Identity Management Reference Architecture


  1. Identity Management Reference Architecture: Defining a reference enterprise architecture for Federal identity management. Identity Management Architecture Team: Greg Black, James Ryan, Paul Kavitz. March 2008.
  2. Agenda
     •  Introductions
     •  Present the Practicum
     •  Recommendations & Lessons Learned
  3. Team Members
     •  Greg Black (Government), Paul Kavitz (MSP), Jay Ryan (IDM & PKI Consultancy)
     •  Recognizing culture as a leading risk factor, the IDM team sought out areas of personal growth that added value toward an overall problem statement.
     •  Experience, both professional and personal, was contributed by each member through their work ethic and desire to embrace and employ enterprise architecture.
     •  Capitalized on individualism, experience, education, and leadership to provide perspectives.
     •  Diverse backgrounds and individual work ethics of each team member helped create a rich, cohesive approach to gap analysis and problem solving.
  5. Executive Summary
     Audience
     •  Government policy and decision makers concerned with the Federal Enterprise Architecture (FEA) and Identity Management (IDM) architectures
     Motivation and Intent
     •  To define an extension to the FEA Framework that facilitates alignment of agency identity management architectures and improves benefits case realization.
     Structure and Scope
     •  This presents a reference architecture designed to provide a standard pattern baseline for identity management architecture implementations government-wide.
     •  The core components are scoping and contextual artifacts common to identity management architectures.
     •  The summary also includes architecture governance, transition, communication, and maintenance plans.
  6. What do we mean by IDM Reference Architecture?
  7. What is the business scenario that grounds this effort?
  8. Reference Enterprise Architecture Scope Mapped to Deliverables – Assignment Scope
     [Figure: a Zachman-style framework grid (columns What/How/Where/Who/When/Why: Inventory, Process, Network, Organization, Timing, Motivation; rows Scope/Strategists, Business/Executive Leaders, System/Designers, Technology/Engineers, Component/Technicians, Operations/Workers, The Enterprise). The deliverables Problem Def., Guidance, Dictionary, Event List, BNC, Indicators, Missions, Mission Distribution, Map, Concept Data Model (CDM), Line of Sight, Business Concept Graphic and Activity Flow Model (AFM) are placed in the cells they cover; the row groups are labelled Context, Data, Process, Performance and Network.]
  9. Identity Management Reference Architecture Artifact Inventory (Short Name – Deliverable Name: Description)
     •  Problem Def. – Architectural Problem Statement: Complete statement of purpose of the Identity Management Reference Architecture.
     •  Guidance – Guidance Summary: A summary list of relevant directives, regulation, and guidance constraining the implementation of personal identity verification.
     •  Dictionary – Integrated Data Dictionary: An inventory of data types that define the scope of personal identity verification.
     •  Event List – Operational Information Cycles: A composite artifact showing the relationship of [reference] business cycles to the state of information in the Integrated Data Dictionary.
     •  BNC – Business Node Connectivity Model: Scoping artifact showing the information relationships between organizations collaborating on the implementation of Personal Identity Verification.
     •  CDM – Concept Data Model: Conceptual Data Model using Object Relational Modeling conventions to describe the semantic relationships of the primary data entities pertaining to identity management.
     •  AFM – Activity Flow Model: Design artifact using IDEF0 describing an example (model) process implementation of Personal Identity Verification and the adjacent suprasystem of processes necessary to operate this function. Framed by the Federal Enterprise Architecture Service Component Reference Model.
     •  BCG – Business Concept Graphic: Graphic describing multiple functional relationships between processes and business missions related to personal identity verification.
     •  Missions – Related Federal Missions: A list of missions and supporting business functions, framed by the FEA Business Reference Model, that have some role in personal identity verification.
     •  Indicator Inventory – Candidate Performance Measurement Indicators: A list of potential measurement indicators across technical, process, and citizen-service measurement areas relevant to assessing performance of personal identity verification.
     •  Line of Sight – Line of Sight Example: Example artifact demonstrating application of a set of performance measurement indicators across a specific service component relevant to personal identity verification.
     •  Map – Geographic Distribution of Network Types: A global map identifying different types of countries with shared high-level characteristics relevant to the implementation of personal identity verification.
     •  Mission Distribution – Organizational Mission Distribution: Composite artifact integrating Organization (Agency), Network (Geography) and Process (Business Sub-function missions) relevant to assessing scope for personal identity verification.
  10. Appendix A: Artifact Summary. Identity Management Architecture Team: Greg Black, James Ryan, Paul Kavitz
  11. Architecture Problem Statement
     Core Problem Statement
     •  Define a Reference Architecture that aligns the motivations and objectives of the acquirers and providers of credentialing systems in the US Federal Enterprise (see table below).
     Extended Problem Statement
     •  Interpret the 'US Federal Enterprise' above and shared objective #1 below in terms of the public-private interactions required to fulfill the homeland security mission objectives predicated by credentialing requirements.
     [Figure: context diagram placing the Identity Management Reference Architecture between the Market System (commercial sector operators driven primarily by investor priorities, under Market Policy / Market Interventions), the US Federal Enterprise (FEAF, under US Federal Policy and Operational Policy / government-wide policy), the US Defense Enterprise (DODAF), an IT MSP Enterprise (IT MSP EA), and Critical Sector enterprises (e.g. Electricity EA, Defense-Industrial Base EA, Transportation EA) under Industry-specific Policy / Industry Regulation. Relationships are labelled A and B.]
     Shared objectives (# – IT MSP Enterprise Objective / Federal Enterprise Objective / Primary artifacts):
     •  1 – What is the total addressable market in the US government for identity management? / Where can identity management be reused across government? / Missions, Line of Sight, Mission Distribution
     •  2 – What are the cross-sell opportunities for a credentialing solution? / What is the integrated suprasystem surrounding a credentialing service required to realize the projected benefits? / Dictionary, Event List, BNC, AFM, BCG, Map
     •  3 – What is the market value proposition for the identity management solution? / What are the citizen-centric benefits and performance measures for identity management investments? (eGovernment) / Indicator Inventory, Line of Sight
  12. Business Concept Graphic
     [Figure: the IDM Reference Architecture can be used by agencies accountable only for their own IT and facilities, by agencies accountable for their own critical IT and facilities and for external critical infrastructure sectors, and by the critical sectors themselves. Credential standards are defined by HSPD-12 and FIPS 201. Elements shown: Identity, Credentialing, Credential Management, Managed Service, Logical Access, Physical Access, and the Valid Person / Invalid Person outcomes. Critical infrastructure sectors (from HSPD-7 and the NIPP): Information Technology & Communications, Facilities, Defense-Industrial Base, Banking & Finance, Oil & Gas, Food, Nuclear, Transportation, Electricity.]
  13. Guidance Map
  14. Federal Missions Related to Identity Management
  15. Business Node Connectivity Model
     •  Collaboration is INTENSE
     •  Often forgotten nodes: Help Desk; Information & Technology Management; Contractor Sponsors
     •  Key "virtual" node is often Hiring Managers
     •  Agencies have NOT outsourced IDM in total
     •  BI largely outsourced
     •  Credential manufacturing largely outsourced
  16. Activity Flow Model
  17. Bullet Proofing the Identity Management Capability – Operational Event List
     Identity Management Operational Events
     •  Event Handling
     •  Event Linkage
     Event categories: Identity Management Events; Credential Management Events; Infrastructure Events; Identity Change Events; On/Off Boarding Events
  18. Conceptual Data Model
     Artifact Summary
     •  Provides semantic information relationships for business stakeholder communications
     •  Key entities include person, credential, permission, portal, and assets (information, system, and physical)
     Artifact Alignment
     •  Information entities support the Activity Flow Model
     •  Entities defined in the Dictionary
     Artifact Use
     •  Used to bridge CIO Council Data Sub-committee and Universal Core efforts with logical data models in reference agencies.
  19. Integrated Data Dictionary – Subset Snapshot
     Artifact Summary
     •  Defines key terms used in the architecture, primarily at the scoping perspective
     Artifact Alignment
     •  Dictionary to Business Node Connectivity (BNC): All business nodes (organization) and need lines (data) displayed in the BNC are defined.
     •  Dictionary to Activity Flow Model (AFM): All processes, inputs, and outputs displayed in the AFM are defined.
     •  Dictionary to Conceptual Data Model (CDM): All semantic data objects displayed in the CDM are defined.
     •  Dictionary to the Related Federal Missions: All business reference model topics that are in scope of the assignment are defined.
     Artifact Use
     •  Should be used to understand terms used within the IDM-RA
     •  This artifact seeks alignment with other governmental data definition workgroups, and should be maintained as standard federal information definitions evolve.
     •  Architects using this reference architecture to define identity management implementations can use this dictionary as one source of standard definitions for identity-related information.
     Terms (Term [artifacts using it]: Definition)
     •  Person [AFM, CDM, BNC]: A person is a human that has a context within the enterprise which requires access to digital or physical assets.
     •  Clearance [CDM]: A label or set of labels about a Person that identifies a level of trust in that Person.
     •  Position [AFM, CDM]: The job description (e.g. title, manager/staff, organization) describing an expected set of behaviors and corresponding activities and rights for a person.
     •  Gender [CDM]: Sex of the person.
     •  Name [CDM]: Legal labeling of a person based on birth record or other legal assignment.
     •  Birth [CDM]: The act of being born or establishing an existence.
     •  Birthplace [CDM]: The location where a person is born, usually identified as city and state or geospatial key number.
     •  Party [CDM]: A collection of persons or other parties that share a common goal or interest. This covers collections that are inside or outside the enterprise and that are persistent or temporary.
     •  Credential [AFM, CDM, BNC]: A physical or logical token representing the identity of a person.
     •  Certificate [AFM, CDM, BNC]: A structured set of information uniquely authenticating a person.
     •  Facility [CDM]: A physical asset that is a temporarily or permanently immobile physical structure encompassing a physical space which can be occupied by human beings.
     •  Jurisdiction [CDM]: The legal context and authority governing activity in a physical space.
     •  Compound [CDM]: A collection of one or more facilities with a common perimeter serving some shared purpose.
     •  Boundary [CDM]: A physical perimeter bounding a space.
     •  Control [AFM, CDM]: The physical and logical controls governing human passage across a portal.
     •  Portal Audit [CDM]: The survey conducted by a human being assessing the access controls of a portal.
     •  Portal Audit Findings [CDM]: The discrete, individual representations of an auditor's survey of the state of a portal's access controls.
     •  Portal [AFM, CDM]: An access control point where human beings are able to cross a physical or logical boundary.
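The Operational Event List (slide 17) and the Conceptual Data Model and Dictionary (slides 18 and 19) describe entities and events but do not show how they fit together. The following is an added worked example, not code from the deck or from any agency implementation: a small in-memory model in which Person, Clearance, Credential and Portal (with its Control) are driven by the event types the deck lists, and a portal decision separates a valid person from an invalid one. The class names, the ordering of clearance labels, the event field names and the sample event stream are all assumptions chosen for illustration; none of them is taken from HSPD-12 or FIPS 201.

```python
"""Added example (not from the original deck): dictionary entities driven by
operational events.  Class names, clearance ordering, event fields and the sample
event stream are assumptions for illustration, not HSPD-12 / FIPS 201 definitions."""
from dataclasses import dataclass, field
from datetime import date
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class Clearance(IntEnum):
    """Assumed ordering of trust labels; the dictionary only says 'a level of trust'."""
    NONE = 0
    PUBLIC_TRUST = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass
class Credential:
    serial: str
    expires: date
    revoked: bool = False


@dataclass
class Person:
    person_id: str
    name: str
    clearance: Clearance = Clearance.NONE
    active: bool = False                  # flipped by on/off-boarding events
    credential: Optional[Credential] = None


@dataclass
class Portal:
    name: str
    required_clearance: Clearance         # the Control governing passage


@dataclass
class Enterprise:
    people: Dict[str, Person] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)

    def handle(self, event: dict) -> None:
        """Event handling: apply one operational event, then record it (event linkage)."""
        kind, pid = event["type"], event.get("person_id")
        if kind == "onboarding":
            self.people[pid] = Person(pid, event["name"], Clearance[event["clearance"]], active=True)
        elif kind == "credential_issued":
            self.people[pid].credential = Credential(event["serial"], date.fromisoformat(event["expires"]))
        elif kind == "credential_revoked":
            cred = self.people[pid].credential
            if cred and cred.serial == event["serial"]:
                cred.revoked = True
        elif kind == "identity_change":
            person = self.people[pid]
            person.name = event.get("name", person.name)
            if "clearance" in event:
                person.clearance = Clearance[event["clearance"]]
        elif kind == "offboarding":
            person = self.people[pid]
            person.active = False
            if person.credential:             # linked event: off-boarding revokes the credential
                person.credential.revoked = True
        else:
            raise ValueError(f"unknown event type {kind!r}")
        self.audit.append(event)

    def check_access(self, serial: str, portal: Portal, today: date) -> Tuple[bool, str]:
        """Evaluate the portal's Control; every check must pass for a 'valid person'."""
        person = next((p for p in self.people.values()
                       if p.credential and p.credential.serial == serial), None)
        if person is None:
            return False, "unknown credential"
        if person.credential.revoked:
            return False, "credential revoked"
        if today > person.credential.expires:
            return False, "credential expired"
        if not person.active:
            return False, "person not active"
        if person.clearance < portal.required_clearance:
            return False, "insufficient clearance"
        return True, "valid person"


# Constructed sample event stream (not real data), in the order the enterprise saw it.
SAMPLE_EVENTS = [
    {"type": "onboarding", "person_id": "p-100", "name": "A. Example", "clearance": "PUBLIC_TRUST"},
    {"type": "credential_issued", "person_id": "p-100", "serial": "C-1", "expires": "2009-03-01"},
    {"type": "onboarding", "person_id": "p-200", "name": "B. Example", "clearance": "SECRET"},
    {"type": "credential_issued", "person_id": "p-200", "serial": "C-2", "expires": "2008-02-01"},
    {"type": "identity_change", "person_id": "p-100", "clearance": "SECRET"},
    {"type": "onboarding", "person_id": "p-300", "name": "C. Example", "clearance": "TOP_SECRET"},
    {"type": "credential_issued", "person_id": "p-300", "serial": "C-3", "expires": "2010-01-01"},
    {"type": "offboarding", "person_id": "p-300"},
]
LOBBY = Portal("lobby", Clearance.PUBLIC_TRUST)
SERVER_ROOM = Portal("server room", Clearance.SECRET)
SCIF = Portal("SCIF", Clearance.TOP_SECRET)


def replay(events: List[dict]) -> Enterprise:
    ent = Enterprise()
    for ev in events:
        ent.handle(ev)
    return ent


def sample_decisions(as_of: date = date(2008, 3, 15)) -> Dict[str, Tuple[bool, str]]:
    """Portal decisions for the sample stream; keys are '<serial>@<portal>'."""
    ent = replay(SAMPLE_EVENTS)
    probes = [("C-1", SERVER_ROOM), ("C-1", SCIF), ("C-2", LOBBY), ("C-3", LOBBY), ("C-9", LOBBY)]
    return {f"{s}@{p.name}": ent.check_access(s, p, as_of) for s, p in probes}


if __name__ == "__main__":
    for probe, (ok, why) in sample_decisions().items():
        print(f"{probe:22} {'ALLOW' if ok else 'DENY ':5} {why}")
```

The point the deck's event list makes, that on/off-boarding, identity-change and credential events must be linked rather than handled in isolation, shows up in the off-boarding branch: the person is deactivated and the credential revoked in one step, so a card that is still physically valid is refused at every portal. The decision order in check_access is deliberate: revocation and expiry are checked before clearance, so a revoked credential is never reported merely as "insufficient clearance".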
  20. Distribution of Organization Mission
     [Figure: world map; legend is country birth registration rate: 90% or greater, 70-89%, 50-69%, 30-49%, <30%, no birth registration system.]
  21. Distribution of Network Types
     [Figure: world map with the same birth-registration-rate legend as slide 20.]
  22. Candidate Performance Measurement Indicators
  23. Line of Sight Example
  24. Next Steps & Key Observations
     Next Steps
     •  Find a way to ensure Managed Service Providers (MSPs) are aligned to this reference model
     •  The National Infrastructure Protection Plan (NIPP) is managed through a collection of committees. This committee structure, with the Critical Infrastructure Partnership Advisory Council (CIPAC) at its apex, could be adapted to form the governance for cross-industry alignment
     •  This reference architecture could be extended to include a reference transition plan for an implementing agency. This might describe means by which agencies would prioritize and group identity management improvements.
     Key Observations
     •  Identity document verification challenges overseas
     •  Federal data architecture activities
     •  U.S. missions overseas
     •  Activity Flow Model responsibility
     •  Need to "fill the gap" beyond what the FEA profile provides
     •  Relationship between IDM and the governmental mission of CIP in commercial enterprises
  25. Implementation Strategy – Rollout
     [Figure: rollout timeline across Phase 1, Phase 2 and Phase 3, with the tracks Reference Architecture Community, Stakeholder Socialization and FEA Addendum.]
     Target Architecture
     •  The end state for the IDM-RA is the acceptance and standardization of this reference architecture as a baseline upon which implementing agencies draw to establish their enterprise architectures pertaining to identity management.
     Socialize with Stakeholders
     •  Socialization of this RA with the target client community, specifically the FICC and the leading federal credentialing managed services providers.
     •  Identify groups working in this area, including existing groups working on standardization of 'Person' data types.
     FEA Addendum
     •  Extend the FEAF with a new type of reference model exemplified by the IDM-RA.
     •  Build upon the current RA primitives with a set of composite RAs relevant to a particular government imperative and common to multiple agencies.
     Establish IDM Reference Architecture Community
     •  Integrate the RA into the CPIC process; maintain a website and possibly a wiki and collaboration forums to incorporate best-practice feedback from pervasive agency implementations.
     •  This forum and governance would provide the means to measure the performance of the IDM-RA effort and tune the model and the approach to be responsive to community needs and feedback.
     Summary
     •  1. Progressive diffusion and adoption of this RA as a baseline input for each agency's EA artifacts that pertain to IDM (referred to as the IDM-RA Transition Strategy).
     •  2. The "as-is" and "to-be" target architectures of each agency will differ widely, as will their transition plans. Therefore, the second level of implementation strategy is the iterative transition of each agency's operational architecture (the instantiation of IDM in that agency) in ways that progressively improve benefits case realization and the ability to interoperate with other agencies' IDM architectures. Each agency is expected to have an "as-is" and "to-be" and will define its own contextual transition strategy relevant to its priorities and goals. This transition is important, and must be governed effectively government-wide to realize the overall objectives of IDM.
  26. Implementation Strategy – Assurance
     Governance
     •  Governance of the Federal Enterprise-Wide Identity Management Capability
     •  Governance of the Agency Identity Management Capability
     •  Governance of the Identity Management Reference Architecture
     Maintenance
     •  Should evolve as the many different agencies incorporate it within their specific EA.
     •  Changes should be captured and documented, justified on the basis of costs, benefits, and risks.
     •  Changes should be processed through established change control processes and board authority.
     •  The change documentation should characterize the problem, solution, and alternatives chosen and rejected in light of established priorities.
     Performance Management
     •  Performance of an agency in meeting the stated performance indicators
     •  Performance of the reference architecture as a tool to meet the end goal
     Capital Planning Integration
     •  Each agency implementing the IDM model designs its own CPIC process for structuring budget formulation and execution to ensure that investments consistently support strategic goals.
     •  All IT projects should align with the agency mission and support business needs. The target architecture and the sequencing plan provide information for the three phases of the CPIC process.
     Compliance
     •  Compliance will be implemented according to the Federal CIO Council's EA Alignment and Assessment Guide (AAG).
     •  Business Performance and Technical Standards will be evaluated.
     Communications
     •  Create materials describing the scope of the EA and the value, benefits, and importance of EA and the IDM-RA.
     •  One-page briefing or brochure, key concept map, Frequently Asked Questions (FAQ) document, and PowerPoint presentation.
     •  Post on an EA website, SharePoint, wiki, or other collaboration tool.
  27. Recommendations and Lessons Learned. Identity Management Architecture Team: Greg Black, James Ryan, Paul Kavitz
  28. Lessons Learned & Recommendations
     •  Choose a Good Topic
        – Domain Expertise
        – Choose a REAL Challenge
        – Get Interests Aligned
     •  Handle the Practicum Like a Project
        – Nail the Statement of Work, BCG, and Problem Definition
        – Communication, Collaboration, and Workload Sharing
        – Gold in the professor feedback
     •  Leverage Homework Assignments
        – Really understand your assignment scope
        – Really understand your assignment schedule
        – Really confirm your understanding of EA
     •  Leverage your Team
        – 80% of what you learn will be cemented by your team collaboration
  29. Reference Enterprise Architecture Scope Mapped to Deliverables – Assignment Scope
     [Figure: the same Zachman-style grid as slide 8, with the deliverables labelled by their Appendix B section numbers (5.1 through 5.12) in the framework cells they cover.]
  30. Appendix B: Supporting Detail. Identity Management Architecture Team: Greg Black, James Ryan, Paul Kavitz
  31. 5.2 Guidance Summary (Document Title [level]: Notes)
     •  6.1 Homeland Security Presidential Directive-12 [Strategic Directive Level]: Designed to increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees). http://csrc.nist.gov/drivers/documents/Presidential-Directive-Hspd-12.html
     •  6.2 Federal Information Processing Standard (FIPS) 201, "Personal Identity Verification of Federal Employees and Contractors" [Strategic Directive Level]: This standard specifies the architecture and technical requirements for a common identification standard for Federal employees and contractors. Developed to satisfy the requirements of HSPD-12, approved by the Secretary of Commerce, and issued on February 25, 2005.
     •  Pub. L. 107-347, E-Government Act of 2002 [Law, Executive/Legislative Level]: To enhance the management and promotion of electronic Government services and processes by establishing a Federal Chief Information Officer within the Office of Management and Budget, and by establishing a broad framework of measures that require using Internet-based information technology to enhance citizen access to Government information and services, and for other purposes.
     •  Pub. L. 107-347, E-Government Act of 2002, Title III, Federal Information Security Management Act (FISMA) of 2002 [Law, Executive/Legislative Level]: Enacted to streamline, while at the same time strengthening, the requirements of its predecessor, the Government Information Security Reform Act (GISRA). FISMA compliance is a matter of national security, and therefore is scrutinized at the highest level of government. Yet FISMA compliance presents significant challenges for federal agencies, and for any organization that deals with federal information.
     •  Pub. L. 101-576, The Chief Financial Officers (CFO) Act of 1990 [Law, Executive/Legislative Level]: Intended to improve the government's financial management, outlining standards of financial performance and disclosure. Among other measures, the Office of Management and Budget (OMB) was given greater authority over federal financial management.
  32. 5.2 Guidance Summary (cont'd)
     •  President's Management Agenda of 2002 [Strategic Directive Level]: An aggressive strategy for improving the management of the Federal government. It focuses on five areas of management weakness across the government where improvements and the most progress can be made.
     •  Government Performance and Results Act of 1993 [Law, Executive/Legislative Level]: Seeks to shift the focus of government decision-making and accountability away from a preoccupation with the activities that are undertaken, such as grants dispensed or inspections made, to a focus on the results of those activities, such as real gains in employability, safety, responsiveness, or program quality. Under the Act, agencies are to develop multiyear strategic plans, annual performance plans, and annual performance reports.
     •  44 U.S.C. 3501, et seq., Paperwork Reduction Act of 1995, Pub. L. 104-13, as amended [Law, Executive/Legislative Level]: Minimize the paperwork burden for individuals, small businesses, educational and nonprofit institutions, Federal contractors, State, local and tribal governments, and other persons resulting from the collection of information by or for the Federal Government.
     •  40 U.S.C. 1401, et seq., Chapter 808 of Pub. L. 104-208, the Clinger-Cohen Act of 1996 [renaming, in pertinent part, the Information Technology Management Reform Act (ITMRA), Division E of Pub. L. 104-106] [Law, Executive/Legislative Level]: Provides that the government information technology shop be operated exactly as an efficient and profitable business would be operated. Acquisition, planning and management of technology must be treated as a "capital investment." While the law is complex, all consumers of hardware and software in the Department should be aware of the Chief Information Officer's leadership in implementing this statute.
     •  OMB Circular No. A-123, Management Accountability and Control, dated June 21, 1995 [Strategic Directive Level]: Requires Federal employees to design management structures that help ensure accountability for results, and include appropriate, cost-effective controls; provides guidance to Federal managers on improving the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on management controls.
  33. 5.2 Guidance Summary (cont'd)
     •  OMB Circular No. A-130, Appendix III, Management of Federal Information Resources, dated November 28, 2000 [Strategic Directive Level]: This Circular establishes policy for the management of Federal information resources. OMB includes procedural and analytic guidelines for implementing specific aspects of these policies as appendices.
     •  OMB Memorandum M-04-04, E-Authentication Guidance for Federal Agencies: Requires agencies to review new and existing electronic transactions to ensure that authentication processes provide the appropriate level of assurance. It establishes and describes four levels of identity assurance for electronic transactions requiring authentication. Assurance levels also provide a basis for assessing Credential Service Providers (CSPs) on behalf of Federal agencies. This document will assist agencies in determining their e-government authentication needs. Agency business-process owners bear the primary responsibility to identify assurance levels and strategies for providing them. This responsibility extends to electronic authentication systems. http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf
     •  Homeland Security Presidential Directive-7 [Strategic Directive Level]: This directive establishes a national policy for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attacks.
     •  National Infrastructure Protection Plan [Strategic Directive Level]: The National Infrastructure Protection Plan (NIPP) and supporting Sector-Specific Plans (SSPs) provide a coordinated approach to critical infrastructure and key resources (CI/KR) protection roles and responsibilities for federal, state, local, tribal, and private sector security partners. The NIPP sets national priorities, goals, and requirements for effective distribution of funding and resources which will help ensure that our government, economy, and public services continue in the event of a terrorist attack or other disaster.
  34. 34. Appendix X: Arguments Clarifications, assumptions, and defense of artifacts Identity Management Architecture Team Greg Black, James Ryan, Paul Kavitz Identity Management Reference Architecture 34 March 2008
  35. 35. 5.5 Business Node Connectivity Diagram From Slide 20, FEAF Architecture Products From Slide 9, Overview of Architecture Views From Slide 19, Overview of Architecture Views Identity Management Reference Architecture 35 March 2008
36. 36. Reference Enterprise Architecture Scope Mapped to Deliverables – Utility of FEA RMs
[Figure: Zachman grid with the FEA reference models overlaid. Columns: WHAT (Inventory), HOW (Process), WHERE (Network), WHO (Organization), WHEN (Timing), WHY (Motivation). Rows: Scope / Strategists (identification and types), Business / Executive Leaders (definition), System / Designers (representation), Technology / Engineers (specification), Component / Technicians (configuration), Operations / Workers (instantiation), down to The Enterprise. Each cell names its entity and relationship pair (e.g. Business Entity / Business Relationship, Business Transform / Business Input, Business Location / Business Connection, Business Role / Business Work, Business Cycle / Business Moment, Business End / Business Means, and likewise for the System, Technology, Component and Operations rows). The reference models BRM, PRM and SRM are placed in the upper rows, with the legend Context, Data, Process, Performance, Network. Deliverables 5.1 through 5.12 of this document are placed in the grid cells they address.]
37. 37. Sector-Specific Agencies and HSPD-7 Assigned CI/KR Sectors

Critical Infrastructure Sector / Sector-Specific Agency
  Agriculture & Food: Department of Agriculture (meat, poultry, and egg foods); Food and Drug Administration (other foods)
  Defense Industrial Base: Department of Defense
  Energy (oil, gas, and electric power, not nuclear): Department of Energy
  Public Health and Healthcare: Department of Health and Human Services
  National Monuments and Icons: Department of the Interior
  Banking and Finance: Department of the Treasury
  Drinking Water and Water Treatment Systems: Environmental Protection Agency
  Chemical: Department of Homeland Security
  Commercial Facilities: Department of Homeland Security
  Dams, Locks, and Levees: Department of Homeland Security
  Emergency Services: Department of Homeland Security
  Commercial Nuclear Reactors, Materials, and Waste: Department of Homeland Security
  Information Technology: Department of Homeland Security
  Telecommunications: Department of Homeland Security
  Postal and Shipping: Department of Homeland Security
  Transportation Systems: Department of Homeland Security
  Government Facilities: Department of Homeland Security
38. 38. Government/Market framework for Identity Management Reference Architecture
[Figure: the Identity Management Reference Architecture spanning three enterprises: US Federal Enterprise (FEAF), IT MSP Enterprise (IT MSP EA), and US Defense Enterprise (DODAF)]
39. 39. Market System framework for Identity Management Reference Architecture
[Figure: the Market System, with Market Policy (Market Interventions) and Commercial Sector operators (driven primarily by investor priorities). Within it, the Identity Management Reference Architecture connects the US Federal Enterprise (FEAF), the IT MSP Enterprise (IT MSP EA), and the US Defense Enterprise (DODAF) to Critical Sectors (Industry EA), e.g. Electricity EA, Defense-Industrial Base EA, and Transportation EA. Policy layers shown: Federal EA Policy (Government-wide policy) and Industry-specific Policy (Industry Regulation). Relationships between elements are labelled A and B.]
40. 40. Identity Management Reference Architecture
Statement of Work
Identity Management Architecture Team
Greg Black, James Ryan, Paul Kavitz
41. 41. 1. Introduction / 2. Background

1. Introduction
•  This project defines a reference enterprise architecture for the personal identity verification (PIV) managed service and its surrounding identity management suprasystem as guided by Homeland Security Presidential Directive 12 (HSPD-12) and Federal Information Processing Standard (FIPS) 201.

2. Background
•  Homeland Security Presidential Directive-12 (HSPD-12) mandates implementation of personal identity verification smart card credentials for all employees and contractors of the US Federal government.
•  The GSA Schedule for HSPD-12 has identified a number of managed service providers qualified to deliver credentialing services to agencies required to comply with the directive.
•  Beyond the narrow implementation of this directive, a credentialing service must be integrated within the larger Enterprise Architecture of each agency across the Federal Government and their facilities distributed across the world.
•  Furthermore, many Federal missions require the ability for government to assure the identity of various public communities, including alien visitors and immigrants, operators of critical infrastructures (e.g. transportation), etc. These all have other means to credential individuals that are regulated by other various, non-integrated standards.
•  With multiple identity management implementations already underway, GSA seeks an enterprise architecture as a decision support tool to inform the governance of the identity management implementations across government. The intent is to promote realization of the anticipated security benefits these credentials afford and to minimize the variety of implementations.
42. 42. 3. Scope
•  This project will define an enterprise reference architecture that places the HSPD-12 personal identity verification (PIV) credential managed service in the context of the broader Federal Enterprise Architecture.
  –  As such, it intends to identify opportunities for GSA, each implementing agency, and the managed service providers
  –  to identify reuse opportunities, improve integration, and realize business benefits of common personal identity verification (PIV) services across all of government.
•  Bounds and magnitudes
  –  The Personal Identity Verification Enterprise Reference Architecture (PIV-ERA) shall define multiple architectural perspectives limited to descriptive representations of the PIV function and its immediately adjacent systems (the proximate suprasystem). At the business and system level, the PIV-ERA shall be a reference model only, and as such shall be neutral with regard to any particular agency; however, it will be specific to the US Federal Government.
  –  The Zachman Enterprise Architecture Framework v2.01 (Ref. 6.4) serves to further clarify the boundary for this SOW (see fig. 3.1), as follows:
    •  Scoping identification (Zachman Row 1) for Personal Identity Verification shall be developed for all focus areas (Inventory, Process, Network, Organization, and Motivation).
    •  Business conceptual definitions (Zachman Row 2) for Personal Identity Verification shall be developed for the Inventory, Process, and Motivation focus areas (Cells 2,1; 2,2; and 2,6).
    •  A reference System Process Representation (Zachman Cell 3,2) shall be developed for Personal Identity Verification.
  –  Estimated total effort for development of PIV-ERA is approximately a three-person effort over 8 weeks, for a total of about 300 person-hours.
43. 43. Fig. 3.1 Identity Management Scope Enterprise View
[Figure: the full Zachman grid marking the scope described in section 3. Columns: WHAT (Inventory), HOW (Process), WHERE (Network), WHO (Organization), WHEN (Timing), WHY (Motivation). Rows: Scope / Strategists (identification and types), Business / Executive Leaders (definition), System / Designers (representation), Technology / Engineers (specification), Component / Technicians (configuration), Operations / Workers (instantiation), and The Enterprise. Each cell names its entity and relationship pair (Entity / Relationship, Transform / Input, Location / Connection, Role / Work, Cycle / Moment, End / Means) for the Business, System, Technology, Component and Operations rows.]
44. 44. 4. Deliverable Schedule & Dependencies
[Figure: dependency flow from Input Documents (SOW, Performance Data) through five tasks to the Final Presentation.
  Task 1: deliverables 5.1, 5.2
  Task 2: deliverables 5.3, 5.4, 5.5
  Task 3: deliverables 5.6, 5.7, 5.8
  Task 4: deliverables 5.9, 5.10
  Task 5: deliverables 5.11, 5.12
  Final Presentation: deliverables 6.1, 6.2, 6.3, 6.4
Artifact groups labelled in the figure: Context Artifacts, Context Artifacts, Process Artifacts, Network Artifacts.
Milestones: Award; Task 1 Signoff; Task 2,3 Signoff; Task 4,5 Signoff; Grades Awarded.]