DoD Enterprise Identity, Credential, and Access Management


UNCLASSIFIED

DoD Enterprise Identity, Credential, and Access Management (ICAM) Reference Design
Version 1.0
June 2020
Department of Defense
Prepared by Department of Defense, Office of the Chief Information Officer (DoD CIO)

Cleared as amended for open publication, Aug 07, 2020, Department of Defense Office of Prepublication and Security Review.

DISTRIBUTION STATEMENT C. Distribution authorized to U.S. Government agencies and their contractors (Administrative or Operational Use). Other requests for this document shall be referred to the DCIO-CS.

Document Approvals

Prepared By:
N. Thomas Lam, IE/Architecture and Engineering, Department of Defense, Office of the Chief Information Officer (DoD CIO). Digitally signed by LAM.NGOAN.THOMAS.1229438960, Date: 2020.07.16 11:22:39 -04'00'.
Thomas J Clancy, COL US Army, CS/Architecture and Capability Oversight, DoD ICAM Lead, Department of Defense, Office of the Chief Information Officer (DoD CIO). Digitally signed by CLANCY.THOMAS.JEROME.JR.1022639923, Date: 2020.07.16 11:29:55 -04'00'.

Approved By:
Peter T. Ranks, Deputy Chief Information Officer for Information Enterprise (DCIO IE), Department of Defense, Office of the Chief Information Officer (DoD CIO). Digitally signed by RANKS.PETER.THOMAS.1284616665, Date: 2020.07.16 17:25:42 -04'00'.
John (Jack) W. Wilmer III, Deputy Chief Information Officer for Cyber Security (DCIO CS), Department of Defense, Office of the Chief Information Officer (DoD CIO). Digitally signed by WILMER.JOHN.W.III.1267975430, Date: 2020.07.17 11:07:35 -04'00'.

Version History

Version: 1.0
Date: TBD
Approved By: TBD
Summary of Changes:
- Renames and replaces the IdAM Portfolio Description dated August 2015 and the IdAM Reference Architecture dated April 2014. (Existing IdAM SDs and TADs will remain valid until updated versions are established.)
- Updates name from Identity and Access Management (IdAM) to Identity, Credential, and Access Management (ICAM) to align with Federal government terminology
- Removes and cancels the list of formal ICAM related requirements
- Restructures document for clarity
- Updates ICAM Taxonomy to better conform to Federal ICAM Architecture
- Updates descriptions and data flows of ICAM capabilities
- Summarizes current DoD enterprise ICAM services
- Defines ICAM roles and responsibilities

Executive Summary

The purpose of this Identity, Credential, and Access Management (ICAM) Reference Design (RD) is to provide a high-level description of ICAM from a capability perspective, including transformational goals for ICAM in accordance with the Department of Defense (DoD) Digital Modernization Strategy. As described in Goal 3, Objective 2 of the DoD Digital Modernization Strategy, ICAM “creates a secure and trusted environment where any user can access all authorized resources (including [services, information systems], and data) to have a successful mission, while also letting the Department of Defense (DoD) know who is on the network at any given time.” This objective focuses on managing access to DoD resources while balancing the responsibility to share with the need to protect. ICAM is not a single process or technology, but is a complex set of systems and services that operate under varying policies and organizations.

There are significant advantages to the DoD in providing ICAM services at the DoD enterprise level, including consistency in how services are implemented, improved security, cost savings, and attribution by having a discrete defined digital identity for a single entity. ICAM is also fundamental for the transformation to a modern data-centric identity-based access management architecture that is required in a future-state Zero Trust (ZT) Architecture. To gain these advantages, DoD enterprise ICAM services must support functionality for both the DoD internal community and DoD mission partners, must provide interfaces that are usable by Component information systems, and must minimize or eliminate gaps in supporting ICAM capabilities.

The ICAM RD promotes centralization of identity and credential management, including attribute management and credential issuance and revocation. The ICAM RD also establishes standardized processes and protocols for authentication and authorization. Access decisions must be fundamentally managed by local administrators who understand the context and mission relevance for person entities and Non-Person Entities (NPE) who require access to resources.

The RD defines an ICAM taxonomy that is based on the core elements of the Federal ICAM (FICAM) Architecture, and describes data flow patterns for each of the capabilities defined in the ICAM taxonomy. Systems and services shown in these data flows may be operated at the DoD enterprise, DoD Component, Community of Interest (COI), or local level. In addition to generic data flow patterns, the RD provides a set of implementation patterns and their related use cases for ICAM capabilities. These patterns are intended to demonstrate how capabilities may be implemented to meet a broad set of mission and other needs. They are not intended to be prescriptive for how a given information system consumes ICAM capabilities, nor are they intended to describe all possible ICAM use cases. Finally, the RD describes existing and planned DoD Enterprise ICAM services, and roles and responsibilities for ICAM service providers and for DoD Components in deploying ICAM.

This document is not intended to mandate specific technologies, processes, or procedures. Instead, it is intended to:
- Aid mission owners in understanding ICAM requirements and describing current and planned DoD enterprise ICAM services to enable them to make decisions about ICAM implementation so that it meets the needs of the mission, including enabling authorized access by mission partners.
- Support the owners and operators of DoD enterprise ICAM services so that these services can effectively interface with each other to support ICAM capabilities.
- Support DoD Components in understanding how to consume DoD enterprise ICAM services and how to operate DoD Component, COI, or local level ICAM services when DoD enterprise services do not meet mission needs.

Each mission owner is responsible for ensuring ICAM is implemented in a secure manner consistent with mission requirements. Conducting operational, threat representative cybersecurity testing as part of ICAM implementation efforts is a mechanism that needs to be used to check secure implementation.

Contents

1. Introduction 1
1.1. Purpose 2
1.2. Applicability 3
1.3. DoD Community 4
    DoD Internal Community 4
    External Mission Partner Community 5
    Beneficiaries 5
    Other Entities 6
1.4. DoD Computing Environment 6
1.5. References 6
2. ICAM Capability Overview 9
2.1. Transformational Goals 10
2.2. ICAM Capability Taxonomy Overview (DoDAF CV-2) 11
    Core ICAM Capabilities 12
        2.2.1.1 Identity Management 13
        2.2.1.2 Credential Management 16
        2.2.1.3 Access Management 19
    Access Accountability Capabilities 23
        2.2.2.1 Log Collection and Consolidation 23
        2.2.2.2 Access Review 24
        2.2.2.3 Identity Resolution 25
    Contact Data Capabilities 25
        2.2.3.1 Contact Data Collection 26
        2.2.3.2 Contact Data Lookup 26
2.3. Using DoD Enterprise ICAM Services 26
    DoD Enterprise Benefits from Use of DoD Enterprise ICAM Services 26
    Information System Benefits from Using DoD Enterprise ICAM Services 27
    Mitigating Challenges to Using DoD Enterprise ICAM Services 27
3. ICAM Data Flows 29
3.1. Core ICAM Capabilities 32
    Identity Management 32
        3.1.1.1 Person Entity 33
        3.1.1.2 NPE 35
        3.1.1.3 Federated Entity 35
    Credential Management 36
        3.1.2.1 Internal Credential Management 36
        3.1.2.2 External Credential Registration 38
    Access Management 39
        ce Access Management 39
        Provisioning 40
        Authentication 42
        Authorization 45
    Access Accountability Capabilities 47
        Log Collection and Consolidation 47
        Access Review 48
        Identity Resolution 49
3.3. Contact Data Capabilities 50
4. ICAM Patterns and Associated Use Cases 51
4.1. Identity and Credential Patterns 51
    Unclassified Enterprise DoD Internal Initial Registration 51
    Unclassified Enterprise Mission Partner Entity Registration 53
    Community of Interest User Registration 54
    Community of Interest Person Entity Identity Provider Registration 56
    Secret Enterprise Registration for DoD and Federal Agencies 57
    Secret Enterprise Registration for Non-Federal Agency Mission Partner Entities 58
    Short-Lived NPE Registration 59
    DoD Beneficiary Registration 60
    DoD Applicant Registration 61
4.2. Access Management Patterns 62
    Access to DoD Managed Resources 62
    Access for Unanticipated Entities 63
    Privileged User Access 65
    Zero Trust 66
    Access to Software as a Service (SaaS) Cloud Managed System 66
4.3. Access Accountability Patterns 68
    Logging and Monitoring 68
    Access Review 69
    Identity Resolution 70
4.4. Contact Data Lookup 70
5. DoD Enterprise ICAM Services 72
5.1. DoD ICAM Enterprise Services Summary 72
5.2. Production DoD ICAM Enterprise Services 74
    Person Data Repository (PDR) 74
    Identity Resolution Service 75
    Trusted Associate Sponsorship System (TASS) 75
    DoD Public Key Infrastructure (PKI) 75
    Real-Time Automated Personnel Identification System (RAPIDS) 75
    NIPRNet Enterprise Alternate Token System (NEATS) / Alternate Token Issuance and Management System (ATIMS) 76
    Purebred 76
    DoD Self-service (DS) Logon 76
    Enterprise Identity Attribute Service (EIAS) 77
    Identity Synchronization Service (IdSS) 77
    milConnect 77
    Enterprise Directory Services (EDS) 77
    Global Directory Service (GDS) 78
5.3. Planned DoD ICAM Enterprise Services 78
    Mission Partner Registration (MPR) 78
    Identity Provider (IdP) 78
    Multi-Factor Authentication (MFA) Registration Service 79
    EIAS (Enhanced) 79
    Backend Attribute Exchange (BAE) 79
    DS Logon (Enhanced) 79
    Automated Account Provisioning (AAP) 79
    Master User Record (MUR) 80
6. ICAM Implementation Responsibilities 81
6.1. DoD ICAM Joint Program Integration Office (JPIO) Responsibilities 81
6.2. DoD Enterprise ICAM Service Provider Responsibilities 81
6.3. DoD Component Responsibilities 81
    Establish DoD Component Level ICAM Governance 81
    Support DoD Enterprise ICAM Services 82
    Use DoD Enterprise ICAM Services 82
    Operate COI and Local ICAM Services 82
6.4. Responsibilities Related to External Federated ICAM Service Providers 83
7. Summary of ICAM Service Gaps 84
Mappi

