

Subject: Meeting the InCommon Assurance profile criteria using Active Directory


RE: [AD-Assurance] Fwd: NIST Announces the Final Release of SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations


  • From: "Capehart,Jeffrey D" <>
  • To: "" <>
  • Subject: RE: [AD-Assurance] Fwd: NIST Announces the Final Release of SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
  • Date: Wed, 1 May 2013 15:08:31 +0000

The part that I found interesting was where the new REV4 includes a requirement that non-organizational users must use approved authentication by either accepting the PIV cards from other agencies, accepting 3rd party credentials, or using FICAM issued profiles. 


That would lead right to the main point of Federated Identity, which is that if any of our institutions become certified for InCommon Silver (an approved profile by FICAM), then Government Agencies (NSF, NIH, etc.) will be able to comply with FISMA/SP-800-53 while allowing users authenticated outside of their system to use selected information systems.


This new revision doesn’t make Silver have to comply with SP-800-53.  Rather, it says that if FICAM approved Silver, then any federal government agencies using Silver would be in compliance with requirement IA-8 for those users authenticated under Silver (and same for Bronze).


So maybe now it is clear why InCommon Bronze and Silver needed FICAM review and approval with the V1.2 changes?


In considering the intent of the specs, perhaps some of the wording in IA-8 and other FISMA requirements can be used to help formulate alternative means.

  • Balance ease of use for access with need to protect and ADEQUATELY mitigate risk
  • Consider PRACTICALITY and security in balancing (above)
  • The organization employs cryptographic mechanisms to prevent unauthorized disclosure/modification of information at rest unless otherwise protected by alternative physical measures
  • The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by organization-defined alternative physical measures


See below for where this is in the final release.

-Jeff


(CONTEXT: FEDERAL GOVERNMENT AGENCIES NEED TO BE IN COMPLIANCE WITH FISMA/SP-800-53)

IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)


Control: The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).


In accordance with the E-Authentication E-Government initiative, authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations use risk assessments to determine authentication needs and consider scalability, practicality, and security in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk.


Control Enhancements:

(4) IDENTIFICATION AND AUTHENTICATION | USE OF FICAM-ISSUED PROFILES

The information system conforms to FICAM-issued profiles.

Supplemental Guidance: This control enhancement addresses open identity management standards. To ensure that these standards are viable, robust, reliable, sustainable (e.g., available in commercial information technology products), and interoperable as documented, the United States Government assesses and scopes identity management standards and technology implementations against applicable federal legislation, directives, policies, and requirements. The result is FICAM-issued implementation profiles of approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute Exchange).


From: [mailto:] On Behalf Of David Walker
Sent: Wednesday, May 01, 2013 8:14 AM
To: InCommon AD Assurance Group
Subject: [AD-Assurance] Fwd: NIST Announces the Final Release of SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations


I'm not trying to derail our discussion, but I thought this might be of interest to some of you.

David

---------- Forwarded message ----------
From: "NIST Computer Security Resource Center" <>
Date: Apr 30, 2013 12:49 PM
Subject: NIST Announces the Final Release of SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
To: <>

NIST Announces the Final Release of SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations

To view the full announcement of this document and the updates made to improve this document, please visit the Computer Security Resource Center (CSRC) News/Announcement page:
http://csrc.nist.gov/news_events/#apr30

Here is the link to the Special Publications page on CSRC to view/download the document:
http://csrc.nist.gov/publications/PubsSPs.html#800-53

**Please note – when clicking the link to the PDF file, you will notice the link appears as dx.doi.org/……. ; the link does point to a NIST webserver. See the note at the top of the Special Publications page. All newly approved NIST documents are going to use the dx.doi.org link.

__________
To update your user profile, click the Subscriber Preferences Page link below. You can have your email address removed from this topic, or you can add other topics that we currently offer; those can be seen and chosen in user preferences. If you wish to unsubscribe from all topics, you can do so within your user profile. For any questions regarding our list, send email directly to Pat O'Reilly (address below). For technical issues regarding GovDelivery, contact their support team (address below). NOTE - do NOT reply back to this email, for I will not receive it.

Pat O'Reilly
NIST Computer Security Division


Update your subscriptions, modify your password or e-mail address, or stop subscriptions at any time on your Subscriber Preferences Page. You will need to use your e-mail address to log in. If you have questions or problems with the subscription service, please contact . All other inquiries can be directed to .

This service is provided to you at no charge by the National Institute of Standards and Technology (NIST).


This email was sent to using GovDelivery, on behalf of: NIST Computer Security Resource Center · 100 Bureau Drive · Gaithersburg, MD 20899 · (301) 975-6478
