Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

0815-link-check-final #469

Merged
merged 3 commits into from
Aug 21, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions _implement/scl-macos.md
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ Agencies may additionally choose a machine or user-based enforcement which disab
1. Machine-Based Enforcement (MBE): This implementation removes the option for password-based authentication in favor of smart card-only authentication for any account accessible by the macOS device (local or network).
2. User-Based Enforcement (UBE): This implementation creates an exception to smart card-only authentication for specific users or groups of users (e.g., network admins, device admins, and individuals waived from smart card requirements).

This [Apple Platform Deployment guide](https://support.apple.com/guide/deployment/configure-macos-smart-cardonly-authentication-depfce8de48b/1/web/1.0){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} provides some additional detail on MBE vs. UBE. Additional details on [Windows authentication enforcement models]({{site.baseurl}}/implement/group-policies/){:target="_blank"}{:rel="noopener noreferrer"} can be found here.
This [Apple Platform Deployment guide](https://support.apple.com/guide/deployment/configure-macos-smart-cardonly-authentication-depfce8de48b/1/web/1.0){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} provides some additional detail on MBE vs. UBE. Additional details on [Windows authentication enforcement models]({{site.baseurl}}/implement/scl-windows/#step-5---group-policies-and-enforcement){:target="_blank"}{:rel="noopener noreferrer"} can be found here.

## Local Account Pairing
Local Account Pairing is a user-prompted process.
Expand All @@ -45,7 +45,7 @@ Local Account Pairing is a user-prompted process.
See [this Apple Platform Deployment guide](https://support.apple.com/guide/deployment/use-a-smart-card-depc705651a9/web){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} for more information on local account pairing.

## Windows Domain Account Pairing
Most departments and agencies already maintain processes to map PIV attributes to Active Directory domain accounts. This playbook also provides guidance on the different models that can be used to [link domain accounts to PIV certificate attributes]({{site.baseurl}}/implement/account-linking/){:target="_blank"}.
Most departments and agencies already maintain processes to map PIV attributes to Active Directory domain accounts. This playbook also provides guidance on the different models that can be used to [link domain accounts to PIV certificate attributes]({{site.baseurl}}/implement/scl-windows/#step-4---account-linking){:target="_blank"}.

Ensure the following prerequisites are complete or ready:
1. The person completing this process has administrative privileges on the macOS device.
Expand Down
2 changes: 1 addition & 1 deletion _partners/fips201-apl.md
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,7 @@ The Physical Access Control System (PACS) products listed under the “Approved
| 5 | AMAG Symmetry Professional + HID Global Validation System | 10047 & 10048 | Update | In queue |
| 6 | AMAG Symmetry Professional + Identity One Validation System | 10143 & 10144 | Update | In queue |
| 7 | Genetec Security Center – Synergis with HID Global Validation System | 10061 & 10062 | Update | In queue |
| 8 | Identiv Velocity Security Management System 13.02 | 10103 | New Reader add | In queue |
| 8 | Identiv Velocity Security Management System 13.02 | 10103 | Update | In queue |
| 9 | LenelS2 OnGuard with Embedded Authentication (TI Entry Point) + uTrust Reader addition | 10126 & 10127 | New Reader add | In queue |


Expand Down
2 changes: 1 addition & 1 deletion _playbooks/playbook-autopen.md
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@ This playbook outlines the process for an agency to implement a Digital Autopen
2. [Define controls](#step-2-define-controls) to ensure the certificate and associated key are used only for the intended purpose.
3. [Obtain a role-based digital signature certificate](#step-3-obtain-a-digital-autopen-certificate) from a Federal Public Key Infrastructure (PKI) Shared Service Provider.

This playbook recommends using a role-based signature certificate issued to a hardware device (e.g., smart card, USB hardware device, or other FIPS–140 Level 2 certified hardware) from a [Federal PKI Certification Authority]({{site.baseurl}}/trust-services/#government-identity-services){:target="_blank"}{:rel="noopener noreferrer"}. [Federal Agency Certification Authorities]({{site.baseurl}}/fpki/ca/#all-federal-pki-certification-authorities){:target="_blank"}{:rel="noopener noreferrer"} may also issue this certificate on their own. The digital autopen certificate can only digitally sign documents. An agency should consider additional controls to limit its use only to sign *Federal Register* documents. This playbook supports [OMB Circular A-130 goals](https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}, including developing and implementing processes to support employee digital signatures.
This playbook recommends using a role-based signature certificate issued to a hardware device (e.g., smart card, USB hardware device, or other FIPS–140 Level 2 certified hardware) from a [Federal PKI Certification Authority]({{site.baseurl}}/trust-services/#government-identity-services){:target="_blank"}{:rel="noopener noreferrer"}. [Federal Agency Certification Authorities]({{site.baseurl}}/fpki/#annual-review-requirements-for-all-certification-authorities){:target="_blank"}{:rel="noopener noreferrer"} may also issue this certificate on their own. The digital autopen certificate can only digitally sign documents. An agency should consider additional controls to limit its use only to sign *Federal Register* documents. This playbook supports [OMB Circular A-130 goals](https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}, including developing and implementing processes to support employee digital signatures.

Send any questions on the process to ICAM at gsa.gov.

Expand Down
2 changes: 1 addition & 1 deletion _playbooks/playbook-dw.md
Original file line number Diff line number Diff line change
Expand Up @@ -106,7 +106,7 @@ Ensure digital worker identity management has proper governance, score the funct

## 1.1 Ensure Proper Oversight

The ICAM governance structure ensures enterprise identity management policies are updated to include digital worker management and use. For ICAM oversight and program management examples, see the [ICAM Program Management Playbook]({{site.baseurl}}/playbooks/pm/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}.
The ICAM governance structure ensures enterprise identity management policies are updated to include digital worker management and use. For ICAM oversight and program management examples, see the [ICAM Program Management Playbook]({{site.baseurl}}/university/pm/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}.

<p align="center"><b>Update the agency enterprise identity management policies to include digital worker identity management.</b></p>

Expand Down
6 changes: 3 additions & 3 deletions _playbooks/playbook-ilm.md
Original file line number Diff line number Diff line change
Expand Up @@ -204,11 +204,11 @@ The most common way to integrate non-PKI-derived credentials is through a modern

## Shift From Managing Credentials to Managing Identities

This playbook intends to help agencies achieve OMB Memo 19-17 outcomes to shift the focus operating model from managing access based solely on credentials to managing the lifecycle of identities and the appropriate job functions and roles as they evolve over time in an agency or the federal government. The [Identity Management services in the Federal ICAM architecture]({{site.baseurl}}/arch/servicesframework/#identity-management){:target="_blank"}{:rel="noopener noreferrer"} include Creation, Identity Proofing, Provisioning, Maintenance, Identity Aggregation, and Deactivation. These services are collectively known as Identity Lifecycle Management (ILM).
This playbook intends to help agencies achieve OMB Memo 19-17 outcomes to shift the focus operating model from managing access based solely on credentials to managing the lifecycle of identities and the appropriate job functions and roles as they evolve over time in an agency or the federal government. The [Identity Management services in the Federal ICAM architecture]({{site.baseurl}}/arch/#services-framework-and-service-descriptions){:target="_blank"}{:rel="noopener noreferrer"} include Creation, Identity Proofing, Provisioning, Maintenance, Identity Aggregation, and Deactivation. These services are collectively known as Identity Lifecycle Management (ILM).

### Step 1. Document the Process in an Agency Policy

Document an agency policy to identify the roles and responsibilities required to implement an identity lifecycle management process. It is a good practice to coordinate the document through the agency’s ICAM governance body to ensure all interested stakeholders are aware of the initiative and their respective responsibilities. This document should complement or be included in the agency’s existing ICAM policy. For more information on ICAM program management or the ICAM governance body, see the [ICAM Program Management Playbook]({{site.baseurl}}/pm/governance/){:target="_blank"}{:rel="noopener noreferrer"} or the [ICAM Governance Framework]({{site.baseurl}}/docs/playbook-identity-governance-framework.pdf){:target="_blank"}{:rel="noopener noreferrer"}. The agency policy should include the following elements.
Document an agency policy to identify the roles and responsibilities required to implement an identity lifecycle management process. It is a good practice to coordinate the document through the agency’s ICAM governance body to ensure all interested stakeholders are aware of the initiative and their respective responsibilities. This document should complement or be included in the agency’s existing ICAM policy. For more information on ICAM program management or the ICAM governance body, see the [ICAM Program Management Playbook]({{site.baseurl}}/university/pm/#program-governance-and-leadership){:target="_blank"}{:rel="noopener noreferrer"} or the [ICAM Governance Framework]({{site.baseurl}}/docs/playbook-identity-governance-framework.pdf){:target="_blank"}{:rel="noopener noreferrer"}. The agency policy should include the following elements.
1. Outline the purpose of implementing ILM.
2. The roles and responsibilities are mapped to the authoritative attribute source. Such as:
1. Training Office to gather security training status.
Expand Down Expand Up @@ -318,5 +318,5 @@ The ILM playbook outlined an identity lifecycle process and four steps to create
1. [Department of Defense ICAM Reference Design](https://dodcio.defense.gov/Portals/0/Documents/Cyber/DoD_Enterprise_ICAM_Reference_Design.pdf){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
2. [DHS CDM Max.gov Page](https://community.max.gov/download/attachments/1843519190/CDM-ARCH-2017-01.1.1-MUR-FUNCT-DESCR%2012082017.pdf?version=1&modificationDate=1568732697362&api=v2){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
3. [IDPro Body of Knowledge - An Overview of Digital Identity Lifecycle](https://bok.idpro.org/article/id/31/){:target="_blank"}{:rel="noopener noreferrer"}
4. [System for Cross-domain Identity Management (SCIM)](http://www.simplecloud.info/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
4. [System for Cross-domain Identity Management (SCIM)](https://scim.cloud/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}

4 changes: 2 additions & 2 deletions _playbooks/playbook-pam.md
Original file line number Diff line number Diff line change
Expand Up @@ -151,7 +151,7 @@ A privileged user policy interacts with multiple initiatives across an agency. E

- **High Value Asset (HVA)** - [OMB Memo 19-03](https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} outlines requirements to identify, track, and manage an agency's most critical assets. [Guidance from CISA](https://www.cisa.gov/sites/default/files/publications/Securing%20High%20Value%20Assets_Version%201.1_July%202018_508c.pdf){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} recommends using individual accounts, logging key security events, and implementing multi-factor authentication for all HVA users, particularly privileged users.
- **Insider threat** - Includes programs to detect and prevent unauthorized disclosure of sensitive information. An insider threat program provides, access to information, centralized information integration, analysis, response, insider threat awareness training, and user activity monitoring on government computers.
- **Cybersecurity/ICAM** - Responsible for identity, credential, and access management services and coordination. Privileged Access Management is a service area under [Access Management]({{siate.baseurl}}arch/services/#access-management).
- **Cybersecurity/ICAM** - Responsible for identity, credential, and access management services and coordination. Privileged Access Management is a service area under [Access Management]({{site.baseurl}}/arch/#access-management).
- **Continuous Diagnostic and Mitigation (CDM)** - Cybersecurity tools, integration services, and dashboards to help agencies reduce the attack surface, increase visibility into cybersecurity posture, improve response, and streamline FISMA reporting.
- **Risk Management** - Identify and track the implementation and operation of security controls.

Expand Down Expand Up @@ -408,7 +408,7 @@ The following documentation references help inform the development and direction
6. [NIST Interagency Report 7966 - Security of Interactive and Automated Access Management Using Secure Shell (SSH)](https://csrc.nist.gov/publications/detail/nistir/7966/final){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
- This publication assists organizations in understanding the basics of SSH interactive and automated access management in an enterprise, focusing on the management of SSH user keys.

7. [Federal Identity, Credentials, and Access Management (FICAM) Architecture - Access Management]({{site.baseurl}}/arch/servicesframework/#access-management){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
7. [Federal Identity, Credentials, and Access Management (FICAM) Architecture - Access Management]({{site.baseurl}}/arch/#access-management){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
- The FICAM Architecture is a framework for an agency to use in ICAM program and solution roadmap planning. Privileged Access Management is identified as a distinct service within the access management portion of the ICAM services framework.

8. [Common Sense Guide to Mitigating Insider Threats (6th Edition), February 2019](https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=540644){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
Expand Down
2 changes: 1 addition & 1 deletion _playbooks/playbook-sso.md
Original file line number Diff line number Diff line change
Expand Up @@ -185,7 +185,7 @@ With any project, a business case is used to capture the strategic, business, an

{% include alert-success.html heading="Best Practice - Building the Business Case" content="When building a business case, include qualitative aspects on how Enterprise SSO can improve user experience and security, a return on investment, and a cost-benefit analysis. Combining cost analysis (quantitative justification) and qualitative aspects may help obtain leadership support and funding." %}

Coordinate the business case development with your agency ICAM governance structure. The ICAM governance structure should oversee your ICAM projects and work streams and align ICAM services and management with your agency’s mission. For ICAM oversight and program management examples, see the [FICAM Program Management Guide]({{site.baseurl}}/pm/){:target="_blank"}{:rel="noopener noreferrer"}.
Coordinate the business case development with your agency ICAM governance structure. The ICAM governance structure should oversee your ICAM projects and work streams and align ICAM services and management with your agency’s mission. For ICAM oversight and program management examples, see the [FICAM Program Management Guide]({{site.baseurl}}/university/pm/){:target="_blank"}{:rel="noopener noreferrer"}.

### 1.4 Identify the Target State
Establish a realistic and achievable “to be” target state for your agency at key intervals (such as at one, three, and five years). Sometimes system impact level, access or credential requirements, or other factors can affect whether applications can integrate with your service. All applications are written differently, in different languages, at different times, for different purposes. Not all agency applications may support an assertion protocol. Your agency implementation should provide a range of compatible options, which will help realize the highest return on investment from the start.
Expand Down
Loading