You can assign access entitlements to individuals, roles, and groups. These entitlements define an employee or contractor’s access to agency services, so you’ll need to assign entitlements before an employee or contractor can access an agency service.
In this use case, an administrator needs to assign entitlements to an employee or contractor.
@@ -548,6 +550,7 @@ You can combine or build upon the ICAM use cases to support your agency’s scen
After you identity proof an individual, you’ll issue some proof of that individual’s claimed identity. A credential (like a physical card) is a type of authenticator that serves as a tool for an employee or contractor to gain access to agency services.
+
Use Case
In this use case, an administrator needs to issue a credential to an employee or contractor.
diff --git a/_data/fpkidocs.yml b/_data/fpkidocs.yml
index cef6d7bc..e6f4afbc 100644
--- a/_data/fpkidocs.yml
+++ b/_data/fpkidocs.yml
@@ -4,6 +4,8 @@
# Status Post - Post it to the website;
# Status Archive - Document is three years old or no longer valid. The document is actually retained in this repository, but not posted to the website.
# Remove - Date to change status from post to archive. This could be three years for change proposals or three years from when a document was replaced.
+#
+# Used on: https://www.idmanagement.gov/fpki/
- category: FPKIMA Audit Letter
numberProposal: 2023
@@ -325,14 +327,6 @@
status: post
remove: 05/06/2025
-- category: Supplementary Guidance
- numberProposal: 1.01
- name: FPKI Annual Audit Review Guidelines v1.01
- date: 09/29/2021
- url: /docs/archived/fpki-annual-review-requirements_v1.01_20210929.pdf
- status: post
- remove: 09/29/2024
-
- category: Supplementary Guidance
numberProposal: 2.0.1
name: Personal Identity Verification Interoperability for Issuers v2.0.1
@@ -951,14 +945,6 @@
status: post
remove: 06/28/2024
-- category: Supplementary Guidance
- numberProposal: 1.0
- name: FPKI Annual Audit Review Guidelines v1.0
- date: 04/11/2017
- url: /docs/archived/fpki-annual-review-requirements-v1-20170411.pdf
- status: post
- remove: 09/30/2024
-
- category: Supplementary Guidance
numberProposal: 2.0
name: NIST SP 800-53 Security Controls Overlay for PKI Systems v2.0
@@ -1014,3 +1000,27 @@
url: /docs/archived/us-federal-public-trust-tls-cp-v1-0-final.pdf
status: post
remove: 02/06/2026
+
+- category: Annual Review Guidance
+ numberProposal: 1.2
+ name: FPKI Annual Review Requirements v1.2
+ date: 05/06/2022
+ url: /docs/archived/fpki-annual-review-requirements_v1.2_20240913.pdf
+ status: post
+ remove: 09/13/2027
+
+- category: Annual Review Guidance
+ numberProposal: 1.01
+ name: FPKI Annual Review Requirements v1.01
+ date: 09/29/2021
+ url: /docs/archived/fpki-annual-review-requirements_v1.01_20210929.pdf
+ status: post
+ remove: 09/29/2024
+
+- category: Annual Review Guidance
+ numberProposal: 1.0
+ name: FPKI Annual Review Requirements v1.0
+ date: 04/11/2017
+ url: /docs/archived/fpki-annual-review-requirements_v1.0_20170411.pdf
+ status: post
+ remove: 09/30/2024
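Review bot: In the new v1.2 entry the `date` field (05/06/2022) does not match the date stamp in its file name (`_v1.2_20240913.pdf`), whereas the v1.01 and v1.0 entries use the document date in both places (20210929, 20170411). Please confirm which date the file name is meant to carry and make the three entries consistent. Also, the v1.01 and v1.0 entries are re-added with `status: post` and `remove` dates of 09/29/2024 and 09/30/2024. Per the header comment in this file, that is the date the status changes from post to archive, and the crawler output in this same change is dated 2024-09-30, so these two look due for `status: archive` now.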
diff --git a/_ficampmo/fpki.md b/_ficampmo/fpki.md
index c0022ea6..67c5e7ce 100644
--- a/_ficampmo/fpki.md
+++ b/_ficampmo/fpki.md
@@ -50,6 +50,8 @@ The [FPKI Policy Authority (FPKIPA)]({{site.baseurl}}/ficam/#federal-public-key-
The FPKI has the following supplementary guidance:
- [Security Controls Overlay of NIST Special Publication 800-53 Revision 5 Security Controls for FPKI Systems (PDF, February 2021)]({{site.baseurl}}/docs/fpki-overlay-sp-800-53.pdf){:target="_blank"}{:rel="noopener noreferrer"} – The application of NIST Special Publication (SP) 800-53 security controls is required to operate a CA that is used in the FPKI and contains federal data. Review the controls overlay document to understand the requirements and details of each applicable control.
+- [FBCA: Cross-Certification Evaluation Framework v5.0 (PDF, September 2024)]({{site.baseurl}}/docs/fbca-cross-certification-eval-fw.pdf){:target="_blank"}{:rel="noopener noreferrer"} - This document provides a general framework for conducting FPKI cross-certification. This framework includes pre-conditions for being considered as an applicant, the cross-certification process, maintenance of the cross-certified status, and circumstances for terminating the
+cross-certification relationship.
- [Registration Authority Agreement Template v1.0 (Word, April 2017)]({{site.baseurl}}/docs/fpki-ssp-raa.docx){:target="_blank"}{:rel="noopener noreferrer"} - The purpose of this document is to identify and explain the roles and responsibilities of an enrollment/registration agent under the Federal PKI COMMON Policy Framework.
- [FPKI Incident Management Plan (PDF, September 2020)]({{site.baseurl}}/docs/fpki-imp.pdf){:target="_blank"}{:rel="noopener noreferrer"} - This document provides guidance on the roles and responsibilities applicable to the FPKI Policy Authority (FPKIPA), FPKI Management Authority (FPKIMA), and FPKI affiliates in the event of an incident.
- [Archived copies of Certificate Policies, Profiles, and other FPKI-related documents]({{site.baseurl}}/fpki/#federal-pki-document-archive) - This page contains three years of FPKI-related documents.
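Review bot: The added FBCA Cross-Certification item is hard-wrapped mid-sentence ("terminating the" / "cross-certification relationship.") with an unindented continuation line, while every other item in this list is a single line. Join the two lines so the bullet renders and diffs like its neighbours.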
@@ -62,7 +64,7 @@ Independent compliance audits are the primary way that the Federal Public Key In
Audits are required annually for supporting functions and elements of each entity. Annual review packages should be submitted to [fpki@gsa.gov](mailto:fpki@gsa.gov).
-- [FPKI Annual Review Requirements (PDF, May 2022)]({{site.baseurl}}/docs/fpki-annual-review-requirements.pdf){:target="_blank"}{:rel="noopener noreferrer"} – This document includes requirements for performing and reporting annual compliance audits.
+- [FPKI Annual Review Requirements (PDF, September 2024)]({{site.baseurl}}/docs/fpki-annual-review-requirements.pdf){:target="_blank"}{:rel="noopener noreferrer"} – This document includes requirements for performing and reporting annual compliance audits.
- [RA Audit Guidance Memorandum (PDF, October 2022]({{site.baseurl}}/docs/fpki-ra-audit-guidance.pdf){:target="_blank"}{:rel="noopener noreferrer"} – This FPKIPA Memorandum reiterates the necessity of RA audits in supporting PKI operations, normalizes differing terminology used across various references, and provides options for reducing potential duplication of RA audit efforts, as applicable to PIV issuers.
- Annual PIV and PIV-I Credential Issuer (PCI) Test Report: This test report supports the FPKI Annual Reviews and can be done either in person at the GSA FIPS 201 lab or remotely by the package submitter. Further details related to the Annual PCI Testing are located [here]({{site.baseurl}}/fips201ep/#personal-identity-verification-credentials).
- [Non-Compliance Management Framework For The Federal Public Key Infrastructure (FPKI) (PDF, January 2016)]({{site.baseurl}}/docs/fpki-nmf.pdf){:target="_blank"}{:rel="noopener noreferrer"} - This document provides guidance for the FPKI Policy Authority (FPKIPA) for responding to situations in which an FPKI FBCA member is not meeting their Memorandum of Agreement (MOA) requirements and obligations.
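Review bot: The item directly below the changed line has an unbalanced parenthesis in its link text, `(PDF, October 2022]`, which is missing the closing `)` before the `]`. Since this list is being edited for the date update anyway, fix it in the same change. The new "September 2024" label should also be checked against the `date` recorded for the corresponding entry in `_data/fpkidocs.yml`.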
diff --git a/_implement/fpki_notifications.md b/_implement/fpki_notifications.md
index 555e5ee4..51afdb30 100644
--- a/_implement/fpki_notifications.md
+++ b/_implement/fpki_notifications.md
@@ -74,7 +74,7 @@ These announcements and hot topics concern Federal Public Key Infrastructure cha
-**Last Update**: September 26, 2024
+**Last Update**: September 30, 2024
{% include graph.html %}
diff --git a/_implement/tools/crawler-lastrun.json b/_implement/tools/crawler-lastrun.json
index 4e365234..5af1dcee 100644
--- a/_implement/tools/crawler-lastrun.json
+++ b/_implement/tools/crawler-lastrun.json
@@ -4032,10 +4032,15 @@
"serial-number": "175567204229783743591458183087529700129959",
"akid": "09 e4 78 56 41 02 a4 6b 20 da 93 e8 45 f6 31 e1 4c c4 c4 fc",
"skid": "b8 51 62 66 30 45 be e5 0c 57 1c 23 68 7e e6 4f f7 0b 3e f7",
- "status": "Certificate Valid, but no Path to Common",
+ "status": "Certificate Invalid",
"pathbuilder-result": {
"result": "false",
- "details": "Unable to build Path"
+ "details": "End Entity Cert expired or not valid"
+ },
+ "parent_path_identifier": "common_name:Carillon Federal Services PIV-I CA2,organizational_unit_name:Certification Authorities,organization_name:Carillon Federal Services Inc.,country_name:US:09e478564102a46b20da93e845f631e14cc4c4fc",
+ "validity-dates": {
+ "not-before": "2023-09-26 14:12:18+00:00",
+ "not-after": "2024-09-30 14:12:18+00:00"
}
},
{
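Review bot: The added key `parent_path_identifier` uses underscores, while the surrounding keys in the same object are hyphenated (`serial-number`, `pathbuilder-result`, `validity-dates`). Anything that consumes this file has to handle both styles. If this JSON is generated output, the naming should be made consistent in the generator rather than by hand here.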
diff --git a/_implement/tools/fpki-certs.gexf b/_implement/tools/fpki-certs.gexf
index e125b7e0..e993c74a 100644
--- a/_implement/tools/fpki-certs.gexf
+++ b/_implement/tools/fpki-certs.gexf
@@ -1,8 +1,8 @@
-
+
py-crawler
- Created by Py-Crawler on 2024-09-26
+ Created by Py-Crawler on 2024-09-30
diff --git a/_partners/acquisition-professional.md b/_partners/acquisition-professional.md
index ccf00ec4..1d7c99da 100644
--- a/_partners/acquisition-professional.md
+++ b/_partners/acquisition-professional.md
@@ -68,9 +68,9 @@ GSA Multiple Award Schedule (MAS) provides access to long-term government-wide c
- [541519ICAM](https://www.gsa.gov/technology/it-contract-vehicles-and-purchasing-programs/multiple-award-schedule-it/identity-credentialing-and-access-management){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} – ICAM Solutions
- [541519PKI](https://www.gsa.gov/technology/it-contract-vehicles-and-purchasing-programs/multiple-award-schedule-it/pki-shared-service-providers-program){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} – PKI Shared Service Providers (SSP)
- [541519PIV](https://www.gsa.gov/technology/it-contract-vehicles-and-purchasing-programs/multiple-award-schedule-it/hspd12-product-and-service-components){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} – HSPD-12 Products and Service Components
- - [541519CSP]({{site.baseurl}}/docs/credential-service-provider-capabilities-template-may-2024.docx){:target="_blank"}{:rel="noopener noreferrer"} - Credential Service Provider: The CSP SIN offers a centralized list of vendors providing Credential Services for the federal government. The CSP Capabilities Template provides a framework for CSPs to describe what services they provide in a standardized way. The filled out and submitted document will be used to ensure that vendors listed on the SIN are providing credential services that meet the needs of the government, and to help categorize them as component or full service providers. The filled out documents will also be available to Federal Acquisition staff to assist in making informed decisions about which CSP vendors will meet the specific needs of their applications.
+ - [541519CSP]({{site.baseurl}}/docs/credential-service-provider-capabilities-template-may-2024.docx){:target="_blank"}{:rel="noopener noreferrer"} - Credential Service Provider: The CSP SIN offers a centralized list of vendors providing Credential Services for the federal government. The CSP Capabilities Template provides a framework for CSPs to describe what services they provide in a standardized way. The filled-out and submitted document will be used to ensure that vendors listed on the SIN are providing credential services that meet the needs of the government and to help categorize them as component or full-service providers. The filled-out documents will also be available to Federal Acquisition staff to assist in making informed decisions about which CSP vendors will meet the specific needs of their applications.
- [334290PACS](https://www.gsaelibrary.gsa.gov/ElibMain/sinDetails.do?scheduleNumber=MAS&specialItemNumber=334290L&executeQuery=YES){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} – Legacy PACS (non-FIPS 201)
- [541330SEC](https://www.gsaelibrary.gsa.gov/ElibMain/sinDetails.do?scheduleNumber=MAS&specialItemNumber=334290PACS&executeQuery=YES){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} – PACS integrator vendor
- [Multiple Award Schedule IT Special Item Numbers (SINs)](https://www.gsa.gov/technology/it-contract-vehicles-and-purchasing-programs/multiple-award-schedule-it){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} – Scroll down to “IT SINs” for links to specific items
-Note that the purchasing process may differ, depending on the particular product or service you want. If you need help, please contact icam at gsa dot gov.
+Note that the purchasing process may differ depending on the particular product or service you want. If you need help, please contact icam at gsa dot gov.
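Review bot: Two context items next to the edited bullet have link targets that do not match their labels: the `334290PACS` item points to `specialItemNumber=334290L`, and the `541330SEC` item points to `specialItemNumber=334290PACS`. This change only fixes wording, but while the list is open please verify those two URLs against the SINs they are labelled with.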
diff --git a/_partners/fibf.md b/_partners/fibf.md
index f4f97976..c13946fa 100644
--- a/_partners/fibf.md
+++ b/_partners/fibf.md
@@ -29,7 +29,7 @@ All five ICAM FIBF components are drafted and establish the ICAM baseline for in
The project timeline is as follows:
-[]({{site.baseurl}}/assets/fibf/framework-timeline.png){:target="_blank"}{:rel="noopener noreferrer"}
+[]({{site.baseurl}}/assets/fibf/framework-timeline.png){:target="_blank"}{:rel="noopener noreferrer"}
Please download **DRAFT ICAM FIBF Components 4 & 5** below to review:
- **[DRAFT ICAM FIBF Components 4 & 5]({{site.baseurl}}/docs/icam-fibf-workforce-identity-focused-excel-spreadsheet.xlsx){:target="_blank"}{:rel="noopener noreferrer"}**
diff --git a/_partners/program-managers.md b/_partners/program-managers.md
index f7b2396b..76518fa2 100644
--- a/_partners/program-managers.md
+++ b/_partners/program-managers.md
@@ -24,14 +24,14 @@ The Federal ICAM (FICAM) program helps federal agencies plan and manage enterpri
## ICAM Program Management 101
-The [ICAM Program Management 101]({{site.baseurl}}/university/pm/) explains how to plan, implement, and manage an ICAM Program. Here, you’ll find content for ICAM program managers who need agency-level planning guides and templates to drive adoption of ICAM services within their organizations as well as information on how to govern the program, identify and communicate with stakeholders, manage risk, and other related topics.
+The [ICAM Program Management 101]({{site.baseurl}}/university/pm/) explains how to plan, implement, and manage an ICAM Program. Here, you’ll find content for ICAM program managers who need agency-level planning guides and templates to drive adoption of ICAM services within their organizations, as well as information on how to govern the program, identify and communicate with stakeholders, manage risk, and other related topics.
This 101 guide answers the most common ICAM program organization and management questions, including:
- How can I establish governance to ensure ICAM alignment at the agency level?
- Who are my key ICAM stakeholders?
- What best practices support ICAM implementation?
-The guide is organized by sections, each of which describes an essential feature of ICAM program management, including recommendations and lessons learned from agencies who have implemented ICAM programs.
+The guide is organized into sections, each of which describes an essential feature of ICAM program management, including recommendations and lessons learned from agencies that have implemented ICAM programs.
## FICAM Architecture and Playbooks
@@ -55,5 +55,4 @@ These playbooks are hosted on GitHub and provide common policy interpretations a
## Related Information
- [National Cybersecurity Center of Excellence (NCCoE)](https://nccoe.nist.gov/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} – The NCCoE works with experts from industry, government, and academia to address businesses’ most pressing cybersecurity problems with practical, standards-based solutions using commercially available technologies.
-- [NIST Identity & Access Management](https://www.nist.gov/identity-access-management){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} – the NIST Identity & Access Management Resource Center,
-share efforts that strengthen the security, privacy, usability, and interoperability of solutions that meet an organization’s identity and access management needs throughout the system lifecycle.
+- [NIST Identity & Access Management](https://www.nist.gov/identity-access-management){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} – the NIST Identity & Access Management Resource Center shares efforts that strengthen the security, privacy, usability, and interoperability of solutions that meet an organization’s identity and access management needs throughout the system lifecycle.
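Review bot: In the rejoined NIST item the description still begins with a lowercase "the" after the dash ("– the NIST Identity & Access Management Resource Center shares ..."), whereas the NCCoE item above starts its description with a capital ("– The NCCoE works ..."). Capitalize it so the two entries in this list read the same way.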
diff --git a/_partners/vendors.md b/_partners/vendors.md
index 346a646d..07f8c225 100644
--- a/_partners/vendors.md
+++ b/_partners/vendors.md
@@ -15,7 +15,7 @@ subnav:
---
Federal agencies require systems and services to be functional, secure, and compatible with other products. The General Services Administration (GSA) supports these requirements through testing and identifying products and services.
-- The GSA Federal Acquisition Service issues long-term governmentwide contracts that provide federal, state, and local government buyers access to commercial products, services and solutions at pre-negotiated pricing.
+- The GSA Federal Acquisition Service issues long-term government-wide contracts that provide federal, state, and local government buyers access to commercial products, services, and solutions at pre-negotiated pricing.
- The GSA Office of Government-wide Policy provides testing and certification services for specific product categories.
In most cases, vendors who wish to sell Identity, Credentialing, and Access Management products or services to the federal government must apply to a Multiple Award Schedule (MAS) Special Item Number (SIN). All ICAM-related SINs require a technical evaluation. In the case of [SIN 541519CSP - Credential Service Provider (CSP)]({{site.baseurl}}/docs/credential-service-provider-capabilities-template-may-2024.docx){:target="_blank"}{:rel="noopener noreferrer"}, the provided capabilities template must be thoroughly completed.
@@ -25,7 +25,7 @@ In most cases, vendors who wish to sell Identity, Credentialing, and Access Mana
Two product categories require additional testing at a testing facility before applying to the Multiple Award Schedule.
1. Smart card credentials require testing by GSA or an approved lab. Products are listed on the [GSA FIPS 201 Approved Products List - PIV Cards]({{site.baseurl}}/fips201/#approved-products---piv-smart-cards ) category.
-2. Physical Access Control Systems (PACS) for buildings, including readers and infrastructure require testing by GSA. Products are listed on the [GSA FIPS 201 Approved Products List - Physical Access Control System Components]({{site.baseurl}}/fips201/#approved-products---physical-access-control-systems) category.
+2. Physical Access Control Systems (PACS) for buildings, including readers and infrastructure, require testing by GSA. Products are listed on the [GSA FIPS 201 Approved Products List - Physical Access Control System Components]({{site.baseurl}}/fips201/#approved-products---physical-access-control-systems) category.
Please get in touch with fips201ep at gsa dot gov if you have product approval questions.
@@ -48,7 +48,7 @@ The GSA [FIPS 201 Evaluation Program]({{site.baseurl}}/fips201ep/), tests [comme
Once you have reviewed the testing documents, contact one of the Testing Labs listed below. The lab will walk you through the application and testing process.
Three approved testing labs test PIV card stock:
-- [atsec information security corporation](http://www.atsec.com/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
+- [Atsec Information Security Corporation](http://www.atsec.com/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
- Contact: Andreas Fabis
- Phone: (512) 615-7300
- [Booz Allen Hamilton Cyber Assurance Testing Laboratory](http://csrc.nist.gov/groups/STM/testing_labs/#24){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
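Review bot: The link text changes from "atsec information security corporation" to "Atsec Information Security Corporation". The all-lowercase form looks like deliberate vendor styling rather than a typo, so please confirm the lab's preferred spelling before title-casing it. Separately, this link and the Booz Allen link in the context lines use `http://`. Switch them to `https://` if the sites support it.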
@@ -70,7 +70,7 @@ After testing and approval, apply to have your product or service listed on the
## Step 3 – Get on a GSA Schedule
-The GSA MAS Program also referred to as the "Schedule," is the premier contract vehicle for the federal government. The MAS Program is a long-term government-wide contract between commercial suppliers and the federal government. Holding a Schedule contract can open doors for a business, but it requires effort and commitment to succeed. [See if the Schedule is a good fit for your business first.](https://www.gsa.gov/buy-through-us/purchasing-programs/multiple-award-schedule/help-with-mas-contracts-to-sell-to-government/team-up-with-other-mas-contractors){:target= "_blank"}{:rel= "noopener noreferrer"}{:class="usa-link usa-link--external"}
+The GSA MAS Program, also referred to as the "Schedule," is the premier contract vehicle for the federal government. The MAS Program is a long-term government-wide contract between commercial suppliers and the federal government. Holding a Schedule contract can open doors for a business, but it requires effort and commitment to succeed. [See if the Schedule is a good fit for your business first.](https://www.gsa.gov/buy-through-us/purchasing-programs/multiple-award-schedule/help-with-mas-contracts-to-sell-to-government/team-up-with-other-mas-contractors){:target= "_blank"}{:rel= "noopener noreferrer"}{:class="usa-link usa-link--external"}
- [Sell through GSA MAS](https://www.gsa.gov/technology/it-contract-vehicles-and-purchasing-programs/multiple-award-schedule-it/sell-through-mas-information-technology){:target="_blank"}{:rel= "noopener noreferrer"}{:class="usa-link usa-link--external"} – Agencies use the MAS to fulfill their technology products and services needs.
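Review bot: The rewritten paragraph keeps the attribute lists `{:target= "_blank"}{:rel= "noopener noreferrer"}` with a space after the `=`, unlike the `{:target="_blank"}{:rel="noopener noreferrer"}` form used elsewhere in this file. The same spacing appears in `{:rel= "noopener noreferrer"}` on the "Sell through GSA MAS" item below. Normalize these while the line is being touched and check the rendered link, since `rel="noopener noreferrer"` only takes effect if the attribute list is actually parsed.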
diff --git a/docs/archived/fpki-annual-review-requirements-v1-20170411.pdf b/docs/archived/fpki-annual-review-requirements_v1.0_20170411.pdf
similarity index 100%
rename from docs/archived/fpki-annual-review-requirements-v1-20170411.pdf
rename to docs/archived/fpki-annual-review-requirements_v1.0_20170411.pdf
diff --git a/docs/archived/fpki-annual-review-requirements_v1.2_20240913.pdf b/docs/archived/fpki-annual-review-requirements_v1.2_20240913.pdf
new file mode 100644
index 00000000..8997f696
Binary files /dev/null and b/docs/archived/fpki-annual-review-requirements_v1.2_20240913.pdf differ
diff --git a/docs/fbca-cross-certification-eval-fw.pdf b/docs/fbca-cross-certification-eval-fw.pdf
new file mode 100644
index 00000000..8998ac70
Binary files /dev/null and b/docs/fbca-cross-certification-eval-fw.pdf differ
diff --git a/docs/fpki-annual-review-requirements.pdf b/docs/fpki-annual-review-requirements.pdf
index 5f86aaca..f84ead06 100644
Binary files a/docs/fpki-annual-review-requirements.pdf and b/docs/fpki-annual-review-requirements.pdf differ