Implications of US Gov Accepting Externally-Issued Credentials
The OMB Memo to US Government Departments and Agencies on “Requirements for Accepting Externally-Issued Identity Credentials” (PDF) has been signed and delivered.
What are some of the potential implications to some of the stakeholders impacted by this Memo?
Users of Government Web Sites
“This memorandum marks a new day for Federal efficiency: a citizen who is a veteran, a college student and a taxpayer ought not to have to obtain separate digital credentials at each agency website, but instead should be able to use ones he or she already has - a university-issued credential for example - across sites hosted by the Departments of Veterans Affairs, Education and Treasury. Doing so allows the Federal government to streamline the customer experience and recognize real cost savings just when we need to be tightening our belts. Moreover, by using accredited identity providers, Federal agencies see to it that Americans’ information is treated with privacy and security online.”
Government Public Web Site Owners
- You are the primary target audience for this memo; Any enhancements to existing sites or development of a new site triggers this requirement
- Update/Initiate a Risk Assessment to determine acceptable credentials for the web site
- Go through some variation of “HOW-TO: Fast Track to Federation for Web Sites”
- Update your Acquisition and RFP language for Federation Technology to require support for approved FICAM Protocol Profiles
- Think hard about how you will implement an Authorization strategy on your web site
- Have questions? Need clarification on a specific point? Contact ICAM@gsa.gov. That will get you to the authoritative source of information about what you need to do, and what help is available for you.
Identity/Credential Providers
- Are you an OpenID 2.0 IdP? Are you a SAML 2.0 IdP? If so, do you implement support for the FICAM Protocol Profiles for OpenID 2.0 and SAML 2.0?
- Explore what it takes to get certified as an IdP, whose credentials can be used on Government web sites, by one of the FICAM Approved Trust Framework Providers
- What will it take for you to offer Credentials at LOA 2? 3? 4? Is there a need for it? Is there a market for it?
- Are you a PKI Vendor who can offer a PIV-I (LOA 4) credential? Currently there is a gap in the commercial offerings that are available in offering high assurance credentials. Who are the communities of interest that need to inter-operate with the federal government, who need your services? Health Care? Emergency Responders? State and Local Governments?
Federation Technology Vendors
- Build in explicit support for FICAM Approved Protocol Profiles on the IdP side and especially the RP side
- Expect to see RFP and Acquisition language that explicitly requires support for approved FICAM Protocol Profiles in your product portfolio
- (Thinking out loud: Remember how back in the day, the Liberty Alliance used to do SAML Interoperability Testing? Would it not be interesting and useful if Vendors or a Consortium stood up and did the same thing around FICAM Protocol Profiles? So that when you are having a conversation with a Government Agency or Department, you could point to the results for your product to verify compliance with what they are looking for)
External Authorization Management (a.k.a Fine Grained Authorization) Vendors
- Currently the majority of Government Agencies and Departments are focused almost exclusively on Authentication (HSPD-12, PIV, CAC, PIV-I and now OpenID 2.0 and SAML 2.0)
- This memo will, for better or worse, change that mind-set for one particular reason. As agencies and departments go through and do the risk assessment on their sites, they may very well come to the realization that they need to provide information at varying levels of sensitivity to a variety of customers, and that a one size fits all Authentication = = Authorization strategy is limiting at best.
- That will in turn trigger a need to implement an Authorization strategy in tandem with the Federation approach to make sure that the Agencies and Departments have the ability to provide the right data to the right people based on the authorities, roles and privileges of the those people.
- Expect to see changes in Acquisitions and RFPs to incorporate Attribute Based Access Control (ABAC) capabilities.
- If you don’t already, explicitly start building in the capabilities to consume and act on attributes passed to you in the “front-channel” by a Federation Server, and the ability to retrieve attributes via the “back-channel” using the FICAM Backend Attribute Exchange.
This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.