Background
On October 6, 2011, Steven VanRoekel, the Federal Chief Information Officer, issued a memorandum (http://www.howto.gov/sites/default/files/omb-req-externally-issued-cred_0.pdf), specifying a timetable for federal agencies to begin leveraging externally-issued credentials. The Federal Identity, Credential, and Access Management Subcommittee (FICAM - http://www.idmanagement.gov/pages.cfm/page/ICAM) is named as responsible for certifying the entities that may issue such credentials.
InCommon (http://www.incommon.org) is a Trust Framework Provider, certified by FICAM under the Trust Framework Provider Adoption Process (TFPAP - http://www.idmanagement.gov/documents/FICAM_TFS_TFPAP_v1.1.0.pdf) at assurance levels 1 (InCommon Bronze) and 2 (InCommon Silver). As a certified trust framework provider, InCommon is authorized to certify campuses to issue identity assertions over the Internet to government agency service providers at assurance levels 1 and 2. The documents governing InCommon's trust framework are available at http://www.incommon.org/assurance/components.html.
The InCommon Assurance Program is currently sponsoring a group of university representatives who are exploring means that can be used to certify for InCommon Silver when the password credentials used for Silver-level authentication are stored in an Active Directory instance. "IAP Requirements and Gaps for Active Directory Domain Services" (https://spaces.at.internet2.edu/x/BA8wAg) is a summary of that work.
Questions
- When BitLocker full disk encryption is used, are disk sectors decrypted only as they are read? What is the recommended/supported BitLocker configuration for use with AD-DS?
- Does Microsoft have a strategy for supporting compliance with the Federal Identity, Credential, and Access Management (FICAM) requirements at LoA-2? If so, what is the time frame?
- Does Microsoft have a strategy for AD integration of non-Windows and old-Windows client platforms that will use NIST/FIPS approved algorithms for transport of passwords over a network? If so, what is the time frame?
- Is it possible to configure AD so that the NetUserChangePassword and NetUserSetInfo protocols use only NIST approved algorithms for encryption?
- Protected Channels - 4.2.3.6.1b - Gaps
- What encryption algorithms does Windows Secure Channel use?
- What's the impact of turning on the FIPS setting on all Domain Clients? What's the impact on Domain Controllers?
- RC4 HMAC encryption is not NIST or FIPS approved, and we would like to determine if it's comparable to those methodologies that are. Can you help with this? (See http://www.incommon.org/assurance/alternativemeans.html for the criteria we will consider.)
- Review "IAP Requirements and Gaps for Active Directory Domain Services" for verification.
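Several of the questions above (the FIPS setting on domain members and controllers, and whether RC4 HMAC can be kept out of the Kerberos exchange) can be checked against an existing domain before asking Microsoft. The following PowerShell audit is an added example, not part of this page or of Microsoft's documentation; it assumes RSAT's ActiveDirectory module is installed and that the bit values of msDS-SupportedEncryptionTypes (1 DES-CRC, 2 DES-MD5, 4 RC4-HMAC, 8 AES128, 16 AES256) apply.

```powershell
# Added example: report the Kerberos encryption types and the FIPS policy flag
# on this host, then list domain accounts that still permit RC4-HMAC.
# Bit values are those of msDS-SupportedEncryptionTypes (assumed, see lead-in).
$EncTypeBits = [ordered]@{
    1  = 'DES_CBC_CRC'
    2  = 'DES_CBC_MD5'
    4  = 'RC4_HMAC_MD5'
    8  = 'AES128_CTS_HMAC_SHA1_96'
    16 = 'AES256_CTS_HMAC_SHA1_96'
}

function ConvertFrom-KerberosEncTypes {
    param([int]$Mask)
    # An absent or zero attribute means the domain default applies, which on
    # older builds still includes RC4; report it rather than silently pass it.
    if ($Mask -eq 0) { return @('(not set: domain default applies)') }
    $EncTypeBits.GetEnumerator() | Where-Object { $Mask -band $_.Key } | ForEach-Object { $_.Value }
}

# 1. Local Kerberos policy ("Network security: Configure encryption types allowed for Kerberos").
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$localMask = (Get-ItemProperty -Path $policyKey -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
"Local Kerberos policy: $((ConvertFrom-KerberosEncTypes ([int]$localMask)) -join ', ')"

# 2. FIPS flag ("System cryptography: Use FIPS compliant algorithms ...").
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fipsEnabled = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
"FIPS algorithm policy enabled: $([bool]$fipsEnabled)"

# 3. Domain user and computer accounts whose attribute still allows RC4 (or is unset).
Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=computer))' -Properties 'msDS-SupportedEncryptionTypes' |
    ForEach-Object {
        $mask = [int]($_.'msDS-SupportedEncryptionTypes')
        [pscustomobject]@{
            Name      = $_.Name
            EncTypes  = (ConvertFrom-KerberosEncTypes $mask) -join ','
            AllowsRC4 = (($mask -band 4) -ne 0) -or ($mask -eq 0)
        }
    } | Where-Object AllowsRC4 | Format-Table -AutoSize
```

Run it on a domain member and on a domain controller separately, since the first two checks describe only the host they run on.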