Overview of US Federal Identity Management Initiatives

Peter Alterman, Ph.D.
Chair, Federal PKI Policy Authority and Asst. CIO E-Authentication, NIH

Jan 10, 2016 (PowerPoint PPT presentation, 13 pages)
Transcript
Page 1: Overview of US Federal Identity Management Initiatives

Peter Alterman, Ph.D.

Chair, Federal PKI Policy Authority and

Asst. CIO E-Authentication, NIH

Page 2: Federal Initiatives

• eAuthentication – focus on eCommerce, services, etc.
• HSPD-12 – focus on security

Page 3: Federal View of Electronic ID

• A validated, proofed identity using breeder documents and databases (FIPS 201)
• A scheme for adding a name, biometrics (photo, fingerprints), numeric codes (CHUID, etc.) and substantial-assurance digital certificates to a next-generation SmartCard
• Attributes are extensions not required by HSPD-12, but optionally consumed by applications
  – SAML assertions and/or database entries for attribute storage
  – USPerson profile being developed to standardize attribute representation

Page 4: eAuthentication Initiative

• Provide electronic identity authentication services for online government applications
• Manage the Federal Federation – extends services to private-sector credential providers and online services
• Set standards for assertion-based authentication tools
• Offers a standard risk assessment tool
• Standard architecture and policy foundations

Page 5: Summary of Architecture and Policy/Procedures Based on NIST SP 800-63

• Architecture
  – SAML assertions for LOA 1, 2 (encapsulate userid/passwords)
    • Vendor interoperability required for addition to approved vendor list
    • SAML 1.0 currently supported; SAML 2.0 specs being developed
  – PKI or OTP for LOA 3
  – PKI for LOA 4
  – Scheme translator available
• Policy/Procedures
  – Credential assessments for all CSPs
    • Credential Assessment Framework (CAF) for assertion-based credentials
    • Cross-certification with the Federal PKI for crypto-based credentials
  – Federal PKI policies define requirements for digital certificate trustworthiness
  – EAF defines service requirements for all LOA
    • Now included in Federal PKI policy requirements
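The relying-party side of the assertion-based tier described on this slide, as an added example (not code from the presentation or from the eAuthentication programme): an agency application receives a SAML assertion from an approved credential service provider and decides whether it satisfies the level of assurance its risk assessment requires. SAML 2.0 syntax is used even though the slide notes only SAML 1.0 was supported at the time. The issuer and application URLs, the sample assertion, and the table mapping authentication-context classes to LOA are all assumptions for illustration; the XML signature over the assertion is assumed to have been verified by the caller before this function runs, since the Python standard library has no XML-DSig support.

```python
import datetime as dt
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Assumed mapping from SAML authn-context classes to SP 800-63 LOA, following
# the slide's scheme (passwords at LOA 1/2, OTP at 3, PKI at 4). A real relying
# party takes this from the federation's approved scheme definitions.
LOA_BY_CONTEXT = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password": 1,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 2,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken": 3,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI": 4,
}

def _parse_time(value):
    # SAML requires the UTC xs:dateTime form with a trailing 'Z'.
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=dt.timezone.utc)

def evaluate_assertion(xml_text, *, audience, recipient, required_loa,
                       trusted_issuers, now):
    """Return (accepted, loa, reason) for one signature-verified assertion.

    required_loa is the level the agency's risk assessment assigned to the
    application; the CSP's authentication context must meet or exceed it.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML:
        return False, 0, "not a SAML 2.0 Assertion"
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer not in trusted_issuers:
        return False, 0, "issuer is not an approved CSP"

    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, 0, "missing Conditions or validity window"
    if not _parse_time(cond.get("NotBefore")) <= now < _parse_time(cond.get("NotOnOrAfter")):
        return False, 0, "assertion outside its validity window"
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if audience not in audiences:
        return False, 0, "assertion not restricted to this application"

    # Bearer confirmation must name our endpoint, so an assertion captured at
    # another application cannot be replayed here.
    conf = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if conf is None or conf.get("Method") != BEARER:
        return False, 0, "subject confirmation is not bearer"
    data = conf.find("saml:SubjectConfirmationData", NS)
    if data is None or data.get("Recipient") != recipient:
        return False, 0, "assertion not addressed to this endpoint"
    if data.get("NotOnOrAfter") and now >= _parse_time(data.get("NotOnOrAfter")):
        return False, 0, "subject confirmation expired"

    ctx = (root.findtext("saml:AuthnStatement/saml:AuthnContext/"
                         "saml:AuthnContextClassRef", namespaces=NS) or "").strip()
    loa = LOA_BY_CONTEXT.get(ctx, 0)
    if loa == 0:
        return False, 0, "unrecognised authentication context %r" % ctx
    if loa < required_loa:
        return False, loa, "authenticated at LOA %d, app requires LOA %d" % (loa, required_loa)
    return True, loa, "accepted"

# Constructed sample assertion; issuer and application URLs are fictitious.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2006-09-01T12:00:00Z">
  <saml:Issuer>https://csp.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://app.example.net/acs"
          NotOnOrAfter="2006-09-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2006-09-01T12:00:00Z" NotOnOrAfter="2006-09-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.net</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2006-09-01T11:59:50Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

def demo():
    """Same assertion against a LOA 2 app, a LOA 3 app, a replay, a wrong audience."""
    now = dt.datetime(2006, 9, 1, 12, 2, tzinfo=dt.timezone.utc)
    base = dict(audience="https://app.example.net", recipient="https://app.example.net/acs",
                trusted_issuers={"https://csp.example.org/idp"}, now=now, required_loa=2)
    return {
        "loa2_app": evaluate_assertion(SAMPLE_ASSERTION, **base),
        "loa3_app": evaluate_assertion(SAMPLE_ASSERTION, **dict(base, required_loa=3)),
        "replayed_later": evaluate_assertion(
            SAMPLE_ASSERTION, **dict(base, now=now + dt.timedelta(minutes=10))),
        "wrong_audience": evaluate_assertion(
            SAMPLE_ASSERTION, **dict(base, audience="https://other.example.net")),
    }
```

The same password-backed assertion is accepted by an application assessed at LOA 2 and rejected by one assessed at LOA 3, which is the point of carrying the authentication context rather than a bare "authenticated" flag. Two caveats a practitioner would add: the signature check that precedes this function must cover the exact Assertion element passed in (signature-wrapping attacks exploit verifiers that sign-check one element and evaluate another), and for LOA 3 and 4 the slide moves to crypto-based credentials, where certificate path validation against Federal PKI policy replaces this assertion logic.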

Page 6: The Federal Federation

• Credential Service Providers
  – Covers 4 LOA
    • Assertion-based identity credentials for LOA 1, 2
    • Crypto-based identity credentials for LOA 3, 4
  – Service requirements (related to uptime, user support, etc.)
  – Interfederation arrangements encouraged
• Agency Applications
  – Federal agency applications and services
  – Mandated by Administration
  – Service requirements (related to uptime, user support, etc.)

Page 7: Homeland Security Presidential Directive 12

• A Presidential mandate for Federal agencies to issue medium hardware assurance (or better) identity credentials for access to physical and logical government resources - inside-the-firewall contractors, too
  – Medium Hardware or High Assurance digital certificates on PIV-2 cards (next-gen SmartCards)
• Fast-tracked for implementation starting 10/2006
• Led to new government standards for identity proofing and vetting (FIPS 201) and for PKI hardware tokens (NIST SP 800-7x series)

Page 8: Interoperability Initiatives

• CertiPath – Federal Bridge cross-certification complete
• SAFE PKI Bridge and services – supporting digitally-signed electronic forms and document management – cross-certification under way
• InCommon/Federal Federation – interfederation efforts currently (9/06) on hold

Page 9: Technology Implications

• US Government LOA, standardized risk analysis, and standards for PIV cards and identity proofing and vetting are here and INEVITABLY will migrate everywhere
  – Pickup already noted in aerospace contractor space, homeland security
• Feds will have to deal with attributes eventually!

Page 10: Security and Online Services Implications for Higher Ed

• DHS first responders, DEA PKIs and CMS initiatives to enable online services and payments management will drive medical schools, hospitals and insurance chains to adopt Federal models for electronic identity authentication
  – Financial services firms under SEC regulation are already falling in line, both within and outside the eAuthentication federation
  – DEA issuing digital certs to pharmaceutical supply chain entities and plans to do so to service providers (MDs, PAs, NPs, etc.)
• Availability of online government apps drives schools to federate to take advantage of services/apps

Page 11: What About Privacy?

• No single database of identity credentials
• No requirement for only one identity credential
• The old tradeoff still exists: convenience vs. security
• Are there forces out there that want to know who you are at all times?
  – Of course; worry about RFID first.

Page 12: Resources

• www.cio.gov/eauthentication
• http://csrc.nist.gov/pki
• www.cio.gov/ficc
• www.smartcardalliance.org
