ICAM: A roadmap for FIPS 201 applications
15 March, 2010
Mission of new initiative is to help agencies, others put PIV credentials to use
The presidential directive ordering a standard, interoperable identification credential for federal employees is coming up on its sixth birthday. The deadline to have these Personal Identification Verification (PIV) credentials issued is more than a year old.
And while not every federal employee is carrying a PIV yet, more than 4 million credentials have been issued. So it makes sense that the next step should be creating use cases for the IDs.
“No two agencies are in the same place and no two agencies have the same need,” says Judith Spencer, chair of the Federal Public Key Infrastructure Steering Committee for the GSA. “So they need to figure out what they need to do and what needs to be applied.”
Enter ICAM or Identity, Credential and Access Management, a group of government officials co-chaired by the General Services Administration and Department of Defense and charged with aligning the identity management activities of the federal government.
- Augment policy and implementation guidance to agencies
- Establish federated identity framework for the federal government
- Enhance performance measurement and accountability within ICAM initiatives
- Provide government-wide services for common ICAM requirements
- Streamline collection and sharing of digital identity data
- Fully leverage PIV and PIV-I credentials
- Modernize physical and logical access infrastructures
- Implement federated identity capabilities
The organization released a “Roadmap and Implementation Guidance” document for officials late in 2009. Now ICAM is working on a more robust version of the implementation guidance, tentatively called Part B, which it hopes to complete by the end of September. “The Federal Government is operating in a constantly shifting threat environment – data breaches are all too common, identity theft is on the rise, and trust relationships are enforced in an inconsistent and hard-to-understand manner,” states the Roadmap.
The hope is that ICAM work will extend outside the federal space. “The resulting framework can be leveraged in other areas as well – promoting data security, privacy and the high-assurance authentication needed to support improvements in health care and immigration and to promote collaboration through secure information sharing and transparency in government,” the document states.
The PIV is an essential component of ICAM. Some 4.1 million federal employees, or 71%, have been issued credentials, according to the Fiscal Year 2011 Federal Budget. The ICAM Roadmap is also cited in the budget, a fact that highlights just how ingrained the PIV credentials are with federal employees.
“The ICAM roadmap, issued in November 2009, outlines a number of transition activities for agencies to complete,” the document states. “It also serves as an important tool for providing awareness to external mission partners and driving the development and implementation of interoperable solutions. ICAM solutions will leverage the existing investments in the federal government while promoting efficient use of tax dollars when designing, deploying and operating ICAM systems.”
In preparation for the September issuance of the implementation guidance Part B, six different ICAM working groups have been created:
- The Federation Interoperability Working Group is looking at business rules and requirements for how agencies will establish reciprocal trust agreements so credentials can be used at other agencies, Spencer says.
- The Architecture Working Group is developing “how to’s” and expanding the new technical architecture of the credentials. The group is also working on 11 use cases for the credential, Spencer says.
- The Federal PKI Authority Working Group is looking at strong-assurance technology and administering the federal PKI policies.
- The Roadmap Development Team is reviewing the development and content of the ICAM Roadmap and Implementation Guidance.
- The Citizen Outreach Focus Group is working on recommendations concerning solutions for government-to-citizen interaction and how ID technology may play a role in the future.
- The Logical Access Working Group is developing guidance and best practices to assist agencies in implementing log on/authentication capabilities using PIV cards.
The ICAM roadmap also details some of the benefits agencies will experience via the implementation of ICAM systems and technology:
- Increased security, which correlates to reduction in identity theft, data breaches, and trust violations.
- Compliance with laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress.
- Improved interoperability, specifically between agencies using their PIV credentials along with other partners carrying PIV-Interoperable or third-party credentials that meet the requirements of the federal trust framework.
- Enhanced customer service, both within agencies and with their business partners and constituents.
- Elimination of redundancy, both through agency consolidation of processes and workflow and the provision of government-wide services to support ICAM processes.
- Increased protection of personally identifiable information by consolidating and securing identity data.
Where does PIV-I fit?
ICAM is also considering how the PIV-I will interact with government credentialing, says Steve Howard, vice president of operations at CertiPath. The architecture group is working with a PIV-I subgroup to figure out use cases for how the two credentials will work together. “Their goal is to come up with the governing requirements that will translate to certificate policy,” he says.
While PIV-I has been looked at as a standard for first responders and state officials, federal contractors will also be using it, Howard says. This makes interaction unavoidable.