Date post: 02-Jan-2016
Upload: rudolph-little
Business and Systems Aligned. Business Empowered. TM Federal Identity Management Handbook May 5, 2005
Business and Systems Aligned. Business Empowered.™

Federal Identity Management Handbook

May 5, 2005

© 2005 BearingPoint, Inc. All trademarks are property of their respective owners. Confidential and Proprietary

Introduction

Guidance for credentialing managers, their leadership, implementation teams, and other stakeholders as they pursue compliance with HSPD 12.

Provides specific implementation direction on course of action, business & policy, schedule requirements, acquisition planning, migration planning, lessons learned, and case studies and implementation tools.

A collaborative effort:
The Federal Identity Credentialing Committee (FICC)
Smart Card Interagency Advisory Board (IAB)
Federal PKI Authority (FPKIA)
Office of Management and Budget (OMB)
National Institute for Standards and Technology (NIST)
U.S. Department of Defense
Smart Card Alliance
Many other contributors

Organization

Information Flow is similar to FIPS 201 with some key differences

Major Sections Include
1.0 Introduction
2.0 PIV I – Common Identification, Security and Privacy Requirements
3.0 PIV - Validation Certification & Accreditation
4.0 PIV II – Front End Sub-System
5.0 Implementation Planning
Appendix – Tools and References

Primary Flow of PIV I and PIV II Sections
Description
Mandatory Requirements
Optional Items
Implementation Recommendations
Idea and Suggestions
Summary

Organization (Continued)

Additional Guidance Meant to be all-inclusive and informative – but not too technical

A “living” document with plans for regular update

OMB Guidance & FAQs

Agency Plan Template

Implementation Roadmap

Migration Planning

Acquisition Planning

Lessons Learned

Case Studies

Tools & Illustrations

Useful Index

Common Thread – Education, Training & Awareness

Implementation Plan Template

HSPD-12 IMPLEMENTATION PLAN TEMPLATE

I. General Information
Submission Date:
Agency/Department Name:
Agency HSPD-12 Point of Contact:
Phone Number:
Email:

II. Timeline
Agency’s planned date for compliance with Part 1, PIV I:
Date to begin implementation of Part 2, PIV II (i.e. starting to issue compliant cards):
Date for full compliance with HSPD-12 (All employees/contractors using a compliant card):

III. Agency Implementation

Part 1: PIV I

Scale:
1 – Not started
2 – Planning in progress
3 – Planning complete, acquisition underway
4 – Implementation in progress
5 – Implementation complete

Control Objective: Identification that is issued based on sound criteria for verifying an individual’s identity

Instructions: Place an “x” in the column that corresponds to your agency’s current environment.

Columns: 1, 2, 3, 4, 5, Planned completion date

1) Approved credential issuance and maintenance process, as defined in FIPS 201 section 2.0.

2) A National Agency Check (NAC) or equivalent is completed prior to credential issuance.

Implementation Roadmap

Making the best use of the information

Recognizes that all Agencies are at different starting points

Provides a sample implementation path (how to get started)

1. Gain a clear understanding of your agency’s current access control policies

2. Reach agreement on future policy as it pertains to HSPD-12. This is key because these policies will drive your requirements

3. Involve the primary Agency Stakeholders in the process

4. Establish a list of objectives your agency wants to achieve while meeting the directive

5. Using the policy decisions, develop an initial list of requirements.

6. Communication, Training & Awareness

Migration Planning

[Figure: FIPS 201 Migration Plan Roadmap]
Timeline: Present to October 27, 2006
Phases: Prepare Validate Solution; Design, Develop and Test; Train and Deploy; Transition and Control
Workstreams: Program Management; Change Management; Business and Policy; Technical Infrastructure; Applications Development; Knowledge Transfer
Activities:
End User Training End User
Production Support
Go-Live Decision Pilot Implementation
Phase Out Migration Management Roles
Assess Organizational & Technology Change Implications
Submit OMB Agency Plan
Conduct Certification & Accreditation
Plan Legacy Transition to PIV Card
Plan End User Training
Monitor Physical and Logical Access Use Cases
User Acceptance Test
Lessons Learned & Best Practices
Execute Audit Plan
End User Support Success Metrics
Define Current Credentialing Model
Future Process Model
Quality and Risk Management Plan
Implementation Handbook
Project Status Reports Update Design
Documentation
System Interfaces FIPS 201 Compliant
Development
Test Software Execute FIPS 201
Development
Data Conversion
Assess Threats and Vulnerabilities
Evaluate Conformance Testing
FIPS 201 and International Standards Compliance
Specify Hardware, Software, and Network Components
Performance Tuning
Technical & Process Documentation
Design Review Sessions Support Plan End User Training
System Documentation
Maintenance Manual Support Desk
Migration Team Training
Team Roles & Responsibilities
Communications Plan Define Critical
Implementation Issues Define Core Processes
Define Physical and Logical Access Policies
Analyze FIPS 201 Requirements
Future Technology Architecture
Hardware/Software Evaluation
Change Control Procedure
Review Internal Security Requirements
CIO, HR, PACS Project Governance Migration Roadmap
Compare with NIST Reference Implementation

Sample Organization

Acquisition Planning

Identifying Resource Requirements

Change Management

Identifying Potential Funding Streams

Current Procurement Methods

GSA Smart Card Contract Vehicle

GSA Schedules

Aggregated buy

Acquisition Stakeholders

Acquisition Planning (Continued)

Major Components of an Identity Management System

Anticipating Costs

Acquisition Planning (Continued)

Agency Sponsorship

Shared Service Providers

Acquisition Planning Template (Appendix A)

Statement of Need

Background

Acquisition Alternatives

Life Cycle Costs

Delivery Requirements

Performance Period

Risks as Identified in the OMB Agency Plan

Lessons Learned & Case Studies

Lessons Learned

Implementation Management

Stakeholder Involvement

System Design

User Training

Pre-Issuance

Post-Issuance

Case Studies

Department of State

Department of Interior

Department of Homeland Security

Tools

Sample PIV Request Form

Section I: Applicant Information
First Name:
Last Name:
DOB:
Position / Job Title:
Organization Currently Assigned to:
Home Address:
Home Phone Number:
Home E-mail:
Work Address:
Work Phone Number:
Work E-mail:

Section II: PIV Sponsor Information. Sponsor must sign in Section V
First Name:
Last Name:
Position / Job Title:
Organization:
Work Address:
Work Phone Number:
Work E-mail:

Section III: PIV Registrar.
First Name:
Last Name:
Position / Job Title:
Organization:
Work Address:
Work Phone Number:
Work E-mail:

Section IV: PIV Issuer
First Name:
Last Name:
Position / Job Title:
Organization:
Work Address:
Work Phone Number:
Work E-mail:

Section V: Signature of PIV Sponsor
Sign Here:

Tools

Implementation Checklist

Columns: ID#; Task; Applicable FIPS 201 Section; Status (Not Started, In-progress, Complete); Completion or Scheduled Completion Date; Responsible Organization; Responsible Individual/phone #

PIV I – Compliance by October 27, 2005

Identity Proofing (Applicable FIPS 201 Section: 2.2)

1 Identity proofing and registration process is accredited by department or agency Inspector General

2 Identity proofing and registration process is approved in writing by the head of department or agency

3 A NACI has been initiated or a completed NACI is on record for all employees and contractors

Tools

5 All credential applicants have appeared in-person at least once to an individual responsible for credential issuance in your department or agency

6 All applicants have provided 2 forms of original documentation included in the Form I-9, OMB No. 1115-0136, Employment Eligibility Verification

7 At least one of the documents listed in ID # 6 above is a valid State or Federal Government issued picture ID

8 Agency’s identity proofing, registration, and issuance processes do not allow one individual to issue a credential without the cooperation of at least one other approved individual

Schedule

Released for Public Comment Feb

Comment Period Closed Mar

Comments Incorporated Apr

Revision submitted to FICC for Review & Comment

Addition of OMB Guidance & Revised Agency Plan Template

Planned Updates

Conformance Testing

Certification & Accreditation

Reference Implementation

End-User Training

GSA Acquisition Services

Agency Sponsorship

NIST Special Technical Pubs

Section 508 (Disabilities Act)

References

Supporting Publications
SP 800-73 – Interfaces for Personal Identity Verification (card interface commands and responses)
SP 800-76 – Biometric Data Specification for Personal Identity Verification
SP 800-78 – Cryptographic Algorithms and Key Sizes for Personal Identity Verification

NIST PIV Website (http://csrc.nist.gov/piv-project/)
Documents
Frequently Asked Questions (FAQs)
Comments Received in Original Format

FICC Website (CIO.Gov/FICC)
Identity Management Handbook
Smart Card Handbook

Contact

Ralph Billeri
BearingPoint Inc.
1725 Duke St.
Suite 700
Alexandria, VA [email protected] 519-2314

