How much security is enough?

With the increased importance of outsourcing, cyber collaboration, information sharing, and legally binding digital signatures, your partners and clients share your risks and are now key stakeholders in this equation.

Prudent and transparent security is now a cost of doing business. Those that modernize now survive, those that don't, won't.

To modernize efficiently and effectively: 1) find a community that defines cyber security prudence, and 2) adopt enterprise architecture and project management practices to control your modernization initiatives.

Monday, April 14, 2008

Bill at NIST recommends PIV termination process

Ron Martin recently published a PowerPoint presentation that Bill MacGregor gave a few weeks back. It is a good read and contains some very important recommendations.

Before we dig into one of his recommendations, I should note that Bill and I were colleagues in a past life. We worked together after 9/11 as a tiger team within SchlumbergerSema to define an approach to information sharing which we ultimately presented to Rumsfeld. We thought alike back then, and it seems we still do.

Now, let's dig through one of his recommendations. Let me draw your attention to the slide entitled "Green Lights." Green-light activities are those that Bill suggests are important for agencies to consider. His second recommendation is, "Develop and Coordinate a PIV termination process." Bill knows that agencies must work out their termination processes, and that this is important.

We agree. Termination processes are a gap right now, and until it is closed we will have "Orphaned Credentials." You can read our blog post about orphaned credentials here. To summarize that post:

  1. Orphaned Credentials are those that are still active AFTER the identity (person) is no longer affiliated with the agency.
  2. Unless we continue to modernize our identity management capability, we, as a community, will have many FIPS 201 Orphaned Credentials.
  3. The root cause is that our identity management processes are NOT FUSED to our credential management processes.
As usual Bill, we agree. To follow Bill's advice, we offer agencies the following recommendations:
  1. Consider the termination process in the bigger picture of your offboarding processes. Ask your HR, IT Service Desk, Physical Security, and Information Security staff what they do when someone leaves. Terminating a FIPS 201 smart card is one of many threads that all happen manually today to offboard an identity. As an example, you might find that the IT service desk reclaims corporate-issued laptops and BlackBerrys, and reclaims copies of limited-use software (e.g. Visio). This is one of many examples I could give, but you can see that automating as many of the offboarding threads as possible will drive a better ROI and also lets you avoid the cost of figuring out later how to integrate the PIV termination thread with your other offboarding threads.

  2. To get good identity termination processes, we should start with good onboarding processes. Consider this. A contractor is sponsored for a FIPS 201 credential. Who sponsored him? Is that same person held accountable for notifying the proper people when the contractor separates? Was, and is, the sponsor close enough to the reason the contractor is there to know when the contractor has left? You see, a good onboarding process will have a rich workflow that tracks who approved the credential and holds this person (or these people) accountable for triggering the separation processes (which in turn trigger the PIV termination thread). Cream-of-the-crop onboarding workflows will avoid orphaned identities: identities that no longer have sponsors accountable for triggering the separation processes.

  3. Consider events other than separation that trigger termination. For example, conversion from contractor to employee: this conversion process will include the termination process as well as a process for creating a new credential. Lost, damaged, or stolen cards also trigger the termination process.

  4. Consider your reporting requirements. Every year the IG comes into your agency, asks for a list of people who left, and then determines whether their accounts were terminated or not. By properly automating your onboarding/offboarding processes, you will be collecting this very data and will be able to prepare this report for the IG in real time. This is a giant leap in compliance automation, and it will save the agency time and money each and every year.
We will refer to Bill's other recommendations in future posts. For those who don't have a copy of his PPT, here is a link for your convenience.

Monday, April 7, 2008

Who will take care of the orphans?

If physical security isn't informed when a person leaves an agency, what are the chances that the person's FIPS 201 smart card will be revoked? You are right, the chances are not good. We call these cards "orphaned credentials." The credential is still operational but no longer belongs to a valid identity within the enterprise. The credential has, in fact, lost its parent.

As things stand today, we, as a community, will have many FIPS 201 Orphans. HSPD-12, FIPS 201, and the Federal Common Policy are brilliant. But if we stop now, we stop short of modernizing identity management.

One of the key concepts that we (Litmus, NASA, EDS) present in our IDM Reference Architecture is the need to FUSE identity management and credential management processes. This fusion ensures that valid cards will never become orphans.

Here is a concept diagram which explains the "ideal" case. The outer arrow represents the identity management processes. These processes are responsible for managing identities through their lifecycle, including identity onboarding and offboarding and identity changes (e.g. change of legal name, roles, positions, duties, clearances, ...).

In the ideal case, Identity Management processes will trigger Credential Management processes (inner arrow) because the two capabilities are FUSED.

Wouldn't it be great if, for each person (identity) that separates from an agency, the identity management processes automatically and reliably triggered the credentialing processes, and the credential were terminated within minutes?

Yes. This is possible and necessary to make our FIPS 201 smart cards "fit for use."

If you aren't sure whether orphaned credentials will be a challenge at your agency, ask your physical security department or your IT service desk. Ask them how they find out when a person leaves the agency. You will be shocked by the number of manual tasks they have to remember to do, and that they can do them only if someone notifies them of the separation. Ask them in sequence about employees, contractors, and then consultants/on-loan staff/temps/interns. As you work through the sequence, the problem will become more and more apparent.

To prevent orphaned credentials, we, as a community, need to FUSE our identity management processes and credential management processes. We need to do so in a consistent and rigorous manner across the entire federal enterprise. We will increase the reliability of our smart cards and make them fit for use, no matter which agency happens to be managing the identity.
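As an added example (not from the original posts or from the Litmus/EDS/NASA reference architecture), here is a small Python model of the fusion described above and of the offboarding recommendations in the April 14 post: a reconciliation check that lists orphaned credentials and sponsor-less identities, and an event handler in which a separation, conversion or lost-card event terminates the person's cards and yields the rows an IG report needs. All record fields, event names, identifiers and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Identity events that must trigger PIV termination (separation, conversion, lost/stolen/damaged card).
TERMINATING_EVENTS = {"separation", "contractor_to_employee",
                      "card_lost", "card_stolen", "card_damaged"}

@dataclass
class Identity:
    person_id: str
    affiliated: bool
    sponsor_id: Optional[str]  # None = nobody accountable for triggering separation

@dataclass
class Credential:
    serial: str
    person_id: str
    status: str = "active"
    terminated_at: Optional[str] = None  # ISO timestamp, set on termination

def find_orphaned_credentials(identities, credentials):
    """Reconciliation check: active cards whose identity is gone or unaffiliated."""
    by_id = {i.person_id: i for i in identities}
    return [c for c in credentials if c.status == "active"
            and (c.person_id not in by_id or not by_id[c.person_id].affiliated)]

def find_orphaned_identities(identities):
    """Affiliated identities with no sponsor left to trigger offboarding."""
    return [i for i in identities if i.affiliated and i.sponsor_id is None]

def handle_event(kind, person_id, identities, credentials, now):
    """Fused path: the identity event terminates the person's active cards; returns IG audit rows."""
    if kind not in TERMINATING_EVENTS:
        return []
    if kind == "separation":  # the identity side records the offboarding...
        for i in (x for x in identities if x.person_id == person_id):
            i.affiliated = False
    hits = [c for c in credentials if c.person_id == person_id and c.status == "active"]
    for c in hits:            # ...and the credential side is driven from it
        c.status, c.terminated_at = "terminated", now
    return [(c.serial, person_id, kind, now) for c in hits]

def demo():
    """Constructed sample: p1 left but keeps a card, c4 maps to nobody, p2 has no sponsor, p3 separates."""
    ids = [Identity("p1", False, "s1"), Identity("p2", True, None), Identity("p3", True, "s2")]
    cards = [Credential("c1", "p1"), Credential("c2", "p2"), Credential("c3", "p3"), Credential("c4", "p9")]
    before = [c.serial for c in find_orphaned_credentials(ids, cards)]
    rows = handle_event("separation", "p3", ids, cards, "2008-04-07T00:00:00Z")
    after = [c.serial for c in find_orphaned_credentials(ids, cards)]
    return before, rows, after
```

Running the reconciliation on a schedule against HR and card-management data is the detective control; the event handler is the preventive one, and the two orphans left in `after` are exactly the cards the IG would find by hand.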

Tuesday, April 1, 2008

Clever Ideas at FEAC from Litmus, EDS, and NASA

For those of you who sent in email over the past two months, you knew that I was heads down at the FEAC Institute (http://www.feacinstitute.org/). Many of you may have already learned that FEAC is the cream of the crop for Enterprise Architecture certifications.

While I was attending FEAC, I poured every ounce of time and energy I had into it. The results were bigger and better than I could have ever expected.

At FEAC, Litmus took our identity management expertise and joined up with some great talent from EDS (Paul Kavitz) and NASA (Greg Black) to develop our thesis. Our topic: Leveraging an Identity Management Reference Architecture to get real and consistent results across the entire Federal Enterprise.

I really enjoy getting a bunch of smart folks together in a forum where innovation is acceptable and expected. The results are always amazing. This time was no exception. Our team produced an 80-page thesis which lays out a well-defined scope and method for modernizing agency identity management capabilities. As it turns out, our "reference architecture" concept also defined (according to our professors) a missing component of the Federal Enterprise Architecture.

So, enterprise architecture met identity management, and some really clever ideas were spawned. The concept of a "reference architecture" is new in the Enterprise Architecture community. As such, it is ripe with opportunity for people to contribute, improve upon the concept, and apply it to the challenge du jour. Our thesis team is putting together a community web site where you can offer up your insights and learn more about reference architectures.

Stay tuned. When the community web site is available, I will post a link on this blog. The FEAC will be publishing our Identity Management thesis soon as well. I will also post a link to this 80-page document as soon as it is up.