The Department of Homeland Security (DHS) is establishing what it calls the DHS Trusted Identity Exchange (TIE) in coordination with DHS components to “fill a major gap” in the department’s current ability to effectively control and manage identity, credential and access-management data (DHS ICAM data) about DHS employees and contractors.
TIE is a privacy-enhancing DHS Enterprise Service that enables and manages the digital flow of identity, credential and access-management data for DHS employees and contractors. It does so by establishing connections to various internal authoritative data sources and provides a secure, digital interface to other internal DHS consuming applications.
According to DHS, “TIE is a key enabler to many important DHS initiatives, including the DHS Data Framework, fine-grain authorization (known as Attribute Based Access Control), Personal Identity Verification (PIV) Smart Card usage and Single Sign-On (SSO).”
The TIE program is being managed by DHS’s Office of the Chief Information Officer (OCIO) Information Sharing Environment Office (ISEO) Identity, Credential, & Access Management Program Management Office (ICAM PMO) at DHS headquarters.
According to the TIE Privacy Impact Assessment — required because TIE accesses and disseminates personally identifiable information (PII) — “Every internal DHS system, or ‘consuming’ application, uses a unique collection of the user’s digital identity and credential data to manage access to protected resources, such as federally managed facilities, information systems and data.”
Consequently, a “consuming application is any DHS system that requires some form of identity, credential and access-management data in order to grant logical or physical access to a DHS protected resource. Consuming applications may range from a physical building door reader to a computer connected to the DHS network, or to any application that resides on the DHS technical environment.”
According to the TIE PIA, “Digital identity data is often described as either ‘account’ or ‘entitlement’ information. Account information is used to authenticate (i.e., log-on) end users to verify they are who they say they are, and entitlement information is used to authorize the actions each user is allowed to perform on a given system. Individual components of a user’s digital identity, called data attributes, reside in multiple systems across the enterprise, called ‘authoritative source’ systems. Each data attribute resides in an authoritative source system, and may include personally identifiable information.”
According to the PIA, “The technology behind TIE is essentially a virtual directory. TIE establishes secure connections with authoritative systems, and then generates a secure, composite ‘view’ of data attributes based on a combination of data fields from the source systems. TIE then provides these composite views to the consuming applications in a variety of system-to-system interfaces.”
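The following is an added illustration, not DHS code, of the virtual-directory pattern the PIA describes: each attribute has one authoritative source, and each consuming application receives only the composite view it is permitted to see. The source systems, attribute names, consuming-application names and person record are all constructed sample data.

```python
"""Toy virtual-directory view composer (constructed example, not TIE code)."""

# Constructed authoritative sources, keyed by a common person identifier.
# The PIV store also holds a stale copy of "surname" to show that only the
# authoritative owner of an attribute is ever consulted.
HR_SYSTEM = {"e1001": {"givenName": "Alex", "surname": "Rivera",
                       "component": "CISA", "employeeType": "contractor",
                       "ssn": "000-00-0000"}}          # placeholder PII
PIV_SYSTEM = {"e1001": {"pivUpn": "e1001@example.invalid",
                        "cardStatus": "active", "surname": "Rivero"}}
ENTITLEMENTS = {"e1001": {"roles": ["analyst"], "clearance": "secret"}}

# Exactly one authoritative source per attribute.
AUTHORITY = {
    "givenName": HR_SYSTEM, "surname": HR_SYSTEM, "component": HR_SYSTEM,
    "employeeType": HR_SYSTEM, "ssn": HR_SYSTEM,
    "pivUpn": PIV_SYSTEM, "cardStatus": PIV_SYSTEM,
    "roles": ENTITLEMENTS, "clearance": ENTITLEMENTS,
}

# Per-consuming-application allowlists: the "unique collection" of
# attributes each application needs, and nothing more (hypothetical names).
VIEWS = {
    "door-reader": {"givenName", "surname", "cardStatus"},
    "sso-gateway": {"givenName", "surname", "pivUpn", "cardStatus", "component"},
    "abac-pdp": {"component", "employeeType", "roles", "clearance"},
}


class ViewNotAuthorized(Exception):
    """Raised when an unregistered application asks for a view."""


def compose_view(person_id, consumer):
    """Build the composite view for `consumer` from authoritative sources only.

    Attributes outside the consumer's allowlist (e.g. ssn) are never read,
    so an over-broad query cannot leak them to that application.
    """
    if consumer not in VIEWS:
        raise ViewNotAuthorized(consumer)
    view = {}
    for attr in sorted(VIEWS[consumer]):
        record = AUTHORITY[attr].get(person_id, {})
        if attr in record:
            view[attr] = record[attr]
    return view
```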