Merge pull request #594 from GSA/1002-h1-updates-sprint8
1002-h1-updates-sprint8
JBPayne007 authored Oct 3, 2023
2 parents 6052c18 + 035a0be commit 18a814d
Showing 6 changed files with 32 additions and 32 deletions.
12 changes: 6 additions & 6 deletions _implement/distribute-fcpca.md
Expand Up @@ -76,7 +76,7 @@ This guide ends by presenting answers to [Frequently Asked Questions](#frequentl

{% include alert-info.html content='**We’re calling for all solutions!** If you’d like to share your agency’s playbook on how to distribute a trusted root CA certificate to an application trust store, create an [issue on GitHub](https://github.com/GSA/idmanagement.gov/issues/new){:target="_blank"}{:rel="noopener noreferrer"} or email us at <[email protected]>.' %}

# Step 1 - Obtain and verify the FCPCA root certificate
## Step 1 - Obtain and verify the FCPCA root certificate

The first step in this process is to obtain a copy of the FCPCAG2 root certificate, and verify its authenticity.

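Review bot: demoting `#` to `##` here (and in every other hunk of this PR) leaves the page body with no H1, so the page title must come from the layout rendering the front-matter `title`; confirm that each affected layout emits exactly one `<h1>`. The in-page anchors such as `#step-1---obtain-and-verify-the-fcpca-root-certificate` keep resolving, because kramdown derives the auto-ID from the heading text alone, not from its level.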
Expand Down Expand Up @@ -141,7 +141,7 @@ After you have verified the certificate, you are ready to distribute the FCPCA r
- [You can distribute it to operating systems in your environment](#step-2---distribute-to-operating-systems), or
- you can [distribute it to applications within your environment](#step-3---verify-operating-system-distribution).

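Review bot: the unchanged context line `- you can [distribute it to applications within your environment](#step-3---verify-operating-system-distribution).` promises application distribution but points at the Step 3 verification anchor; it should point at `#step-4---distribute-to-applications`, the heading visible later in this file. Since the link sits two lines above the heading being edited, this PR is a convenient place to fix it.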
# Step 2 - Distribute to operating systems
## Step 2 - Distribute to operating systems

To distribute the Federal Common Policy CA G2 (FCPCAG2) certificate, use one of these options:

Expand Down Expand Up @@ -534,7 +534,7 @@ You can now successfully navigate to any intranet website whose SSL certificate
Next, verify distribution of the FCPCAG2 certificate as an operating system trusted root.
# Step 3 - Verify operating system distribution
## Step 3 - Verify operating system distribution
To verify that the Federal Common Policy CA G2 (FCPCAG2) certificate has been distributed to your agency's workstations and devices, use one of these options:
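Review bot: unlike the other hunks in this file, `## Step 3 - Verify operating system distribution` has no blank line separating it from the sentence before it (`Next, verify distribution ...`) or the paragraph after it. If those blank lines are really absent in the source rather than collapsed by the diff view, add them so the heading is formatted the same way as the other steps.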
Expand Down Expand Up @@ -719,7 +719,7 @@ HKLM:\SOFTWARE\WOW6432Node\Microsoft\EnterpriseCertificates\Root\Certificates\99
Next, distribute the FCPCA certificate to application trust stores.
# Step 4 - Distribute to applications
## Step 4 - Distribute to applications
Many, but not all, software applications leverage the underlying operating system [trust store]({{site.baseurl}}/university/fpki#fpki-third-party-trust) to verify whether a certificate should be trusted.
Expand All @@ -733,7 +733,7 @@ Collaborate across agency teams to identify applications that rely on custom tru
Next, determine if you need to distribute the CA certificates issued by the FCPCAG2 root certificate.
# Step 5 - Distribute intermediate certificates
## Step 5 - Distribute intermediate certificates
{% include alert-success.html content="**Depending on agency configurations, you might need to distribute these certificates to systems and applications**. This page will help you understand [when to distribute the intermediate CA certificates](#do-i-need-to-distribute-the-intermediate-ca-certificates), [which certificates to distribute](#which-certificates-do-i-need-to-distribute), and [recommended solutions](#how-do-i-distribute-the-intermediate-ca-certificates). This page also lists [intermediate CA certificate details](#certificates-issued-by-the-federal-common-policy-ca), including download locations." %}
Expand Down Expand Up @@ -1016,7 +1016,7 @@ The easiest way to verify your migration to the Federal Common Policy CA G2 (FCP
![Verify common migration in macOS]({{site.baseurl}}/assets/fpki/verify-migration-macos.png){:style="width:504px;"}
# Frequently Asked Questions
## Frequently Asked Questions
If your question does not appear in this list, send it to FPKI at gsa.gov.
6 changes: 3 additions & 3 deletions _implement/introduction.md
Expand Up @@ -29,7 +29,7 @@ ICAM Engineering Guides are for system administrators configuring agency infrast

The majority of engineering guides are focused on helping agencies configure PIV credential authentication in the most common operating systems and applications. A new series of FIDO multi-factor authentication playbooks are also include.

# Configuration Guides
## Configuration Guides

1. Smart Card Configuration
1. [Windows Domains]({{site.baseurl}}/implement/scl-windows)
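Review bot: the context line `A new series of FIDO multi-factor authentication playbooks are also include.` has a grammatical slip; `are also include` should read `is also included`. Since the sentence sits directly above the heading being changed, it is cheap to fold into this PR.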
Expand All @@ -43,7 +43,7 @@ The majority of engineering guides are focused on helping agencies configure PIV
1. [Windows Hello for Business]({{site.baseurl}}/implement/whfb)
2. Security keys (Coming soon!)

# ICAM Troubleshooting Tools
## ICAM Troubleshooting Tools

ICAM can leverage a number of open source protocols for interoperability and data transfer. The Federal PKI is also a large, distributed ecosystem of over 180 certification authorities. Each certification authority operate independently which presents a challenge in trying to troubleshoot why a PIV card can't validate. This is a list of tools to help troubleshoot ICAM issues.

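Review bot: `Each certification authority operate independently` in the unchanged context two lines below the heading should read `operates independently`, and `which presents a challenge` wants a comma before it; both are worth folding into this heading pass.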
Expand All @@ -67,7 +67,7 @@ ICAM can leverage a number of open source protocols for interoperability and dat
5. Federation Tools
1. Coming soon!

# Find Additional Guides
## Find Additional Guides

You can find additional guides across agency websites by using a few simple methods:

20 changes: 10 additions & 10 deletions _implement/scl-windows.md
Expand Up @@ -49,7 +49,7 @@ subnav:
</div>
</div>

# Introduction
## Introduction

These Windows Domain configuration guides will help you configure your Windows _network domain_ for smart card logon using PIV credentials.

Expand Down Expand Up @@ -89,7 +89,7 @@ Submit an [Issue]({{site.repourl}}/issues/new){:target="_blank"}{:rel="noopener

<!-- from https://playbooks.idmanagement.gov/piv/network/ports/ is now an internal page link to here(#ports-and-protocols) instead of its own guilde -->

# Step 1 - Network Ports and Protocols
## Step 1 - Network Ports and Protocols

Your workstations, servers, network domain controllers, and applications need to validate the [revocation status]({{site.baseurl}}/university/pki/#revocation-checking) of the PIV certificates and all intermediate certificate authority (CA) certificates. In addition, the [certificate chain]({{site.baseurl}}/university/pki/#establishing-trust) path building may retrieve and download the intermediate CA certificates.

Expand Down Expand Up @@ -163,7 +163,7 @@ To enable communications with these Federal Common Policy Certificate Authority

You should consider allowing two protocols (ports): HTTP (80) and DNS (53). Although the web services for publishing CRLs are not currently served over HTTPS (443), you may want to allow HTTPS (443) to future proof for any expansion.

# Step 2 - Domain Controllers
## Step 2 - Domain Controllers

To use smart cards and PIV credentials for network authentication, all domain controllers need to have domain controller authentication certificates.

Expand Down Expand Up @@ -209,11 +209,11 @@ Collaborate with your CISO or Information Security Office for a definitive answe

If you do have a local enterprise CA, [here are some tips](#step-7---local-certificate-authority).

# Step 3 - Trust Stores
## Step 3 - Trust Stores

Follow [Step 3 - Distribute to Operating System from the distribute FCPCA configuration guide]({{site.baseurl}}/implement/trust-fcpca/#step-2---distribute-to-operating-systems).

# Step 4 - Account Linking
## Step 4 - Account Linking

*Account linking* refers to the process of associating a certificate on a user's PIV credential with their domain account.

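Review bot: the context line `Follow [Step 3 - Distribute to Operating System from the distribute FCPCA configuration guide]({{site.baseurl}}/implement/trust-fcpca/#step-2---distribute-to-operating-systems).` labels the target as Step 3, while both the anchor and the heading shown earlier in this diff (`## Step 2 - Distribute to operating systems`) say Step 2; the link text should say Step 2. Also, the path `/implement/trust-fcpca/` does not match the file edited in this PR (`_implement/distribute-fcpca.md`), so confirm that file's front-matter permalink really is `trust-fcpca`.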
Expand Down Expand Up @@ -373,7 +373,7 @@ It's possible to revert to UPN account linking by removing the registry setting

Use group policy objects or other centralized management options to manage registry options.

# Step 5 - Group Policies and Enforcement
## Step 5 - Group Policies and Enforcement

The U.S. federal government publishes the [United States Government Configuration Baseline (USGCB)](http://usgcb.nist.gov/usgcb_content.html){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} for use by Executive Branch agencies to promote uniform configurations for commonly used operating systems. The USGCB configuration guidelines for specific operating systems include references to some configurations related to smart card (PIV) logon and should be referenced first.

Expand Down Expand Up @@ -429,7 +429,7 @@ These prompts happen when the kerberos ticket lifetime expires and a new authent
You can find additional information on configuring kerberos policies given the following [reference documentation](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}.


# Step 6 - Network Tuning
## Step 6 - Network Tuning

You can tune the network domain settings to help you and your users have a better experience and reduce errors. This section highlights some of the _common_ tuning configurations for network domain logon. There are additional tuning configurations and we encourage you to start with these first and contribute others.

Expand Down Expand Up @@ -473,7 +473,7 @@ By default, Microsoft Windows will retrieve and cache 50 OCSP Responses for any

Source:&nbsp; [Optimizing the Revocation Experience](https://technet.microsoft.com/en-us/library/ee619783%28v=ws.10%29.aspx){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}

# Step 7 - Local Certification Authority
## Step 7 - Local Certification Authority

This page provides some tips for using a local certification authority (CA) to issue a domain controller certificate. This is for local Microsoft CAs. Other platforms may be used and have different procedures.

Expand Down Expand Up @@ -553,7 +553,7 @@ The domain controller(s) certificate must contain valid information. These steps

If successful, you will see a new domain controller certificate in the **_Certificate (Local Computer) -&gt; Personal -&gt; Certificates folder_**. At the **Certificate Template** tab, you will also see a certificate generated with the custom certificate template.

# Step 8 - Authentication Assurance
## Step 8 - Authentication Assurance

When a user authenticates to your network and you've enabled Single Sign-on to applications inside your network domain, you need to know which of these authenticators was used:

Expand Down Expand Up @@ -687,7 +687,7 @@ Use the Windows Registry Editor to set the _AMA Priority_ above _Most Recently I

Refer to the [AMA Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=WS.10).aspx){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} to understand the implementation of AMA.

# Troubleshooting PIV Logon
## Troubleshooting PIV Logon

Within the federal enterprise, Windows smart card logon with a PIV card (PIV logon) is one method to satisfy Federal Information Security Management Act (FISMA) and National Institute of Standards and Technology (NIST) Risk Management Framework security controls for authentication. A PIV card enables Authenticator Assurance Level 3, two-factor authentication to a Windows desktop. Under normal conditions, this system is simple and easy for an end user to use. However, if this logon mechanism breaks, it can be difficult to troubleshoot logon and authentication errors. This page includes common symptoms and suggested steps to diagnose and solve these issues.

14 changes: 7 additions & 7 deletions _implement/whfb.md
Expand Up @@ -62,7 +62,7 @@ The available sign-in options for Windows Hello for Business include:

Biometric data is stored locally on the device, and it is never sent to external devices or servers. As stated previously, authentication occurs via the asymmetric key. Users can delete or remove their biometric information by visiting **Settings** \> **Accounts** \> **Sign-in options.**

# Assumptions
## Assumptions
This playbook assumes that devices are cloud-only and there is no hybrid device configuration with Active Directory. Deploying Windows Hello for Business in a hybrid environment requires configuring Azure AD Connect, Azure AD Kerberos and deploying either a Cloud Trust Device Configuration Profile in Microsoft Intune (Intune), a Key trust deployment in on-premises Active Directory, or a hybrid certificate trust deployment, which requires Active Directory Federated Services (ADFS). Of these three hybrid options, the Cloud Kerberos trust deployment is recommended. More on that here: [Windows Hello for Business cloud Kerberos trust clients configuration and enrollment | Microsoft Learn](https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision?tabs=intune){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}

This playbook assumes that all devices have a TPM 2.0 module that complies with Federal Information Processing Standards (FIPS). All devices should be on Windows 10 version 1709 (or later) or Windows 11. Preferably, all devices should be Windows 10 version 1903 or later.
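Review bot: `## Assumptions` is followed by its paragraph with no blank line (the same pattern appears at `## Prerequisites` in the next hunk), whereas the other headings in this file are padded with blank lines; add one for consistency. Separately, the paragraph names the Intune option `Cloud Trust Device Configuration Profile` and then recommends the `Cloud Kerberos trust deployment`; if these are the same option (the linked Microsoft Learn page is the cloud Kerberos trust one), use one name for it so readers do not count four options instead of three.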
Expand All @@ -72,14 +72,14 @@ This playbook also assumes that:
- Devices are equipped with an infrared camera or fingerprint reader to perform biometric authentication.
- Microsoft Intune (Intune) is the Windows MDM solution.

# Prerequisites
## Prerequisites
Devices must be Azure AD registered at minimum, and it's preferable that devices are Azure AD joined.

Users must have a Microsoft Intune license feature as a stand-alone license or as part of a bundled license (Microsoft 365 E3 for GCC High and Microsoft 365 E5 for GCC High).

It's also preferable that all users have an Azure AD Premium P1 or P2 subscription, which is needed for automatic MDM enrollment when the device joins Azure AD. Azure AD Premium P1 licenses also grant access to Azure AD Multi-Factor Authentication (MFA) through Conditional Access policies.

# Technology and terms
## Technology and terms

[Introduction to device identity and join types](https://learn.microsoft.com/en-us/azure/active-directory/devices/overview){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}

Expand Down Expand Up @@ -122,7 +122,7 @@ Learn more about [hybrid Azure AD joined devices](https://learn.microsoft.com/en

Device management enables organizations to administer and maintain devices, including virtual machines, physical computers, mobile devices, and IoT devices. Microsoft Intune is the mobile device management (MDM) solution for the Microsoft 365 platform.

# Prepare users to use Windows Hello
## Prepare users to use Windows Hello

### Using Windows Hello and biometrics

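Review bot: this hunk is where the demotion visibly repairs the heading hierarchy: `### Using Windows Hello and biometrics` previously sat directly under a `#` heading, skipping H2, and now nests under `## Prepare users to use Windows Hello`. Worth checking the other files touched by this PR for `###` headings that followed the same pattern so that none is left skipping a level after the change.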
Expand Down Expand Up @@ -161,7 +161,7 @@ Suppose you sign in on **Device B** and change your password for your Microsof
5. Sign in with new password.
6. The next time that you sign in, you can select **Sign-in options \> PIN** to resume using your PIN.

# WHfB policy configuration
## WHfB policy configuration

Windows Hello for Business can be enabled multiple ways through Microsoft Intune. The first method is through Windows Device Enrollment. This method can be used for devices that are Azure AD joined but have not yet enrolled in Intune. The second method, Device Configuration Profile, is used for devices already enrolled in Intune.

Expand Down Expand Up @@ -431,7 +431,7 @@ Select **Next** to continue.
![Figure 13: Windows Hello for Business Configuration Profile Completion]({{site.baseurl}}/assets/playbooks/whfb/13-Intune-WHfB-ConfigProfile-review.png)


# WHfB user experience
## WHfB user experience

This section details the user experience for setting up Windows Hello for Business. View the [minimum device requirements for fingerprint and facial recognition sensors.](https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#has-microsoft-set-any-device-requirements-for-windows-hello){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}{:aria-label="The minimum device requirements for fingerprint and facial recognition sensors"}.

Expand Down Expand Up @@ -734,7 +734,7 @@ Security keys also can be used for Windows Hello for Business authentication. Th

View [additional methods for enabling Windows security keys](https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-windows#enable-security-keys-for-windows-sign-in){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}{:aria-label="additional methods for enabling Windows security keys"}.

# Windows Hello for Business FAQs
## Windows Hello for Business FAQs

Some of the most commonly asked questions about WHfB are presented below. View the [full list of common questions](https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-faq){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}{:aria-label="full list of common questions"}.

8 changes: 4 additions & 4 deletions _partners/acquisition-professional.md
Expand Up @@ -22,7 +22,7 @@ Find approved products and services for Federal Identity, Credential, and Access

Other current and planned products and services can be found on the [GSA ICAM Solutions Catalog and GSA ICAM Roadmap]({{site.baseurl}}/icamsolutions/).

# Products
## Products

The FICAM testing program – also known as the [Federal Information Processing Standard 201 (FIPS 201) Evaluation Program]({{site.baseurl}}/fips201ep/) – tests commercial products used in Personal Identity Verification (PIV) credentialing systems, physical access control systems (PACS), and public key infrastructures (PKI). These products are tested and approved to ensure you're buying products that provide value and work well together.

Expand All @@ -40,7 +40,7 @@ A product is removed when it has lost its certification due to security concerns
The FIPS 201 Evaluation Program, in collaboration with the [PACS Modernization Working Group]({{site.baseurl}}/ficam/#icamsc-working-groups){:target="_blank"}, created an operational self-assessment tool. The tool helps PACS implementers assess facility access systems that use PIV credentials. The assessment provides results to show alignment or disparity with FICAM and NIST guidelines.
- [PACS Assessment Toolkit Version 1.0]({{site.baseurl}}/docs/fips201ep-pacs-self-tool.pdf){:target="_blank"}{:rel="noopener noreferrer"}

# Services
## Services

The following organizations offer Identity, Credential, and Access Management services to the federal government. If your organization has a relevant Identity, Credential, or Access Management service, [contact us]({{site.baseurl}}/contact-us/) so we can add it to the list.

Expand All @@ -55,11 +55,11 @@ The following organizations offer Identity, Credential, and Access Management se
- [FPKI Individual Certificate Providers]({{site.baseurl}}/trust-services/#non-government-pki-trust-framework) – Offers small numbers of digital certificates for business organizations and business persons, which are used to digitally sign documents and authenticate to a small number of government applications.
- [Trust Services for Businesses]({{site.baseurl}}/trust-services/#business-identity-services) – Approved identity and credentialing services for businesses, and which the government has approved for federated identity services.

# FedRAMP
## FedRAMP

- The [Federal Risk and Authorization Management Program (FedRAMP)](https://www.fedramp.gov/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} website contains a marketplace with federal workforce and citizen identity products.

# GSA Multiple Award Schedule
## GSA Multiple Award Schedule

GSA Multiple Award Schedule (MAS) provides access to long-term government-wide contracts. These contacts are with commercial firms that offer millions of commercial products and services at volume discount pricing. The MAS provides tools and expertise to shorten acquisition cycles, ensure compliance, and obtain the best value for innovative technology products, services, and solutions.

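Review bot: `These contacts are with commercial firms` in the unchanged context under `## GSA Multiple Award Schedule` should read `These contracts`, given that the preceding sentence is about long-term government-wide contracts; a one-word fix that belongs in this pass.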