
idmanagement.gov's Introduction

This work is led by the GSA Identity and Trusted Access Division FICAM Program in coordination with the ICAM Subcommittee of the Federal CIO Council.

FICAM Playbooks

This repository is a governmentwide collaboration. Its content advances the maturity of Federal Identity, Credential, and Access Management (ICAM) systems, continuing what was envisioned in the FICAM Roadmap and Implementation Guidance v2.0.

Additional repositories are under development for contributors to share ICAM implementation guides, code, reference implementations, and solutions.

General Practices

This content is vendor neutral. Marketing materials for commercial products should not be submitted. If you would like to contribute a page or content that includes commercial products and specific references for development and engineering, please review the trademark or copyright guides from the product vendor and reference those guides in your pull request.

Plain Language

Contributors should consider the audience when submitting content. Plain language benefits a broad audience. Review your proposed content for use of acronyms and specialized jargon before submitting.

How to Contribute

For information on how to contribute to the site, visit the Contribute page here.

Direct changes and line edits to the content may be submitted by clicking 'Edit this page'. You do not need to install any software to submit content. You can use GitHub's in-browser editor to edit files and submit a request for your changes to be merged.

Public domain

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.

Special Thanks

This site is based on GitHub Pages and Jekyll templates.

Special thanks to the teams at 18F, 18F Pages, and US Digital Services Playbooks for their open and transparent model which benefits citizens, government, and technology.


idmanagement.gov's Issues

common office automation migrations

Agency requests for patterns for office automation migrations, including step by step for Office 365

Currently allowed scenario is:

  1. Authentication happens on premise
  2. Assume user outside the network (not VPN into network as is - the harder scenario)
  3. federated to O365
  4. settings for using Alternate Login ID (and why, govt specific - related to Principal Names versus email addresses / mail, and how credentials may be used in network authentication, agencies do not need to reissue their credentials, can use as-is, etc)
  5. If this works using the AltSecID mapping options for certificate based authentication, and what the settings are to configure trust for ANY certificate authority in FPKI (users crossing boundaries and not specific to one CA)

No redo of vendor specific information. Need to clarify, govt agency focused, and all steps referenced.

Search results page "browse site" menu has links to 404 pages

Description of Issue:

Search results page "browse site" menu has links to 404 pages

Details of Issue:

The "I want to", "Topics" and "Community" options on the search result menu result in 404.

References (Docs, Links, Files):

image

Possible Solution

update links to common pages (e.g. top page navigation items)

Publish updated Common Policy and ancillary documents

Additional context
The FPKIPA approved change proposals 2021-02 and 2021-03 on November 30, 2021.

Common Policy was updated to v2.2 provided these changes.

Both change proposals and updated policy need to be published to idmanagement.gov.

PIV for Red Hat Linux (from ICAM-COMMUNITY-TECH)

Description of Issue:

A message was posted to the ICAM-COMMUNITY-TECH listserv related to PIV Authentication to Linux systems.

"Has anyone implemented PIV authentication for RedHat Linux using something other than PuTTY-CAC or WinSCP with Pageant? Does not necessarily have to be freeware, just looking for better options. Please email me back if so."

Conversation Highlights:
"I can send you a write up of our solution for smartcard required via PAM and for SSH." (note: I requested a copy of this information)

"We've implemented PIV on Linux on a small scale here, but with local binding only - not with LDAP/AD + Kerberos - and it would be helpful to have access to implementation information from other agencies."

Details of Issue:

[See above]

References (Docs, Links, Files):

N/A

If a New Page or Content is Needed, Expected Outcomes:

New page, focused on PIV Authentication for Linux

Link to the Content Page for Contributors:

Caching behavior when switching between privileged and non-privileged contexts

Add configurations and lessons learned regarding the caching behavior and workarounds for:

  • Performing "run as" functions to escalate privileges to a privileged account
  • one cached credential stored for certificates
  • user switches back to normal account after disconnect from network
  • locked out because cache is privileged account

Include:

  • Cached credentials limit (2 to 5)
  • bug reports
  • Workarounds
  • VPN configurations

ICAM Use Case - PE NPE Use Cases

ICAM Use Cases.pdf

Description of Issue:

Attached is my cut at PE and NPE Use Cases. It provides an ICAM information model that spans and aligns PE and NPE use cases over enterprise, federated and hybrid architectures based on nine conceptual ICAM processes. Four Digital Policy Management (DPM) use cases are also included.

Details of Issue:

References (Docs, Links, Files):

If a New Page or Content is Needed, Expected Outcomes:

Link to the Content Page for Contributors:

Notification Method For System Notification or Other Specific Updates

Description of Issue:

The only way to get FPKI Guide updates is by watching the repo. This provides all commit and issue updates, but what if users only want to get updates for system notifications or other specific types of updates. Not all users have or want a github account and an option outside of Github should be considered.

Details of Issue:

The only guide update method is watching the repo and getting updates for all changes. There should be a method to subscribe to changes on specific pages outside of github.

References (Docs, Links, Files):

https://help.github.com/en/articles/atom-rss-feeds-for-github-pages

If a New Page or Content is Needed, Expected Outcomes:

An rss or atom feed on each or specific pages. If it is already available, a write-up on how to subscribe to it.

Additional Issue to document in PIV Auth Troubleshooting guide

We believe we tracked the problem down to a known issue with Microsoft Group Policy Administrative Templates. We were using those to deploy the CA certificates to all Windows systems (Domain Controllers, Servers, and Workstations). The issue comes with how GPO was deploying the certificates in that it deletes the CA certificates and adds them back every time Group Policies are run on a system. Sometimes it may not fully apply the certificates, which then means the DC or workstation loses trust with the smart card certificate. If the DC loses trust then Kerberos will tell the workstation to delete the cached credentials on the workstation. We are now deploying certificates in another manner within Group Policy as recommended by Microsoft and testing is underway.

https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/valid-root-ca-certificates-untrusted

Automate Subnav Building

Description of Issue:

Subnav is manually set in the front matter. This could be time-consuming to update or maintain and potentially easily overlooked if a page is updated. The current subnav doesn't support multiple levels. On a long page, it is hard for a user to differentiate between header levels.

Details of Issue:

It is possible to automate subnav to decrease maintenance and potential errors.

References (Docs, Links, Files):

https://www.honeybadger.io/blog/multiple-levels-of-subnavigation-with-jekyll/
https://jekyllrb.com/tutorials/navigation/#scenario-3-two-level-navigation-list

Possible Solution

  1. Update the subnav.html to automate up to two or three levels of header.

If a New Page or Content is Needed, Expected Outcomes:

Link to the Content Page for Contributors:

1229 Policy Fixes

Description of Issue:

Common Policy v2.1 in archive requires a tombstone page.

Common change proposals 2102 and 2103 are not appearing in the archive document section as was previously submitted.

Update FPKIMA audit letter for 2021

Description of Issue:

A new FPKI MA Audit letter is available for the 2021 audit.

Details of Issue:

Document needs to be updated from 2020 to 2021 audit letter.

Possible Solution

replace the existing audit letter with 2021 version.

Add discussion for services that need cross-agency identities

I would love to see some additional discussion and guidance for services that are intended to follow federal employees between agencies.

The basic concern, as far as I can see, is that if a person has multiple PIV cards, or transitions from one PIV card to another PIV card (which will happen with any transfer between agencies), there is no identifier that allows services to implicitly associate one with the other. Further, for the case of an employee moving between agencies, the old PIV card will likely be unavailable at the time the new PIV card is issued, so there must be some additional credential that the user uses to claim the identity linked to the old PIV card in order to associate it with the new one.

This would seem to suggest, to me, that services such as this would also have to maintain an entirely independent traditional username/password scheme in addition to PIV. Is this the best option? Can we improve on this?

Identity Proofing of Citizens Accessing Government Systems

Description of Issue:

I did not see any use cases for citizens who access government systems. Examples could be:

  • accessing tax information

  • accessing SSA information

  • a parent filling out FAFSA student financial aid application

  • an external partner required to provide information to a regulator, yet that partner is not an employee, contractor, or representative of the government and the most suitable description would be consumer, customer, or regulated entity.

Details of Issue:

What are the requirements for non-government entities to access government systems if the workflow determines IAL2 level? Can we enforce security requirements multifactor? If so, how do we identity proof thousands of citizens in accordance with NIST 800-63-3 / FIPS 199?

References (Docs, Links, Files):

NIST 800-63-3 / FIPS 199

If a New Page or Content is Needed, Expected Outcomes:

Link to the Content Page for Contributors:

Place to list libraries helpful to working with PIVs

Description of Issue:

I've written a few libraries helpful to my use of PIV tokens and PIV-like tokens. Is there a good place to leave links to those libraries in case they're helpful to others?

References (Docs, Links, Files):

I've written a few libraries, for example. Here's some of the ones I find most helpful:

Update FICAM Governance Page for Working Groups

Update page to include description of all working groups in the image file. Update the image file so it is current.

Consider not including working groups in the image file and only include in text.

Clean Archived Documents

There are some archived documents not in the archived folder. Move archived documents to the archived folder.

Trust Services Page Discrepancies

Description of Issue:

Trust services page has some significant differences from the current content on identitymanagement.gov; additionally consumer identity and credentials sub-section does not exist.

Details of Issue:

https://federalist-cf03235f-a054-4178-aafb-4e1e61e0d42c.app.cloud.gov/demo/gsa/idmanagement.gov/buy/trust-services/#trust-and-auditing-of-services

has significant differences from

https://www.idmanagement.gov/buy/trust-services/#identity-services

Possible Solution

Recommend aligning sub-titles to existing idmanagement source page.

Recommend removing the section on consumer identity and credentials (not sure the USG as a whole has an acceptable standard for this category)

If a New Page or Content is Needed, Expected Outcomes:

Broken Links on IdManagement.gov

Could we please look into the broken links on IdManagement.gov? I sent the broken links report via email to Jill requesting assistance.

How do I find the right certification path and which specific certificates I need?

Description of Issue:

A user needs to build a certificate bundle for trust store management. How do they identify what paths they need?

There are multiple pages in FPKI guide that show a separate process to figure out a path, but nothing on how to build a bundle.

  1. PIV CAs and Agencies - This page shows which agencies use which issuer and specifically which issuer certificate. Someone would need to manually connect the issuer's name back to either FCPCA G2 or a certificate under FCPCAG2.
  2. FPKI Graph - This page shows a generic path using the subject name. A user could take the issuer subject name and find a complete path. The graph doesn't share the specific certificate they need, just a generic path.
  3. FCPCA G2 - This page shows which specific certificates are issued under the Federal Common Policy.

Once they know what certificates they need, they need to figure out how to make a bundle. This is only for PIV. With agencies issuing PIV-I, there is no guidance on how to identify or build a path for PIV-I.

One practical example is if an agency is presented as a PIV or PIV-I their existing configuration builds a path. How can an agency verify that path is correct?

Suggestions

Create a new page on how to identify a path and then build a bundle for both PIV or PIV-I

Update Accessibility Test Package

a11y was used for accessibility testing, but it is not actively maintained. It was removed from this repo.

Look at using Axe or wait for an update from Federalist.

FPKI supplementary guidance is missing descriptions

Description of Issue:

FPKI supplementary guidance has some document descriptions, others do not.

Details of Issue:

inconsistent look/feel

Possible Solution

Expand to include document descriptions.

If a New Page or Content is Needed, Expected Outcomes:

detailed descriptions of supplemental guidance documents (e.g. incident management plan and RA agreement template)

Link to the Content Page for Contributors:

https://www.idmanagement.gov/governance/fpkiaudit/

Update Federation Section of SSO Playbook

MVP

  1. Review FICAM Roadmap federation section. Make sure all relevant points are included in SSO Federation section.
  2. Incorporate open issues related to Federation or SSO.

Nice to have

  1. Overview of FALs and existing methods on how to meet each.

Add Filter on FPKI Docs Page

The header says only three years of documents are displayed, but more than 3 years is displayed. Create a filter in the table to filter out documents older than three years and add a date of when a document is removed from this page.

Windows 2016 Server - NT hashes

Description of Issue:

Add Windows 2016 setting for group policies
https://piv.idmanagement.gov/networkconfig/grouppolicies/

Submitted by DoD colleagues. Reference to STIGs below.

Details of Issue:

DISA STIG ID AD.0016 for Active Directory Domain states the following for Windows Server 2016:

"Windows Server 2016 includes a built-in feature for SCRIL hash rolling that will automatically reset NT hashes in accordance with the existing maximum password age policy. This requires the domain functional level to be Windows Server 2016."
It therefore appears that the "DONT_EXPIRE_PASSWORD attribute is set to true" setting is not warranted for Windows Server 2016.

Active Directory Domain Security Technical Implementation Guide (STIG) ::
Version 2, Release: 13 Benchmark Date: 26 Apr 2019
Vul ID: V-72821
Rule ID: SV-87467r1_rule
STIG ID: AD.0016
Severity: CAT II
Group Title: AD.0016
Rule Title: All accounts, privileged and unprivileged, that require smart cards must have the underlying NT hash rotated at least every 60 days.

Discussion: When a smart card is required for a domain account, a long password, unknown to the user, is generated. This password and associated NT hash are not changed as are accounts with passwords controlled by the maximum password age. Disabling and re-enabling the "Smart card is required for interactive logon" (SCRIL) replaces the NT hash of the account with a newly randomized hash. Otherwise, the existing NT hash could be reused for Pass-the-Hash in the future.

Windows Server 2016 includes a built-in feature for SCRIL hash rolling that will automatically reset NT hashes in accordance with the existing maximum password age policy. This requires the domain functional level to be Windows Server 2016.

In Active Directory with a domain functional level below Windows Server 2016, scripts can be used to reset the NT hashes of all domain accounts. Associated documentation should be reviewed for potential issues.

Check Text: Windows Server 2016 with a domain functional level of Windows Server 2016:

  • Open "Active Directory Administrative Center".
  • Right-click on the domain name and select "Properties".
  • If the "Domain functional level:" is not "Windows Server 2016", another method must be used to reset the NT hashes. See below for other options.

Fix Text: Windows Server 2016 with domain functional levels of Windows Server 2016:

  • Open "Active Directory Administrative Center".
  • Right-click on the domain name and select "Properties".
  • Select "Enable rolling of expiring NTLM secrets during sign on, for users who are required to use Microsoft Passport or smart card for interactive sign on".

Active Directory domains with a domain functional level below Windows Server 2016:

  • Verify the organization rotates the NT hash for smart card-enforced accounts every 60 days.
  • This can be accomplished with the use of scripts.
  • DoD PKI-PKE has provided a script under PKI and PKE Tools at http://iase.disa.mil/pki-pke/Pages/tools.aspx. See the User Guide for additional information.
  • NSA has also provided a PowerShell script with Pass-the-Hash guidance at https://github.com/iadgov/Pass-the-Hash-Guidance. Running the "Invoke-SmartcardHashRefresh" cmdlet in the "PtHTools" module will trigger a change of the underlying NT hash. See the site for additional information.

Manually rolling the NT hash requires disabling and re-enabling the "Smart Card required for interactive logon" option for each smart card-enforced account, which is not practical for large groups of users.

If NT hashes for smart card-enforced accounts are not rotated every 60 days, this is a finding.

References (Docs, Links, Files):

https://piv.idmanagement.gov/networkconfig/grouppolicies/
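As an added example (not from the issue, the STIG, or the site), the following PowerShell check implements the STIG's 60-day criterion from a defender's side: it reports the domain functional level, whether the Windows Server 2016 rolling option is set, and which smart-card-required accounts have a password (and therefore an NT hash) older than 60 days. It assumes the RSAT ActiveDirectory module on a domain-joined host with rights to read user attributes; msDS-ExpirePasswordsOnSmartCardOnlyAccounts is the domain attribute the ADAC checkbox sets.

```powershell
# Added example: audit NT-hash rotation for smart-card-required (SCRIL) accounts
# against the 60-day interval in STIG AD.0016. Not part of the issue or the STIG.
Import-Module ActiveDirectory

$MaxAgeDays = 60                                   # rotation interval required by AD.0016
$Cutoff     = (Get-Date).AddDays(-$MaxAgeDays)

# 1. Domain functional level decides which remediation the STIG allows.
$Domain = Get-ADDomain
$Has2016Dfl = $Domain.DomainMode -ge [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2016Domain
Write-Host "Domain functional level: $($Domain.DomainMode)"

if ($Has2016Dfl) {
    # The ADAC option "Enable rolling of expiring NTLM secrets during sign on ..."
    # is stored on the domain naming context in this attribute (assumed name).
    $DomainNc = Get-ADObject -Identity $Domain.DistinguishedName `
                             -Properties msDS-ExpirePasswordsOnSmartCardOnlyAccounts
    $Rolling = [bool]$DomainNc.'msDS-ExpirePasswordsOnSmartCardOnlyAccounts'
    Write-Host "Rolling of expiring NTLM secrets enabled: $Rolling"
    if (-not $Rolling) {
        Write-Warning "DFL is 2016 but automatic SCRIL hash rolling is not enabled (STIG fix text)."
    }
} else {
    Write-Warning "DFL below Windows Server 2016: hashes must be rotated by script every $MaxAgeDays days."
}

# 2. Find enabled accounts that require a smart card and whose password (and so NT hash)
#    has not been reset inside the window. PasswordLastSet of $null means never set.
$Scril = Get-ADUser -Filter 'SmartcardLogonRequired -eq $true -and Enabled -eq $true' `
                    -Properties PasswordLastSet, SmartcardLogonRequired

$Stale = $Scril | Where-Object {
    $null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $Cutoff
} | Select-Object SamAccountName, DistinguishedName, PasswordLastSet,
      @{ Name = 'AgeDays'; Expression = {
          if ($null -eq $_.PasswordLastSet) { 'never' }
          else { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } }

Write-Host "SCRIL accounts checked: $($Scril.Count); older than $MaxAgeDays days: $($Stale.Count)"
if ($Stale.Count -gt 0) {
    # Per the STIG, any such account is a finding; remediation is the domain setting
    # above (2016 DFL) or the rotation scripts referenced in the fix text.
    $Stale | Format-Table -AutoSize
}
```

Run it as a scheduled audit and treat a non-empty table as the STIG finding; it only reads attributes and changes nothing.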

Military service

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior:

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: [e.g. iOS]
  • Browser [e.g. chrome, safari]
  • Version [e.g. 22]

Smartphone (please complete the following information):

  • Device: [e.g. iPhone6]
  • OS: [e.g. iOS8.1]
  • Browser [e.g. stock browser, safari]
  • Version [e.g. 22]

Additional context
Add any other context about the problem here.

Consolidated list of References, Standards, and Laws

Description of Issue:

Architecture, PACS, and PM playbook all have laws, policies, and standards pages. They are in different formats with different levels of descriptions.

Details of Issue:

Potential solution could be a data yml with all laws, policies, and standards. Create dynamic tables for each playbook based on tags in the data yml.

References (Docs, Links, Files):

If a New Page or Content is Needed, Expected Outcomes:

Link to the Content Page for Contributors:

PDF metadata requires sanitization

Description of Issue:

Several posted PDF documents retain the metadata of the original document that was edited to create the pdf (e.g., original filename.docx). Need to sanitize original metadata in these docs and reupload.

References (Docs, Links, Files):

image

Possible Solution

download, edit pdf to sanitize and reupload documents in the repository.
