Common Access Card (CAC)…”
 “We hope to achieve 2-way interoperability with the FBCA by the end of calendar year
2004.”
18