The service architecture provides a functional framework for identifying and evaluating government-wide opportunities to leverage IT investments and assets from a service perspective. This model helps in understanding the services delivered by the government and in assessing whether like services can be grouped to create opportunities for reuse or shared services. The ICAM service architecture consists of the Services Framework, a functional framework that classifies ICAM service components with respect to how they support business and/or performance objectives.
In order to develop the ICAM Services Framework, existing service frameworks from a number of sources were reviewed, including:
- FEA Service Component Reference Model (SRM)
- HSPD-12 Shared Component Architecture v0.1.6
- International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) JTC 1/SC27 N7237 – IT Security Techniques
- OneVA Identity Services Segment Architecture
- DoD Net-Centric Enterprise Services (NCES)
- DoD Enterprise Services Security Framework (ESSF)
Following the review, several working sessions were conducted to define and gain consensus on the service types and components necessary to support the ICAM segment.
The figure represents two main layers of the Services Framework:
- Service Type. Provides a layer of categorization that defines the context of a specific set of service components. The service types in the diagram are represented by the darker blue, outer boxes.
- Service Component. A self-contained business process or service with predetermined and well-defined functionality that may be exposed through a well-defined and documented business or technology interface. The service components in the diagram are represented by the lighter blue, inner boxes.
It is important to note that while the ICAM Services Framework seeks to provide a common set of services to support common needs across agencies, it is not intended to preclude an agency from augmenting or customizing the framework to provide services that support agency-specific scenarios and to incorporate its mission needs and existing infrastructure.
Digital identity is the representation of identity in a digital environment. Digital Identity Services comprise the processes required to capture and validate information to uniquely identify an individual, determine suitability/fitness, and create and manage a digital identity over the life cycle.
Credentialing is the process of binding an identity to a physical or electronic credential, which can subsequently be used as a proxy for the identity or proof of having particular attributes.
Privilege Management comprises the set of processes for establishing and maintaining the entitlement or privilege attributes that make up an individual's access profile. These attributes are features of an individual that can be used as the basis for determining access decisions to both physical and logical resources. It governs the management of the data that constitutes the user's privileges and other attributes, including the storage, organization and access to information.
Authentication is the process of verifying that a claimed identity is genuine and based on valid credentials. Authentication typically leads to a mutually shared level of assurance by the relying parties in the identity. Authentication may occur through a variety of mechanisms including challenge/response, time-based code sequences, biometric comparison, PKI or other techniques.
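The challenge/response mechanism named above, shown as an added illustration that is not part of the FICAM document: a verifier issues a single-use nonce, the credential holder proves possession of a key provisioned at credentialing by returning an HMAC over the nonce, and the verifier rejects stale, reused or mismatched responses. The credential identifier, the key and the 30-second challenge lifetime are constructed for the example; in a real deployment the key would live on the token rather than in verifier code.

```python
import hashlib
import hmac
import os
import time

# Constructed example data: one symmetric key bound to one credential at issuance.
# A real verifier would hold keys in an HSM or use asymmetric (PKI) credentials instead.
CREDENTIAL_KEYS = {
    "cred-0001": bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"),
}


class Verifier:
    """Relying-party side: issues fresh challenges and checks the responses."""

    def __init__(self, ttl_seconds=30):
        self.ttl = ttl_seconds
        self.pending = {}  # nonce -> (credential_id, time issued)

    def issue_challenge(self, credential_id, now=None):
        nonce = os.urandom(16)  # unpredictable, so a captured response cannot be replayed
        self.pending[nonce] = (credential_id, time.time() if now is None else now)
        return nonce

    def verify(self, credential_id, nonce, response, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(nonce, None)  # single use: a second presentation fails
        if entry is None:
            return False, "unknown or reused challenge"
        issued_to, issued_at = entry
        if issued_to != credential_id:
            return False, "challenge issued to a different credential"
        if now - issued_at > self.ttl:
            return False, "challenge expired"
        key = CREDENTIAL_KEYS.get(credential_id)
        if key is None:
            return False, "unknown credential"
        expected = hmac.new(key, credential_id.encode() + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):  # constant-time comparison
            return False, "bad response"
        return True, "authenticated"


def holder_respond(credential_id, nonce):
    """Credential-holder side: prove possession of the key without revealing it."""
    key = CREDENTIAL_KEYS[credential_id]
    return hmac.new(key, credential_id.encode() + nonce, hashlib.sha256).digest()


def run_exchange():
    """One successful exchange followed by a replay of the same response."""
    verifier = Verifier()
    nonce = verifier.issue_challenge("cred-0001")
    response = holder_respond("cred-0001", nonce)
    first = verifier.verify("cred-0001", nonce, response)
    replay = verifier.verify("cred-0001", nonce, response)
    return first, replay
```

The nonce is bound to the credential identifier in the MAC input so that a response captured for one credential cannot be presented under another, and `compare_digest` avoids leaking the expected value through timing.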
Authorization and Access
Authorization and Access are the processes of granting or denying specific requests to obtain and use information processing services or data and to enter specific physical facilities. They ensure that individuals can use only those resources they are entitled to use, and then only for approved purposes, enforcing the security policies that govern access throughout the enterprise.
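Privilege attributes from an access profile feeding an access decision for both a logical and a physical resource, with the "approved purposes" condition enforced and every decision recorded for later audit. This is an added example and not code from the FICAM document; the subjects, roles, clearance values, assurance levels and resources are constructed to show how the attributes described under Privilege Management are consumed here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessProfile:
    """Privilege attributes maintained for one individual (constructed sample)."""
    subject_id: str
    roles: frozenset
    clearance: str            # "none", "secret" or "top_secret"
    credential_assurance: int  # assurance level carried by the authenticated credential
    active: bool = True       # cleared when the individual separates


@dataclass(frozen=True)
class Resource:
    resource_id: str
    kind: str                 # "logical" (system/data) or "physical" (facility)
    min_clearance: str
    min_assurance: int
    allowed_roles: frozenset
    allowed_purposes: frozenset


@dataclass(frozen=True)
class Request:
    subject_id: str
    resource_id: str
    action: str               # "read"/"write" for logical, "enter" for physical
    purpose: str


CLEARANCE_RANK = {"none": 0, "secret": 1, "top_secret": 2}
ACTIONS_BY_KIND = {"logical": {"read", "write"}, "physical": {"enter"}}


class PolicyDecisionPoint:
    """Evaluates requests against privilege attributes; every outcome is logged."""

    def __init__(self, profiles, resources):
        self.profiles = {p.subject_id: p for p in profiles}
        self.resources = {r.resource_id: r for r in resources}
        self.audit_log = []  # consumed by the Auditing and Reporting service

    def decide(self, req):
        decision, reason = self._evaluate(req)
        self.audit_log.append({"subject": req.subject_id, "resource": req.resource_id,
                               "action": req.action, "purpose": req.purpose,
                               "decision": decision, "reason": reason})
        return decision, reason

    def _evaluate(self, req):
        profile = self.profiles.get(req.subject_id)
        if profile is None or not profile.active:
            return "DENY", "no active access profile"
        res = self.resources.get(req.resource_id)
        if res is None:
            return "DENY", "unknown resource"
        if req.action not in ACTIONS_BY_KIND[res.kind]:
            return "DENY", "action not valid for resource kind"
        if CLEARANCE_RANK[profile.clearance] < CLEARANCE_RANK[res.min_clearance]:
            return "DENY", "insufficient clearance"
        if profile.credential_assurance < res.min_assurance:
            return "DENY", "credential assurance level too low"
        if not (profile.roles & res.allowed_roles):
            return "DENY", "no entitled role"
        if req.purpose not in res.allowed_purposes:
            return "DENY", "purpose not approved"
        return "PERMIT", "all policy conditions satisfied"


def build_demo_pdp():
    """Constructed profiles and resources; not taken from any real agency."""
    profiles = [
        AccessProfile("alice", frozenset({"hr_analyst"}), "secret", 3),
        AccessProfile("bob", frozenset({"contractor"}), "none", 2),
        AccessProfile("carol", frozenset({"hr_analyst"}), "secret", 3, active=False),
    ]
    resources = [
        Resource("hr-db", "logical", "none", 3, frozenset({"hr_analyst"}),
                 frozenset({"benefits_processing"})),
        Resource("scif-201", "physical", "secret", 3,
                 frozenset({"hr_analyst", "facilities"}), frozenset({"scheduled_work"})),
    ]
    return PolicyDecisionPoint(profiles, resources)
```

Checks are ordered from cheapest and most decisive (is there an active profile at all?) to the finer-grained purpose test, and a denial reason is returned with each decision so the audit trail explains why access was refused rather than only that it was.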
Cryptography supports the use and management of ciphers including encryption and decryption processes to ensure confidentiality and integrity of data, including necessary functions such as Key History and Key Escrow. Cryptography is often used to secure communications initiated by humans and non-person entities.
Auditing and Reporting
Auditing and Reporting addresses the review and examination of records and activities to assess adequacy of system controls and the presentation of logged data in a meaningful context.