Download:
pdf |
pdfUnited States
Department of
Agriculture
Office of
the Chief
Information
Officer
DR 3610-001
USDA eAuthentication Service
USDA eAuthentication Service
TABLE OF CONTENTS
Page
Table of Contents
i
1
Purpose
1
2
Policy
1
3
USDA eAuthentication Service
1
4
Authorities and Reference
6
5
Roles and Responsibilities
7
i
U.S. Department of Agriculture
Washington, D.C.
DEPARTMENTAL REGULATION
SUBJECT: USDA eAuthentication Service
NUMBER:
3610-001
DATE: November 4, 2004
OPI: Office of the Chief Information Officer
1
PURPOSE
The USDA eAuthentication Service is a strategic component of USDA’s
eGovernment vision and USDA’s Enterprise Architecture to provide common
authentication and authorization services for Web-based applications. This
Departmental Regulation documents USDA’s eAuthentication policy, framework,
roles and responsibilities. Policies in this Departmental Regulation are defined
around USDA’s enterprise architecture and investment strategies.
2
POLICY
The USDA eAuthentication Service provides authentication and authorization
services for USDA Web-based applications. Authentication confirms a person’s
identity, based on the reliability of his or her credential; authorization identifies
the person’s user permissions.
USDA agencies will use the USDA eAuthentication Service to implement
authentication and authorization capabilities for all Web-based applications. This
policy applies only to web-based applications. It does not apply to client/server,
mainframe, desktop, network or other legacy application architectures.
3
USDA eAUTHENTICATION SERVICE
The USDA eAuthentication Service supports the following concepts: Credential
Assurance Levels; Authentication Risk Assessment; Credential Management; Site
Protection; Records Management; Privacy Protection; Training; and Waivers.
1
DR 3610-001
a
November 4, 2004
Credential Assurance Levels:
Four identity authentication assurance levels, as defined by OMB and
NIST, shall be used for USDA electronic government services. These are:
(1)
(2)
(3)
(4)
b
Level 1 – Single-factor, login and password. User is not identityproofed and there is no assurance that the user is who he/she claims
to be.
Level 2 – Single-factor, login and password. User must be identityproofed through the presentation of identifying materials or
information. Identity-proofing may occur either through approved
“in-person” or “on-line” methods that are approved by the Office of
the Chief Information Officer (OCIO).
Level 3 - Multi-factor Public Key Infrastructure (PKI) soft or hard
tokens. User must be identity-proofed through the presentation of
identifying materials or information. Identity-proofing may occur
only through approved “in-person” methods approved by the OCIO.
Level 4 - Multi-factor PKI hard tokens. User must be identityproofed through the presentation of identifying materials or
information. Identity-proofing may occur only through approved
“in-person” methods approved by the OCIO.
Authentication Risk Assessment:
USDA agencies are responsible for determining the required level of
assurance for authentication for each business transaction. Authentication
risks with potentially higher consequences require higher levels of
assurance. This determination is accomplished through an authentication
risk assessment for the system or transaction. Agencies shall conduct this
risk assessment through:
(1)
(2)
(3)
The USDA Integrated Reporting Tool to determine risks and tie
the outcomes to an authentication level, and/or
A risk-mitigation process to determine whether mitigating controls
(management, operational or technical) can offset risks and thus
lower the authentication assurance level,
Completing a system Certification and Accreditation (C&A), as
appropriate.
Within the process defined above, final decisions on the appropriate level
of assurance to be used for a business transaction are delegated as follows:
•
Agency specific applications - the required authentication
assurance level will be the sole decision of the Agency that owns
the business process.
2
November 4, 2005
•
c
DR 3610-001
Department-wide or multi-agency applications – the required
assurance level will be a joint decision between the agency that
owns the business process and the USDA Office of the Chief
Information Officer (OCIO.)
Credential Management:
The USDA eAuthentication Service will adhere to credential management
processes that have been assessed at a particular Assurance Level as
described in the Office and Management and Budget (OMB) and the
National Institute of Standards and Technology (NIST) guidance.
Accordingly, for all USDA Web-based applications, users will utilize the
credentials provided and/or approved by the USDA eAuthentication
Service. These credentials include:
(1)
(2)
(3)
Levels 1 & 2 UserIDs and passwords for employees, customers
and affiliated users.
Levels 3 & 4 PKI credentials for employees issued by NFC.
Levels 3 & 4 PKI credentials for customers and affiliated users
issued by credential service providers that are approved by the
General Services Administration and the OCIO.
Management of credentials will include all “end-to-end” activities for the
credential including registration, issuance, use, modification, and
revocation. The USDA eAuthentication Service is responsible for
establishing procedures to ensure continued compliance with the OMB
and NIST guidance. Additionally, USDA agencies will be responsible for
implementing the procedures to ensure currency and accuracy of user
information.
The E-Authentication Presidential Initiative has adopted a Federated
Architecture for authentication. This architecture will allow for trusted
credentials from trusted Credential Services from other Federal Agencies
and external Industry Credential Services to be used at any participating
application. USDA’s eAuthentication Service will be an important part of
the Federal government’s architecture for authentication. Once integrated,
USDA credentials will be valid at integrated agency applications across
the government. Conversely, external credentials which have been
approved by the General Services Administration (GSA) may be used to
access USDA applications.
Integration with the Federated Architecture will be handled centrally
through USDA’s eAuthentication service. Agencies shall not perform any
integration with the Federated Architecture, but should integrate their
applications with eAuthentication.
3
DR 3610-001
d
November 4, 2004
Site Protection:
As stated above, authentication is the process for confirming a person’s
identity, while authorization is the process for identifying the person’s
user permissions. The USDA eAuthentication Service addresses coarsegrained authorization services based on user attributes and roles stored in
the USDA eAuthentication Service (e.g., the user is authorized to access
the application if “agency = FNS”). Fine-grained authorization, usually
business-specific information, will need to be addressed by the agency
application (e.g., the user is authorized to access the application if “loan
role=FSA loan approver”).
Accordingly, USDA agencies will:
(1)
(2)
(3)
Integrate web-based applications requiring authentication with the
USDA eAuthentication Service to provide user authentication
functionality,
Leverage the USDA eAuthentication Service to provide coarsegrained authorization when appropriate attributes/roles exist,
Create fine-grained authorization controls in the agency
application when required by the business function.
Roles implemented as part of bullet (2) above will be documented and
implemented according to approved USDA eAuthentication Service
procedures. The procedures include data definitions, administration of the
role and auditing of the role.
e
Records Management:
The USDA eAuthentication Service is responsible for maintaining a
record of the facts of registration and logons of users for a period beyond
expiration or revocation of a user’s credential. This time period varies
with the assurance level of the credential and is as follows:
(1)
(2)
(3)
Level 1 credentials – no minimum retention period,
Levels 2 and 3 credentials – seven years and six months, and
Level 4 – ten years and six months.
Agencies are responsible for maintaining a record of the application access
and transactions conducted (data entered, modified or deleted) through
their applications. Agency applications will use the USDA
eAuthentication Service’s “eAuth Internal ID” to identify the user in the
application’s audit trail.
Agency applications are also responsible for ensuring that the user
explicitly confirms his/her intent to commit a transaction. This may be
4
November 4, 2005
DR 3610-001
accomplished by directing the user to a “confirm and submit” type
function that is time-stamped and recorded by the application.
f
Privacy Protection:
The USDA eAuthentication Service will use credential information only
in the manner in which individuals have been notified it will be used (as
stated in the system’s Privacy Statement). This information includes user
credentials, personal information regarding the user, logon information
and audit log information.
USDA agencies are responsible for complying with the Privacy Act with
respect to transaction information associated with the user.
g
Training:
The USDA eAuthentication Service will be responsible for the
development of USDA eAuthentication Service specific training (and in
some situations, certification) curriculums for agency personnel
interfacing with the service, including program managers, application
developers, registration authorities and others. USDA agencies are
responsible to ensure that the training is delivered and completed as
intended.
h
Waivers:
This regulation directs all applications requiring authentication to integrate
with USDA’s eAuthentication Service. However, in some cases Agencies
may request a waiver for ephemeral or low impact internal applications.
In order to be considered for a waiver, an application must meet all of the
following requirements:
(1)
(2)
(3)
Results of a Risk Assessment must show that the application
requires only Level 1 authentication assurance:
The application is accessible only through the USDA Intranet: and
The application supports internal users only.
In addition, the application should fall into one or more of the following
categories:
•
•
•
A very small user population accesses the system.
The application has a short life span (e.g., a pilot or demonstration
system).
The application has a pre-existing authentication method (a waiver
granted for a pre-existing authentication method will only be valid
5
DR 3610-001
November 4, 2004
for a short time, the application will be expected to create and
implement an eAuthentication integration plan.)
If an application meets these requirements, the Agency may submit a
waiver request form to OCIO. The request will be reviewed for its
validity and adherence to the requirements of this Regulation. In instances
where a waiver is granted, it will have an expiration date. Extensions to
the waiver must repeat the process.
4
AUTHORITIES AND REFERENCES
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
USDA Strategic Plan and USDA eGovernment Strategic Plan;
H.R. 2458, E-Government Act of 2002, December 17, 2002;
Public Law 99-508, Electronic Communications Privacy Act of 1986,
October 21, 1986;
Public Law 100-235, H.R. 145, Computer Security Act of 1987, January 8,
1988;
Public Law 105-277, Title XVII, Government Paperwork Elimination Act
(GPEA), October 21 1998;
Public Law 106-222, Freedom to E-File Act, June 20, 2000 Public Law
106-229,
Electronic Signatures in Global & National Commerce Act, June 30,
2000;
H.R. 3802, Electronic Freedom of Information Act Amendments of 1996,
January 3, 1996;
U.S.C. § 552a, The Privacy Act of 1974;
29 U.S.C. § 794(d), Section 508 of the Rehabilitation Act of 1973, August
7, 1998;
Office of Management and Budget (OMB) Circular A-123, Management
Accountability and Control, June 21, 1995;
Office of Management and Budget (OMB) Circular A-127, Financial
Management Systems, July 23, 1993;
Office of Management and Budget (OMB) Circular A-130, Management
of Federal Information Resources, November 28, 2000;
Office of Management and Budget (OMB) Memo 00-10, Implementation
of the Government Paperwork Elimination Act, April 25, 2000;
National Institute of Standards and Technology (NIST) Special
Publication 800-9, Good Security Practices for Electronic Commerce,
Including Electronic Data Interchange, December 1993;
National Institute of Standards and Technology (NIST) Special
Publication 800-14, Guide for Developing Security Plans for Information
Technology Systems, September 1996;
National Institute of Standards and Technology (NIST) Special
Publication 800-25, Federal Agency Use of Public Key Technology for
Digital Signatures and Authentication, October 2000;
6
November 4, 2005
r
s
t
u
v
w
x
5
DR 3610-001
National Institute of Standards and Technology (NIST) Special
Publication 800-26, Security Self-Assessment Guide for Information
Technology Systems, August 2001;
Federal Information Processing Standards (FIPS) 102, Guidelines for
Computer Security Certification and Accreditation, September 1983;
National Security Telecommunications and Information Systems Security
Committee (NSTISSI) 4009, National Information Systems Security
(INFOSEC) Glossary, September 2000;
NIST Federal Information Processing Standards Publication 199,
“Standards for Security Categorization of Federal Information and
Information Systems” promulgated under the E-Government Act of 2002;
National Institute of Standards and Technology (NIST) Special
Publication 800-63, Electronic Authentication Guideline, June, 2004;
Office of Management and Budget (OMB) Memo 04-04, E-Authentication
Guidance for Federal Agencies, December 16, 2003; and
Homeland Security Presidential Directive HSPD-12, August 27, 2004.
ROLES AND RESPONSIBILITIES
a
Chief Information Officer (CIO), Deputy CIO, and Associate CIOs
will provide leadership for the implementation, enhancement, and
maintenance of the eAuthentication Service, including:
(1) The management and operations of the USDA eAuthentication
Service.
(2) The review of agency domain name requests for applications that are
best served using eAuthentication services by:
(a)
(b)
The coordination of the agency domain name requestor and the
OCIO evaluation of the agency application; and
The approval of domain names only after eAuthentication
evaluation has been completed.
(3) The creation and facilitation of a project-level Change Control Review
Board to advise OCIO on USDA eAuthentication Service functional
and technical issues.
b
Agency and Staff Office Executives, CIOs, DAMs and Agency
Contracting Officials. USDA agencies are responsible for supporting
USDA’s eAuthentication Initiative for Department and Government-wide
authentication and authorization. Agencies are responsible for
implementing procedures necessary to ensure compliance with this
Departmental Regulation.
7
DR 3610-001
c
November 4, 2004
USDA eAuthentication Service Change Control Review Board
The eAuthentication Service Change Control Review Board is responsible
for advising OCIO on eAuthentication functional and technical issues. It
is constituted of various USDA stakeholders that have decision authority
from their respective agencies.
End
8
File Type | application/pdf |
Author | USDA |
File Modified | 2004-11-05 |
File Created | 2004-11-05 |