DoD Enterprise Identity, Credential, and Access Management (ICAM) Reference Design


UNCLASSIFIED

DoD Enterprise Identity, Credential, and Access Management (ICAM)
Reference Design
Version 1.0
June 2020

Prepared by Department of Defense, Office of the Chief Information Officer (DoD CIO)

CLEARED AS AMENDED For Open Publication, Aug 07, 2020, Department of Defense, Office of Prepublication and Security Review.

DISTRIBUTION STATEMENT C. Distribution authorized to U.S. Government agencies and their contractors (Administrative or Operational Use). Other requests for this document shall be referred to the DCIO-CS.

Document Approvals

Prepared By:

N. Thomas Lam, IE/Architecture and Engineering, Department of Defense, Office of the Chief Information Officer (DoD CIO). Digitally signed by LAM.NGOAN.THOMAS.1229438960, 2020.07.16 11:22:39 -04'00'.

Thomas J. Clancy, COL US Army, CS/Architecture and Capability Oversight, DoD ICAM Lead, Department of Defense, Office of the Chief Information Officer (DoD CIO). Digitally signed by CLANCY.THOMAS.JEROME.JR.1022639923, 2020.07.16 11:29:55 -04'00'.

Approved By:

Peter T. Ranks, Deputy Chief Information Officer for Information Enterprise (DCIO IE), Department of Defense, Office of the Chief Information Officer (DoD CIO). Digitally signed by RANKS.PETER.THOMAS.1284616665, 2020.07.16 17:25:42 -04'00'.

John (Jack) W. Wilmer III, Deputy Chief Information Officer for Cyber Security (DCIO CS), Department of Defense, Office of the Chief Information Officer (DoD CIO). Digitally signed by WILMER.JOHN.W.III.1267975430, 2020.07.17 11:07:35 -04'00'.

Version History

Version 1.0. Date: TBD. Approved By: TBD. Summary of Changes:

• Renames and replaces the IdAM Portfolio Description dated August 2015 and the IdAM Reference Architecture dated April 2014. (Existing IdAM SDs and TADs will remain valid until updated versions are established.)
• Updates name from Identity and Access Management (IdAM) to Identity, Credential, and Access Management (ICAM) to align with Federal government terminology
• Removes and cancels the list of formal ICAM related requirements
• Restructures document for clarity
• Updates ICAM Taxonomy to better conform to Federal ICAM Architecture
• Updates descriptions and data flows of ICAM capabilities
• Summarizes current DoD enterprise ICAM services
• Defines ICAM roles and responsibilities

Executive Summary

The purpose of this Identity, Credential, and Access Management (ICAM) Reference Design (RD) is to provide a high-level description of ICAM from a capability perspective, including transformational goals for ICAM in accordance with the Department of Defense (DoD) Digital Modernization Strategy. As described in Goal 3, Objective 2 of the DoD Digital Modernization Strategy, ICAM "creates a secure and trusted environment where any user can access all authorized resources (including [services, information systems], and data) to have a successful mission, while also letting the Department of Defense (DoD) know who is on the network at any given time." This objective focuses on managing access to DoD resources while balancing the responsibility to share with the need to protect. ICAM is not a single process or technology, but is a complex set of systems and services that operate under varying policies and organizations.

There are significant advantages to the DoD in providing ICAM services at the DoD enterprise level, including consistency in how services are implemented, improved security, cost savings, and attribution by having a discrete defined digital identity for a single entity. ICAM is also fundamental for the transformation to a modern data-centric, identity-based access management architecture that is required in a future-state Zero Trust (ZT) Architecture. To gain these advantages, DoD enterprise ICAM services must support functionality for both the DoD internal community and DoD mission partners, must provide interfaces that are usable by Component information systems, and must minimize or eliminate gaps in supporting ICAM capabilities.

The ICAM RD promotes centralization of identity and credential management, including attribute management and credential issuance and revocation. The ICAM RD also establishes standardized processes and protocols for authentication and authorization. Access decisions, however, must be fundamentally managed by local administrators who understand the context and mission relevance for person entities and Non-Person Entities (NPE) that require access to resources.

The RD defines an ICAM taxonomy that is based on the core elements of the Federal ICAM (FICAM) Architecture, and describes data flow patterns for each of the capabilities defined in the ICAM taxonomy. Systems and services shown in these data flows may be operated at the DoD enterprise, DoD Component, Community of Interest (COI), or local level. In addition to generic data flow patterns, the RD provides a set of implementation patterns and their related use cases for ICAM capabilities. These patterns are intended to demonstrate how capabilities may be implemented to meet a broad set of mission and other needs. They are not intended to be prescriptive for how a given information system consumes ICAM capabilities, nor are they intended to describe all possible ICAM use cases. Finally, the RD describes existing and planned DoD Enterprise ICAM services, and roles and responsibilities for ICAM service providers and for DoD Components in deploying ICAM.

This document is not intended to mandate specific technologies, processes, or procedures. Instead, it is intended to:

• Aid mission owners in understanding ICAM requirements and describe current and planned DoD enterprise ICAM services, so that mission owners can make decisions about ICAM implementation that meet the needs of the mission, including enabling authorized access by mission partners.
• Support the owners and operators of DoD enterprise ICAM services so that these services can effectively interface with each other to support ICAM capabilities.
• Support DoD Components in understanding how to consume DoD enterprise ICAM services and how to operate DoD Component, COI, or local level ICAM services when DoD enterprise services do not meet mission needs.

Each mission owner is responsible for ensuring ICAM is implemented in a secure manner consistent with mission requirements. Operational, threat-representative cybersecurity testing conducted as part of ICAM implementation efforts is the mechanism for verifying that the implementation is in fact secure.

Contents

1. Introduction
  1.1. Purpose
  1.2. Applicability
  1.3. DoD Community
    DoD Internal Community
    External Mission Partner Community
    Beneficiaries
    Other Entities
  1.4. DoD Computing Environment
  1.5. References
2. ICAM Capability Overview
  2.1. Transformational Goals
  2.2. ICAM Capability Taxonomy Overview (DoDAF CV-2)
    Core ICAM Capabilities
      2.2.1.1 Identity Management
      2.2.1.2 Credential Management
      2.2.1.3 Access Management
    Access Accountability Capabilities
      2.2.2.1 Log Collection and Consolidation
      2.2.2.2 Access Review
      2.2.2.3 Identity Resolution
    Contact Data Capabilities
      2.2.3.1 Contact Data Collection
      2.2.3.2 Contact Data Lookup
  2.3. Using DoD Enterprise ICAM Services
    DoD Enterprise Benefits from Use of DoD Enterprise ICAM Services
    Information System Benefits from Using DoD Enterprise ICAM Services
    Mitigating Challenges to Using DoD Enterprise ICAM Services
3. ICAM Data Flows
  3.1. Core ICAM Capabilities
    Identity Management
      3.1.1.1 Person Entity
      3.1.1.2 NPE
      3.1.1.3 Federated Entity
    Credential Management
      3.1.2.1 Internal Credential Management
      3.1.2.2 External Credential Registration
    Access Management
      Resource Access Management
      Provisioning
      Authentication
      Authorization
  3.2. Access Accountability Capabilities
    Log Collection and Consolidation
    Access Review
    Identity Resolution
  3.3. Contact Data Capabilities
4. ICAM Patterns and Associated Use Cases
  4.1. Identity and Credential Patterns
    Unclassified Enterprise DoD Internal Initial Registration
    Unclassified Enterprise Mission Partner Entity Registration
    Community of Interest User Registration
    Community of Interest Person Entity Identity Provider Registration
    Secret Enterprise Registration for DoD and Federal Agencies
    Secret Enterprise Registration for Non-Federal Agency Mission Partner Entities
    Short-Lived NPE Registration
    DoD Beneficiary Registration
    DoD Applicant Registration
  4.2. Access Management Patterns
    Access to DoD Managed Resources
    Access for Unanticipated Entities
    Privileged User Access
    Zero Trust
    Access to Software as a Service (SaaS) Cloud Managed System
  4.3. Access Accountability Patterns
    Logging and Monitoring
    Access Review
    Identity Resolution
  4.4. Contact Data Lookup
5. DoD Enterprise ICAM Services
  5.1. DoD ICAM Enterprise Services Summary
  5.2. Production DoD ICAM Enterprise Services
    Person Data Repository (PDR)
    Identity Resolution Service
    Trusted Associate Sponsorship System (TASS)
    DoD Public Key Infrastructure (PKI)
    Real-Time Automated Personnel Identification System (RAPIDS)
    NIPRNet Enterprise Alternate Token System (NEATS) / Alternate Token Issuance and Management System (ATIMS)
    Purebred
    DoD Self-service (DS) Logon
    Enterprise Identity Attribute Service (EIAS)
    Identity Synchronization Service (IdSS)
    milConnect
    Enterprise Directory Services (EDS)
    Global Directory Service (GDS)
  5.3. Planned DoD ICAM Enterprise Services
    Mission Partner Registration (MPR)
    Identity Provider (IdP)
    Multi-Factor Authentication (MFA) Registration Service
    EIAS (Enhanced)
    Backend Attribute Exchange (BAE)
    DS Logon (Enhanced)
    Automated Account Provisioning (AAP)
    Master User Record (MUR)
6. ICAM Implementation Responsibilities
  6.1. DoD ICAM Joint Program Integration Office (JPIO) Responsibilities
  6.2. DoD Enterprise ICAM Service Provider Responsibilities
  6.3. DoD Component Responsibilities
    Establish DoD Component Level ICAM Governance
    Support DoD Enterprise ICAM Services
    Use DoD Enterprise ICAM Services
    Operate COI and Local ICAM Services
  6.4. Responsibilities Related to External Federated ICAM Service Providers
7. Summary of ICAM Service Gaps
Appendices
  Mapping ICAM Capabilities to the FICAM Architecture
  ICAM and the Risk Management Framework
  Case Study: Moving Beyond CAC Authentication and Authorization
  DoD Internal Community Persona Type Codes
  Non-Person Entity Type Codes
  Core Authorization Attributes
  Glossary of Terms
  Acronyms

Figures

Figure 1 – DoD ICAM Vision Capability Viewpoint (CV-1)
Figure 2 – Core ICAM High-Level Operational Concept Graphic (OV-1)
Figure 3 – ICAM Capability Taxonomy (CV-2)
Figure 4 – Person Entity Identity Creation (C1.1.1)
Figure 5 – Modify Identity Attributes (C1.1.1)
Figure 6 – Modify Attributes (C1.1.1)
Figure 7 – Deactivate Identity (C1.1.1)
Figure 8 – Create and Maintain NPE Identity (C1.1.2)
Figure 9 – Decommission NPE Identity (C1.1.2)
Figure 10 – Modify Federated Identity Attributes (C1.1.3)
Figure 11 – Credential Issuance (C1.2.1)
Figure 12 – Derived Credential Issuance (C1.2.1)
Figure 13 – Credential Revocation (C1.2.1)
Figure 14 – Credential Registration (C1.2.2)
Figure 15 – Resource Access Management via Hosting Information System (C1.3.1)
Figure 16 – Resource Access Management via Data Tagging (C1.3.1)
Figure 17 – Manual Provisioning (C1.3.2)
Figure 18 – Dynamic Provisioning (C1.3.2)
Figure 19 – Direct Authentication (C1.3.3)
Figure 20 – Authentication using a Reverse Proxy IdP (C1.3.3)
Figure 21 – Authentication using an IdP (C1.3.3)
Figure 22 – Authentication of an External Entity using an External IdP (C1.3.3)
Figure 23 – Direct Authorization (C1.3.4)
Figure 24 – Authorization using Reverse Proxy IdP (C1.3.4)
Figure 25 – Dynamic Access using ABAC (C1.3.4)
Figure 26 – Log Collection and Consolidation (C2.1)
Figure 27 – Person Entity Centric Access Review (C2.2)
Figure 28 – Resource Centric Access Review
Figure 29 – NPE Centric Access Review
Figure 30 – Identity Resolution (C2.3)
Figure 31 – Contact Data Collection and Lookup (C3.1, C3.2)
Figure 32 – Unclassified DoD Internal Initial Registration
Figure 33 – Unclassified Mission Partner Entity Registration
Figure 34 – COI User Registration
Figure 35 – COI IdP Registration
Figure 36 – Secret Network Initial Registration
Figure 37 – Secret Registration for Mission Partners
Figure 38 – Cloud Elasticity Registration
Figure 39 – DoD Beneficiary Registration
Figure 40 – Applicant Registration
Figure 41 – ICAM Service View (SvcV-1)

Tables

Table 1 – ICAM Strategy Goals and Objectives
Table 2 – Mitigating Challenges with Use of Enterprise ICAM
Table 3 – ICAM Data Flow Entities and Services
Table 4 – ICAM Enterprise Services
Table 5 – Summary of DoD ICAM Enterprise Capability Gaps
Table 6 – Mapping of ICAM Capabilities to FICAM Architecture Services
Table 7 – Mapping NIST SP 800-53 Controls to ICAM
Table 8 – Sample Modifications to Support Mission Partner Entity Access
Table 9 – Persona Type Codes
Table 10 – Glossary

Identity, Credential, and Access Management (ICAM) Reference Design (RD)

1. Introduction

As described in Goal 3, Objective 2 of the Department of Defense (DoD) Digital Modernization Strategy, Identity, Credential, and Access Management (ICAM) "creates a secure and trusted environment where any user can access all authorized resources (including [services, information systems], and data) to have a successful mission, while also letting DoD know who is on the network at any given time." To realize this objective, the DoD must support capabilities that:

• Provide identity, credential, and access management services to protect DoD information systems and DoD electronic Physical Access Control Systems (PACS) resources
• Provide access accountability
• Enable entities to look up contact data for person entities and Non-Person Entities (NPE)

ICAM is not new to the DoD. ICAM capabilities are already pervasive throughout the DoD because Information Technology (IT) devices, systems, applications, and services are in use throughout the DoD. All of this DoD IT has some form of ICAM capability implemented to protect the full range of DoD information systems and DoD PACS resources, from the least restricted and public to the most restricted and protected. In addition, current ICAM capabilities enable DoD personnel to find and contact each other and enable accountability of user behavior when accessing DoD resources.

Even though DoD ICAM capabilities already exist, these ICAM capabilities need to evolve, and additional ICAM systems and services need to be implemented to meet the DoD ICAM objective and to better align the DoD with the Federal ICAM (FICAM) Architecture. Additionally, DoD ICAM is evolving to support new operating environments such as cloud and the transformation to a modern identity-based access management architecture that is required in a future-state Zero Trust (ZT) Architecture.

DoD ICAM is not a single process or technology but is a complex set of systems and services that operate under varying policies and organizations.
