Anil John
Making Digital Services Secure and Trustworthy

Implications of US Gov Accepting Externally-Issued Credentials

The OMB Memo to US Government Departments and Agencies on "Requirements for Accepting Externally-Issued Identity Credentials" (PDF) has been signed and delivered.

What are some of the potential implications to some of the stakeholders impacted by this Memo?

Users of Government Web Sites

via the White House Blog:

"This memorandum marks a new day for Federal efficiency: a citizen who is a veteran, a college student and a taxpayer ought not to have to obtain separate digital credentials at each agency website, but instead should be able to use ones he or she already has - a university-issued credential for example - across sites hosted by the Departments of Veterans Affairs, Education and Treasury. Doing so allows the Federal government to streamline the customer experience and recognize real cost savings just when we need to be tightening our belts. Moreover, by using accredited identity providers, Federal agencies see to it that Americans' information is treated with privacy and security online."

Government Public Web Site Owners

Identity/Credential Providers

  • Are you an OpenID 2.0 IdP? Are you a SAML 2.0 IdP? If so, do you implement support for the FICAM Protocol Profiles for OpenID 2.0 and SAML 2.0?
  • Explore what it takes to get certified by one of the FICAM Approved Trust Framework Providers as an IdP whose credentials can be used on Government web sites.
  • What will it take for you to offer credentials at LOA 2? 3? 4? Is there a need for it? Is there a market for it?
  • Are you a PKI vendor who can offer a PIV-I (LOA 4) credential? There is currently a gap in the commercial offerings available for high assurance credentials. Which communities of interest that need to interoperate with the federal government also need your services? Health care? Emergency responders? State and local governments?

Federation Technology Vendors

  • Build in explicit support for FICAM Approved Protocol Profiles on the IdP side and especially the RP side
  • Expect to see RFP and Acquisition language that explicitly requires support for approved FICAM Protocol Profiles in your product portfolio
  • (Thinking out loud: Remember how back in the day, the Liberty Alliance used to do SAML Interoperability Testing? Would it not be interesting and useful if Vendors or a Consortium stood up and did the same thing around FICAM Protocol Profiles? So that when you are having a conversation with a Government Agency or Department, you could point to the results for your product to verify compliance with what they are looking for)

External Authorization Management (a.k.a Fine Grained Authorization) Vendors

  • Currently the majority of Government Agencies and Departments are focused almost exclusively on Authentication (HSPD-12, PIV, CAC, PIV-I and now OpenID 2.0 and SAML 2.0).
  • This memo will, for better or worse, change that mindset for one particular reason. As agencies and departments go through the risk assessment on their sites, they may very well come to the realization that they need to provide information at varying levels of sensitivity to a variety of customers, and that a one-size-fits-all "Authentication == Authorization" strategy is limiting at best.
  • That will in turn trigger a need to implement an Authorization strategy in tandem with the Federation approach, so that Agencies and Departments are able to provide the right data to the right people based on the authorities, roles and privileges of those people.
  • Expect to see changes in Acquisitions and RFPs to incorporate Attribute Based Access Control (ABAC) capabilities.
  • If you don't already, explicitly start building in the capability to consume and act on attributes passed to you in the "front-channel" by a Federation Server, and the ability to retrieve attributes via the "back-channel" using the FICAM Backend Attribute Exchange.

This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.
