Merge pull request #607 from GSA/1004-h1-updates-sprint9
1004-h1-updates-sprint9
JBPayne007 authored Oct 5, 2023
2 parents 5f7a409 + fedaef3 commit 64ff6dc
Showing 16 changed files with 110 additions and 110 deletions.
12 changes: 6 additions & 6 deletions _arch/architecture.md
Expand Up @@ -95,7 +95,7 @@ June 30, 2023 -->
</div>


# Introduction
## Introduction

FICAM is the federal government’s implementation of Identity, Credential, and Access Management (ICAM).
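Review bot: with `# Introduction` demoted to `## Introduction`, the body of architecture.md no longer carries an H1 of its own, which is only correct if the page layout renders the front-matter title as the H1; please confirm the rendered page still has exactly one H1 (the goal of the 1004-h1-updates branch) rather than none.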

Expand Down Expand Up @@ -181,7 +181,7 @@ In 2015, ICAM experts from across the federal government collaborated on an upda

This site contains the current version for the FICAM Architecture. The FICAM Roadmap and Implementation Guidance v2.0 is superseded by both the FICAM Architecture updates and other complementary modernized playbooks developed by ICAM committees across government.

# Goals and Objectives
## Goals and Objectives

The Goals and Objectives identify the aims and outcomes of a federal agency enterprise ICAM program. The goals and objectives align with ICAM functions and map to government-wide policies, cross-agency priorities, and strategic government initiatives.

Expand Down Expand Up @@ -212,7 +212,7 @@ The visual below presents the three goals, each with its own objectives.
- 3.2 Evaluate, rationalize, and migrate to modern, cloud-smart solutions for ICAM services.
- 3.3 Promote interoperability and efficiency across the federal government by buying and building ICAM solutions that use open, commercially adopted standards.

# Services Framework and Service Descriptions
## Services Framework and Service Descriptions

The Services Framework is a tool designed for ICAM program managers and information technology enterprise architects. It identifies the services that provide functionality within the scope of ICAM and assists in distinguishing between business requirements and technical solutions. The services framework includes the five practice areas and services within.

Expand Down Expand Up @@ -413,7 +413,7 @@ The Governance services in the FICAM architecture include Identity Governance, A
| Analytics | Leverage continuous analytics data to identify if someone has entitlements that conflict with access requirements. | Data collection, Monitoring, Review, Data Certification, Auditing and Reporting |
| Mitigation | Correct the problems and address risks, discovered by analysis, that may occur during standard operations. | Redress, Remediation |

# Use Cases
## Use Cases

These use cases are designed for ICAM Enterprise Architects and business owners and describe some of the most common ICAM business processes.

Expand Down Expand Up @@ -801,7 +801,7 @@ You can combine or build upon the ICAM use cases to support your agency’s scen
</div>
<hr>

# Reference Example
## Reference Example

This reference example include sample enterprise ICAM tools (e.g., solutions, applications, and software) aligned with ICAM service areas that illustrate ICAM functionality at an agency. The reference examples are designed for enterprise architects, security engineers, and solution architects to facilitate discussions regarding the technology solutions to integrate with enterprise applications and the business requirements.
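Review bot: unchanged context line `This reference example include sample enterprise ICAM tools` has a subject-verb mismatch; since this hunk already touches the section, change it to `This reference example includes sample enterprise ICAM tools`.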

Expand Down Expand Up @@ -883,7 +883,7 @@ Agency endpoints may include:
- Government cloud email services
- Government facilities

# Policies and Standards
## Policies and Standards

See the [ICAM Policy Matrix]({{site.baseurl}}/university/policymatrix/) for the latest set of ICAM policies and standards.

6 changes: 3 additions & 3 deletions _ficampmo/ficampmo.md
Expand Up @@ -19,13 +19,13 @@ subnav:
href: '#federal-public-key-infrastructure-policy-authority'
---

# Introduction
## Introduction

The GSA Federal ICAM (FICAM) program helps federal agencies plan and manage enterprise identity, credentialing, and access management (ICAM) through collaboration opportunities and guidance on IT policy, standards, implementation, and architecture. Most of the guidance and best practices found on this website are developed through interagency working groups. The FICAM Program is a Federal CIO Council initiative managed by the GSA Office of Government-wide Policy.

The main difference between the GSA OGP FICAM program and an agency ICAM program (including GSA's own enterprise ICAM program) is the GSA OGP FICAM program focuses on government-wide initiatives that support interoperability between organizations.

# Federal Workforce Identity Framework
## Federal Workforce Identity Framework

The FICAM Program governs through a four-part framework for identity federations.
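Review bot: the subnav entry `href: '#federal-public-key-infrastructure-policy-authority'` at the top of this hunk relies on an auto-generated heading id; kramdown derives those ids from the heading text, not the heading level, so demoting the headings should leave the subnav working, but please load the page and confirm each subnav link still scrolls to its section.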

Expand All @@ -51,7 +51,7 @@ Through this four-part framework, the GSA FICAM Program leads or coordinates the
1. [FIPS 201 Evaluation Program]({{site.baseurl}}/fips201ep/) - Tests and certify services and commercial products used in PIV credentialing systems and physical access control systems.
2. [Federal PKI Annual Review Process]({{site.baseurl}}/fpki/#annual-review-requirements-for-all-certification-authorities) - Independent compliance audit requirement and schedule of Federal PKI Certification Authorities.

# ICAM Governance Bodies
## ICAM Governance Bodies

The GSA FICAM Program coordinates and oversees governmentwide ICAM initiatives as directed by the Federal CISO Council and the Office of Management and Budget. It accomplishes this mission through various governance bodies outlined below.
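Review bot: context line `Tests and certify services and commercial products used in PIV credentialing systems` should read `Tests and certifies services and commercial products ...`; worth fixing while this section is being edited.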

4 changes: 2 additions & 2 deletions _ficampmo/fips201ep.md
Expand Up @@ -97,7 +97,7 @@ Review the testing agreements, and sign and submit the appropriate agreement wit
- [Approved Product List Application Guidance Document (PDF, April 2022)]({{site.baseurl}}/docs/fips201ep-Application-guidance.pdf){:target="_blank"}{:rel="noopener noreferrer"} – Provides a checklist of which documents are required when submitting a new or upgraded solution.
- [Removed Products List (RPL) Process Document (PDF, April 2022)]({{site.baseurl}}/docs/fips201ep-rplprocess.pdf){:target="_blank"}{:rel="noopener noreferrer"} – If your product has been removed from the APL, review this document for the procedures.

# Personal Identity Verification Credentials
## Personal Identity Verification Credentials

- [Annual PIV Credential Issuer (PCI) Testing Application Form (PDF, February 2020)]({{site.baseurl}}/docs/fips201ep-pcitestform.pdf){:target="_blank"}{:rel="noopener noreferrer"} – If you are an agency or organization applying for your Annual Review Audit for the Federal Public Key Infrastructure (FPKI), submit this form to fips201ep at gsa.gov; two testing options are available:
- In-person Lab Testing - testing organizations can provide available dates and times to visit the GSA FIPS 201 lab when sending in their application form, or
Expand All @@ -124,7 +124,7 @@ Agencies that wish to issue D-PIV credentials should follow these steps:

Upon successful completion of DPCI testing, the agency or organization will be granted approval to issue D-PIV credentials.

# Physical Access Control System
## Physical Access Control System

GSA tests and validates the interoperability of PIV and CAC credentials with the software and hardware used to restrict physical access to government facilities.

12 changes: 6 additions & 6 deletions _ficampmo/fpki.md
Expand Up @@ -32,7 +32,7 @@ This page contains information to help Federal Public Key Infrastructure (FPKI)

For any questions, please contact fpki at gsa.gov.

# Federal PKI Policies and Profiles
## Federal PKI Policies and Profiles

The Federal Public Key Infrastructure (FPKI) provides the government with a trust framework and infrastructure to administer digital certificates and public-private key pairs. For more information on the FPKI, PIV, and PIV-I visit the following links:
- [FPKI 101]({{site.baseurl}}/university/fpki/)
Expand All @@ -56,7 +56,7 @@ The FPKI has the following supplementary guidance:
- [Archived copies of Certificate Polices, Profiles, and other FPKI-related documents]({{site.baseurl}}/fpki/#federal-pki-document-archive) - This pages contains three years of FPKI-related documents.


# Annual Review Requirements for All Certification Authorities
## Annual Review Requirements for All Certification Authorities

Independent compliance audits are the primary way that the Federal Public Key Infrastructure Policy Authority (FPKIPA) ensures that entities participating in the FPKI comply with the requirements identified in the appropriate Certificate Policies (CPs). Audits are an important component of the Annual Review Requirements.
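Review bot: context line `This pages contains three years of FPKI-related documents` should be `This page contains three years of FPKI-related documents`.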

Expand Down Expand Up @@ -92,7 +92,7 @@ Audits are required annually for supporting functions and elements of each entit
| WidePoint NFI | Affiliate PKI | May 31 |
| WidePoint SSP | SSP | May 31 |

# Compliance Test Tools for Annual Reviews
## Compliance Test Tools for Annual Reviews

The FPKI Program support two remote PIV, PIV-I and digital certificate test tools to support FPKI annual reviews.
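Review bot: `The FPKI Program support two remote PIV, PIV-I and digital certificate test tools` should read `The FPKI Program supports two remote PIV, PIV-I and digital certificate test tools`.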

Expand All @@ -119,7 +119,7 @@ If you are running the Card Conformance Tool as part of the annual requirement t

{% include alert-warning.html heading="Note" content="Failure to submit a complete CCT Package may delay review of your testing results and completion of your annual FPKI PIV/PIV-I testing requirement." %}

# Audit Information for the FPKI Management Authority
## Audit Information for the FPKI Management Authority

This section contains information on audits performed on the Federal Common Policy Certification Authority and the Federal Bridge Certification Authority.

Expand All @@ -132,7 +132,7 @@ The FPKIMA Certification Practice Statement (CPS) documents the operational prac
- [U.S. FPKI Audit Letter of Compliance (PDF, September 2022)]({{site.baseurl}}/docs/fpki-fpkima-audit-letter.pdf){:target="_blank"}{:rel="noopener noreferrer"} – Results of the 2020-2021 Compliance Audit for the FPKI Trust Infrastructure Systems.
- [FPKI Trust Infrastructure “HTTP.FPKI.Gov” URL Site Map (PDF, September 2022)]({{site.baseurl}}/docs/fpki-fpkima-sitemap.pdf){:target="_blank"}{:rel="noopener noreferrer"}

# Report an Incident
## Report an Incident
FPKI affiliates include federal agencies and commercial service providers operating a certification authority certified by the Federal PKI Policy Authority. FPKI affiliate responsibilities related to the incident management process include:
1. Communicating security incidents involving infrastructures or services to the FPKI Authorities, users/customers, and known relying parties.
2. Providing additional investigation support and/or information about incidents to the FPKI Authorities as they become known, and
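Review bot: `## Report an Incident` is followed directly by its paragraph with no blank line, unlike every other heading in this file; add one for consistency and so that all Markdown renderers treat the heading and the paragraph as separate blocks.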
Expand Down Expand Up @@ -210,7 +210,7 @@ Repository availability is an uptime metric for Certificate Revocation List avai
| Verizon SSP CA A2 | FCPCA | 100 |
| WidePoint ORC SSP 5 | FCPCA | 100 | -->

# Federal PKI Document Archive
## Federal PKI Document Archive

{% assign categories = "" | split: "" %}
{% for docs in site.data.fpkidocs %}
8 changes: 4 additions & 4 deletions _implement/fpki_notifications.md
Expand Up @@ -31,7 +31,7 @@ This page contains information that is helpful in identifying changes in the Fed
3. [PIV Issuer Information](#piv-issuer-information) - List of active PIV issuing CAs with end entity certificate distribution points.
4. [FPKI System Change and Notification](#notifications) - List of changes to FPKI CA endpoint URL such as Certificate Revocation List Distribution Points, Online Certificate Status Protocol (OCSP) endpoints and other CA certificate activity.

# FPKI Announcements
## FPKI Announcements

These announcements and hot topics concern Federal Public Key Infrastructure changes that may affect your agency's operations. Announcements are removed after three years.
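Review bot: the in-page link `[FPKI System Change and Notification](#notifications)` targets an anchor that does not match the heading it describes (`FPKI System Changes and Notifications`, whose auto-generated id would be `#fpki-system-changes-and-notifications`); if `#notifications` depends on an explicit id or HTML anchor elsewhere in the file, please confirm it survives the heading change, and consider aligning the link text with the heading (`Changes and Notifications`).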

Expand All @@ -57,7 +57,7 @@ These announcements and hot topics concern Federal Public Key Infrastructure cha
</tbody>
</table>

# FPKI Graph
## FPKI Graph

<link rel="stylesheet" type="text/css" href="{{ site.baseurl }}/assets/css/gexfjs.css" />
<link rel="stylesheet" type="text/css" href="{{ site.baseurl }}/assets/css/jquery-ui-1.13.min.css" />
Expand Down Expand Up @@ -106,7 +106,7 @@ Most CA certificates will also have an SIA extension with a URI to the CA certif

The FPKI Graph was built by using the same tools and code as the [Berkley ICSI SSL Notary](https://www.icsi.berkeley.edu/icsi/node/5065){:target="_blank"}{:rel="noopener noreferrer"}.
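Review bot: `Berkley ICSI SSL Notary` should be `Berkeley ICSI SSL Notary`, matching the linked icsi.berkeley.edu domain.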

# PIV Issuer Information
## PIV Issuer Information

{% assign branches = "" | split: "" %}
{% for piv in site.data.fpkicustomers %}
Expand Down Expand Up @@ -642,7 +642,7 @@ These CA certificates have issued PIV, PIV-I and/or Derived PIV authentication c
- SHA-1 Hash: dc5b590800765864587902af983c21a7209be320
- CRL DP: [http://onsite-crl.pki.digicert.com/USDepartmentofTransportationFAAPIVG4/LatestCRL.crl](http://onsite-crl.pki.digicert.com/USDepartmentofTransportationFAAPIVG4/LatestCRL.crl){:target="_blank"}{:rel="noopener noreferrer"}

# FPKI System Changes and Notifications
## FPKI System Changes and Notifications

This page lists the changes to certification authorities and supporting systems operating within the Federal PKI community.

12 changes: 6 additions & 6 deletions _playbooks/playbook-cloud.md
Expand Up @@ -95,7 +95,7 @@ This playbook is a collaboration between the Federal Chief Information Security
| 1.1 | 10/11/22 | Updated federation section for trust framework examples. |
| 1.0 | 01/20/22 | Initial draft. | -->

# Executive Summary
## Executive Summary

This Cloud Identity Playbook is a practical guide to assist federal agencies as they start to or further expand the use of workforce Identity, Credential, and Access Management (ICAM) services in a cloud operating model. Workforce identities are digital identities or accounts owned and managed by the agency, including employees and contractors. The most common Cloud Identity example is Identity as a Service (IDaaS). An IDaaS is typically an Identity Provider that offers Single Sign-on, multifactor authentication, and directory services in a single platform as a core set. It also may provide additional features.

Expand Down Expand Up @@ -149,7 +149,7 @@ The primary audience for this playbook is agency Identity, Credential, and Acces
The Cloud Identity Working Group of the Federal Chief Information Security Officer Council ICAM Subcommittee, in collaboration with the Federal Chief Information Officer Council Cloud & Infrastructure Community of Practice, developed this playbook. U.S. Federal Executive Branch agencies can use this playbook to plan Cloud Identity services related to the [FICAM Architecture Services Framework]({{site.baseurl}}/arch/#services-framework-and-service-descriptions){:target="_blank"}{:rel="noopener noreferrer"}. This playbook is not official policy or mandated action, and it does not provide authoritative information technology terms. It includes best practices to supplement existing federal policies and builds upon [Executive Order 14028](https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}, [Office of Management and Budget Memorandum M-19-17](https://www.whitehouse.gov/wp-content/uploads/2019/05/M-19-17.pdf){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}, and existing Federal ICAM (FICAM) guidance and playbooks. Subject areas with intersecting scopes, such as cloud operating models, Federal Risk and Authorization Management Program (FedRAMP), and enterprise governance, are considered only to the extent that they relate to ICAM services delivered in a cloud service model. Privileged access management (e.g., superusers, domain administrators) is outside the scope of this playbook.


# Cloud Identity 101
## Cloud Identity 101

Identity is foundational to security both on-premises and within cloud environments. It is the first touchpoint to access data and impact user experience. In cloud environments, application access acts as a perimeter to protect applications and workloads. Traditionally, network-based defenses perform this function. In this playbook, on-premises refers to an agency operating identity services on agency-owned and -maintained infrastructure.

Expand Down Expand Up @@ -179,7 +179,7 @@ The adoption of cloud services adds challenges. Cloud services operate on a shar

See the [Data Center and Cloud OptimizationInitiative Cloud Strategy Guide](https://community.max.gov/display/Egov/Agency%2BIT%2BModernization%3A%2BEducational%2BResources%2BBuilding%2BBlocks){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} for a holistic cloud strategy. Additionally, read the [OMB Cloud Smart Strategy](https://cloud.cio.gov/strategy/){:target="_blank"}{:rel="noopener noreferrer"} to understand the federal government's overarching strategic guidance on cloud adoption.
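Review bot: link text `Data Center and Cloud OptimizationInitiative Cloud Strategy Guide` is missing a space; it should read `Data Center and Cloud Optimization Initiative Cloud Strategy Guide`.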

# Cloud Identity Journey Steps
## Cloud Identity Journey Steps

Any journey has a map, but not all are the same. Use these four steps to plan your Cloud Identity Journey. Your agency may already support and encourage cloud services while others do not.

Expand Down Expand Up @@ -514,7 +514,7 @@ IDaaS products may vary in configuration and operation. This section provides te
5. Testing.
4. **Test and Implement Workflow.** After finding an optimal workflow, it is time to test and implement it. If possible, test in a non-production environment. If testing is only available in production, limit the impact to a small community of users or a non-mission critical task.

# Emerging Topics
## Emerging Topics

The Cloud Identity Working Group discussed two emerging topics: Cloud Infrastructure Entitlement Management and DevSecOps Identity.

Expand All @@ -541,7 +541,7 @@ Since the goal of the DevOps team is to get software operating in production qui

See the [GSA Guide](https://tech.gsa.gov/guides/dev_sec_ops_guide/){:target="_blank"}{:rel="noopener noreferrer"} on DevSecOps for more information.

# Appendix A. Policies, Standards, and Guidance
## Appendix A. Policies, Standards, and Guidance

## Policies
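Review bot: demoting `# Appendix A. Policies, Standards, and Guidance` to `##` places it at the same level as the `## Policies` subsection directly beneath it, so `Policies` (and presumably the `Standards` and `Guidance` subsections further down) no longer nest under the appendix; demote those subsections to `###` in the same change, and check the other demoted headings in this file for the same collapse.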

Expand Down Expand Up @@ -578,7 +578,7 @@ See the [GSA Guide](https://tech.gsa.gov/guides/dev_sec_ops_guide/){:target="_bl
16. [Open Authorization (OAuth)](https://oauth.net/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
17. [System for Cross-Domain Identity Management (SCIM)](https://scim.cloud){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}

# Appendix B. Acronyms
## Appendix B. Acronyms

| Acronym | Definition |
| --- | --- |