Meeting the InCommon Assurance profile criteria using Active Directory

["Capehart,Jeffrey D" <>]

David,

 

Does the InCommon filled-out TFP application just map Bronze/Silver criteria to each row, or perhaps would there be additional guidance that would be useful for implementers and evaluators/auditors to see?

 

The Assessment Package must build the case that the Applicant’s trust model and practices are comparable at the desired LOA. Applicants are not required to submit their assertions in any particular format, nor are they required to comply strictly with any particular trust criterion. Instead, the Applicant must demonstrate that its trust specifications meet or exceed the trust criteria in NIST SP 800-63. Failure to comply with any particular requirement is not fatal, since alternative mitigation strategies may satisfy trust criteria, especially at LOA 1 and LOA 2.

 

Per Table 8C row 1: Sufficiently protect shared secrets such as passwords.  See Appendix C for definition of “Approved”.

 

Unfortunately, Appendix C was blank.  However, I was able to find the Appendix C definitions in the TFPAP process doc.

http://www.idmanagement.gov/documents/FICAM_TFS_TFPAP_v1.1.0.pdf

 

Some additional interesting notes re: FICAM TFS/TFP/TFPAP.

 

TFPs demonstrate comparability to TFS requirements for security and privacy. Identity Providers demonstrate comparability to a TFP.

 

Subsequent to adoption, a TFP is subject to periodic comparability audits, and possibly discontinuance (i.e., no longer acceptable to the Federal government).

 

The TFS will evolve over time. As the needs of the Program change or become clearer, it is likely that the trust framework adoption process will evolve. Draft revisions of this document will be made available to applicable Federal government agencies and organizations, including TFPs, for comment. Those comments will be provided to the TFS for consideration and possible inclusion before final revision.

 

Jeff

 

From: [mailto:] On Behalf Of David Walker
Sent: Tuesday, May 07, 2013 7:39 PM
To:
Cc: DHW
Subject: Re: [AD-Assurance] Microsoft Strategy / FICAM / Kantara

 

Jeff,

I haven't looked through the FICAM roadmap very critically, but I think we're looking at the issue correctly.  The FICAM tool that we used to demonstrate comparability for InCommon's IAP is the Trust Framework Provider Application Template, which parallels the TFPAP:

http://www.idmanagement.gov/documents/TFP_Application_Template.doc

In particular, see row 1 of Table 8C: Token and Credential Management.

The roadmap seems to be a more inward-facing document for government agencies, and as such it recognizes the need for a transition period.  I think they are viewing identity assertions that we provide as something new that doesn't need a transition period; it just needs to be ready on day one.  The roadmap does, however, indicate that they're aware of the need for transition in many cases, and that may be useful to us.

David