Federal Identity Management Handbook
May 5, 2005
Business and Systems Aligned. Business Empowered.™

Introduction
- Guidance for credentialing managers, their leadership, implementation teams, and other stakeholders as they pursue compliance with HSPD-12.
- Provides specific implementation direction on course of action, business & policy, schedule requirements, acquisition planning, migration planning, lessons learned, and case studies and implementation tools.
- A collaborative effort:
  - The Federal Identity Credentialing Committee (FICC)
  - Smart Card Interagency Advisory Board (IAB)
  - Federal PKI Authority (FPKIA)
  - Office of Management and Budget (OMB)
  - National Institute for Standards and Technology (NIST)
  - U.S. Department of Defense
  - Smart Card Alliance
  - Many other contributors
Confidential and Proprietary © 2005 BearingPoint, Inc. All trademarks are property of their respective owners.

Organization
- Information flow is similar to FIPS 201, with some key differences
- Major sections include:
  - 1.0 Introduction
  - 2.0 PIV I – Common Identification, Security and Privacy Requirements
  - 3.0 PIV - Validation Certification & Accreditation
  - 4.0 PIV II – Front End Sub-System
  - 5.0 Implementation Planning
  - Appendix – Tools and References
- Primary flow of PIV I and PIV II sections:
  - Description
  - Mandatory Requirements
  - Optional Items
  - Implementation Recommendations
  - Ideas and Suggestions
  - Summary

Organization (Continued)
- Additional Guidance
  - Meant to be all-inclusive and informative – but not too technical
  - A “living” document with plans for regular updates
  - OMB Guidance & FAQs
  - Agency Plan Template
  - Implementation Roadmap
  - Migration Planning
  - Acquisition Planning
  - Lessons Learned
  - Case Studies
  - Tools & Illustrations
  - Useful Index
  - Common Thread – Education, Training & Awareness

Implementation Plan Template

Implementation Roadmap
- Making the best use of the information
- Recognizes that all agencies are at different starting points
- Provides a sample implementation path (how to get started):
  1. Gain a clear understanding of your agency’s current access control policies.
  2. Reach agreement on future policy as it pertains to HSPD-12. This is key because these policies will drive your requirements.
  3. Involve the primary agency stakeholders in the process.
  4. Establish a list of objectives your agency wants to achieve while meeting the directive.
  5. Using the policy decisions, develop an initial list of requirements.
  6. Communication, Training & Awareness

Migration Planning

Sample Organization

Acquisition Planning
- Identifying Resource Requirements
- Change Management
- Identifying Potential Funding Streams
- Current Procurement Methods
  - GSA Smart Card Contract Vehicle
  - GSA Schedules
  - Aggregated buy
- Acquisition Stakeholders

Acquisition Planning (Continued)
- Major Components of an Identity Management System

Anticipating Costs

Acquisition Planning (Continued)
- Agency Sponsorship
- Shared Service Providers
- Acquisition Planning Template (Appendix A)
  - Statement of Need
  - Background
  - Acquisition Alternatives
  - Life Cycle Costs
  - Delivery Requirements
  - Performance Period
  - Risks as Identified in the OMB Agency Plan

Lessons Learned & Case Studies
- Lessons Learned
  - Implementation Management
  - Stakeholder Involvement
  - System Design
  - User Training
  - Pre-Issuance
  - Post-Issuance
- Case Studies
  - Department of State
  - Department of Interior
  - Department of Homeland Security

Tools
- Sample PIV Request Form

Tools
- Implementation Checklist

Tools

Schedule
- Released for Public Comment – Feb
- Comment Period Closed – Mar
- Comments Incorporated – Apr
- Revision submitted to FICC for Review & Comment
- Addition of OMB Guidance & Revised Agency Plan Template
- Planned Updates
  - Conformance Testing
  - GSA Acquisition Services
  - Certification & Accreditation
  - Agency Sponsorship
  - Reference Implementation
  - NIST Special Technical Pubs
  - End-User Training
  - Section 508 (Disabilities Act)

References
- Supporting Publications
  - SP 800-73 – Interfaces for Personal Identity Verification (card interface commands and responses)
  - SP 800-76 – Biometric Data Specification for Personal Identity Verification
  - SP 800-78 – Cryptographic Algorithms and Key Sizes for Personal Identity Verification
- NIST PIV Website (http://csrc.nist.gov/piv-project/)
  - Documents
  - Frequently Asked Questions (FAQs)
  - Comments Received in Original Format
- FICC Website (CIO.Gov/FICC)
  - Identity Management Handbook
  - Smart Card Handbook

Contact
Ralph Billeri
BearingPoint Inc.
1725 Duke St., Suite 700
Alexandria, VA 22314
ralph.billeri@bearingpoint.com
703 519-2314