Federal Identity, Credential, and Access …

1 Federal identity , Credential, and Access Management (FICAM) Roadmap and Implementation Guidance Part B: Implementation Guidance Initial Phase 1 ICAM Public Release Draft February 25, 2011 Powered by the Federal Chief Information Officers Council and the Federal Enterprise Architecture This page is intentionally left blank. Document Note This document represents a partial draft addition to the FICAM Roadmap and Implementation Guidance, Version , published on November 20, 2009. The ICAMSC is developing and publishing the content for Part B: Implementation Guidance of the document in two phases in order to enable agencies to take advantage of this guidance immediately when working to achieve the objectives and initiatives outlined in the ICAM segment architecture.

2 The chapters included in this draft ( , Chapters 6, 9, 10, and 11) have been prioritized for development first because they address general planning guidance and the physical and logical Access modernization initiatives, which have the most aggressive implementation dates in the Transition Roadmap (see Version , Section ). The remaining chapters are currently under development as part of Phase 2 of the Implementation Guidance development effort. They will be included in Version of the FICAM Roadmap and Implementation Guidance, currently scheduled for publication on or around June 24, 2011. Although this document is considered to be in draft form, agencies should not delay in working to incorporate the guidance provided into their respective ICAM programs.

3 The authors of the document anticipate modifying the content to improve the flow and narrative and incorporate additional information as the Phase 2 chapters are developed; however, the general intent and direction of the guidance in the chapters provided is not expected to change. This page is intentionally left blank. FICAM Roadmap and Implementation Guidance Part B: Implementation Guidance, Phase 1 Initial Phase 1 ICAM Public Release Draft February 25, 2011 Page i Table of Contents 6. ICAM Implementation Planning .. 1 Program Organization and Management .. 1 Program Governance .. 1 Program Stakeholders .. 4 Program Management Office (PMO) .. 12 Performance Reporting .. 20 Incorporating ICAM into Existing Agency Processes.

4 20 Management Accountability and Control .. 21 Capital Planning .. 21 Enterprise Architecture .. 24 IT Security and Risk Management .. 24 Privacy Considerations ..28 Applying the FIPPs .. 29 Programmatic Support .. 30 7. Initiative 5: Streamline Collection and Sharing of Digital identity Data ..32 8. Initiative 6: Fully Leverage PIV and PIV-I credentials ..33 9. Access Control Convergence ..34 Resource Attribute Management ..34 Resource Discovery and Inventory .. 34 Collecting and Organizing Resource Information .. 36 Privilege Management ..38 Entitlement Attributes .. 39 Privilege Management Lifecycle .. 40 Automated Provisioning Capability .. 41 Authorization ..46 Access Control Models.

5 47 Policy Management .. 51 Auditing and Reporting ..53 10. Initiative 7: Modernize PACS Infrastructure ..56 Physical Access Implementation Program Governance .. 57 Facility Risk Assessments .. 61 Program Funding .. 63 Schedule Planning .. 65 Physical Access Architecture and Design ..70 Solution Architecture .. 70 Solution Components .. 72 Common Design Characteristics .. 74 Physical Access Technical Implementation ..76 FICAM Roadmap and Implementation Guidance Part B: Implementation Guidance, Phase 1 Initial Phase 1 ICAM Public Release Draft February 25, 2011 Page ii Automated Provisioning to PACS .. 76 Common Physical Access Scenarios .. 78 Local Facility Access ..83 Visitor Access ..84 11.

6 Initiative 8: Modernize LACS Infrastructure ..87 Logical Access Implementation Planning ..88 Program Governance .. 88 Program Funding .. 90 Schedule Planning .. 93 Logical Access Architecture and Design .. 102 Solution Architecture .. 102 Solution Components .. 106 Common Design Characteristics .. 110 Logical Access Technical Implementation .. 111 System Configuration .. 111 LACS Enterprise Solution Integration .. 114 Common Logical Access Scenarios .. 117 12. Initiative 9: Implement Federated identity Capability .. 120 Appendix I Decision Trees for Component Migration Decisions .. 121 FICAM Roadmap and Implementation Guidance Part B: Implementation Guidance, Phase 1 Initial Phase 1 ICAM Public Release Draft February 25, 2011 Page 1 6.

7 ICAM Implementation Planning This chapter provides guidance for planning and establishing an ICAM program within a Federal agency. It is expected that agencies have general life cycle methodologies that they employ to plan and execute programs. The guidance provided in this chapter is intended to supplement these life cycle methodologies and introduce ICAM specific agency-level planning considerations that drive the overall success and adoption of the ICAM segment architecture within the Federal Government. Chapter 6 has been divided into three elements: Program Organization and Management. This section discusses the establishment of ICAM governance bodies to manage and oversee complex ICAM programs within an agency; suggests stakeholder management and communication strategies for engaging and collaborating with the wide array of stakeholders involved in ICAM implementations; and provides risk management guidance proven to successfully mitigate the level of risk to agencies implementing ICAM programs.

8 Incorporating ICAM into Existing Agency Processes. This section discusses how agencies should integrate ICAM into the capital planning, accountability, acquisition, and security processes that are performed for all government programs. Privacy Considerations. This section discusses privacy as one of the key drivers behind the ICAM initiative and introduces guidance for ensuring the privacy of sensitive information that is inherently contained within the various programs that fall under ICAM. Program Organization and Management ICAM is a key enabler across the Federal enterprise and within specific agency programs and mission areas; therefore, it is imperative that Federal agencies properly organize and manage ICAM efforts.

9 This section provides guidance on how an agency can establish effective governance structures, collaborate with stakeholders, provide program management, and report performance to executive leadership to ensure that these programs are implemented successfully across the organization and to minimize any negative impact of ICAM on the agency s mission. Program Governance Goal 1 of the Federal ICAM Initiative, as identified in Section , is to align and coordinate all of the laws, standards, and regulations that ICAM programs must adhere to, and establish and enforce accountability for ICAM implementations within Federal governance bodies. Achieving this goal at the Federal Government level will allow supervisory bodies to evaluate the compliance of agency level programs as a unified ICAM program, as opposed to examining each of the ICAM component projects independently.

10 In order to ensure that ICAM programs at the agency level are compliant, each agency should have a formal governance structure, either by leveraging an existing program structure or by establishing new governance as necessary. This structure is responsible for aligning and consolidating the agency s various ICAM investments, monitoring these programs for alignment with organizational objectives, and ensuring broad awareness and understanding. Program governance should also establish goals, mission priorities, organization, accountability, metrics, and management controls within an agency. FICAM Roadmap and Implementation Guidance Part B: Implementation Guidance, Phase 1 Initial Phase 1 ICAM Public Release Draft February 25, 2011 Page 2 Lesson Learned It is important for an ICAM governance structure to account for the interdependencies between its project management, investment management, and capital planning components.