Title

The application must conform to Federal Identity, Credential, and Access Management (FICAM)-issued profiles. (Cat II impact)

Discussion

FICAM establishes a federated identity framework for the federal government. FICAM provides government-wide services for common Identity, Credential, and Access Management (ICAM) requirements. The FICAM Trust Framework Solutions (TFS) is the federated identity framework for the U.S. federal government. The TFS is a process by which Industry Trust Frameworks (The codification of requirements for credentials and their issuance, privacy and security requirements, as well as auditing qualifications and processes) are evaluated and assessed for potential use by the government. This requirement only applies to applications that are intended to be accessible to nonfederal government agencies and other partners or nonorganizational (non-DOD) users. Without conforming to FICAM-issued profiles, the information system may not be interoperable with FICAM-authentication protocols, such as SAML 2.0, OpenID 2.0 or other protocols such as the FICAM backend Attribute Exchange. This requirement addresses open identity management standards. More information regarding these standards is available here: info.idmanagement.gov/2012/10/what-are-ficam-technical-profiles-and.html

Check Content

Review the application documentation and interview the application administrator to identify application access methods. If the application is not PKI-enabled due to the hosted data being publicly releasable, this check is Not Applicable. If the application is only deployed to SIPRnet, this requirement is Not Applicable. If the application is not intended to be available to federal government partners this requirement is Not Applicable. This requirement applies to DOD service providers who are relying parties of external (federal government) identity providers. Ask the application administrator to demonstrate how the application conforms to FICAM issued profiles such as SAML or OPENID. If the application is designed to be a service provider utilizing an external identify provider and doesn't conform to FICAM-issued profiles, this is a finding.

Fix Text

Configure the application to conform to FICAM-issued technical profiles when providing services that rely on external (federal government) identity providers.

Additional Identifiers

Rule ID: SV-222560r1015709_rule

Vulnerability ID: V-222560

Group Title: SRG-APP-000405

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.