New NIST 800-63-3 Assurance Level Attributes

As you may know, NIST recently published a new version of the NIST SP 800-63 specification. To better align with the new levels of assurance that this updated specification defines, NIEF has defined three new assurance level attributes within the NIEF Attribute Registry as a new Assurance Level Attribute Bundle.  NIEF encourages participating Identity Providers to add support for these new attributes.  These attributes do not map precisely to the legacy assurance attributes, but many of the same underlying security principles dictate the appropriate levels of assurance.  If you have any concerns about what levels of assurance are appropriate for your IDP to assert, feel free to reach out to help@nief.org.

Deprecation of TIBO/TIB Support

NIEF has officially deprecated support for the Trusted Identity Broker Organization (TIBO) membership role. A TIBO was a type of NIEF membership through which an agency could operate a Trusted Identity Broker (TIB) software service and thereby act as an identity broker for one or more other, non-NIEF-member agencies, enabling users from those agencies to gain access to resources offered by NIEF Service Provider Organizations (SPOs).

We previously supported the TIBO concept because it appeared to offer an appealing solution to “inter-federation” scenarios, in which users from one identity federation could reuse their identities across federation borders, within a different identity federation. But we discovered that the TIBO/TIB identity brokering model carries unacceptable consequences in terms of legal liability for NIEF and its member agencies. In lieu of the TIBO/TIB model, NIEF now supports a trustmark-based approach that enables many aspects of “inter-federation” connectivity without these legal limitations.

Announcing Availability of TXMAP to NIEF Members

We are pleased to announce the availability of the Texas Department of Public Safety’s TXMAP web mapping application. TXMAP is a multi-faceted data mapping and reporting tool.  It provides users access to a variety of data ranging from secure critical infrastructure and law enforcement data to public data such as registered sex offender home addresses.  TXMAP can provide value to law enforcement agencies, public safety organizations, emergency management groups, and others.

To gain access to TXMAP, your IDP must provide the minimal required set of attributes as per TXMAP auditing requirements. This includes given name, surname, email, employer name, federation id, and identity provider id.  TXMAP grants additional privileges to users that have additional attributes including ORI, identity proofing assurance level, electronic authentication assurance level, PCII Certification Indicator, Sworn LEO, and Public Safety Officer.

If your organization needs to update its local trust stores, you can find the NIEF trust fabric entry for TXMAP within the NIEF Trust Fabric Registry and in the NIEF Trust Fabric file.

If you have any questions about TXMAP and NIEF, or if you encounter any problems while trying to configure your IDP for access to TXMAP, please contact us at help@gfipm.net.

Announcing Availability of Apiary to NIEF Members

GTRI is proud to announce the availability of Apiary as a new service provider on NIEF.

Apiary is an automated framework for malware analysis and threat intelligence that combines “crowd-sourced” data collection with a centralized set of sophisticated analysis tools for the benefit of all its users. Members of the Apiary vetted community can anonymously upload malware, or suspected malware, and benefit from Apiary’s ongoing in-depth malware correlation and behavior analysis algorithms. The results of Apiary’s analysis are delivered automatically within a secure information sharing environment. The Apiary and its community are an ideal resource for analysts and investigators who deal with cyber crime, as well as all companies and agencies that are trying to protect their organization’s IT assets from malware.

Apiary was developed by GTRI’s Cyber Technology and Information Security Laboratory (CTISL), and is now available to all users within NIEF. It is available via the NIEF Portal or directly via SAML Single Sign-On with your NIEF Identity Provider (IDP) at https://nief.apiary.gtri.gatech.edu/.

To gain access to Apiary, your IDP must provide your first name, last name, email address, and employer name for UI customization and account provisioning purposes, but this data is not shared with any other users of Apiary, and therefore preserves the anonymity of both your employer and you as an individual as you use Apiary’s tools and features. Apiary is currently planning to offer additional capabilities and features at a cost, but the core functionality of the Apiary tool is available to NIEF users at no charge.

NIEF Identity Provider Organizations (IDPOs) may need to update their local trust configuration to add Apiary as a new trusted Service Provider (SP). (Those IDPOs that have deployed the Shibboleth IDP software need not take any action, as Shibboleth automatically refreshes its trust configuration based on updates to the NIEF Trust Fabric.) For those who need to update their configuration manually, the NIEF Trust Fabric is available here.

https://nief.org/trust-fabric/nief-trust-fabric.xml

Within the NIEF Trust Fabric, the Apiary entry can be found by searching for the entity ID “https://nief.apiary.gtri.gatech.edu/shibboleth”.

If you have any questions about Apiary and NIEF, or if you encounter any problems while trying to configure your IDP for access to Apiary, please contact us at help@gfipm.net.

Announcing the NIEF QuickStart Program

Together with the Georgia Tech Research Institute (GTRI) and the National Association of State Chief Information Officers (NASCIO), NIEF is pleased to announce the NIEF QuickStart program.

Under this program, GTRI and NASCIO will select a small group of government agencies from among the U.S. State, Local, Tribal, and Territorial (SLTT) government community, and GTRI will assist selected agencies by facilitating and shepherding them through NIEF’s formal on-boarding process. It is expected that the selected on-boarding projects will be completed in approximately twelve (12) months.

Agencies interested in submitting a readiness assessment to be considered for participation in the NIEF QuickStart Program can go to http://www.surveymonkey.com/s/R8Z7CBN and submit an assessment profile online.

For more information, including NASCIO and GTRI contacts who can answer your questions, please download and review the NIEF QuickStart Program Summary.

New NIEF Signing Certificate / Key Pair

The X.509 certificate and key used to sign the NIEF trust fabric has been updated.  During the deployment of new trust fabric management tools for FICAM compliance, the old key was deleted, requiring a new key to be created.  There is no security risk in trusting the old NIEF certificate, but it will no longer be in use.  The new NIEF certificate is available for download from the NIEF Trust Fabric page.  All NIEF members should update their SAML systems to trust the new certificate.

Please contact help@gfipm.net if you have any concerns or need any assistance in updating your SAML systems.


Migration to SHA-256

In accordance with NIST SP 800-131A, NIEF will be migrating away from the use of SHA-1 by the end of 2013.  The NIEF trust fabric will no longer be published using SHA-1 digital signatures, and members of NIEF will be validated to ensure their SAML operations are using SHA-256 as their onboarding is updated for FICAM compliance.
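As an added illustration (not NIEF's own tooling), here are two checks an IDP operator might run against a downloaded trust fabric: whether its XML signature still uses SHA-1 algorithm URIs, and whether a given entity, here the Apiary entityID from the announcement above, is present and in what role. The metadata embedded below is a constructed, SHA-1-signed sample, not the real NIEF file.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Algorithm URIs that the SHA-1 deprecation in SP 800-131A rules out for new signatures.
SHA1_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
             "http://www.w3.org/2000/09/xmldsig#sha1"}

# Constructed sample: a SHA-1-signed aggregate holding one SP entry (not the real file).
SAMPLE_FABRIC = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:constructed:sample">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>Y29uc3RydWN0ZWQ=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue>
  </ds:Signature>
  <md:EntityDescriptor entityID="https://nief.apiary.gtri.gatech.edu/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def weak_signature_algorithms(xml_text):
    """Return every SHA-1 SignatureMethod/DigestMethod URI found in the
    document's XML signatures; an empty list means the SHA-256 migration is done."""
    root = ET.fromstring(xml_text)
    found = []
    for tag in ("ds:SignatureMethod", "ds:DigestMethod"):
        for el in root.iterfind(".//" + tag, NS):
            if el.get("Algorithm") in SHA1_ALGS:
                found.append(el.get("Algorithm"))
    return found


def entity_roles(xml_text, entity_id):
    """Return the SAML roles (e.g. 'SPSSODescriptor') declared by the entity
    with the given entityID, or None if it is absent from the aggregate."""
    root = ET.fromstring(xml_text)
    for ed in root.iterfind(".//md:EntityDescriptor", NS):
        if ed.get("entityID") == entity_id:
            return [child.tag.split("}")[1] for child in ed
                    if child.tag.startswith("{" + NS["md"] + "}")]
    return None
```

Note that this only inspects the algorithm URIs; actually verifying the signature against the new NIEF certificate requires an XML Signature library, which is deliberately out of scope here.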

Please direct any questions or concerns to help@gfipm.net.