Business and Systems Aligned. Business Empowered.™
Federal Identity Management Handbook
May 5, 2005
© 2005 BearingPoint, Inc. All trademarks are property of their respective owners. Confidential and Proprietary.
Introduction
Guidance for credentialing managers, their leadership, implementation teams, and other stakeholders as they pursue compliance with HSPD-12.
Provides specific implementation direction on course of action, business and policy, schedule requirements, acquisition planning, migration planning, lessons learned, case studies, and implementation tools.
A collaborative effort:
- The Federal Identity Credentialing Committee (FICC)
- Smart Card Interagency Advisory Board (IAB)
- Federal PKI Authority (FPKIA)
- Office of Management and Budget (OMB)
- National Institute of Standards and Technology (NIST)
- U.S. Department of Defense
- Smart Card Alliance
- Many other contributors
Organization
Information flow is similar to FIPS 201, with some key differences.
Major sections include:
1.0 Introduction
2.0 PIV I – Common Identification, Security and Privacy Requirements
3.0 PIV – Validation, Certification & Accreditation
4.0 PIV II – Front End Sub-System
5.0 Implementation Planning
Appendix – Tools and References
Primary flow of the PIV I and PIV II sections:
- Description
- Mandatory Requirements
- Optional Items
- Implementation Recommendations
- Ideas and Suggestions
- Summary
Organization (Continued)
Additional guidance: meant to be all-inclusive and informative, but not too technical.
A "living" document with plans for regular update.
OMB Guidance & FAQs
Agency Plan Template
Implementation Roadmap
Migration Planning
Acquisition Planning
Lessons Learned
Case Studies
Tools & Illustrations
Useful Index
Common Thread – Education, Training & Awareness
Implementation Plan Template
HSPD-12 IMPLEMENTATION PLAN TEMPLATE

I. General Information
Submission Date:
Agency/Department Name:
Agency HSPD-12 Point of Contact:
Phone Number:
Email:

II. Timeline
Agency's planned date for compliance with Part 1, PIV I:
Date to begin implementation of Part 2, PIV II (i.e., starting to issue compliant cards):
Date for full compliance with HSPD-12 (all employees/contractors using a compliant card):

III. Agency Implementation
Part 1: PIV I
Scale: 1 – Not started; 2 – Planning in progress; 3 – Planning complete, acquisition underway; 4 – Implementation in progress; 5 – Implementation complete
Control Objective: Identification that is issued based on sound criteria for verifying an individual's identity
Instructions: Place an "x" in the column that corresponds to your agency's current environment.

Item | 1 | 2 | 3 | 4 | 5 | Planned completion date
1) Approved credential issuance and maintenance process, as defined in FIPS 201 section 2.0. | | | | | |
2) A National Agency Check (NAC) or equivalent is completed prior to credential issuance. | | | | | |
Implementation Roadmap
Making the best use of the information
Recognizes that all Agencies are at different starting points
Provides a sample implementation path (how to get started)
1. Gain a clear understanding of your agency’s current access control policies
2. Reach agreement on future policy as it pertains to HSPD-12. This is key because these policies will drive your requirements
3. Involve the primary Agency Stakeholders in the process
4. Establish a list of objectives your agency wants to achieve while meeting the directive
5. Using the policy decisions, develop an initial list of requirements.
6. Communication, Training & Awareness
Migration Planning
FIPS 201 Migration Plan Roadmap (chart; the labels below are the text recovered from it)

Timeline: Present to October 27, 2006

Workstreams (CIO, HR, PACS project governance):
- Program Management
- Change Management
- Business and Policy
- Technical Infrastructure
- Applications Development
- Knowledge Transfer

Phases:
- Prepare
- Validate Solution
- Design, Develop and Test
- Train and Deploy
- Transition and Control

Activities shown on the chart:
- Define Current Credentialing Model
- Define Physical and Logical Access Policies
- Define Core Processes
- Define Critical Implementation Issues
- Analyze FIPS 201 Requirements
- Review Internal Security Requirements
- Assess Organizational & Technology Change Implications
- Assess Threats and Vulnerabilities
- Submit OMB Agency Plan
- Future Process Model
- Future Technology Architecture
- Hardware/Software Evaluation
- Specify Hardware, Software, and Network Components
- FIPS 201 and International Standards Compliance
- Compare with NIST Reference Implementation
- Evaluate Conformance Testing
- Quality and Risk Management Plan
- Change Control Procedure
- Communications Plan
- Team Roles & Responsibilities
- Migration Team Training
- Implementation Handbook
- Project Status Reports
- Design Review Sessions
- Update Design Documentation
- System Interfaces FIPS 201 Compliant
- Development
- Test Software
- Execute FIPS 201 Development
- Data Conversion
- Performance Tuning
- Technical & Process Documentation
- System Documentation
- Maintenance Manual
- Support Desk
- Support Plan
- Plan End User Training
- End User Training
- Plan Legacy Transition to PIV Card
- Conduct Certification & Accreditation
- User Acceptance Test
- Pilot Implementation
- Go-Live Decision
- End User Production Support
- End User Support
- Success Metrics
- Monitor Physical and Logical Access Use Cases
- Execute Audit Plan
- Lessons Learned & Best Practices
- Phase Out Migration Management Roles
Sample Organization
Acquisition Planning
Identifying Resource Requirements
Change Management
Identifying Potential Funding Streams
Current Procurement Methods:
- GSA Smart Card Contract Vehicle
- GSA Schedules
- Aggregated buy
Acquisition Stakeholders
Acquisition Planning (Continued)
Major Components of an Identity Management System
Anticipating Costs
Acquisition Planning (Continued)
Agency Sponsorship
Shared Service Providers
Acquisition Planning Template (Appendix A):
- Statement of Need
- Background
- Acquisition Alternatives
- Life Cycle Costs
- Delivery Requirements
- Performance Period
- Risks as Identified in the OMB Agency Plan
Lessons Learned & Case Studies
Lessons Learned:
- Implementation Management
- Stakeholder Involvement
- System Design
- User Training
- Pre-Issuance
- Post-Issuance
Case Studies:
- Department of State
- Department of the Interior
- Department of Homeland Security
Tools
Sample PIV Request Form

Section I: Applicant Information
First Name:
Last Name:
DOB:
Position / Job Title:
Organization Currently Assigned to:
Home Address:
Home Phone Number:
Home E-mail:
Work Address:
Work Phone Number:
Work E-mail:

Section II: PIV Sponsor Information (Sponsor must sign in Section V)
First Name:
Last Name:
Position / Job Title:
Organization:
Work Address:
Work Phone Number:
Work E-mail:

Section III: PIV Registrar
First Name:
Last Name:
Position / Job Title:
Organization:
Work Address:
Work Phone Number:
Work E-mail:

Section IV: PIV Issuer
First Name:
Last Name:
Position / Job Title:
Organization:
Work Address:
Work Phone Number:
Work E-mail:

Section V: Signature of PIV Sponsor
Sign Here:
Tools
Implementation Checklist
Columns: ID# | Task | Applicable FIPS 201 Section | Status (Not Started, In-progress, Complete) | Completion or Scheduled Completion Date | Responsible Organization | Responsible Individual/phone #

PIV I – Compliance by October 27, 2005
Identity Proofing (FIPS 201 section 2.2)
1. Identity proofing and registration process is accredited by the department or agency Inspector General
2. Identity proofing and registration process is approved in writing by the head of the department or agency
3. A NACI has been initiated, or a completed NACI is on record, for all employees and contractors
Tools
5. All credential applicants have appeared in person at least once before an individual responsible for credential issuance in your department or agency
6. All applicants have provided two forms of original documentation included in Form I-9, OMB No. 1115-0136, Employment Eligibility Verification
7. At least one of the documents listed in ID# 6 above is a valid State or Federal Government issued picture ID
8. The agency's identity proofing, registration, and issuance processes do not allow one individual to issue a credential without the cooperation of at least one other approved individual
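The checklist items above (in-person appearance, two original I-9 documents with at least one government-issued picture ID, a NACI initiated or on record, and no single person able to issue a credential alone) are controls an issuance system can enforce rather than only audit after the fact. The following is an added example, not code from the handbook or from any agency system: it models one PIV request, using the sponsor, registrar and issuer roles from the sample request form, and returns every control that would block issuance. The `IssuanceRequest` structure, the document category names and the grouping of which categories count as a government-issued picture ID are assumptions for illustration; the authoritative document list is in Form I-9.

```python
"""Pre-issuance control check for a PIV request (added example, not the handbook's code)."""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed document categories for the example. Which I-9 documents carry a
# government-issued photograph is an assumption here; consult Form I-9 for the real list.
PICTURE_ID_DOCS = {"US_PASSPORT", "STATE_DRIVERS_LICENSE", "STATE_ID_CARD", "MILITARY_ID"}
OTHER_I9_DOCS = {"SOCIAL_SECURITY_CARD", "BIRTH_CERTIFICATE"}
ACCEPTED_NACI = {"initiated", "complete"}


@dataclass(frozen=True)
class IssuanceRequest:
    """One request, with the four parties named on the sample PIV request form."""
    applicant: str
    sponsor: str
    registrar: str
    issuer: str
    documents: Tuple[str, ...]   # original I-9 documents presented in person
    appeared_in_person: bool     # checklist item 5
    naci_status: str             # "none", "initiated" or "complete" (checklist item 3)


def check_issuance(req: IssuanceRequest) -> List[str]:
    """Return the list of failed controls; an empty list means the card may be issued."""
    failures: List[str] = []

    # Checklist item 8, the two-person rule: sponsor, registrar and issuer must be
    # different people, and the applicant may not hold any of those roles.
    role_holders = [req.sponsor, req.registrar, req.issuer]
    if len(set(role_holders)) != len(role_holders):
        failures.append("two_person_rule: sponsor, registrar and issuer must be distinct individuals")
    if req.applicant in role_holders:
        failures.append("two_person_rule: applicant may not act as sponsor, registrar or issuer")

    # Checklist item 5: at least one in-person appearance.
    if not req.appeared_in_person:
        failures.append("identity_proofing: applicant has not appeared in person")

    # Checklist items 6 and 7: two distinct original I-9 documents, one a picture ID.
    docs = set(req.documents)
    if len(docs) < 2 or not docs <= (PICTURE_ID_DOCS | OTHER_I9_DOCS):
        failures.append("identity_proofing: two original Form I-9 documents are required")
    if not docs & PICTURE_ID_DOCS:
        failures.append("identity_proofing: one document must be a government-issued picture ID")

    # Checklist item 3: NACI initiated or completed.
    if req.naci_status not in ACCEPTED_NACI:
        failures.append("background_check: NACI must be initiated or on record")

    return failures


def sample_requests() -> Tuple[IssuanceRequest, IssuanceRequest]:
    """Constructed sample data: one compliant request and one that breaks several controls."""
    good = IssuanceRequest("j.applicant", "a.sponsor", "b.registrar", "c.issuer",
                           ("US_PASSPORT", "SOCIAL_SECURITY_CARD"), True, "initiated")
    # Same person as sponsor and registrar, no in-person visit, no picture ID, no NACI.
    bad = IssuanceRequest("j.applicant", "a.sponsor", "a.sponsor", "c.issuer",
                          ("BIRTH_CERTIFICATE", "SOCIAL_SECURITY_CARD"), False, "none")
    return good, bad


if __name__ == "__main__":
    for req in sample_requests():
        print(req.applicant, check_issuance(req) or "OK to issue")
```

The two-person check compares identities, not role titles, so a person who is both sponsor and registrar is caught even though both form sections are filled in. An agency deploying something like this would bind the identities to authenticated accounts rather than typed names.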
Schedule
Released for Public Comment: February
Comment Period Closed: March
Comments Incorporated: April
Revision submitted to FICC for Review & Comment
Addition of OMB Guidance & Revised Agency Plan Template
Planned Updates:
- Conformance Testing
- Certification & Accreditation
- Reference Implementation
- End-User Training
- GSA Acquisition Services
- Agency Sponsorship
- NIST Special Technical Pubs
- Section 508 (Disabilities Act)
References
Supporting Publications:
- SP 800-73 – Interfaces for Personal Identity Verification (card interface commands and responses)
- SP 800-76 – Biometric Data Specification for Personal Identity Verification
- SP 800-78 – Cryptographic Algorithms and Key Sizes for Personal Identity Verification
NIST PIV Website (http://csrc.nist.gov/piv-project/): Documents; Frequently Asked Questions (FAQs); Comments Received in Original Format
FICC Website (CIO.Gov/FICC): Identity Management Handbook; Smart Card Handbook
Contact
Ralph Billeri
BearingPoint Inc.
1725 Duke St., Suite 700
Alexandria, VA
[email protected]
519-2314