1 / March 2008 /
Identity Management Reference Architecture Defining a reference enterprise architecture for Federal identity management
Identity Management Architecture Team Greg Black, James Ryan, Paul Kavitz
Agenda
• Introductions
• Present the Practicum
• Recommendations & Lessons Learned
Team Members
• Greg Black, Paul Kavitz, Jay Ryan
• Recognizing culture as a leading risk factor, the IDM team sought out areas of personal growth that added value toward an overall problem statement.
• Experience, both professional and personal, was contributed by each member through their work ethic and desire to embrace and employ enterprise architecture.
• Capitalized on individualism, experience, education, and leadership to provide perspectives.
• Diverse backgrounds and individual work ethics of each team member helped create a rich, cohesive approach to gap analysis and problem solving.
Paul Kavitz, MSP
Greg Black, Government
Jay Ryan, IDM & PKI Consultancy
Executive Summary
Audience
• Government policy and decision makers concerned with the Federal Enterprise Architecture (FEA) and Identity Management (IDM) architectures
Motivation and Intent
• To define an extension to the FEA Framework that facilitates alignment of agency identity management architectures and improves benefits case realization.
Structure and Scope
• This presents a reference architecture designed to provide a standard pattern baseline for identity management architecture implementations government-wide.
• The core components are scoping and contextual artifacts common to identity management architectures.
• The summary also includes architecture governance, transition, communication, and maintenance plans.
What do we mean by IDM Reference Architecture?
What is the business scenario that grounds this effort?
Reference Enterprise Architecture Scope Mapped to Deliverables – Assignment Scope
[Figure: enterprise architecture framework grid ("The Enterprise"). Rows (perspectives): Scope (Strategists), Business (Executive Leaders), System (Designers), Technology (Engineers), Component (Technicians), Operations (Workers). Columns: What/Inventory, How/Process, Where/Network, Who/Organization, When/Timing, Why/Motivation. Each cell names its Identification, Definition, Representation, Specification, Configuration or Instantiation pair (e.g. Business Entity / Business Relationship, Technology Transform / Technology Input, Operations End / Operations Means). Deliverables mapped onto the grid: Problem Def., Business Concept Graphic, AFM, Guidance, Indicators Inventory, Missions, Dictionary, Event List, BNC, Line of Sight, Mission Distribution, Map, CDM, L of S. Legend: Context, Data, Performance, Network, Process.]
Identity Management Reference Architecture Artifact Inventory
Short Name | Deliverable Name | Description
Problem Def. | Architectural Problem Statement | Complete statement of purpose of the Identity Management Reference Architecture.
Guidance | Guidance Summary | A summary list of relevant directives, regulation, and guidance constraining the implementation of personal identity verification.
Dictionary | Integrated Data Dictionary | An inventory of data types that define the scope of personal identity verification.
Event List | Operational Information Cycles | A composite artifact showing the relationship of [reference] business cycles to the state of information in the Integrated Data Dictionary.
BNC | Business Node Connectivity Model | Scoping artifact showing the information relationships between organizations collaborating on the implementation of Personal Identity Verification.
CDM | Concept Data Model | Conceptual Data Model using Object Relational Modeling conventions to describe the semantic relationships of the primary data entities pertaining to identity management.
AFM | Activity Flow Model | Design artifact using IDEF0 describing an example (model) process implementation of Personal Identity Verification in the adjacent suprasystem of processes necessary to operate this function. Framed by the Federal Enterprise Architecture Service Component Reference Model.
BCG | Business Concept Graphic | Graphic describing multiple functional relationships between processes and business missions related to personal identity verification.
Missions | Related Federal Missions | A list of missions and supporting business functions, framed by the FEA Business Reference Model, that have some role in personal identity verification.
Indicator Inventory | Candidate Performance Measurement Indicators | A list of potential measurement indicators across technical, process, and citizen-service measurement areas relevant to assessing performance of personal identity verification.
Line of Sight | Line of Sight Example | Example artifact demonstrating application of a set of performance measurement indicators across a specific service component relevant to personal identity verification.
Map | Geographic Distribution of Network Types | A global map identifying different types of countries with shared high-level characteristics relevant to the implementation of personal identity verification.
Mission Distribution | Organizational Mission Distribution | Composite artifact integrating Organization (Agency), Network (Geography) and Process (Business Sub-function missions) relevant to assessing scope for personal identity verification.
Artifact categories: Context, Data, Performance, Network, Process
Appendix A: Artifact Summary Identity Management Reference Architecture
Architecture Problem Statement
Core Problem Statement
• Define a Reference Architecture that aligns the motivations and objectives of the acquirers and providers of credentialing systems in the US Federal Enterprise (see table below)
Extended Problem Statement
• Interpret the ‘US Federal Enterprise’ above and shared objective #1 below in terms of the public-private interactions required to fulfill the homeland security mission objectives predicated by credentialing requirements.
# | IT MSP Enterprise Objective | Federal Enterprise Objective | Primary artifacts
1 | What is the total addressable market in the US government for identity management? | Where can identity management be reused across government? | Missions, Line of Sight, Mission Distribution
2 | What are the cross-sell opportunities for a credentialing solution? | What is the integrated suprasystem surrounding a credentialing service required to realize the projected benefits? | Dictionary, Event List, BNC, AFM, BCG, Map
3 | What is the market value proposition for the identity management solution? | What are the citizen-centric benefits and performance measures for identity management investments? (eGovernment) | Indicator Inventory, Line of Sight
[Figure: policy context diagram. Nodes: Federal Policy; Identity Management Reference Architecture; IT MSP Enterprise (IT MSP EA); Market System (Commercial Sector operators, driven primarily by investor priorities); US Federal Enterprise (FEAF); Market Policy (Market Interventions); Operational Policy (Government-wide policy); US Defense Enterprise (DODAF); Critical Sectors (Industry EA), e.g. Electricity EA, Transportation EA, Defense-Industrial Base EA; Industry-specific Policy (Industry Regulation). Relationships between the nodes are labelled A and B.]
Business Concept Graphic
[Figure: Business Concept Graphic. IDM Reference Architecture covers Identity, Credentialing and Managed Service; a Valid Person or Invalid Person presents a Credential for Physical Access or Logical Access. Sectors shown: Information Technology & Communications Sectors; Facilities Sector; Critical Infrastructure Sectors (from HSPD-7 and NIPP): Electricity, Transportation, Defense-Industrial Base, Banking & Finance, Nuclear, Oil & Gas, Food. Annotations: Agencies accountable for their own and external critical infrastructure sectors; Agencies accountable for only their own critical IT & facilities; IDM Reference Architecture can be used by Agencies; IDM Reference Architecture can be used by Critical Sectors; Credential Standards Defined by HSPD-12 and FIPS 201.]
Guidance Map
Federal Missions Related to Identity Management
Business Node Connectivity Model
• Agencies have NOT outsourced IDM in total
• BI largely outsourced; credential manufacturing largely outsourced
• Key “Virtual” node is often Hiring Managers
• Collaboration is INTENSE
• Often forgotten nodes: Help Desk, Information & Technology Mgmt, Contractor Sponsors
Activity Flow Model
Operational Event List
Identity Management Operational Events
• Identity On/Off Boarding Events
• Identity Change Events
• Credential Management Events
• Infrastructure Management Events
Bullet Proofing the Identity Management Capability
• Event Handling
• Event Linkage
Conceptual Data Model
Artifact Summary
• Provides semantic information relationships for business stakeholder communications
• Key entities include person, credential, permission, portal, and assets (information, system, and physical)
Artifact Alignment
• Information entities support the Activity Flow Model
• Entities defined in the Dictionary
Artifact Use
• Used to bridge CIO Council Data Sub-committee and Universal Core efforts with logical data models in reference agencies.
Integrated Data Dictionary – Subset Snapshot
Artifact Summary
• Defines key terms used in the architecture, primarily at the scoping perspective
Artifact Alignment
• Dictionary to Business Node Connectivity (BNC): all business nodes (organization) and need lines (data) displayed in the BNC are defined.
• Dictionary to Activity Flow Model (AFM): all processes, inputs, and outputs displayed in the AFM are defined.
• Dictionary to Conceptual Data Model (CDM): all semantic data objects displayed in the CDM are defined.
• Dictionary to the Related Federal Missions: all business reference model topics that are in scope of the assignment are defined.
Artifact Use
• Should be used to understand terms used within the IDM-RA
• This artifact seeks alignment with other governmental data definition workgroups, and should be maintained as standard federal information definitions evolve.
• Architects using this reference architecture to define identity management implementations can use this dictionary as one source of standard definitions for identity-related information.
Artifact(s) | Term | Definition
Activity Flow Model, Conceptual Data Model, BNC Model | Person | A person is a human that has a context within the enterprise which requires access to digital or physical assets.
Conceptual Data Model | Clearance | A label or set of labels about a Person that identifies a level of trust in that Person.
Activity Flow Model, Conceptual Data Model | Position | The job description (e.g. title, manager/staff, organization) describing an expected set of behaviors and corresponding activities and rights for a person.
Conceptual Data Model | Gender | Sex of the person.
Conceptual Data Model | Name | Legal labeling of a person based on birth record or other legal assignment.
Conceptual Data Model | Birth | The act of being born or establishing an existence.
Conceptual Data Model | Birthplace | The location where a person is born, usually identified as city and state or geospatial key number.
Conceptual Data Model | Party | A collection of persons or other parties that share a common goal or interest. This would cover collections that are inside or outside the enterprise and that are persistent or temporary.
Activity Flow Model, Conceptual Data Model, BNC Model | Credential | A physical or logical token representing the identity of a person.
Activity Flow Model, Conceptual Data Model, BNC Model | Certificate | A structured set of information uniquely authenticating a person.
Conceptual Data Model | Facility | A physical asset that is a temporarily or permanently immobile physical structure encompassing a physical space which can be occupied by human beings.
Conceptual Data Model | Jurisdiction | The legal context and authority governing activity in a physical space.
Conceptual Data Model | Compound | A collection of one or more facilities with a common perimeter serving some shared purpose.
Conceptual Data Model | Boundary | A physical perimeter bounding a space.
Activity Flow Model, Conceptual Data Model | Control | The physical and logical controls governing human passage across a portal.
Conceptual Data Model | Portal Audit | The survey conducted by a human being assessing the access controls of a portal.
Conceptual Data Model | Portal Audit Findings | The discrete, individual representations of an auditor's survey of the state of a portal's access controls.
Activity Flow Model, Conceptual Data Model | Portal | An access control point where human beings are able to cross a physical or logical boundary.
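As an added example that is not part of the original deck or the team's artifacts, the following Python sketch models the dictionary entities above (Person with a Clearance label, Credential, Portal, Control, Portal Audit Findings) and links them to the Operational Event List: an identity off-boarding event must revoke the person's credentials, and the control at a portal must then deny passage. Class, field and method names are assumptions chosen for illustration, and the persons, credentials, portal and dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Person:
    name: str
    clearance: int        # Clearance: a label expressing a level of trust in the person
    active: bool = True   # cleared when an identity off-boarding event is handled


@dataclass
class Credential:
    serial: str
    holder: str           # Person.name that this token represents
    expires: date
    revoked: bool = False


@dataclass
class Portal:
    name: str
    protects: str         # the asset (information, system or physical) behind the portal
    min_clearance: int
    permitted: set = field(default_factory=set)   # Person names holding a permission


class IdentityCapability:
    """Hypothetical handler for the event groups of the Operational Event List."""

    def __init__(self) -> None:
        self.persons: dict[str, Person] = {}
        self.credentials: dict[str, Credential] = {}
        self.portals: dict[str, Portal] = {}
        self.findings: list[tuple] = []   # Portal Audit Findings: (portal, serial, ok, why)

    # Identity on/off-boarding events
    def onboard(self, person: Person) -> None:
        self.persons[person.name] = person

    def offboard(self, name: str) -> int:
        """Event linkage: off-boarding revokes every credential the person still holds."""
        self.persons[name].active = False
        stale = [c for c in self.credentials.values() if c.holder == name and not c.revoked]
        for cred in stale:
            cred.revoked = True
        return len(stale)

    # Credential management events
    def issue(self, cred: Credential) -> None:
        person = self.persons.get(cred.holder)
        if person is None or not person.active:
            raise ValueError("credentials are issued only to active, on-boarded persons")
        self.credentials[cred.serial] = cred

    def revoke(self, serial: str) -> None:
        self.credentials[serial].revoked = True

    # Infrastructure management events
    def add_portal(self, portal: Portal) -> None:
        self.portals[portal.name] = portal

    # Control: the decision taken at the portal; every outcome becomes an audit finding
    def cross(self, serial: str, portal_name: str, today: date) -> tuple[bool, str]:
        portal = self.portals[portal_name]
        cred = self.credentials.get(serial)
        if cred is None:
            verdict = (False, "unknown credential")
        elif cred.revoked:
            verdict = (False, "credential revoked")
        elif cred.expires < today:
            verdict = (False, "credential expired")
        elif not self.persons[cred.holder].active:
            verdict = (False, "person off-boarded")
        elif cred.holder not in portal.permitted:
            verdict = (False, "no permission for this portal")
        elif self.persons[cred.holder].clearance < portal.min_clearance:
            verdict = (False, "clearance below portal requirement")
        else:
            verdict = (True, "access granted")
        self.findings.append((portal_name, serial, *verdict))
        return verdict


def demo() -> tuple[list[tuple[bool, str]], IdentityCapability]:
    """Constructed walk-through: issue, use, off-board, try again."""
    cap = IdentityCapability()
    for person in (Person("alice", clearance=2), Person("bob", clearance=1)):
        cap.onboard(person)
    cap.issue(Credential("PIV-0001", "alice", expires=date(2010, 3, 1)))
    cap.issue(Credential("PIV-0002", "bob", expires=date(2010, 3, 1)))
    cap.add_portal(Portal("server-room", "rack A", min_clearance=2, permitted={"alice", "bob"}))
    today = date(2008, 3, 1)
    results = [cap.cross("PIV-0001", "server-room", today),   # alice: granted
               cap.cross("PIV-0002", "server-room", today)]   # bob: clearance too low
    cap.offboard("alice")                                     # linked event revokes PIV-0001
    results.append(cap.cross("PIV-0001", "server-room", today))
    results.append(cap.cross("PIV-9999", "server-room", today))
    return results, cap
```

The point of the sketch is the linkage: the off-boarding handler revokes the token rather than relying on the portal to notice that the person is gone, and the control still checks the person's active flag as a second line in case a credential is ever left unrevoked. Every decision, granted or denied, is appended to the findings list so that a Portal Audit has a record to survey.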
Distribution of Organization Mission
[Figure: organizational mission distribution chart. Legend labels as extracted: Country Birth Registration Rate: 90% or greater, 70-89%, 50-69%, 30-49%, <30%, No Birth Registration System.]
Distribution of Network Types
[Figure: global map shaded by Country Birth Registration Rate: 90% or greater, 70-89%, 50-69%, 30-49%, <30%, No Birth Registration System.]
Candidate Performance Measurement Indicators
Line of Sight Example
Next Steps & Key Observations
Next Steps
• Find a way to ensure Managed Service Providers (MSPs) are aligned to this reference model
• The National Infrastructure Protection Plan (NIPP) is managed through a collection of committees. This committee structure, with the Critical Infrastructure Partnership Advisory Council (CIPAC) at its apex, could be adapted to form the governance for cross-industry alignment.
• This reference architecture could be extended to include a reference transition plan for an implementing agency. This might describe means by which agencies would prioritize and group identity management improvements.
Key Observations
• Identity document verification challenges overseas
• Federal data architecture activities
• U.S. missions overseas
• Activity Flow Model responsibility
• Need to “fill the gap” beyond what the FEA profile provides
• Relationship between IDM and the governmental mission of CIP in commercial enterprises
Implementation Strategy Rollout
Target Architecture
• The end state for the IDM-RA is the acceptance and standardization of this reference architecture as a baseline upon which implementing agencies draw to establish their enterprise architectures pertaining to identity management.
Socialize with Stakeholders
• Socialization of this RA with the target client community, specifically the FICC and the leading federal credentialing managed services providers.
• Identify relevant working groups, including existing groups working on standardization of ‘Person’ data types.
FEA Addendum
• Extend the FEAF with a new type of reference model exemplified by the IDM-RA.
• Build upon the current RA primitives with a set of composite RAs relevant to a particular government imperative and common to multiple agencies.
Establish IDM Reference Architecture Community
• Integrate the RA into the CPIC process, and maintain a website and possibly a wiki and collaboration forums to incorporate best-practice feedback from pervasive agency implementations.
• This forum and governance would provide the means to measure the performance of the IDM-RA effort and tune the model and the approach to be responsive to community needs and feedback.
Summary
1. Progressive diffusion and adoption of this RA as a baseline input for each agency’s EA artifacts that pertain to IDM (referred to as the IDM-RA Transition Strategy).
2. The “as-is” and “to-be” target architectures of each agency will differ widely, as will their transition plans. Therefore, the second level of implementation strategy is the iterative transition of each agency’s operational architecture (the instantiation of IDM in that agency) in ways that progressively improve benefits case realization and the ability to interoperate with other agencies’ IDM architectures. Each agency is expected to have an “as-is” and a “to-be” and will define its own contextual transition strategy relevant to its priorities and goals. This transition is important, and must be governed effectively government-wide to realize the overall objectives of IDM.
[Figure: phased rollout timeline with Phase 1, Phase 2 and Phase 3 spanning Stakeholder Socialization, Reference Architecture Community and FEA Addendum.]
Implementation Strategy Assurance
Governance
• Governance of the Federal Enterprise-Wide Identity Management Capability
• Governance of the Agency Identity Management Capability
• Governance of the Identity Management Reference Architecture
Maintenance
• Should evolve as the many different agencies incorporate it within their specific EA.
• Changes should be captured and documented, justified on the basis of costs, benefits, and risks.
• Changes should be processed through established change control processes and board authority.
• The change documentation should characterize the problem, solution, and alternatives chosen and rejected in light of established priorities.
Communications
• Create materials describing the scope of the EA and the value, benefits, and importance of EA and the IDM-RA.
• One-page briefing or brochure, key concept map, Frequently-Asked Questions (FAQ) document, and PowerPoint presentation.
• Post on an EA website, SharePoint, Wiki, or other collaboration tool.
Performance Management
• Performance of an agency in meeting the stated performance indicators
• Performance of the reference architecture as a tool to meet the end goal
Capital Planning Integration
• Each agency implementing the IDM model designs its own CPIC process for structuring budget formulation and execution to ensure that investments consistently support strategic goals.
• All IT projects should align with the agency mission and support business needs. The target architecture and the sequencing plan provide information for the three phases of the CPIC process.
Compliance
• Compliance will be implemented according to the Federal CIO Council’s EA Alignment and Assessment Guide (AAG).
• Business Performance and Technical Standards will be evaluated
Recommendations and Lessons Learned
Lessons Learned & Recommendations
• Choose a Good Topic
  – Domain Expertise
  – Choose a REAL Challenge
  – Get Interests Aligned
• Handle the Practicum Like a Project
  – Nail the Statement of Work, BCG, and Problem Definition
  – Communication, Collaboration, and Workload Sharing
  – Gold in the professor feedback
• Leverage Homework Assignments
  – Really understand your assignment scope
  – Really understand your assignment schedule
  – Really confirm your understanding of EA
• Leverage your Team
  – 80% of what you learn will be cemented by your team collaboration
Reference Enterprise Architecture Scope Mapped to Deliverables – Assignment Scope
[Figure: the same enterprise architecture framework grid ("The Enterprise"): rows Scope (Strategists), Business (Executive Leaders), System (Designers), Technology (Engineers), Component (Technicians), Operations (Workers); columns What/Inventory, How/Process, Where/Network, Who/Organization, When/Timing, Why/Motivation, each cell naming its Identification, Definition, Representation, Specification, Configuration or Instantiation pair. Here the cells are annotated with the Appendix B section references 5.1 through 5.12 (5.5 and 5.10 appear twice). Legend: Context, Data, Performance, Network, Process.]
Appendix B: Supporting Detail
5.2 Guidance Summary
Document Title | Notes | Level
6.1 Homeland Security Presidential Directive-12 | Designed to increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees). http://csrc.nist.gov/drivers/documents/Presidential-Directive-Hspd-12.html | Strategic Directive Level
6.2 Federal Information Processing Standard (FIPS) 201: “Personal Identity Verification of Federal Employees and Contractors” | This standard specifies the architecture and technical requirements for a common identification standard for Federal employees and contractors. It was developed to satisfy the requirements of HSPD-12, approved by the Secretary of Commerce, and issued on February 25, 2005. | Strategic Directive Level
Pub. L. 107-347, E-Government Act of 2002 | To enhance the management and promotion of electronic Government services and processes by establishing a Federal Chief Information Officer within the Office of Management and Budget, and by establishing a broad framework of measures that require using Internet-based information technology to enhance citizen access to Government information and services, and for other purposes. | Law Executive/Legislative Level
Pub. L. 107-347, E-Government Act of 2002, Title III, Federal Information Security Management Act (FISMA) of 2002 | Enacted to streamline—while at the same time strengthening—the requirements of its predecessor, the Government Information Security Reform Act (GISRA). FISMA compliance is a matter of national security, and therefore is scrutinized at the highest level of government. Yet FISMA compliance presents significant challenges for federal agencies, and for any organization that deals with federal information. | Law Executive/Legislative Level
Pub. L. 101-576, The Chief Financial Officers (CFO) Act of 1990 | Intended to improve the government's financial management, outlining standards of financial performance and disclosure. Among other measures, the Office of Management and Budget (OMB) was given greater authority over federal financial management. | Law Executive/Legislative Level
5.2 Guidance Summary (cont’d)
Document Title | Notes | Level
President's Management Agenda of 2002 | An aggressive strategy for improving the management of the Federal government. It focuses on five areas of management weakness across the government where improvements and the most progress can be made. | Strategic Directive Level
Government Performance and Results Act of 1993 | Seeks to shift the focus of government decision-making and accountability away from a preoccupation with the activities that are undertaken - such as grants dispensed or inspections made - to a focus on the results of those activities, such as real gains in employability, safety, responsiveness, or program quality. Under the Act, agencies are to develop multiyear strategic plans, annual performance plans, and annual performance reports. | Law Executive/Legislative Level
44 U.S.C. 3501, et seq., Paperwork Reduction Act of 1995, Pub. L. 104-13, as amended | Minimize the paperwork burden for individuals, small businesses, educational and nonprofit institutions, Federal contractors, State, local and tribal governments, and other persons resulting from the collection of information by or for the Federal Government. | Law Executive/Legislative Level
40 U.S.C. 1401, et seq., Chapter 808 of Pub. L 104-208, the Clinger-Cohen Act of 1996 [renaming, in pertinent part, the Information Technology Management Reform Act (ITMRA), Division E of Pub. L 104-106] | Provides that the government information technology shop be operated exactly as an efficient and profitable business would be operated. Acquisition, planning and management of technology must be treated as a "capital investment." While the law is complex, all consumers of hardware and software in the Department should be aware of the Chief Information Officer's leadership in implementing this statute. | Law Executive/Legislative Level
OMB Circular No. A-123, Management Accountability and Control, dated June 21, 1995 | Requires Federal employees to design management structures that help ensure accountability for results, and include appropriate, cost-effective controls; and provides guidance to Federal managers on improving the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on management controls. | Strategic Directive Level
5.2 Guidance Summary (cont’d)
Document Title | Notes | Level
OMB Circular No. A-130, Appendix III, Management of Federal Information Resources, dated November 28, 2000 | This Circular establishes policy for the management of Federal information resources. OMB includes procedural and analytic guidelines for implementing specific aspects of these policies as appendices. | Strategic Directive Level
M-04-04 Presidential memorandum: E-Authentication Guidance for Federal Agencies | Requires agencies to review new and existing electronic transactions to ensure that authentication processes provide the appropriate level of assurance. It establishes and describes four levels of identity assurance for electronic transactions requiring authentication. Assurance levels also provide a basis for assessing Credential Service Providers (CSPs) on behalf of Federal agencies. This document will assist agencies in determining their e-government authentication needs. Agency business-process owners bear the primary responsibility to identify assurance levels and strategies for providing them. This responsibility extends to electronic authentication systems. http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf | (level not stated)
Homeland Security Presidential Directive-7 | This directive establishes a national policy for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attacks. | Strategic Directive Level
National Infrastructure Protection Plan | The National Infrastructure Protection Plan (NIPP) and supporting Sector-Specific Plans (SSPs) provide a coordinated approach to critical infrastructure and key resources (CI/KR) protection roles and responsibilities for federal, state, local, tribal, and private sector security partners. The NIPP sets national priorities, goals, and requirements for effective distribution of funding and resources which will help ensure that our government, economy, and public services continue in the event of a terrorist attack or other disaster. | Strategic Directive Level
Appendix X: Arguments (Clarifications, assumptions, and defense of artifacts)
5.5 Business Node Connectivity Diagram
[Figure: Business Node Connectivity Diagram with source callouts: “From Slide 19, Overview of Architecture Views”; “From Slide 9, Overview of Architecture Views”; “From Slide 20, FEAF Architecture Products”.]
Reference Enterprise Architecture Scope Mapped to Deliverables – Utility of FEA RMs

[Figure: the Zachman Enterprise Architecture Framework grid for THE ENTERPRISE (rows Scope/Strategists, Business/Executive Leaders, System/Designers, Technology/Engineers, Component/Technicians, Operations/Workers; columns What/Inventory, How/Process, Where/Network, Who/Organization, When/Timing, Why/Motivation) with the reference architecture deliverables 5.1 through 5.12 placed on the cells they document (5.5 and 5.10 each appear on two cells). The deliverables are grouped as Context, Data, Performance, Network, and Process artifacts and mapped to the FEA reference models BRM, SRM, and PRM. The grid itself is the same one reproduced as Fig. 3.1 in the Statement of Work.]
Sector-Specific Agencies and HSPD-7 Assigned CI/KR Sectors

Critical Infrastructure Sector: Sector-Specific Agency
Agriculture & Food: Department of Agriculture (meat, poultry, and egg foods); Food and Drug Administration (other foods)
Public Health and Healthcare: Department of Health and Human Services
Drinking Water and Water Treatment Systems: Environmental Protection Agency
Energy (oil, gas, and electric power, not nuclear): Department of Energy
Banking and Finance: Department of the Treasury
National Monuments and Icons: Department of the Interior
Defense Industrial Base: Department of Defense
Chemical: Department of Homeland Security
Commercial Facilities: Department of Homeland Security
Dams, Locks, and Levees: Department of Homeland Security
Emergency Services: Department of Homeland Security
Commercial Nuclear Reactors, Materials, and Waste: Department of Homeland Security
Information Technology: Department of Homeland Security
Telecommunications: Department of Homeland Security
Postal and Shipping: Department of Homeland Security
Transportation Systems: Department of Homeland Security
Government Facilities: Department of Homeland Security
Government/Market framework for Identity Management Reference Architecture

[Figure: the Identity Management Reference Architecture positioned among three enterprises: the IT MSP Enterprise (IT MSP EA), the US Federal Enterprise (FEAF), and the US Defense Enterprise (DODAF).]

Market System framework for Identity Management Reference Architecture

[Figure: the same three enterprises (IT MSP EA, FEAF, DODAF) and the Identity Management Reference Architecture placed within a Market System of commercial sector operators, driven primarily by investor priorities. Critical Sectors each carry an Industry EA (e.g. Electricity EA, Transportation EA, Defense-Industrial Base EA). Three layers of policy act on the system: Federal Policy, split into Market Policy (market interventions), EA Policy (government-wide policy), and Industry-specific Policy (industry regulation). Relationships are labelled A and B in the original diagram.]
Identity Management Reference Architecture Statement of Work
1. Introduction
• This project defines a reference enterprise architecture for the personal identity verification (PIV) managed service and its surrounding identity management suprasystem, as guided by Homeland Security Presidential Directive 12 (HSPD-12) and Federal Information Processing Standard (FIPS) 201.

2. Background
• Homeland Security Presidential Directive-12 (HSPD-12) mandates implementation of personal identity verification smart card credentials for all employees and contractors of the US Federal government.
• The GSA Schedule for HSPD-12 has identified a number of managed service providers qualified to deliver credentialing services to agencies required to comply with the directive.
• Beyond the narrow implementation of this directive, a credentialing service must be integrated within the larger Enterprise Architecture of each agency across the Federal Government and their facilities distributed across the world.
• Furthermore, many Federal missions require the government to assure the identity of various public communities, including alien visitors and immigrants, operators of critical infrastructures (e.g. transportation), and others. Each of these communities is credentialed by other means, regulated by various standards that are not integrated with one another.
• With multiple identity management implementations already underway, GSA seeks an enterprise architecture as a decision support tool to inform the governance of the identity management implementations across government. The intent is to promote realization of the anticipated security benefits these credentials afford and to minimize the variety of implementations.
3. Scope
• This project will define an enterprise reference architecture that places the HSPD-12 personal identity verification (PIV) credential managed service in the context of the broader Federal Enterprise Architecture.
– As such, it intends to identify opportunities for GSA, each implementing agency, and the managed service providers to reuse components, improve integration, and realize the business benefits of common personal identity verification (PIV) services across all of government.
• Bounds and magnitudes
– The Personal Identity Verification Enterprise Reference Architecture (PIV-ERA) shall define multiple architectural perspectives limited to descriptive representations of the PIV function and its immediately adjacent systems (the proximate suprasystem). At the business and system level the PIV-ERA shall be a reference model only; as such it shall be neutral with regard to any particular agency, but specific to the US Federal Government.
– The Zachman Enterprise Architecture Framework v2.01 (Ref. 6.4) serves to further clarify the boundary for this SOW (see Fig. 3.1), as follows:
• Scoping identification (Zachman Row 1) for Personal Identity Verification shall be developed for all focus areas (Inventory, Process, Network, Organization, and Motivation).
• Business conceptual definitions (Zachman Row 2) for Personal Identity Verification shall be developed for the Inventory, Process, and Motivation focus areas (cells 2,1; 2,2; and 2,6).
• A reference System Process Representation (Zachman cell 3,2) shall be developed for Personal Identity Verification.
– Estimated total effort for development of the PIV-ERA is a three-person effort over 8 weeks, about 300 person-hours in total.
Fig. 3.1 Identity Management Scope Enterprise View

Zachman Enterprise Architecture Framework grid for THE ENTERPRISE. Columns are the six focus areas: What (Inventory), How (Process), Where (Network), Who (Organization), When (Timing), Why (Motivation). Rows are the six perspectives, each with its audience and its cell type; each cell is listed below in column order.

Row 1, Scope (Strategists), Identification: Inventory types; Process types; Network types; Organization types; Timing types; Motivation types.
Row 2, Business (Executive Leaders), Definition: Business entity, business relationship; Business transform, business input; Business location, business connection; Business role, business work; Business cycle, business moment; Business end, business means.
Row 3, System (Designers), Representation: System entity, system relationship; System transform, system input; System location, system connection; System role, system work; System cycle, system moment; System end, system means.
Row 4, Technology (Engineers), Specification: Technology entity, technology relationship; Technology transform, technology input; Technology location, technology connection; Technology role, technology work; Technology cycle, technology moment; Technology end, technology means.
Row 5, Component (Technicians), Configuration: Component entity, component relationship; Component transform, component input; Component location, component connection; Component role, component work; Component cycle, component moment; Component end, component means.
Row 6, Operations (Workers), Instantiation: Operations entity, operations relationship; Operations transform, operations input; Operations location, operations connection; Operations role, operations work; Operations cycle, operations moment; Operations end, operations means.

Cells in scope for this SOW, per section 3: all of Row 1; Row 2 cells 2,1 (Inventory), 2,2 (Process), and 2,6 (Motivation); and Row 3 cell 3,2 (Process).
4. Deliverable Schedule & Dependencies

[Figure: dependency and schedule diagram. Input documents 6.1, 6.2, 6.3, and 6.4 feed the work. Tasks 1 through 5 produce deliverables 5.1 through 5.12 (5.9 and 5.10 are shown with Task 4, 5.11 and 5.12 with Task 5), grouped as Context, Data, Process, Performance, and Network artifacts. Milestones in order: Task Award, SOW, Task 1 Signoff, Task 2,3 Signoff, Task 4,5 Signoff, Final Presentation, Grades Awarded.]