Updates-and-misc #461

Merged
merged 5 commits into from
Aug 14, 2023
16 changes: 8 additions & 8 deletions _arch/zero-trust.md
Expand Up @@ -16,23 +16,23 @@ subnav:

---

FICAM is the foundation for U.S. Government agencies to mature towards Zero Trust cyber security architecture. Implementing identity credentials and access management concepts, policies, procedures and playbooks provides agencies a Zero Trust implementation strategy framework. The FICAM Key ICAM components directly help implement Zero Trust Architecture with:
FICAM is the foundation for U.S. Government agencies to mature towards Zero Trust cyber security architecture. Implementing identity credentials and access management concepts, policies, procedures and playbooks provides agencies with a Zero Trust implementation strategy framework. The FICAM Key ICAM components directly help implement Zero Trust Architecture with:

- Person and non-person entities - authenticate all users before providing access. Managing identities and providing secure MFA credentials is the first step in knowing who is requesting access.
- Endpoints - in addition to authenticating users, Zero Trust requires authenticating and approving endpoints, such as workstations, mobile devices, or internet of things devices.
- Person and non-person entities - authenticate all users before providing access. Managing identities and providing secure MFA credentials is the first step in knowing who requests access.
- Endpoints - in addition to authenticating users, Zero Trust requires authenticating and approving endpoints, such as workstations, mobile devices, or Internet of Things devices.
- Data, assets, applications, and services - definition and implementation of access policies are needed to implement the continuous evaluation aspect of Zero Trust.

Zero Trust cannot be achieved without strong identity management and mature ICAM capabilities for person and non person entities. OMB M-22-09, the Federal Zero Trust Strategy and CISA Zero Trust Maturity Model version 2.0 are a comprehensive set of access control policies and guidelines, setting the foundation for agencies to implement a Zero Trust architecture and related initiatives for your agency.
Zero Trust cannot be achieved without strong identity management and mature ICAM capabilities for person and non-person entities. OMB M-22-09, the Federal Zero Trust Strategy and CISA Zero Trust Maturity Model version 2.0 are a comprehensive set of access control policies and guidelines, setting the foundation for agencies to implement a Zero Trust architecture and related initiatives for your agency.

## Definition
Zero Trust concepts assume there is no implicit trust granted to assets or user accounts based on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established.
Zero Trust concepts assume there is no implicit trust granted to assets or user accounts based on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (subject and device) are discrete functions performed before a session to an enterprise resource is established.

## FICAM areas aligned to M-22-09
**Privileged user** is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users cannot perform—also known as a privileged IT user, privileged network user, or superuser. FICAM [Privileged Identity Playbook]({{site.baseurl}}/playbooks/pam/){:target="_blank"}{:rel="noopener noreferrer"} is a great place to start with ensuring robust management of privileged users and identities.

**Phishing resistant authenticator** is a form of authentication that is not susceptible to interception or replay attacks. The FICAM team has created a [Phishing Resistant Authenticator Criteria]({{site.baseurl}}/phish-criteria/) to help agencies accelerate adoption of phishing resistant authenticators. This criteria is a starting point for agencies to get started in their journey towards phishing resistant authenticators as they enhance their identity management systems. In addition, phishing resistant playbook helps agencies get a head start in implementing the concepts, saving agencies time and money.
**Phishing resistant authenticator** is a form of authentication that is not susceptible to interception or replay attacks. In addition, the ICAM Subcommittee is drafting a phishing-resistant playbook to help agencies get a head start in implementing the concepts, saving agencies time and money.

**Single Sign On** centralizes application access for agency employees and contractors, or federate access with other federal executive agencies. Leveraging the [Enterprise Single Sign On Playbook]({{site.baseurl}}/playbooks/sso/) will help agencies with enhanced management control of identities in a consolidated manner. Agencies are encouraged to use this playbook to centralize application access for agency employees and contractors, or federate access with other federal executive agencies.
**Single Sign On** centralizes application access for agency employees and contractors or federates access with other federal executive agencies. Leveraging the [Enterprise Single Sign On Playbook]({{site.baseurl}}/playbooks/sso/) will help agencies with enhanced management control of identities in a consolidated manner. Agencies are encouraged to use this playbook to centralize application access for agency employees and contractors or federate access with other federal executive agencies.

**User authorization** is a decision whether to grant access to a user or machine account following authentication. Authorization to resources can be fine grained to help achieve attribute based access vs the traditional role based access. FICAM has resources to help agencies with user authorization management activities as part of their ICAM solutions. Agencies can get started by leveraging [Cloud Identity Playbook]({{site.baseurl}}/playbooks/cloud/){:target="_blank"}{:rel="noopener noreferrer"} as a starting point. This playbook provides practical guidance to assist federal agencies startor further expand their use of workforce identity credential, and access management services in a cloud operating model.

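Review bot: the unchanged context line on the Cloud Identity Playbook still reads "assist federal agencies startor further expand their use of workforce identity credential, and access management services"; since this hunk is a wording pass over the neighbouring lines anyway, fix it in the same commit to "assist federal agencies start or further expand their use of workforce identity, credential, and access management services". Separately, the replacement sentence for the phishing-resistant authenticator paragraph says the ICAM Subcommittee "is drafting" a playbook; a status statement like that goes stale silently, so either phrase it without a status or plan to revisit it when the playbook lands. Dropping the link to the Phishing Resistant Authenticator Criteria here is consistent with the deletion of _partners/criteria-phishing.md in this PR.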
Expand Down Expand Up @@ -123,4 +123,4 @@ The [CISA Zero Trust Maturity Model](https://www.cisa.gov/sites/default/files/20
</ul>
</td>
</tr>
</table>
</table>
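Review bot: the only change in this hunk is the final `</table>` line, which looks like a trailing-newline fix; no content change, fine as-is.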
4 changes: 2 additions & 2 deletions _data/navigation.yml
Expand Up @@ -16,8 +16,8 @@ partners:
href: /program-managers/
- text: FIPS 201 - Approved Product List
href: /fips201/#approved-products---physical-access-control-systems # url updated to list everywhere?
- text: Phishing-Resistant Product Criteria
href: /phish-criteria/
# - text: Phishing-Resistant Product Criteria
# href: /phish-criteria/
- text: Federal Workforce Identity Services
href: /trust-services/

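Review bot: the Phishing-Resistant Product Criteria entry is commented out rather than removed, while the page it pointed to (_partners/criteria-phishing.md) is deleted in this same PR; either delete the two lines or add a comment saying why they are being kept, otherwise the dead entry will linger. The `# url updated to list everywhere?` comment on the FIPS 201 line is an open question left in the data file; resolve it here or move it to an issue rather than shipping it.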
2 changes: 1 addition & 1 deletion _ficampmo/gsapkissp.md
Expand Up @@ -277,7 +277,7 @@ A derived PIV certificate is either a software or hardware certificate issued

### PIV-I Certificates

PIV Interoperable(PIV-I) is a hardware-based smart card that follows the same technical standard as the PIV card, can interoperate with the PIV infrastructure, but does not require a favorably adjudicated Tier 1 or higher federal background investigation. A PIV-I card is issued to individuals who do not qualify for a PIV card. See the [PIV-I playbook]({{site.baseurl}}/playbooks/pivi/){:target="_blank"}{:rel="noopener noreferrer"} for more details.
PIV Interoperable(PIV-I) is a hardware-based smart card that follows the same technical standard as the PIV card, can interoperate with the PIV infrastructure, but does not require a favorably adjudicated Tier 1 or higher federal background investigation. A PIV-I card is issued to individuals who do not qualify for a PIV card. See the [PIV-I playbook]({{site.baseurl}}/university/pivi/){:target="_blank"}{:rel="noopener noreferrer"} for more details.

|**Type**|**COMMON OID**|
|--------|--------------|
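Review bot: the changed line only moves the PIV-I playbook link from /playbooks/pivi/ to /university/pivi/; confirm a redirect exists for the old path, since it may be linked from outside the site. While the line is being touched, "PIV Interoperable(PIV-I)" is missing the space before the parenthesis.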
4 changes: 2 additions & 2 deletions _implement/announcements/09_test_tools.md
Expand Up @@ -14,8 +14,8 @@ sidenav: fpkiannouncements

GSA has created two tools to streamline Federal PKI Annual Review testing with remote evaluation capabilities.

- [**Card Conformance Tool (CCT)**]({{site.baseurl}}/fpki/tools/cct/) - a GSA managed Java tool which validates that Personal Identity Verification (PIV) and PIV-Interoperable (PIV-I) smart cards are compliant with key standards.
- [**Certificate Profile Conformance Tool (CPCT)**]({{site.baseurl}}/fpki/tools/cpct/) - a web site application that analyzes certificates for conformance to a specific Federal PKI profile document version and certificate profile.
- [**Card Conformance Tool (CCT)**](https://github.com/GSA/piv-conformance/releases) - a GSA managed Java tool which validates that Personal Identity Verification (PIV) and PIV-Interoperable (PIV-I) smart cards are compliant with key standards.
- [**Certificate Profile Conformance Tool (CPCT)**](https://github.com/GSA/cpct-tool/releases/) - a web site application that analyzes certificates for conformance to a specific Federal PKI profile document version and certificate profile.

The tools enable entity representatives to perform testing directly, with results verified by the GSA FIPS 201 Evaluation Program support team. Benefits include:
- Preemptive identification of possible issues during development and maintenance, and
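Review bot: both tool links now point at GitHub releases pages, so they have become external links; the other hunks in this PR (zero-trust.md, gsapkissp.md) mark external links with `{:target="_blank"}{:rel="noopener noreferrer"}`, so add the same here for consistency. Also consider linking the releases page of the CCT repository in a way that survives a repository rename, and "a web site application" reads better as "a web application".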
4 changes: 2 additions & 2 deletions _implement/scl-windows.md
Expand Up @@ -748,7 +748,7 @@ For our use, this complex process is simplified into the following workflows:
<p>The PIV is damaged.</p>
<h3>Diagnosis</h3>
<p>If faulty workstation hardware or software is ruled out, and the card does not work on other readers, the PIV may need to be replaced.</p>
<p>To confirm that the card is functional, you can use the <a class="usa-link usa-link--external" href="https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil" target="_blank" rel="noopener noreferrer">Certutil Tool</a>, listed on the <a href="{{site.baseurl}}/fpki/tools/" target="_blank" rel="noopener noreferrer">Useful Tools page</a>, on a known working Windows workstation.</p>
<p>To confirm that the card is functional, you can use the <a class="usa-link usa-link--external" href="https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil" target="_blank" rel="noopener noreferrer">Certutil Tool</a>, listed on the <a href="{{site.baseurl}}/implement/#fpki-troubleshooting-tools" target="_blank" rel="noopener noreferrer">Useful Tools page</a>, on a known working Windows workstation.</p>
<p><strong>On the client:</strong></p>
<ol type="1">
<li>Log in to Windows using a password.</li>
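Review bot: the Certutil sentence now links to `{{site.baseurl}}/implement/#fpki-troubleshooting-tools` but the link text still says "Useful Tools page"; verify that the `fpki-troubleshooting-tools` anchor id actually exists on the implement index (Jekyll generates ids from the heading text, so a heading rename will silently break it) and rename the link text to match the section it lands on.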
Expand Down Expand Up @@ -932,7 +932,7 @@ For our use, this complex process is simplified into the following workflows:
<img src="{{site.baseurl}}/assets/piv/pivauth-operational-event30.png" alt="A screenshot of an Operational window labeled Event 30, CAPI2. Near the top of the screenshot, a row labeled Error is highlighted with yellow. Elsewhere in the screenshot, the subjectName and user name and the Result details are highlighted with yellow." width="766" height="652">
</ol>
<h3>Resolution</h3>
<p>Follow the steps in the <a href="{{site.baseurl}}/implement/trust-stores/" target="_blank" rel="noopener noreferrer">Trust Stores Playbook</a> to add the appropriate issuing CA for the PIV card to the Enterprise NTAuth trust store.</p>
<p>Follow the steps in the <a href="{{site.baseurl}}/implement/scl-windows/#step-3---trust-stores " target="_blank" rel="noopener noreferrer">Trust Stores Playbook</a> to add the appropriate issuing CA for the PIV card to the Enterprise NTAuth trust store.</p>
<hr />
<h2>Symptom</h2>
<p>During smart card logon attempt, the following error is displayed on the logon screen: <br><strong>The system could not log you on. Your credentials could not be verified.</strong></p>
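Review bot: the new href has a trailing space inside the quotes: `href="{{site.baseurl}}/implement/scl-windows/#step-3---trust-stores "`. Browsers mostly tolerate it, but it will be encoded as `%20` in some contexts and will fail a strict link checker; remove the space. The link text "Trust Stores Playbook" also no longer matches the target, which is Step 3 on this same page; rename it (for example "Step 3 - Trust Stores") so readers are not led to expect a separate playbook.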
148 changes: 0 additions & 148 deletions _partners/criteria-phishing.md

This file was deleted.
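Review bot: this page is deleted outright; the zero-trust.md hunk removes one inbound link and navigation.yml comments out the nav entry, but no redirect is added for /phish-criteria/. Search the rest of the site for `phish-criteria` and add a redirect (or a short retired-page note) so existing bookmarks and external references do not 404.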