Federal CIO Council
Information Security and Identity Management Committee
IDManagement.gov

US Federal ICAM Roadmap Overview

Deb Gallagher
What is ICAM in the Federal Government?

Processes, technologies, and personnel used to:
  • Create trusted digital identity representations of individuals and non-person entities (NPEs)
  • Bind those identities to credentials that may serve as a proxy for the individual or NPE in access transactions
  • Leverage the credentials to provide authorized access to an agency's resources
FICAM Drivers

  • Increasing cybersecurity threats
  • Need for improved physical security
  • Lag in providing government services electronically
  • Vulnerability of Personally Identifiable Information (PII)
  • Lack of interoperability
  • High costs for duplicative processes and data management
FICAM Roadmap and Implementation Guidance v2

Goals:
  • Comply with Federal laws relevant to ICAM
  • Facilitate e-government by streamlining access to services
  • Improve security posture across the Federal Enterprise
  • Enable trust and interoperability
  • Reduce costs and increase efficiency
FICAM Roadmap and Implementation Guidance v2

ICAM represents the intersection of digital identities, credentials, and access control in one comprehensive approach.

[Diagram: "Enable Trust and Interoperability". Subjects are Persons and Non-Persons; identities are established at 4 Levels of Identity Assurance (no confidence to full confidence); access is Physical Access and Logical Access.]

Communities and credential types:
  • Internal to the Federal Community (IEE): Intra-Agency, Inter-Agency; credential type: PIV Credentials
  • With Other Governments (G2G): State, Local, Tribal; Allied Partners; credential type: PIV Interoperable Credentials
  • With External Organizations (G2B): Industry, Financial Institutions, Healthcare Providers; credential type: Trust Framework Solutions
  • With the American People (G2C): Taxpayers, Grant Recipients, Medicare/Medicaid Beneficiaries; credential type: Trust Framework Solutions
    - OpenID 2.0
    - SAML 2.0
    - IMI 1.0
    - …
OMB Policy on Federal ICAM

OMB M-11-11

The government-wide architecture and completion of agency transition plans must align as described in the Federal CIO Council's "Federal Identity, Credential, and Access Management Roadmap and Implementation Guidance".
Federal ICAM Conceptual View

[Diagram only; no text on this slide.]
ICAM Services Layer

Key ICAM Service Areas:
  • Digital Identity
  • Credentialing
  • Privilege Management
  • Authentication
  • Authorization & Access
  • Cryptography
  • Auditing & Reporting

The ICAM Roadmap, which includes a segment architecture, provides a standards-based approach for implementing government-wide ICAM initiatives.
ICAM Identity Management Services

  • Assigning attributes to a digital identity
  • Connecting a digital identity to a person
  • Lifecycle management of authoritative attribute sources
  • Applies to both people and NPEs
ICAM Credential Management Services

  • A credential "binds an identity to a token possessed and controlled by a person"
  • Lifecycle management of the credential
ICAM Access Management Services

  • Management and control of the ways entities are granted access to resources
  • Covers both logical and physical access
  • May be internal to a system or externalized
ICAM Federation Services

  • How do you vouch for the identities of your people when they need to collaborate with external organizations?
  • How do you trust the identities of people from external organizations who need access to your systems?
ICAM Auditing and Reporting

  • Auditing and Reporting implements the agency Continuous Monitoring capability
  • Supports the FISMA requirement to apply the IT Risk Management Framework as defined in NIST SP 800-37
ICAM Roadmap Initiatives

Government-wide Governance:
  1. Augment policy and implementation guidance to agencies
  2. Establish federated identity framework for the Federal Government
  3. Enhance performance and accountability within ICAM initiatives
  4. Provide government-wide services for common ICAM requirements

Agency-level Implementation:
  5. Streamline collection and sharing of digital identity data
  6. Fully leverage PIV and PIV-I credentials
  7. Modernize PACS infrastructure
  8. Modernize LACS infrastructure
  9. Implement federated identity capability
Align   Collaborate   Enable

http://blog.IDManagement.gov
Federal CIO Council
Information Security and Identity Management Committee
IDManagement.gov

Initiative 5: Streamline Collection and Sharing of Digital Identity Data

Anil John
Streamline Collection and Sharing of Digital Identity Data

[Diagram only; no text on this slide.]
Core Concepts

  • Enterprise Digital Identity
    - Core identity attributes and unique person identifiers
    - Identifying authoritative sources
  • Digital Identity Process Integration
    - Business processes for establishing and managing the digital identity life cycle
  • Authoritative Digital Identity Attribute Exchange
    - Enables secure electronic sharing of digital identity attributes
    - Leverages data models to support effective sharing
Elements of Attribute Exchange

[Diagram: three overlapping circles labelled Protocol, Payload and Policy.]

  • Protocol
    - Technical means for exchanging attributes
  • Payload
    - Attributes exchanged between parties
  • Policy
    - Governance processes and mechanisms put into place to manage the exchange and adjudicate issues
Authoritative Attribute Exchange Services (AAES)

[Diagram, top to bottom:]
  Applications: Browser, Web services application, Mobile, Other Apps
  AAES Infrastructure: Authoritative Attribute Distributer; Authoritative Attribute Manager
  Authoritative Sources: Databases, LDAP, Active Directory, Other
AAES – Authoritative Attribute Manager

[Diagram: Authoritative Sources (Databases, LDAP, Active Directory, Other) feed the Authoritative Attribute Manager.]

  • Correlates attributes from various authoritative sources
  • De-conflicts discrepancies across attribute sources
  • Implements the person data model
  • Provides a consolidated view of the pieces of a person gathered from multiple sources
AAES – Authoritative Attribute Distributer

[Diagram: Applications (Browser, Web services application, Mobile, Other Apps) query the Authoritative Attribute Distributer.]

  • Primary point of query for applications
  • Can provide a customized and tailored view of data
  • Supports requests for attributes from both internal and external to the agency
Implementing an AAES Infrastructure

[Diagram, top to bottom:]
  Agency Systems & Applications: Browser, Web services application, Mobile, Other Apps
  Application Interfaces: HTTP(S), XML or Web Services, LDAP(S)/DSML, ODBC/SQL
  Virtual/Meta Directory Engine:
    - Aggregation / Join
    - Mapping / Transformation
    - Routing / Load Balancing
    - Security / Audit
    - Local Storage
  Data Connectors: HTTP(S), LDAP(S), AD, Custom…
  Agency Identity and Attribute Sources: Databases, LDAP, Active Directory, Other
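The Manager and Distributer roles on the three AAES slides above, as an added example that is not part of this deck: a small Python Attribute Manager that correlates records from three constructed sources by a unique person identifier, de-conflicts discrepancies by per-attribute source precedence while keeping every disagreement for audit, and a Distributer that answers each application with only its tailored view. The source names, attribute names, precedence order and application views are assumptions for illustration, not the FICAM person data model.

```python
from collections import defaultdict

# Constructed sample records from three authoritative sources, keyed by a
# unique person identifier ("upi"). Source and attribute names are assumed.
SOURCES = {
    "hr_db": [
        {"upi": "10001", "givenName": "Ada", "employeeStatus": "active", "orgUnit": "CIO"},
        {"upi": "10002", "givenName": "Alan", "employeeStatus": "separated", "orgUnit": "OCISO"},
    ],
    "ldap": [
        {"upi": "10001", "givenName": "Ada", "mail": "ada@agency.example", "orgUnit": "OCIO"},
        {"upi": "10002", "givenName": "Alan", "mail": "alan@agency.example"},
    ],
    "pacs": [{"upi": "10001", "badgeId": "B-1001", "clearance": "secret"}],
}

# Assumed person data model: for each attribute, the sources allowed to assert
# it, in precedence order when they disagree. Attributes not listed here are
# never published, so no source can inject attributes outside the model.
PRECEDENCE = {
    "givenName": ["hr_db", "ldap"],
    "employeeStatus": ["hr_db"],
    "orgUnit": ["hr_db", "ldap"],
    "mail": ["ldap"],
    "badgeId": ["pacs"],
    "clearance": ["pacs"],
}

# Assumed per-application views served by the Distributer: each consumer is
# limited to the attributes its function needs.
VIEWS = {
    "pacs_app": {"givenName", "employeeStatus", "badgeId", "clearance"},
    "web_portal": {"givenName", "employeeStatus", "orgUnit", "mail"},
}

def correlate(sources):
    """Manager step 1: gather every source's record for a person under its upi."""
    by_upi = defaultdict(dict)
    for src, records in sources.items():
        for rec in records:
            by_upi[rec["upi"]][src] = {k: v for k, v in rec.items() if k != "upi"}
    return dict(by_upi)

def consolidate(per_source):
    """Manager step 2: de-conflict by precedence; return (attrs, conflicts)."""
    attrs, conflicts = {}, []
    for attr, allowed in PRECEDENCE.items():
        values = {src: per_source[src][attr]
                  for src in allowed if attr in per_source.get(src, {})}
        if not values:
            continue
        if len(set(values.values())) > 1:   # sources disagree: keep for audit
            conflicts.append((attr, values))
        winner = next(src for src in allowed if src in values)
        attrs[attr] = values[winner]
    return attrs, conflicts

def build_manager(sources):
    """Authoritative Attribute Manager: consolidated records plus audit log."""
    people, audit = {}, {}
    for upi, per_source in correlate(sources).items():
        people[upi], conflicts = consolidate(per_source)
        if conflicts:
            audit[upi] = conflicts
    return people, audit

def distribute(people, app, upi):
    """Authoritative Attribute Distributer: serve only the app's tailored view.
    Unknown applications or persons get nothing, never a partial record."""
    view, person = VIEWS.get(app), people.get(upi)
    if view is None or person is None:
        return None
    return {k: v for k, v in person.items() if k in view}
```

The audit log returned by build_manager is what the engine's Security / Audit function would record: here the stale orgUnit in the LDAP copy is overridden by the HR system but not silently discarded.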
Align   Collaborate   Enable

http://blog.IDManagement.gov
Federal ICAM Program Mission

[Graphic: Align, Collaborate, Enable]

  • Align federal agencies around common practices by fostering effective government-wide identity, credential and access management
  • Collaborate with federal government and external identity management activities (non-federal, commercial and more) to leverage best practices and enhance interoperability
  • Enable trust and interoperability in online transactions, through the application of common policies and approaches, in activities that cross organizational boundaries
Federal ICAM 2012 Execution Priorities

  • Drive usage of FICAM Approved Credentials
    Support Areas: Operational Pilots / Shared Services
  • Demonstrate value of policy-driven access control
    Support Area: Attribute Management / Privacy / ISE
  • Focused outreach and collaboration
    Support Area: ICAM WG Realignment / Community Engagement
