
TSCP Early Work on Trust Framework Agreement

Developing a Flexible Trust Agreement

PAGE 1 | TSCP

Early TSCP Work on Bilateral Trust Framework Agreement

• TSCP started the concept of the flexible trust agreement with a bilateral agreement that its members were interested in using between themselves


• Flexibility to change technical requirements without changing the business and legal terms of the agreement was a key need of the parties

• Flexibility is achieved by putting the technical requirements in an Appendix which the parties can change over time

• Greg Roecker will discuss this work later this afternoon

TSCP Work on Multilateral Agreement

• Once the Bilateral Agreement was sent to the members for their consideration, TSCP began work on a Multilateral Agreement

• The Multilateral Agreement allows a matrix of technical requirements that fosters trust amongst parties at varying levels of assurance with flexibility to bolster trust through the use of attributes


Critical Infrastructure – All Hazards Consortium

Developing a Flexible Data Sharing Trust Agreement


DHS Contract – Agreement for Data Sharing By Use Cases

• Use Case #1 - Regional Fleet Movement
  – Provider:
    • Electric Sector Regional Mutual Assistance Groups (RMAGs)
  – Consumers:
    • Specific private and public sector members of the FWG and EC3 work groups
  – Level of Assurance: Minimum LoA 2 for read access
  – Process: Use username/password or PIV-I cards on TSCP portal
  – Results
    • Draft agreement
    • Demo PIV-I Cards
    • Educate to build trust


Focus On Use Cases

• Use Case #2 - Access to Open/Closed Data App
  – Provider:
    • Hughes Network System’s Satellite Dish Status Database
  – Consumers:
    • Specific private and public sector members of the FWG and EC3 work groups
  – Level of Assurance: LoA 4
  – Process: Use PIV-I cards on TSCP portal to link to Hughes Data Portal on FWG site
  – Results
    • Provide regional/national situation awareness on private sector businesses
    • Demo PIV-I Cards
    • Educate to build trust

• Tom Moran will discuss this in more detail

Scope of Trust for Data Sharing


• The TSCP Trust Framework provides a set of rules around identity & access management

• Some rules are imposed technically and others by policy (i.e., by agreement)

• By following the rules, parties are able to create a trusted environment where the information is shared with only vetted and authorized individuals who have agreed to the limitations on use of data specified in the agreement

• Again, some limitations can be controlled technically and others by the agreement

From the Critical Infrastructure agreement:

Scope of the Trust. The Parties to this agreement intend to voluntarily facilitate the sharing of certain critical information for operational purposes only during periods of emergency response, e.g. information concerning where there is available gas, working ATMs, hotels, where supplies can be obtained. Controlling access to the shared information is of paramount concern to the Parties because of the nature of the data and the limitations on use. Data will be shared for the agreed use cases specified in Appendix A of this Agreement. The Transglobal Secure Collaboration Participation, Inc. (TSCP) has developed a Federation Trust Framework that includes an information labeling and handling specification that the Parties desire to leverage to achieve their data sharing objectives. Relying on the requirements of TSCP’s Federation Trust Framework infrastructure and the terms of this Agreement, authorized users of the TSCP Secure Information Sharing Environment (SISE), a cloud-based situational data repository, are able to share and access data. Access to data is limited by the controls and restrictions applied to the data by policy. Specifically, data is uploaded and used solely to support operational need during regional emergency response. The system allows for:

• Multi-layered Identity Authentication of users accessing the system with trusted credentials;
• Policy labeling of data by users based on the type of data uploaded;
• Enforced access control (upload, edit, view, download) to data based on the policy labels applied to data; and
• a single sign-on cloud environment.

Status of the Critical Infrastructure Agreement


• Agreement covers all aspects of governance - business, technical, legal, and policy

• But the minimum technical requirements are included in an Appendix, which can be changed without changing the rest of the agreement, allowing maximum flexibility

• Use Cases are also in an Appendix to the agreement so the parties can add use cases without changing the rest of the agreement

• TSCP has been working on the agreement between AHC, TSCP and Data Consumers (an Appendix to the Data Provider Agreement)

• The Agreement is modeled on the AHC agreements in place today, but it imposes the TSCP Trust Framework to increase the identity assurance and access management rules and so increase the trust

NSTIC Pilots

Changing Paradigms


NSTIC Grant – Challenges to Sharing Information and Lessons Learned

• TSCP explored an agreement for the use of employer-issued trusted identity credentials for employee personal transactions

• While there was serious interest, resistance to changing the current legal and privacy paradigms was an impediment to near-term success
  – Employer permission for use
  – Distinguishing personal vs. professional use
  – Managing personal information


Questions?

TSCP Inc.

Keith Ward | President and CEO
8000 Towers Crescent Drive, Suite 1350, Vienna, VA 22182
(M): (703) 945-9875 | (F): (703) 760-7899 | www.tscp.org

Steve Race | Vice President Operations
8000 Towers Crescent Drive, Suite 1350, Vienna, VA 22182
(M): (703) 980-8915 | (F): (703) 760-7899 | www.tscp.org

Shauna Russell, CIPP/US | Vice President for Legal, Privacy, and Policy
8000 Towers Crescent Drive, Suite 1350, Vienna, VA 22182
(M): (202) 769-9114 | (F): (703) 760-7899 | www.tscp.org