This repository has been archived by the owner on Apr 29, 2021. It is now read-only.

Merge pull request #183 from GSA/staging
Push to production
idmken authored Jan 6, 2021
2 parents 8e11154 + b3faf6a commit 7c5dd4e
Showing 77 changed files with 110 additions and 132 deletions.
4 changes: 2 additions & 2 deletions _config.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
# Site settings
title: Federal Identity, Credential, and Access Management Architecture
title: Federal Identity, Credential, and Access Management Architecture v3.1
name: Federal Identity, Credential, and Access Management Architecture
email: [email protected]
author:
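Review bot: the version suffix "v3.1" is added only to `title`, while `name` on the next line keeps the unversioned string; wherever both values are rendered (for example the page `<title>` and the site header) they will now disagree, so either version both fields or hold the version in one dedicated site variable that templates reference.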
@@ -80,7 +80,7 @@ navigation:
internal: true
coll: true
collname: usecases
- text: Component Examples
- text: System Component Examples
url: components
internal: true
coll: false
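Review bot: the navigation label becomes "System Component Examples" while `url: components` and the collection flags stay the same, which is fine for routing; check that the target page's own heading and any in-text links that still say "Component Examples" were updated too, otherwise the menu entry and the page it opens will carry different names.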
5 changes: 0 additions & 5 deletions _includes/alert-preview.html

This file was deleted.

1 change: 0 additions & 1 deletion _layouts/default.html
@@ -17,7 +17,6 @@
<div class="usa-grid">

<div class="usa-width-one-whole">
{% include alert-preview.html %}
<div style="float: right;">
<a href="{{site.repo_url}}tree/{{ site.editbranch }}/{{ page.path }}" style="float:right;" class="btn btn-primary" target="_blank" rel="noopener noreferrer" >Edit this page</a>
</div>
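Review bot: removing `{% include alert-preview.html %}` is required because `_includes/alert-preview.html` is deleted in this same merge; grep the remaining layouts and includes for the same include name, since any leftover reference makes the Jekyll build fail with a missing-include error rather than degrade quietly.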
12 changes: 6 additions & 6 deletions _services/11_identity.md
@@ -6,22 +6,22 @@ permalink: services/identity/
---
![A red box with the list of Identity Management services defined later in the body text of this page.]({{site.baseurl}}/img/services/IdentityManagementServices.png){:align="right" style="padding-left:30px"}

Identity Management is how an agency uses attributes to establish and maintain enterprise identities for employees and contractors.
Identity Management is how an agency collects, verifies, and manages attributes to establish and maintain enterprise identities for federal government employees, contractors, and authorized mission partners. This service does not apply to public or consumer identity management.

An enterprise identity record is the set of attributes, or characteristics, that describe a person within a given context:

- Your identity within your agency’s Human Resources (HR) system is different from your personal identity at your personal bank.
- Your identity within your agency’s Human Resources (HR) system is different from your personal identity at your bank.
- A person’s identity as a government contractor is different from their identity as an Army Reservist.

Identities change and evolve over time, but they do not expire. You may get a promotion, change your name, receive additional training, or even retire, but your identity remains the same.
Your identity remains the same over time, though it evolves as your attributes change, such as when you get a promotion, change your name, receive additional training, or retire.

Agencies should manage identity attributes as centrally as possible and distribute them as needed. The following are some examples of identity attributes:

- *Core identity attributes* - First name, last name, and address of record.
- *Contact attributes* - Physical location, government phone number, and government email address.
- *Authorization attributes* - Clearance, training, and job codes.

Identity proofing is how an agency verifies an enterprise identity. The complexity of this process depends on the Identity Assurance Level (IAL) you require for an identity. Federal agencies require a minimum IAL3 for employees and contractors. For example, a federal employee or contractor must provide core identity attributes via a driver’s license or utility bill, and the agency must verify these identity documents and the individual’s biometrics.
Identity proofing is how an agency verifies an enterprise identity. The complexity of this process depends on the Identity Assurance Level (IAL) you require for an identity. Federal agencies require a minimum IAL3 for employees and contractors. For example, a federal employee or contractor presents identity attributes via a driver's licesne or utility bill. The agency verifies the identity documents and the individual's photo (biometric).

An identifier is a unique attribute used to locate an identity in a system:

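Review bot: the rewritten identity-proofing sentence has a typo, "licesne" for "license", and it keeps the statement that agencies require a minimum IAL3 for employees and contractors, while `_usecases/2_proofidentity.md` in this same merge is changed to say the minimum is IAL2; settle on one assurance level and state it identically in both files, because readers use these pages to decide what identity evidence to collect.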
Expand All @@ -42,7 +42,7 @@ The Identity Management services in the Federal ICAM architecture include Creati
### Identity Proofing

> Verify an identity’s attributes in order to issue a credential.
> Use identity attributes to connect a digital identity to a real-world entity.
> *Keywords*: Source Document Validation, Remote Proofing, In-Person Proofing
Expand All @@ -66,6 +66,6 @@ The Identity Management services in the Federal ICAM architecture include Creati
### Deactivation

> Deactivate or remove identity records.
> Deactivate or remove enterprise identity records.
> *Keywords*: Identity Lifecycle Management, Suspension, Archiving, Deletion
12 changes: 6 additions & 6 deletions _services/12_credential.md
@@ -8,7 +8,7 @@ permalink: services/credentials/

Credential Management is how an agency issues, manages, and revokes credentials bound to enterprise identities.

A credential is a data structure that authoritatively binds an authenticator to an existing identity using one or more identifiers. An employee or contractor uses an authenticator with a password or cryptographic module to assert their identity.
A credential is a data structure that authoritatively binds an authenticator to an existing identity using one or more identifiers.

The following are types of authenticators:

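Review bot: dropping "An employee or contractor uses an authenticator with a password or cryptographic module to assert their identity" removes the only sentence in this paragraph that says how an authenticator is used; if the password/cryptographic-module framing was the problem, replace it with a short pointer to the authenticator types listed immediately below rather than leaving the credential definition with no usage context.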
Expand All @@ -21,7 +21,7 @@ Level 2 for employees and contractors.

The following are some examples of credentials:

- You might use a PIV credential that includes a picture, the issuing agency logo, and cryptographic key pairs to assert your identity at a federal facility.
- You might use an agency-issued smart card, such as a PIV or CAC, that includes a picture and cryptographic key pairs to assert your identity at a federal facility.
- You might use a combination of credentials, like a username/password with a one-time password generated by a mobile application, to assert your identity to a federal web
application.

Expand All @@ -45,11 +45,11 @@ The Credential Management services in the Federal ICAM architecture include Spon
> *Keyword*: Enrollment
### Issuance
### Generation & Issuance

> Assign a credential to a person or entity.
> *Keywords*: Activation, Token
> *Keywords*: Activation, Token, Authenticator
### Maintenance

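Review bot: renaming the heading from "Issuance" to "Generation & Issuance" changes the auto-generated fragment id, so existing links to `#issuance` on this page will break, and the definition line "Assign a credential to a person or entity" no longer covers the generation half of the new heading; extend the definition to mention generating the credential or authenticator and check inbound links for the old fragment.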
Expand All @@ -59,6 +59,6 @@ The Credential Management services in the Federal ICAM architecture include Spon
### Revocation

> Withdraw a credential from a person or entity, or deactivate an authenticator.
> Revoke a credential from a person or entity, or deactivate an authenticator.
> *Keywords*: Termination
> *Keyword*: Termination
16 changes: 14 additions & 2 deletions _services/13_access.md
@@ -26,7 +26,10 @@ Authentication is generally a two-step process:
- Has the credential expired?
- Has the credential been revoked, voided, or tampered?

> *Step 2.* Use an authenticator mentioned in Credential Management to validate the credential holder.
> *Step 2.* Ensure the individual that the credential was issued to is the same individual that is presenting it:
- Do the photo and attributes on the credential match the person who presented it?
- Does the person know the PIN for the credential?
- Does the person have the private key on the smart card for the certificate presented to a website?

### Authorization

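Review bot: the third new bullet asks whether the person "has the private key on the smart card"; a website never sees that key, it checks that the holder can produce a signature over a fresh challenge with it, so "can prove possession of the private key for the certificate presented" describes what is actually validated. The three bullets are placed outside the `> *Step 2.*` blockquote, which matches how Step 1's bullets sit above, so rendering stays consistent.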
Expand All @@ -38,6 +41,15 @@ Authorization is how you decide whether you should allow someone to access an ag

Usually, authorization occurs immediately after authentication. When you log in to a service, you present your credentials, and the service confirms your credentials are valid (authentication) and grants or denies you access based on your assigned permissions (authorization).

Authorizations are based on four models:

- Access Control Lists (ACLs)
- Role-Based Access Control (RBAC)
- Policy-Based Access Control (PBAC)
- Attribute-Based Access Control (ABAC)

Each of these authorization models has benefits and limitations. The policies and access requirements defined by agency business owners help inform the model used to best suit their needs. More robust access control models, such as ABAC, can help agencies with improved automation and are increasingly adopted by cloud-native and cloud-friendly services.

Identity proofing is how you establish an identity. Authentication is how you confirm the identity. Authorization is how you use the identity.

## Access Management Services
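Review bot: "Authorizations are based on four models" reads as exhaustive, but ACLs, RBAC, PBAC and ABAC are not mutually exclusive in practice, so "commonly described using four models" is safer wording; the following paragraph says each model "has benefits and limitations" without naming one, so a clause per model (what it keys on, where it scales poorly) or a link to a reference would make the guidance actionable for the agency business owners it addresses.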
Expand All @@ -46,7 +58,7 @@ The Access Management services in the Federal ICAM architecture include Policy A

![A blue box with the Access Management service definitions, which are listed in the following body text.]({{site.baseurl}}/img/services/AccessManagementServiceDefinitions.png){:align="center"}

### Policy Administration
### Digital Policy Administration

> Create and maintain the technical access requirements that govern access to protected agency services.
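Review bot: the heading rename to "Digital Policy Administration" changes this page's fragment id and should also be reflected in the graphic referenced a few lines above (`AccessManagementServiceDefinitions.png`), which lists the service definitions; verify the image was regenerated with the new label so the figure and the heading do not name the service differently.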
16 changes: 7 additions & 9 deletions _services/14_federation.md
@@ -9,15 +9,13 @@ permalink: services/federation/

Federation is the technology, policies, standards, and processes that allow an agency to accept digital identities, attributes, and credentials managed by other agencies.

Federation has many different applications, including:
Federation has many different uses, including:

*Accepting an authentication transaction from another organization:*
- Accepting an authentication transaction from another organization:
- Agency A authenticates one of its users and passes identity attributes and transaction details to Agency B. Agency B grants access to an application for that identity.

> Agency A authenticates one of its users and passes identity attributes and transaction details to Agency B. Agency B grants access to an application for that identity.
*Accepting specific characteristics (i.e., attributes such as identifiers) describing an individual from another organization:*

> An individual can use their agency-issued credential containing an internal identifier(s) to directly log in to a different agency’s online service. The online service registers the identifier(s) in their system for future use.
- Accepting specific characteristics (i.e., attributes such as identifiers) describing an individual from another organization:
- An individual can use their agency-issued credential containing an internal identifier(s) to directly log in to a different agency’s online service. The online service registers the identifier(s) in their system for future use.

## Federation Services
The Federation services in the Federal ICAM architecture include Policy Alignment, Authentication Broker, and Attribute Exchange.
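Review bot: the example lines are meant to become sub-bullets of the two "- Accepting ..." items, but in this hunk they appear at the same indentation as their parents; kramdown needs the nested `- Agency A ...` and `- An individual ...` lines indented under the parent item to render as a nested list, otherwise the page shows four sibling bullets where the old version paired each heading with a quoted example.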
Expand All @@ -28,7 +26,7 @@ The Federation services in the Federal ICAM architecture include Policy Alignmen

> Develop relationships and a common understanding between parties by establishing authorities, policies, standards, and principles.
> *Keywords*: Trust Relationship
> *Keyword*: Trust Relationship
### Authentication Broker

Expand All @@ -40,4 +38,4 @@ The Federation services in the Federal ICAM architecture include Policy Alignmen

> Discover and acquire identity or other attributes between different systems to promote access decisions and interoperability.
> *Keywords*: Attribute Definition, ARS
> *Keyword*: Attribute Definition
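Review bot: "ARS" is dropped from the Attribute Exchange keywords without explanation; if the acronym is defined in a glossary elsewhere on the site, check whether this was its only use so the definition is not left orphaned, and if it was removed because it is never defined, that is the right call and worth a line in the commit message.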
4 changes: 2 additions & 2 deletions _services/15_governance.md
@@ -23,9 +23,9 @@ The Governance services in the Federal ICAM architecture include Identity Govern

### Identity Governance

> The systems, solutions, and rules that link enterprise personnel, applications, and data to help agencies manage access, risk, and mitigation needs.
> The systems, solutions, and rules that link enterprise personnel, applications, and data to help agencies manage access and risk.
> *Keywords*: Management Framework, Rules and Procedures
> *Keywords*: Management Framework, Rules and Procedures, Access Reviews and Recertifications
### Analytics

2 changes: 1 addition & 1 deletion _services/overview_services.md
@@ -7,7 +7,7 @@ permalink: /services/

The Services Framework identifies the services that provide functionality within the scope of ICAM. The Services Framework is a tool for you to help translate between business requirements and technical solutions.

The Services Framework is designed for ICAM Program Managers and Information Technology Enterprise Architects.
The Services Framework is designed for ICAM program managers and information technology enterprise architects.

This page describes the services that support each ICAM practice area and supporting element, with descriptions and simple graphics for you to use:

15 changes: 4 additions & 11 deletions _usecases/1_createidentity.md
@@ -29,11 +29,11 @@ td {
<table>
<tr>
<td style="width:250px;border:0px;"><strong>1. Collect information</strong> <br> <img src="../../img/usecases/1-1.png" width="250" alt="A diagram showing an employee or contractor providing identity information to an administrator with the authoritative source."></td>
<td style="border:0px;">The administrator collects identity information from the employee or contractor, and adds this information to the authoritative source.<i>This identity information may come from the individual, onboarding documents, or HR systems.</i></td>
<td style="border:0px;">The administrator collects identity information from the employee or contractor.<br><br><i>This identity information may come from the individual, onboarding documents, or HR systems.</i></td>
</tr>
<tr>
<td style="width:250px;border:0px;"><strong>2. Create an enterprise identity</strong> <br> <img src="../../img/usecases/1-2.png" width="250" alt="A diagram showing the authoritative source populating the identity information into a data repository, creating an enterprise identity in the authoritative source."></td>
<td style="border:0px;">The authoritative source sends the information to the system’s data repository. <br><br> Result: An enterprise identity in the authoritative source for the employee or contractor.</td>
<td style="border:0px;">The administrator adds the identity information to the authoritative source, a data repository. <br><br> Result: An enterprise identity in the authoritative source for the employee or contractor.</td>
</tr>
<tr>
<td style="width:250px;border:0px;"><strong>3. Maintain the enterprise identity</strong></td>
Expand All @@ -45,21 +45,14 @@ td {
</tr>
<tr>
<td style="width:250px;border:0px;"><strong>3b. Update the enterprise identity</strong> <br> <img src="../../img/usecases/1-3b.png" width="250" alt="A diagram showing two paths to update an identity. Path 1 is the administrator updating the enterprise identity directly in the authoritative source. Path 2 is the employee or contractor updating their personal information in an agency application, and the application updating the enterprise identity in the authoritative source."></td>
<td style="border:0px;">If an individual has updated personal information, there are two ways to update the enterprise identity: <ol> <li> The administrator updates the individual’s enterprise identity attributes directly in the authoritative sources.</li> <li>The individual uses an agency application to update their personal information, and the application updates the individual’s enterprise identity attributes in the authoritative sources.</li></ol></td>
<td style="border:0px;">If an individual has updated personal information, there are two ways to update the enterprise identity: <br> <br> <ul> <li> The administrator updates the individual’s enterprise identity attributes directly in the authoritative sources.</li> <li>The individual uses an agency application to update their personal information, and the application updates the individual’s enterprise identity attributes in the authoritative sources.</li></ul></td>
</tr>
<tr>
<td style="width:250px;border:0px;"><strong>3c. Delete the enterprise identity</strong> <br> <img src="../../img/usecases/1-3c.png" width="250" alt="A diagram showing an administrator deleting an enterprise identity."></td>
<td style="border:0px;">When you need to delete an enterprise identity, delete the identity attributes in the authoritative source.</td>
</tr>
</table>




## Example

I want to create a new enterprise identity, so that an individual may be established as a federal employee or contractor that will need to be identity proofed, credentialed, and granted access to agency services.

## Next Steps

[Proof the identity](../proofidentity) and [assign appropriate access entitlements](../manageaccess).
I want to create a new enterprise identity, so that an individual may be established as a federal employee or contractor who will need to be identity proofed, credentialed, and granted access to agency services.
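Review bot: switching the two update paths from `<ol>` to `<ul>` is correct, since they are alternatives rather than ordered steps, but this hunk also deletes the "## Next Steps" section with its links to `../proofidentity` and `../manageaccess` and moves the Example text to the end of the file; the same removal appears in `_usecases/2_proofidentity.md` in this merge, so if dropping Next Steps is intentional across the use cases, confirm nothing else on the site links to those sections and apply the same change to the remaining use-case pages.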
8 changes: 2 additions & 6 deletions _usecases/2_proofidentity.md
@@ -9,14 +9,14 @@ permalink: usecases/proofidentity/

Before you can create a credential and assign it to an individual, that person must provide proof of their claimed identity. Identity proofing is the process by which a federal agency collects and verifies information about a person to establish an enterprise identity.

The location or information that a person needs to access informs the Identity Assurance Level (IAL), which informs the elements you should require from that person for identity proofing. There are three IALs; however, federal agencies require a minimum of IAL3 for employees or contractors with recurring access to government resources, so these use cases do not include IAL1.
The location or information that a person needs to access informs the Identity Assurance Level (IAL), which determines the elements you should require from that person for identity proofing. There are three IALs; however, federal agencies require a minimum of IAL2 for employees or contractors with recurring access to government resources, so these use cases do not include IAL1.

This use case describes the high-level steps to proof an identity at IAL2 or IAL3. Depending on the required IAL, you may require increasingly more information from an employee or contractor or partner along with additional verification steps. The information provided by the employee or contractor is also known as identity evidence. Identity evidence may be physical, such as passports, driver’s licenses, and birth certificates.

- **IAL2** - first and last name, email address, and address of record, supported by appropriate identity documentation and verified as strong.
- **IAL3** - first and last name, email address, address of record, and fingerprints, supported by appropriate identity documentation and verified as superior.

For more information about identity proofing and IALs, see <a href="https://pages.nist.gov/800-63-3/" target="_blank">NIST SP 800-63-A</a> (Table 4-1).
For more information about identity proofing and IALs, see <a href="https://pages.nist.gov/800-63-3/" target="_blank">NIST SP 800-63-A</a> (Section 2.2).

---

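Review bot: changing the stated minimum from IAL3 to IAL2 is a policy statement rather than a wording fix, and it now conflicts with `_services/11_identity.md` in this same merge, which still says "Federal agencies require a minimum IAL3 for employees and contractors"; the Example further down this file also still describes the scenario as requiring IAL3 proofing. The citation also moves from Table 4-1 to Section 2.2; confirm the section against the published NIST SP 800-63A and fix the link text, which still reads "800-63-A".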
@@ -51,7 +51,3 @@ td {

- I want to proof the identity of an employee or contractor to verify that the individual is who she says she is, so that she can be issued a unique enterprise credential.
- Prospective employee or contractor has filled out their information in an HR system and requires IAL3 proofing, and minimum background investigations. The prospective employee/contractor is then scheduled for in-person proofing. The prospective employee/contractor brings required identity documentation, where the information is verified using approved documentation and biometrics are captured.

## Next Steps

[Create and issue a credential](../credential) and [manage access entitlements](../manageaccess).
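Review bot: removing "## Next Steps" leaves the page ending on the Example bullets, and the second bullet still says the prospective employee "requires IAL3 proofing", which reads as the baseline even though the hunk above lowers the stated minimum to IAL2; if the example is meant to illustrate the higher level, say so explicitly, and if Next Steps is being dropped site-wide, note that in the commit message.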