SlideShare a Scribd company logo

FICAM Trust Framework Solutions 11/11/2013

Anil John
Anil John

The Federal ICAM Trust Framework Solutions (TFS) Program Update 11/11/2013

Government & Nonprofit
1 of 31
Download to read offline
Federal CIO Council Information Security and Identity Management Committee IDManagement.gov IDManagement.gov FICAM Trust Framework Solutions Update 11/11/13 Anil John FICAM TFS PM TFS.EAO@gsa.gov
2 Scope and Components of FICAM TFS Program What’s new in the 11/11/13 Update? Component Identity Services Federation and Identity Resolution FICAM TFS Program Approval Factors Next steps for currently Adopted Trust Framework Providers and Approved “Identity Providers” Overview
3 FICAM TFS Program is focused on securing C2G and B2G Online Services US Fed G2G == HSPD-12
4 Supports the Security, Privacy, and Interoperability Needs of Citizen and Business Facing Government Services Supports Government-wide Policy and National Strategy Implementation Leverages Industry Capabilities that may already be in use by Citizens and Businesses to Interoperate with Government Online Services Federated Identity Framework for US Gov
5  Trust Framework Provider Adoption Process (TFPAP) for All Levels of Assurance  Authority to Offer Services (ATOS) for FICAM TFS Approved Identity Services  Identity Scheme and Protocol Adoption Process  Relying Party Guidance for Accepting Externally Issued Credentials  E-Government Trust Services CA  E-Government Trust Services Metadata Service Components of the FICAM TFS Program http://info.idmanagement.gov/2013/11/ficam-trust-framework-solutions-tfs.html
6  Fast-Track Program for Financial Institutions to become Approved CSPs or Token Managers  Interoperability Verification + Annual Follow-Up of Identity Services for FICAM TFS Approval  Simplification of LOA 1 Requirements  Support for Component Identity Services  Incorporation of Privacy as a Trust Criteria  Introduction of Ongoing Verification as an OPTIONAL Trust Criteria  Identity Resolution Attribute Requirements for FICAM TFS CSP and Identity Manager Approval  Relationship with the FICAM Testing Program to verify FICAM Protocol Profile Support in On-Premise Vendor Products What’s New?
7 “Current government systems do not separate the functions of authentication and attribute providers. In some applications, these functions are provided by different parties. While a combined authentication and attribute provider model is used in this document, it does not preclude agencies from separating these functions” Component Identity Services
8  Token: Something that an individual possesses and controls that is used to authenticate the individual  Tokens are possessed by an individual and controlled through one or more of the traditional authentication factors (something you know, have, or are)  Identity: A set of attributes that uniquely describe an individual within a given context  Credential: An object or data structure that authoritatively binds an identity to a token possessed and controlled by an individual Component Identity Services: Terminology
9 Binding Attribute Authority Authentication Person Relying Party Binding Manager manages Token-Identity Link Record Consent Service Token Token Manager manages Token Management Service Identity Record Identity Manager manages Identity Proofing Service Validation Service Authentication Service
10 RP uses External Credential RP delegates Authentication, Identity Management and Binding Credential Service Provider Binding Attribute Authority Authentication Person Relying Party Binding Manager manages Token-Identity Link Record Validation Service Authentication Service Consent Service Token Token Manager manages Token Management Service Identity Record Identity Manager manages Identity Proofing Service Binding Manager manages Token-Identity Link Record Validation Service Authentication Service
11 RP delegates Authentication RP manages Identity and Binding RP uses External Token Token Manager Binding Attribute Authority Authentication Person Relying Party Binding Manager manages Token-Identity Link Record Validation Service Authentication Service Consent Service Token Token Manager manages Token Management Service Identity Record Identity Manager manages Identity Proofing Service Binding Manager manages Token-Identity Link Record Validation Service Authentication Service
12 RP manages Authentication and Binding RP uses External Identity RP delegates Identity Management Identity Manager Binding Attribute Authority Authentication Person Relying Party Binding Manager manages Token-Identity Link Record Validation Service Authentication Service Consent Service Token Token Manager manages Token Management Service Identity Record Identity Manager manages Identity Proofing Service Binding Manager manages Token-Identity Link Record Validation Service Authentication Service
13  Credential Service Provider  Token Management Services  Authentication Services  Identity Proofing Services  Attribute Validation Services  Token Manager  Token Management Services  Authentication Services  Identity Manager  Identity Proofing Services  Attribute Validation Services FICAM TFS Program Service Terminology Consent Services are implementation specific & driven by policy
14 Stand-alone FICAM SAML Metadata Profile  Metadata portions of Web SSO Profile  Metadata profile of BAE AttributeConsumingServiceIndex to convey Attribute Bundle Requests Standardized URIs for conveying Assurance Account Fraud Signaling Capability Updated Guidance on Holder-of-Key Usage Federation: FICAM SAML Profile for Web SSO Update to Profile Coming Soon
15  The degree of confidence in the vetting process used to establish the identity of an individual to whom the credential was issued, and  The degree of confidence that the individual who uses the credential is the individual to whom the credential was issued  LOA  Level 2 - Some confidence in the asserted identity’s validity  Level 3 - High confidence in the asserted identity’s validity  Level 4 – Very High confidence in the asserted identity’s validity  The ability to resolve a set of identity attributes to a unique individual  No other individual has the same set of attributes  For our federation use cases, the ability to map an identity on the RP front door to an existing person, in our jurisdiction, is critical  Online benefits delivery  Citizen transactions Federation: Assurance & Resolution Credential Assurance (LOA) Identity Resolution
16  The degree of confidence in the vetting process used to establish the identity of an individual to whom the credential was issued, and  The degree of confidence that the individual who uses the credential is the individual to whom the credential was issued  LOA  Level 2 - Some confidence in the asserted identity’s validity  Level 3 - High confidence in the asserted identity’s validity  Level 4 – Very High confidence in the asserted identity’s validity  The ability to resolve a set of identity attributes to a unique individual  No other individual has the same set of attributes  For our federation use cases, the ability to map an identity on the RP front door to an existing person, in our jurisdiction, is critical  Online benefits delivery  Citizen transactions Federation: Assurance & Resolution Credential Assurance (LOA) Identity Resolution Tokens, Identity Proofing and Credentials are about Asserting Assurance Verified Identity Attributes are about enabling Identity Resolution
17 Are there studies or standards we can use as a starting point for determining the minimal attributes for resolution? Can the approach accommodate Agency specific data analysis regarding resolution? Can the implementation infrastructure support the approach that incorporates data minimization? Identity Resolution Considerations
18 Are the attributes chosen EFFECTIVE at resolving to a single US Person? Do you have data, studies, analysis and results you can share that shows the effectiveness of the attributes needed for identity resolution? No secret, magic or proprietary sauce please!
19 Category Attribute Description Attribute Bundle 1 2 3 4 5 Name Name (First Name) AND (Last Name) Location Partial Address Postal Code OR (City and State) Place of Birth (City or County) AND (State or Foreign Country) Time Partial Date of Birth (Month and Day) OR Year Full Date of Birth Identifier Partial Social Security Number Last 4 Digits Full Social Security Number Full 9 Digits Available Supplemental Attributes Mother’s Name (At Birth or Prior to First Marriage) Middle Name or Initial Partial Place of Birth Country NA Partial Place of Birth State NA Partial Place of Birth City NA Partial Current Address State NA Partial Current Address City NA Partial Current Address Street Previous City Full Date of Birth NA Full SSN All 9 Digits NA Partial SSN First 5 Digits NA Partial SSN Last 4 Digits NA NA Sex “Core” + “Supplemental” Identity Attributes
20 Category Attribute Description Attribute Bundle 1 2 3 4 5 Name Name (First Name) AND (Last Name) Location Partial Address Postal Code OR (City and State) Place of Birth (City or County) AND (State or Foreign Country) Time Partial Date of Birth (Month and Day) OR Year Full Date of Birth Identifier Partial Social Security Number Last 4 Digits Full Social Security Number Full 9 Digits Available Supplemental Attributes Mother’s Name (At Birth or Prior to First Marriage) Middle Name or Initial Partial Place of Birth Country NA Partial Place of Birth State NA Partial Place of Birth City NA Partial Current Address State NA Partial Current Address City NA Partial Current Address Street Previous City Full Date of Birth NA Full SSN All 9 Digits NA Partial SSN First 5 Digits NA Partial SSN Last 4 Digits NA NA Sex “Core” + “Supplemental” Identity Attributes Core Attribute Bundles Provide 96%+ Identity Resolution (1 == 2 == 3 == 4 == 5)
21 Category Attribute Description Attribute Bundle 1 2 3 4 5 Name Name (First Name) AND (Last Name) Location Partial Address Postal Code OR (City and State) Place of Birth (City or County) AND (State or Foreign Country) Time Partial Date of Birth (Month and Day) OR Year Full Date of Birth Identifier Partial Social Security Number Last 4 Digits Full Social Security Number Full 9 Digits Available Supplemental Attributes Mother’s Name (At Birth or Prior to First Marriage) Middle Name or Initial Partial Place of Birth Country NA Partial Place of Birth State NA Partial Place of Birth City NA Partial Current Address State NA Partial Current Address City NA Partial Current Address Street Previous City Full Date of Birth NA Full SSN All 9 Digits NA Partial SSN First 5 Digits NA Partial SSN Last 4 Digits NA NA Sex “Core” + “Supplemental” Identity Attributes Core Attribute Bundles Provide 96%+ Identity Resolution + Specific Supplemental Attributes from Available Listing = 100% Identity Resolution
22 Category Attribute Description Attribute Bundle 1 2 3 4 5 Name Name (First Name) AND (Last Name) Location Partial Address Postal Code OR (City and State) Place of Birth (City or County) AND (State or Foreign Country) Time Partial Date of Birth (Month and Day) OR Year Full Date of Birth Identifier Partial Social Security Number Last 4 Digits Full Social Security Number Full 9 Digits Available Supplemental Attributes Mother’s Name (At Birth or Prior to First Marriage) Middle Name or Initial Partial Place of Birth Country NA Partial Place of Birth State NA Partial Place of Birth City NA Partial Current Address State NA Partial Current Address City NA Partial Current Address Street Previous City Full Date of Birth NA Full SSN All 9 Digits NA Partial SSN First 5 Digits NA Partial SSN Last 4 Digits NA NA Sex “Core” + “Supplemental” Identity Attributes These attributes have been nominated to the Government-wide FICAM Attribute Registry via the FICAM ACAG TT
23 Category Attribute Description Attribute Bundle 1 2 3 4 5 Name Name (First Name) AND (Last Name) Location Partial Address Postal Code OR (City and State) Place of Birth (City or County) AND (State or Foreign Country) Time Partial Date of Birth (Month and Day) OR Year Full Date of Birth Identifier Partial Social Security Number Last 4 Digits Full Social Security Number Full 9 Digits Available Supplemental Attributes Mother’s Name (At Birth or Prior to First Marriage) Middle Name or Initial Partial Place of Birth Country NA Partial Place of Birth State NA Partial Place of Birth City NA Partial Current Address State NA Partial Current Address City NA Partial Current Address Street Previous City Full Date of Birth NA Full SSN All 9 Digits NA Partial SSN First 5 Digits NA Partial SSN Last 4 Digits NA NA Sex “Core” + “Supplemental” Identity Attributes “ Do not let perfect be the enemy of the good ” This is a starting point for FICAM TFS; Expect this to be revised as our understanding matures
24  Assurance and Identity are in the eye of the RP  To be a FICAM TFS Approved CSP  Need to meet Government needs for Assurance  Need to meet Government needs for Identity Proofing  Need to meet Government needs for Identity Resolution  To be a FICAM TFS Approved TM  Need to meet Government needs for Assurance  To be a FICAM TFS Approved IM  Need to meet Government needs for Identity Proofing  Need to meet Government needs for Identity Resolution FICAM TFS Program Approval Factors
25 FICAM TFS Program Approval Factors Trust Framework Provider Assurance Processes Privacy Policy Audit & Certification Processes Auditor Qualifications Organizational Maturity CSP / TM / IM Organizational Maturity Registration & Identity Proofing Processes Credential & Issuance Processes Privacy Policies Approval Assessment US Government Relying Party Citizen Comparability Assessment OMB Requirements NIST Requirements GSA Requirements Privacy & Security
26 FICAM TFS Program Approval Factors Trust Framework Provider Assurance Processes Privacy Policy Audit & Certification Processes Auditor Qualifications Organizational Maturity CSP / TM / IM Organizational Maturity Registration & Identity Proofing Processes Credential & Issuance Processes Privacy Policies Approval Assessment US Government Relying Party Citizen Comparability Assessment OMB Requirements NIST Requirements GSA Requirements Privacy & Security “Trust”/Policy Comparability
27  The technical ability of an Identity Service to convey assurances of Identity  Using protocols and profiles approved by the FICAM TFS Program – FICAM SAML 2 Profile of Web SSO  Using semantics that ensure common understanding – http://idmanagement.gov/ns/assurance/loa/1 – http://idmanagement.gov/ns/assurance/loa/2 – http://idmanagement.gov/ns/assurance/loa/3 – http://idmanagement.gov/ns/assurance/loa/4 – Other FICAM TFS Approved URIs  The technical ability of an Identity Service to convey attributes  Using protocols and profiles approved by the FICAM TFS Program  That allow a Government RP to resolve the attributes to a unique individual – On request – With consent in accordance with policy  Using attribute names and bundles that ensure common understanding FICAM TFS Program Approval Factors Credential Assurance (LOA) Identity Resolution
28  The technical ability of an Identity Service to convey assurances of Identity  Using protocols and profiles approved by the FICAM TFS Program – FICAM SAML 2 Profile of Web SSO  Using semantics that ensure common understanding – http://idmanagement.gov/ns/assurance/loa/1 – http://idmanagement.gov/ns/assurance/loa/2 – http://idmanagement.gov/ns/assurance/loa/3 – http://idmanagement.gov/ns/assurance/loa/4  The technical ability of an Identity Service to convey attributes  Using protocols and profiles approved by the FICAM TFS Program  That allow a Government RP to resolve the attributes to a unique individual – On request – With consent in accordance with policy  Using attribute names and bundles that ensure common understanding FICAM TFS Program Approval Factors Credential Assurance (LOA) Identity Resolution Technical Interoperability. We Will Verify. Annually.
29 FICAM TFS Program Approval Factors Core Identity Attributes Supplemental Identity Attributes Name: (Legal First Name and Legal Last Name) Current Address: (Postal Code) Current Address: (City and State) Partial Date of Birth: (Month and Day) Partial Date of Birth: (Year) Full Date of Birth Partial SSN: (Last 4 digits) Full SSN: (All 9 digits) Place of Birth: (City) Place of Birth: (County) Place of Birth: (State) Place of Birth: (Country) Mother’s Name: (At Birth) Mother’s Name: (Prior to first marriage) Middle Name Middle Initial Current Address: (Street) Partial Past Address: (Previous City) Partial SSN: (First 5 digits) Sex “Applicant must be capable of technically providing, upon RP request via approved protocols and profiles, dynamic combinations of available attributes from the above listing” http://www.idmanagement.gov/sites/default/files/documents/FICAM_TFS_ATOS_v1.0.0_DRAFT.pdf
30  Trust Framework Provider (TFP) Implementation of FICAM TFS v2  MUST happen with 6 months of FICAM TFS v2 final approval  Trust Framework Provider should initiate discussion with the FICAM TFS Program regarding any concerns or issues  Provide information as documented in ATOS to FICAM TFS Program for capability verification  Very minimal at LOA 1 (POCs, Endpoints, TFP Approval, Change Management Notification Process)  More complete at LOA 2+  If successful, sign MOA with FICAM TFS Program which is valid for a year; Lightweight annual renewal  As a courtesy to existing “IdPs”, and pending available resources, the FICAM TFS Program will prioritize and fast track their capability verification Way Forward for Currently Approved “IdPs”
31 Align Collaborat e Enable http://www.IDManagement.gov

Recommended

Who Are You, Really?
Who Are You, Really?Who Are You, Really?
Who Are You, Really?Anil John
 
Identity Proofing to provision accurately
Identity Proofing to provision accuratelyIdentity Proofing to provision accurately
Identity Proofing to provision accuratelyDavid Kelts, CIPT
 
Liberty Data Solutions, Know your Client
Liberty Data Solutions, Know your ClientLiberty Data Solutions, Know your Client
Liberty Data Solutions, Know your ClientStevenDendrinos
 
Lynn Fy07 Q4 Msdn Events Copy
Lynn Fy07 Q4 Msdn Events CopyLynn Fy07 Q4 Msdn Events Copy
Lynn Fy07 Q4 Msdn Events Copyllangit
 
apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...
apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...
apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...apidays
 
Mature Digital Trust Infrastructure - Are we there yet?
Mature Digital Trust Infrastructure - Are we there yet?Mature Digital Trust Infrastructure - Are we there yet?
Mature Digital Trust Infrastructure - Are we there yet?sorenpeter
 
Maximizing PayPal's New Identity Services to Create Seamless and Safe User Ex...
Maximizing PayPal's New Identity Services to Create Seamless and Safe User Ex...Maximizing PayPal's New Identity Services to Create Seamless and Safe User Ex...
Maximizing PayPal's New Identity Services to Create Seamless and Safe User Ex...PayPalX Developer Network
 
Building Trust in Blockchain: How Blockchain Will Revolutionize Businesses in...
Building Trust in Blockchain: How Blockchain Will Revolutionize Businesses in...Building Trust in Blockchain: How Blockchain Will Revolutionize Businesses in...
Building Trust in Blockchain: How Blockchain Will Revolutionize Businesses in...PECB
 

Recommended

Who Are You, Really?
Who Are You, Really?Who Are You, Really?
Who Are You, Really?Anil John
 
Identity Proofing to provision accurately
Identity Proofing to provision accuratelyIdentity Proofing to provision accurately
Identity Proofing to provision accuratelyDavid Kelts, CIPT
 
Liberty Data Solutions, Know your Client
Liberty Data Solutions, Know your ClientLiberty Data Solutions, Know your Client
Liberty Data Solutions, Know your ClientStevenDendrinos
 
Lynn Fy07 Q4 Msdn Events Copy
Lynn Fy07 Q4 Msdn Events CopyLynn Fy07 Q4 Msdn Events Copy
Lynn Fy07 Q4 Msdn Events Copyllangit
 
apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...
apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...
apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...apidays
 
Mature Digital Trust Infrastructure - Are we there yet?
Mature Digital Trust Infrastructure - Are we there yet?Mature Digital Trust Infrastructure - Are we there yet?
Mature Digital Trust Infrastructure - Are we there yet?sorenpeter
 
Maximizing PayPal's New Identity Services to Create Seamless and Safe User Ex...
Maximizing PayPal's New Identity Services to Create Seamless and Safe User Ex...Maximizing PayPal's New Identity Services to Create Seamless and Safe User Ex...
Maximizing PayPal's New Identity Services to Create Seamless and Safe User Ex...PayPalX Developer Network
 
Building Trust in Blockchain: How Blockchain Will Revolutionize Businesses in...
Building Trust in Blockchain: How Blockchain Will Revolutionize Businesses in...Building Trust in Blockchain: How Blockchain Will Revolutionize Businesses in...
Building Trust in Blockchain: How Blockchain Will Revolutionize Businesses in...PECB
 
Empire Consulting Background Check 2016
Empire Consulting Background Check 2016Empire Consulting Background Check 2016
Empire Consulting Background Check 2016Michael Kennedy
 
Empire Background Check Info 2016
Empire Background Check Info 2016Empire Background Check Info 2016
Empire Background Check Info 2016Michael Kennedy
 
Refcheck upload
Refcheck uploadRefcheck upload
Refcheck uploadpriyagup
 
Identity, Security and XML Web Services
Identity, Security and XML Web ServicesIdentity, Security and XML Web Services
Identity, Security and XML Web ServicesJorgen Thelin
 
Vinod Rebello
Vinod RebelloVinod Rebello
Vinod Rebelloprensacespi
 
Background check misconceptions 5 12 15
Background check misconceptions 5 12 15Background check misconceptions 5 12 15
Background check misconceptions 5 12 15wbrownsureid
 
Transforming services through identity & eligibility checking | Ian Litton | ...
Transforming services through identity & eligibility checking | Ian Litton | ...Transforming services through identity & eligibility checking | Ian Litton | ...
Transforming services through identity & eligibility checking | Ian Litton | ...Department for Communities and Local Government Local Digital Campaign
 
Appol™ Presentation
Appol™ PresentationAppol™ Presentation
Appol™ Presentationryancowsert
 
Metadata Melodies Webinar with David Loshin Presentation
Metadata Melodies Webinar with David Loshin PresentationMetadata Melodies Webinar with David Loshin Presentation
Metadata Melodies Webinar with David Loshin PresentationEmbarcadero Technologies
 
ClearDil - Service.pdf
ClearDil - Service.pdfClearDil - Service.pdf
ClearDil - Service.pdfClear Dil
 
Fighting Fraud: How GameStop rose to the call of duty
Fighting Fraud: How GameStop rose to the call of dutyFighting Fraud: How GameStop rose to the call of duty
Fighting Fraud: How GameStop rose to the call of dutyWhitepages Pro
 
Eic munich-2019-ripple effect of gdpr in na- cx pa-rev20190430
Eic munich-2019-ripple effect of gdpr in na- cx pa-rev20190430Eic munich-2019-ripple effect of gdpr in na- cx pa-rev20190430
Eic munich-2019-ripple effect of gdpr in na- cx pa-rev20190430Jean-François LOMBARDO
 
api-security-Jan23.pptxsdfffffffffffffffffffffffffffff
api-security-Jan23.pptxsdfffffffffffffffffffffffffffffapi-security-Jan23.pptxsdfffffffffffffffffffffffffffff
api-security-Jan23.pptxsdfffffffffffffffffffffffffffffDucAnhLe56
 
Background verification services
Background verification servicesBackground verification services
Background verification servicesicrederity info services pvt ltd
 
Access management
Access managementAccess management
Access managementVenkatesh Jambulingam
 
FirstNet ICAM
FirstNet ICAMFirstNet ICAM
FirstNet ICAMAdam Lewis
 
DDD Melbourne 2019 : Modern Authentication 101
DDD Melbourne 2019 : Modern Authentication 101DDD Melbourne 2019 : Modern Authentication 101
DDD Melbourne 2019 : Modern Authentication 101Dasith Wijesiriwardena
 
Issa fi xs briefing
Issa fi xs briefingIssa fi xs briefing
Issa fi xs briefingFederation for Identity and Cross-Credentialing Systems (FiXs)
 
Employees Background Check
Employees Background CheckEmployees Background Check
Employees Background CheckQamar Sir Nawaz
 
Electronic credential authentication_standard
Electronic credential authentication_standardElectronic credential authentication_standard
Electronic credential authentication_standardHai Nguyen
 
Climate change and safety and health at work
Climate change and safety and health at workClimate change and safety and health at work
Climate change and safety and health at workChristina Parmionova
 
VIP Call Girl mohali 7001035870 Enjoy Call Girls With Our Escorts
VIP Call Girl mohali 7001035870 Enjoy Call Girls With Our EscortsVIP Call Girl mohali 7001035870 Enjoy Call Girls With Our Escorts
VIP Call Girl mohali 7001035870 Enjoy Call Girls With Our Escortssonatiwari757
 

More Related Content

Similar to FICAM Trust Framework Solutions 11/11/2013

Empire Consulting Background Check 2016
Empire Consulting Background Check 2016Empire Consulting Background Check 2016
Empire Consulting Background Check 2016Michael Kennedy
 
Empire Background Check Info 2016
Empire Background Check Info 2016Empire Background Check Info 2016
Empire Background Check Info 2016Michael Kennedy
 
Refcheck upload
Refcheck uploadRefcheck upload
Refcheck uploadpriyagup
 
Identity, Security and XML Web Services
Identity, Security and XML Web ServicesIdentity, Security and XML Web Services
Identity, Security and XML Web ServicesJorgen Thelin
 
Background check misconceptions 5 12 15
Background check misconceptions 5 12 15Background check misconceptions 5 12 15
Background check misconceptions 5 12 15wbrownsureid
 
Appol™ Presentation
Appol™ PresentationAppol™ Presentation
Appol™ Presentationryancowsert
 
Metadata Melodies Webinar with David Loshin Presentation
Metadata Melodies Webinar with David Loshin PresentationMetadata Melodies Webinar with David Loshin Presentation
Metadata Melodies Webinar with David Loshin PresentationEmbarcadero Technologies
 
ClearDil - Service.pdf
ClearDil - Service.pdfClearDil - Service.pdf
ClearDil - Service.pdfClear Dil
 
Fighting Fraud: How GameStop rose to the call of duty
Fighting Fraud: How GameStop rose to the call of dutyFighting Fraud: How GameStop rose to the call of duty
Fighting Fraud: How GameStop rose to the call of dutyWhitepages Pro
 
Eic munich-2019-ripple effect of gdpr in na- cx pa-rev20190430
Eic munich-2019-ripple effect of gdpr in na- cx pa-rev20190430Eic munich-2019-ripple effect of gdpr in na- cx pa-rev20190430
Eic munich-2019-ripple effect of gdpr in na- cx pa-rev20190430Jean-François LOMBARDO
 
api-security-Jan23.pptxsdfffffffffffffffffffffffffffff
api-security-Jan23.pptxsdfffffffffffffffffffffffffffffapi-security-Jan23.pptxsdfffffffffffffffffffffffffffff
api-security-Jan23.pptxsdfffffffffffffffffffffffffffffDucAnhLe56
 
DDD Melbourne 2019 : Modern Authentication 101
DDD Melbourne 2019 : Modern Authentication 101DDD Melbourne 2019 : Modern Authentication 101
DDD Melbourne 2019 : Modern Authentication 101Dasith Wijesiriwardena
 
Employees Background Check
Employees Background CheckEmployees Background Check
Employees Background CheckQamar Sir Nawaz
 
Electronic credential authentication_standard
Electronic credential authentication_standardElectronic credential authentication_standard
Electronic credential authentication_standardHai Nguyen
 

Similar to FICAM Trust Framework Solutions 11/11/2013 (20)

Empire Consulting Background Check 2016
Empire Consulting Background Check 2016Empire Consulting Background Check 2016
Empire Consulting Background Check 2016
 
Empire Background Check Info 2016
Empire Background Check Info 2016Empire Background Check Info 2016
Empire Background Check Info 2016
 
Refcheck upload
Refcheck uploadRefcheck upload
Refcheck upload
 
Identity, Security and XML Web Services
Identity, Security and XML Web ServicesIdentity, Security and XML Web Services
Identity, Security and XML Web Services
 
Vinod Rebello
Vinod RebelloVinod Rebello
Vinod Rebello
 
Background check misconceptions 5 12 15
Background check misconceptions 5 12 15Background check misconceptions 5 12 15
Background check misconceptions 5 12 15
 
Transforming services through identity & eligibility checking | Ian Litton | ...
Transforming services through identity & eligibility checking | Ian Litton | ...Transforming services through identity & eligibility checking | Ian Litton | ...
Transforming services through identity & eligibility checking | Ian Litton | ...
 
Appol™ Presentation
Appol™ PresentationAppol™ Presentation
Appol™ Presentation
 
Metadata Melodies Webinar with David Loshin Presentation
Metadata Melodies Webinar with David Loshin PresentationMetadata Melodies Webinar with David Loshin Presentation
Metadata Melodies Webinar with David Loshin Presentation
 
ClearDil - Service.pdf
ClearDil - Service.pdfClearDil - Service.pdf
ClearDil - Service.pdf
 
Fighting Fraud: How GameStop rose to the call of duty
Fighting Fraud: How GameStop rose to the call of dutyFighting Fraud: How GameStop rose to the call of duty
Fighting Fraud: How GameStop rose to the call of duty
 
Eic munich-2019-ripple effect of gdpr in na- cx pa-rev20190430
Eic munich-2019-ripple effect of gdpr in na- cx pa-rev20190430Eic munich-2019-ripple effect of gdpr in na- cx pa-rev20190430
Eic munich-2019-ripple effect of gdpr in na- cx pa-rev20190430
 
api-security-Jan23.pptxsdfffffffffffffffffffffffffffff
api-security-Jan23.pptxsdfffffffffffffffffffffffffffffapi-security-Jan23.pptxsdfffffffffffffffffffffffffffff
api-security-Jan23.pptxsdfffffffffffffffffffffffffffff
 
Background verification services
Background verification servicesBackground verification services
Background verification services
 
Access management
Access managementAccess management
Access management
 
FirstNet ICAM
FirstNet ICAMFirstNet ICAM
FirstNet ICAM
 
DDD Melbourne 2019 : Modern Authentication 101
DDD Melbourne 2019 : Modern Authentication 101DDD Melbourne 2019 : Modern Authentication 101
DDD Melbourne 2019 : Modern Authentication 101
 
Issa fi xs briefing
Issa fi xs briefingIssa fi xs briefing
Issa fi xs briefing
 
Employees Background Check
Employees Background CheckEmployees Background Check
Employees Background Check
 
Electronic credential authentication_standard
Electronic credential authentication_standardElectronic credential authentication_standard
Electronic credential authentication_standard
 

Recently uploaded

Climate change and safety and health at work
Climate change and safety and health at workClimate change and safety and health at work
Climate change and safety and health at workChristina Parmionova
 
VIP Call Girl mohali 7001035870 Enjoy Call Girls With Our Escorts
VIP Call Girl mohali 7001035870 Enjoy Call Girls With Our EscortsVIP Call Girl mohali 7001035870 Enjoy Call Girls With Our Escorts
VIP Call Girl mohali 7001035870 Enjoy Call Girls With Our Escortssonatiwari757
 
VIP High Class Call Girls Amravati Anushka 8250192130 Independent Escort Serv...
VIP High Class Call Girls Amravati Anushka 8250192130 Independent Escort Serv...VIP High Class Call Girls Amravati Anushka 8250192130 Independent Escort Serv...
VIP High Class Call Girls Amravati Anushka 8250192130 Independent Escort Serv...Suhani Kapoor
 
VIP Call Girls Service Bikaner Aishwarya 8250192130 Independent Escort Servic...
VIP Call Girls Service Bikaner Aishwarya 8250192130 Independent Escort Servic...VIP Call Girls Service Bikaner Aishwarya 8250192130 Independent Escort Servic...
VIP Call Girls Service Bikaner Aishwarya 8250192130 Independent Escort Servic...Suhani Kapoor
 
(NEHA) Bhosari Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(NEHA) Bhosari Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(NEHA) Bhosari Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(NEHA) Bhosari Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escortsranjana rawat
 
EDUROOT SME_ Performance upto March-2024.pptx
EDUROOT SME_ Performance upto March-2024.pptxEDUROOT SME_ Performance upto March-2024.pptx
EDUROOT SME_ Performance upto March-2024.pptxaaryamanorathofficia
 
How the Congressional Budget Office Assists Lawmakers
How the Congressional Budget Office Assists LawmakersHow the Congressional Budget Office Assists Lawmakers
How the Congressional Budget Office Assists LawmakersCongressional Budget Office
 
DNV publication: China Energy Transition Outlook 2024
DNV publication: China Energy Transition Outlook 2024DNV publication: China Energy Transition Outlook 2024
DNV publication: China Energy Transition Outlook 2024Energy for One World
 
Global debate on climate change and occupational safety and health.
Global debate on climate change and occupational safety and health.Global debate on climate change and occupational safety and health.
Global debate on climate change and occupational safety and health.Christina Parmionova
 
(SUHANI) Call Girls Pimple Saudagar ( 7001035870 ) HI-Fi Pune Escorts Service
(SUHANI) Call Girls Pimple Saudagar ( 7001035870 ) HI-Fi Pune Escorts Service(SUHANI) Call Girls Pimple Saudagar ( 7001035870 ) HI-Fi Pune Escorts Service
(SUHANI) Call Girls Pimple Saudagar ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 
Incident Command System xxxxxxxxxxxxxxxxxxxxxxxxx
Incident Command System xxxxxxxxxxxxxxxxxxxxxxxxxIncident Command System xxxxxxxxxxxxxxxxxxxxxxxxx
Incident Command System xxxxxxxxxxxxxxxxxxxxxxxxxPeter Miles
 
Zechariah Boodey Farmstead Collaborative presentation - Humble Beginnings
Zechariah Boodey Farmstead Collaborative presentation - Humble BeginningsZechariah Boodey Farmstead Collaborative presentation - Humble Beginnings
Zechariah Boodey Farmstead Collaborative presentation - Humble Beginningsinfo695895
 
VIP Russian Call Girls in Indore Ishita 💚😋 9256729539 🚀 Indore Escorts
VIP Russian Call Girls in Indore Ishita 💚😋 9256729539 🚀 Indore EscortsVIP Russian Call Girls in Indore Ishita 💚😋 9256729539 🚀 Indore Escorts
VIP Russian Call Girls in Indore Ishita 💚😋 9256729539 🚀 Indore Escortsaditipandeya
 
2024 Zoom Reinstein Legacy Asbestos Webinar
2024 Zoom Reinstein Legacy Asbestos Webinar2024 Zoom Reinstein Legacy Asbestos Webinar
2024 Zoom Reinstein Legacy Asbestos WebinarLinda Reinstein
 
Human-AI Collaboration for Virtual Capacity in Emergency Operation Centers (E...
Human-AI Collaboration for Virtual Capacity in Emergency Operation Centers (E...Human-AI Collaboration for Virtual Capacity in Emergency Operation Centers (E...
Human-AI Collaboration for Virtual Capacity in Emergency Operation Centers (E...Hemant Purohit
 
2024: The FAR, Federal Acquisition Regulations - Part 27
2024: The FAR, Federal Acquisition Regulations - Part 272024: The FAR, Federal Acquisition Regulations - Part 27
2024: The FAR, Federal Acquisition Regulations - Part 27JSchaus & Associates
 
(SHINA) Call Girls Khed ( 7001035870 ) HI-Fi Pune Escorts Service
(SHINA) Call Girls Khed ( 7001035870 ) HI-Fi Pune Escorts Service(SHINA) Call Girls Khed ( 7001035870 ) HI-Fi Pune Escorts Service
(SHINA) Call Girls Khed ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 

Recently uploaded (20)

Climate change and safety and health at work
Climate change and safety and health at workClimate change and safety and health at work
Climate change and safety and health at work
 
VIP Call Girl mohali 7001035870 Enjoy Call Girls With Our Escorts
VIP Call Girl mohali 7001035870 Enjoy Call Girls With Our EscortsVIP Call Girl mohali 7001035870 Enjoy Call Girls With Our Escorts
VIP Call Girl mohali 7001035870 Enjoy Call Girls With Our Escorts
 
VIP High Class Call Girls Amravati Anushka 8250192130 Independent Escort Serv...
VIP High Class Call Girls Amravati Anushka 8250192130 Independent Escort Serv...VIP High Class Call Girls Amravati Anushka 8250192130 Independent Escort Serv...
VIP High Class Call Girls Amravati Anushka 8250192130 Independent Escort Serv...
 
Rohini Sector 37 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 37 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 37 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 37 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
9953330565 Low Rate Call Girls In Adarsh Nagar Delhi NCR
9953330565 Low Rate Call Girls In Adarsh Nagar Delhi NCR9953330565 Low Rate Call Girls In Adarsh Nagar Delhi NCR
9953330565 Low Rate Call Girls In Adarsh Nagar Delhi NCR
 
VIP Call Girls Service Bikaner Aishwarya 8250192130 Independent Escort Servic...
VIP Call Girls Service Bikaner Aishwarya 8250192130 Independent Escort Servic...VIP Call Girls Service Bikaner Aishwarya 8250192130 Independent Escort Servic...
VIP Call Girls Service Bikaner Aishwarya 8250192130 Independent Escort Servic...
 
(NEHA) Bhosari Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(NEHA) Bhosari Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(NEHA) Bhosari Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(NEHA) Bhosari Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
 
EDUROOT SME_ Performance upto March-2024.pptx
EDUROOT SME_ Performance upto March-2024.pptxEDUROOT SME_ Performance upto March-2024.pptx
EDUROOT SME_ Performance upto March-2024.pptx
 
How the Congressional Budget Office Assists Lawmakers
How the Congressional Budget Office Assists LawmakersHow the Congressional Budget Office Assists Lawmakers
How the Congressional Budget Office Assists Lawmakers
 
DNV publication: China Energy Transition Outlook 2024
DNV publication: China Energy Transition Outlook 2024DNV publication: China Energy Transition Outlook 2024
DNV publication: China Energy Transition Outlook 2024
 
Global debate on climate change and occupational safety and health.
Global debate on climate change and occupational safety and health.Global debate on climate change and occupational safety and health.
Global debate on climate change and occupational safety and health.
 
(SUHANI) Call Girls Pimple Saudagar ( 7001035870 ) HI-Fi Pune Escorts Service
(SUHANI) Call Girls Pimple Saudagar ( 7001035870 ) HI-Fi Pune Escorts Service(SUHANI) Call Girls Pimple Saudagar ( 7001035870 ) HI-Fi Pune Escorts Service
(SUHANI) Call Girls Pimple Saudagar ( 7001035870 ) HI-Fi Pune Escorts Service
 
Incident Command System xxxxxxxxxxxxxxxxxxxxxxxxx
Incident Command System xxxxxxxxxxxxxxxxxxxxxxxxxIncident Command System xxxxxxxxxxxxxxxxxxxxxxxxx
Incident Command System xxxxxxxxxxxxxxxxxxxxxxxxx
 
Zechariah Boodey Farmstead Collaborative presentation - Humble Beginnings
Zechariah Boodey Farmstead Collaborative presentation - Humble BeginningsZechariah Boodey Farmstead Collaborative presentation - Humble Beginnings
Zechariah Boodey Farmstead Collaborative presentation - Humble Beginnings
 
VIP Russian Call Girls in Indore Ishita 💚😋 9256729539 🚀 Indore Escorts
VIP Russian Call Girls in Indore Ishita 💚😋 9256729539 🚀 Indore EscortsVIP Russian Call Girls in Indore Ishita 💚😋 9256729539 🚀 Indore Escorts
VIP Russian Call Girls in Indore Ishita 💚😋 9256729539 🚀 Indore Escorts
 
2024 Zoom Reinstein Legacy Asbestos Webinar
2024 Zoom Reinstein Legacy Asbestos Webinar2024 Zoom Reinstein Legacy Asbestos Webinar
2024 Zoom Reinstein Legacy Asbestos Webinar
 
Delhi Russian Call Girls In Connaught Place ➡️9999965857 India's Finest Model...
Delhi Russian Call Girls In Connaught Place ➡️9999965857 India's Finest Model...Delhi Russian Call Girls In Connaught Place ➡️9999965857 India's Finest Model...
Delhi Russian Call Girls In Connaught Place ➡️9999965857 India's Finest Model...
 
Human-AI Collaboration for Virtual Capacity in Emergency Operation Centers (E...
Human-AI Collaboration for Virtual Capacity in Emergency Operation Centers (E...Human-AI Collaboration for Virtual Capacity in Emergency Operation Centers (E...
Human-AI Collaboration for Virtual Capacity in Emergency Operation Centers (E...
 
2024: The FAR, Federal Acquisition Regulations - Part 27
2024: The FAR, Federal Acquisition Regulations - Part 272024: The FAR, Federal Acquisition Regulations - Part 27
2024: The FAR, Federal Acquisition Regulations - Part 27
 
(SHINA) Call Girls Khed ( 7001035870 ) HI-Fi Pune Escorts Service
(SHINA) Call Girls Khed ( 7001035870 ) HI-Fi Pune Escorts Service(SHINA) Call Girls Khed ( 7001035870 ) HI-Fi Pune Escorts Service
(SHINA) Call Girls Khed ( 7001035870 ) HI-Fi Pune Escorts Service
 

FICAM Trust Framework Solutions 11/11/2013

  • 1. Federal CIO Council Information Security and Identity Management Committee IDManagement.gov IDManagement.gov FICAM Trust Framework Solutions Update 11/11/13 Anil John FICAM TFS PM TFS.EAO@gsa.gov
  • 2. 2 Scope and Components of FICAM TFS Program What’s new in the 11/11/13 Update? Component Identity Services Federation and Identity Resolution FICAM TFS Program Approval Factors Next steps for currently Adopted Trust Framework Providers and Approved “Identity Providers” Overview
  • 3. 3 FICAM TFS Program is focused on securing C2G and B2G Online Services US Fed G2G == HSPD-12
  • 4. 4 Supports the Security, Privacy, and Interoperability Needs of Citizen and Business Facing Government Services Supports Government-wide Policy and National Strategy Implementation Leverages Industry Capabilities that may already be in use by Citizens and Businesses to Interoperate with Government Online Services Federated Identity Framework for US Gov
  • 5. 5  Trust Framework Provider Adoption Process (TFPAP) for All Levels of Assurance  Authority to Offer Services (ATOS) for FICAM TFS Approved Identity Services  Identity Scheme and Protocol Adoption Process  Relying Party Guidance for Accepting Externally Issued Credentials  E-Government Trust Services CA  E-Government Trust Services Metadata Service Components of the FICAM TFS Program http://info.idmanagement.gov/2013/11/ficam-trust-framework-solutions-tfs.html
  • 6. 6  Fast-Track Program for Financial Institutions to become Approved CSPs or Token Managers  Interoperability Verification + Annual Follow-Up of Identity Services for FICAM TFS Approval  Simplification of LOA 1 Requirements  Support for Component Identity Services  Incorporation of Privacy as a Trust Criteria  Introduction of Ongoing Verification as an OPTIONAL Trust Criteria  Identity Resolution Attribute Requirements for FICAM TFS CSP and Identity Manager Approval  Relationship with the FICAM Testing Program to verify FICAM Protocol Profile Support in On-Premise Vendor Products What’s New?
  • 7. 7 “Current government systems do not separate the functions of authentication and attribute providers. In some applications, these functions are provided by different parties. While a combined authentication and attribute provider model is used in this document, it does not preclude agencies from separating these functions” Component Identity Services
  • 8. 8  Token: Something that an individual possesses and controls that is used to authenticate the individual  Tokens are possessed by an individual and controlled through one or more of the traditional authentication factors (something you know, have, or are)  Identity: A set of attributes that uniquely describe an individual within a given context  Credential: An object or data structure that authoritatively binds an identity to a token possessed and controlled by an individual Component Identity Services: Terminology
  • 9. 9 Binding Attribute Authority Authentication Person Relying Party Binding Manager manages Token-Identity Link Record Consent Service Token Token Manager manages Token Management Service Identity Record Identity Manager manages Identity Proofing Service Validation Service Authentication Service
  • 10. 10 RP uses External Credential RP delegates Authentication, Identity Management and Binding Credential Service Provider Binding Attribute Authority Authentication Person Relying Party Binding Manager manages Token-Identity Link Record Validation Service Authentication Service Consent Service Token Token Manager manages Token Management Service Identity Record Identity Manager manages Identity Proofing Service Binding Manager manages Token-Identity Link Record Validation Service Authentication Service
  • 11. 11 RP delegates Authentication RP manages Identity and Binding RP uses External Token Token Manager Binding Attribute Authority Authentication Person Relying Party Binding Manager manages Token-Identity Link Record Validation Service Authentication Service Consent Service Token Token Manager manages Token Management Service Identity Record Identity Manager manages Identity Proofing Service Binding Manager manages Token-Identity Link Record Validation Service Authentication Service
  • 12. 12 RP manages Authentication and Binding RP uses External Identity RP delegates Identity Management Identity Manager Binding Attribute Authority Authentication Person Relying Party Binding Manager manages Token-Identity Link Record Validation Service Authentication Service Consent Service Token Token Manager manages Token Management Service Identity Record Identity Manager manages Identity Proofing Service Binding Manager manages Token-Identity Link Record Validation Service Authentication Service
  • 13. 13  Credential Service Provider  Token Management Services  Authentication Services  Identity Proofing Services  Attribute Validation Services  Token Manager  Token Management Services  Authentication Services  Identity Manager  Identity Proofing Services  Attribute Validation Services FICAM TFS Program Service Terminology Consent Services are implementation specific & driven by policy
  • 14. 14 Stand-alone FICAM SAML Metadata Profile  Metadata portions of Web SSO Profile  Metadata profile of BAE AttributeConsumingServiceIndex to convey Attribute Bundle Requests Standardized URIs for conveying Assurance Account Fraud Signaling Capability Updated Guidance on Holder-of-Key Usage Federation: FICAM SAML Profile for Web SSO Update to Profile Coming Soon
  • 15. 15  The degree of confidence in the vetting process used to establish the identity of an individual to whom the credential was issued, and  The degree of confidence that the individual who uses the credential is the individual to whom the credential was issued  LOA  Level 2 - Some confidence in the asserted identity’s validity  Level 3 - High confidence in the asserted identity’s validity  Level 4 – Very High confidence in the asserted identity’s validity  The ability to resolve a set of identity attributes to a unique individual  No other individual has the same set of attributes  For our federation use cases, the ability to map an identity on the RP front door to an existing person, in our jurisdiction, is critical  Online benefits delivery  Citizen transactions Federation: Assurance & Resolution Credential Assurance (LOA) Identity Resolution
  • 16. 16  The degree of confidence in the vetting process used to establish the identity of an individual to whom the credential was issued, and  The degree of confidence that the individual who uses the credential is the individual to whom the credential was issued  LOA  Level 2 - Some confidence in the asserted identity’s validity  Level 3 - High confidence in the asserted identity’s validity  Level 4 – Very High confidence in the asserted identity’s validity  The ability to resolve a set of identity attributes to a unique individual  No other individual has the same set of attributes  For our federation use cases, the ability to map an identity on the RP front door to an existing person, in our jurisdiction, is critical  Online benefits delivery  Citizen transactions Federation: Assurance & Resolution Credential Assurance (LOA) Identity Resolution Tokens, Identity Proofing and Credentials are about Asserting Assurance Verified Identity Attributes are about enabling Identity Resolution
  • 17. 17 Are there studies or standards we can use as a starting point for determining the minimal attributes for resolution? Can the approach accommodate Agency specific data analysis regarding resolution? Can the implementation infrastructure support the approach that incorporates data minimization? Identity Resolution Considerations
  • 18. 18 Are the attributes chosen EFFECTIVE at resolving to a single US Person? Do you have data, studies, analysis and results you can share that shows the effectiveness of the attributes needed for identity resolution? No secret, magic or proprietary sauce please!
  • 19. 19 Category Attribute Description Attribute Bundle 1 2 3 4 5 Name Name (First Name) AND (Last Name) Location Partial Address Postal Code OR (City and State) Place of Birth (City or County) AND (State or Foreign Country) Time Partial Date of Birth (Month and Day) OR Year Full Date of Birth Identifier Partial Social Security Number Last 4 Digits Full Social Security Number Full 9 Digits Available Supplemental Attributes Mother’s Name (At Birth or Prior to First Marriage) Middle Name or Initial Partial Place of Birth Country NA Partial Place of Birth State NA Partial Place of Birth City NA Partial Current Address State NA Partial Current Address City NA Partial Current Address Street Previous City Full Date of Birth NA Full SSN All 9 Digits NA Partial SSN First 5 Digits NA Partial SSN Last 4 Digits NA NA Sex “Core” + “Supplemental” Identity Attributes
  • 20. 20 Category Attribute Description Attribute Bundle 1 2 3 4 5 Name Name (First Name) AND (Last Name) Location Partial Address Postal Code OR (City and State) Place of Birth (City or County) AND (State or Foreign Country) Time Partial Date of Birth (Month and Day) OR Year Full Date of Birth Identifier Partial Social Security Number Last 4 Digits Full Social Security Number Full 9 Digits Available Supplemental Attributes Mother’s Name (At Birth or Prior to First Marriage) Middle Name or Initial Partial Place of Birth Country NA Partial Place of Birth State NA Partial Place of Birth City NA Partial Current Address State NA Partial Current Address City NA Partial Current Address Street Previous City Full Date of Birth NA Full SSN All 9 Digits NA Partial SSN First 5 Digits NA Partial SSN Last 4 Digits NA NA Sex “Core” + “Supplemental” Identity Attributes Core Attribute Bundles Provide 96%+ Identity Resolution (1 == 2 == 3 == 4 == 5)
  • 21. 21 Category Attribute Description Attribute Bundle 1 2 3 4 5 Name Name (First Name) AND (Last Name) Location Partial Address Postal Code OR (City and State) Place of Birth (City or County) AND (State or Foreign Country) Time Partial Date of Birth (Month and Day) OR Year Full Date of Birth Identifier Partial Social Security Number Last 4 Digits Full Social Security Number Full 9 Digits Available Supplemental Attributes Mother’s Name (At Birth or Prior to First Marriage) Middle Name or Initial Partial Place of Birth Country NA Partial Place of Birth State NA Partial Place of Birth City NA Partial Current Address State NA Partial Current Address City NA Partial Current Address Street Previous City Full Date of Birth NA Full SSN All 9 Digits NA Partial SSN First 5 Digits NA Partial SSN Last 4 Digits NA NA Sex “Core” + “Supplemental” Identity Attributes Core Attribute Bundles Provide 96%+ Identity Resolution + Specific Supplemental Attributes from Available Listing = 100% Identity Resolution
  • 22. 22 Category Attribute Description Attribute Bundle 1 2 3 4 5 Name Name (First Name) AND (Last Name) Location Partial Address Postal Code OR (City and State) Place of Birth (City or County) AND (State or Foreign Country) Time Partial Date of Birth (Month and Day) OR Year Full Date of Birth Identifier Partial Social Security Number Last 4 Digits Full Social Security Number Full 9 Digits Available Supplemental Attributes Mother’s Name (At Birth or Prior to First Marriage) Middle Name or Initial Partial Place of Birth Country NA Partial Place of Birth State NA Partial Place of Birth City NA Partial Current Address State NA Partial Current Address City NA Partial Current Address Street Previous City Full Date of Birth NA Full SSN All 9 Digits NA Partial SSN First 5 Digits NA Partial SSN Last 4 Digits NA NA Sex “Core” + “Supplemental” Identity Attributes These attributes have been nominated to the Government-wide FICAM Attribute Registry via the FICAM ACAG TT
  • 23. 23 Category Attribute Description Attribute Bundle 1 2 3 4 5 Name Name (First Name) AND (Last Name) Location Partial Address Postal Code OR (City and State) Place of Birth (City or County) AND (State or Foreign Country) Time Partial Date of Birth (Month and Day) OR Year Full Date of Birth Identifier Partial Social Security Number Last 4 Digits Full Social Security Number Full 9 Digits Available Supplemental Attributes Mother’s Name (At Birth or Prior to First Marriage) Middle Name or Initial Partial Place of Birth Country NA Partial Place of Birth State NA Partial Place of Birth City NA Partial Current Address State NA Partial Current Address City NA Partial Current Address Street Previous City Full Date of Birth NA Full SSN All 9 Digits NA Partial SSN First 5 Digits NA Partial SSN Last 4 Digits NA NA Sex “Core” + “Supplemental” Identity Attributes “ Do not let perfect be the enemy of the good ” This is a starting point for FICAM TFS; Expect this to be revised as our understanding matures
  • 24. 24  Assurance and Identity are in the eye of the RP  To be a FICAM TFS Approved CSP  Need to meet Government needs for Assurance  Need to meet Government needs for Identity Proofing  Need to meet Government needs for Identity Resolution  To be a FICAM TFS Approved TM  Need to meet Government needs for Assurance  To be a FICAM TFS Approved IM  Need to meet Government needs for Identity Proofing  Need to meet Government needs for Identity Resolution FICAM TFS Program Approval Factors
  • 25. 25 FICAM TFS Program Approval Factors Trust Framework Provider Assurance Processes Privacy Policy Audit & Certification Processes Auditor Qualifications Organizational Maturity CSP / TM / IM Organizational Maturity Registration & Identity Proofing Processes Credential & Issuance Processes Privacy Policies Approval Assessment US Government Relying Party Citizen Comparability Assessment OMB Requirements NIST Requirements GSA Requirements Privacy & Security
  • 26. 26 FICAM TFS Program Approval Factors Trust Framework Provider Assurance Processes Privacy Policy Audit & Certification Processes Auditor Qualifications Organizational Maturity CSP / TM / IM Organizational Maturity Registration & Identity Proofing Processes Credential & Issuance Processes Privacy Policies Approval Assessment US Government Relying Party Citizen Comparability Assessment OMB Requirements NIST Requirements GSA Requirements Privacy & Security “Trust”/Policy Comparability
  • 27. 27  The technical ability of an Identity Service to convey assurances of Identity  Using protocols and profiles approved by the FICAM TFS Program – FICAM SAML 2 Profile of Web SSO  Using semantics that ensure common understanding – http://idmanagement.gov/ns/assurance/loa/1 – http://idmanagement.gov/ns/assurance/loa/2 – http://idmanagement.gov/ns/assurance/loa/3 – http://idmanagement.gov/ns/assurance/loa/4 – Other FICAM TFS Approved URIs  The technical ability of an Identity Service to convey attributes  Using protocols and profiles approved by the FICAM TFS Program  That allow a Government RP to resolve the attributes to a unique individual – On request – With consent in accordance with policy  Using attribute names and bundles that ensure common understanding FICAM TFS Program Approval Factors Credential Assurance (LOA) Identity Resolution
  • 28. 28  The technical ability of an Identity Service to convey assurances of Identity  Using protocols and profiles approved by the FICAM TFS Program – FICAM SAML 2 Profile of Web SSO  Using semantics that ensure common understanding – http://idmanagement.gov/ns/assurance/loa/1 – http://idmanagement.gov/ns/assurance/loa/2 – http://idmanagement.gov/ns/assurance/loa/3 – http://idmanagement.gov/ns/assurance/loa/4  The technical ability of an Identity Service to convey attributes  Using protocols and profiles approved by the FICAM TFS Program  That allow a Government RP to resolve the attributes to a unique individual – On request – With consent in accordance with policy  Using attribute names and bundles that ensure common understanding FICAM TFS Program Approval Factors Credential Assurance (LOA) Identity Resolution Technical Interoperability. We Will Verify. Annually.
  • 29. 29 FICAM TFS Program Approval Factors Core Identity Attributes Supplemental Identity Attributes Name: (Legal First Name and Legal Last Name) Current Address: (Postal Code) Current Address: (City and State) Partial Date of Birth: (Month and Day) Partial Date of Birth: (Year) Full Date of Birth Partial SSN: (Last 4 digits) Full SSN: (All 9 digits) Place of Birth: (City) Place of Birth: (County) Place of Birth: (State) Place of Birth: (Country) Mother’s Name: (At Birth) Mother’s Name: (Prior to first marriage) Middle Name Middle Initial Current Address: (Street) Partial Past Address: (Previous City) Partial SSN: (First 5 digits) Sex “Applicant must be capable of technically providing, upon RP request via approved protocols and profiles, dynamic combinations of available attributes from the above listing” http://www.idmanagement.gov/sites/default/files/documents/FICAM_TFS_ATOS_v1.0.0_DRAFT.pdf
  • 30. 30  Trust Framework Provider (TFP) Implementation of FICAM TFS v2  MUST happen with 6 months of FICAM TFS v2 final approval  Trust Framework Provider should initiate discussion with the FICAM TFS Program regarding any concerns or issues  Provide information as documented in ATOS to FICAM TFS Program for capability verification  Very minimal at LOA 1 (POCs, Endpoints, TFP Approval, Change Management Notification Process)  More complete at LOA 2+  If successful, sign MOA with FICAM TFS Program which is valid for a year; Lightweight annual renewal  As a courtesy to existing “IdPs”, and pending available resources, the FICAM TFS Program will prioritize and fast track their capability verification Way Forward for Currently Approved “IdPs”