
OMB – IT Notes

April 6, 2024

OMB mandates are coordinated through the CIO Council

  • Execution Plan
  • FDCCI (Federal Data Center Consolidation Initiative)
  • CIO Council program aligned with OMB requirements
  • Four primary goals
    • Reduce costs
    • Increase security
    • Increase efficiency
    • Reduce energy consumption

OMB M-11-11

  • Requires the 20xx IT budget submission to address logical (IT system) PIV integration
  • Cloud Computing Strategy “Cloud First”
    • Efficiency, agility and innovation
    • Accelerate FDCCI
    • FedRAMP
  • Eliminate
    • Risk of privileged access through anonymous shared accounts
    • Expense of redundant administrative access solutions
    • Complication of ineffective homegrown solutions
  • Enable
    • Enterprise PIV Level 4 credential for privileged access
    • Centralized policy management and compliance reporting for privileged users
    • New Enterprise, support for legacy IT, Data Center, private and public cloud
  • Move Forward
    • Rapid deployment
    • OMB-mandated compliance, DoD policy and FISMA-required security controls
    • Support emerging continuous monitoring requirements
  • Problem: Consolidate & grant secure access to geographically dispersed data centers
    • Centralize access control across agencies with distinct missions
    • Ensure contained and auditable access
    • Meet federal compliance requirements (FDCC / FISMA)
  • Results: Control over privileged users and critical infrastructure and assets
    • Tight control over who gets access to what, when and for how long
    • Contain users from the 21 component agencies to authorized systems only
    • Audit quality logging for compliance
    • Continuous monitoring
  • Vault & Manage Credentials
  • Public Sector Ready
    • FIPS compliant
    • PIV / CAC smart card authentication across enterprise systems, the AWS Management Console and EC2 instances
    • AWS GovCloud (US) support

Extended Management Plane & Risk Surface Area

  • Shared Security and Audit Model
  • On-demand procurement paradigm
  • Federated privileged identity & attribution
  • New regulatory mandates & auditor scrutiny
  • Highly dynamic, elastic environments

Comprehensive / integrated control set

  • Protect systems / application / consoles across hybrid-cloud environments
  • Architected specifically for highly dynamic cloud environments

DoD Instruction (DoDI) 8520.03

  • Administrative accounts shall not be accessed from untrusted or user-managed environments
  • Administrative accounts, both DoD and partner, must use a Level 4 credential

US Federal Government Requires PIM

  • Continuous Diagnostics and Mitigation (CDM)

NIST 800-53

  • Privileged users require a broad set of security controls: AC, AU, CA, CM, IA, MA, etc.
    • NIST SP 800-53 r4
    • FedRAMP v2

2011 FISMA Report

  • Privileged access identified by the Inspectors General (IG) as the area most in need of improvement
  • Use of risky shared accounts, with no identified policy

HSPD-12

  • Homeland Security Presidential Directive establishing a common trusted identity standard for physical and logical access

FICAM

  • Chaired by agency CIOs; develops the common framework and maintains the roadmap

NIST 800-63

  • Electronic authentication guideline; defines assurance levels 1 through 4.

FIPS 201-2

  • Personal Identity Verification (PIV) of federal employees and contractors
    • X.509-based federated PKI
    • Revised draft addresses mobility

ICAM Roadmap Guidance for Privileged Users

  • Agencies shall use high assurance credentials for administrative users
    • Level 4 Personal Identity Verification (PIV) card
      • Smart cards with embedded PKI Certificate
      • Commonly referred to in DoD as CAC (Common Access Card)
    • Minimize the use of passwords and tokens for all administration
    • Agencies should eliminate duplicative infrastructure to reduce or eliminate the costs associated with expired or forgotten passwords.
    • Eliminate application-specific password tokens
      • Enable applications to accept the PIV card for federal employees and contractors