

Date: Tuesday, 17 Nov 2009 15:19

Author: "FIPS 201 Administrator" Tags: "News, Multimedia"
Date: Tuesday, 17 Nov 2009 14:41

Entrust Inc. will provide the unified security infrastructure for the U.S. Department of Homeland Security. This agreement helps DHS enable cost-savings, meet HSPD-12 requirements, encrypt communications and data, and deploy secure credentials for both physical and logical access.

Facilitated by partner XTec Inc., who is the HSPD-12 solution provider for DHS, the Entrust deployment will provide PKI services and digital certificates for all DHS components and their employees. The two-year implementation will leverage Entrust’s PKI architecture, Entrust Authority, as well as Entrust Entelligence Security Provider and XTec’s AuthentX platform for the management and secure distribution of the agency’s internal digital certificates. These certificates will provide DHS proven smart card login, network authentication, as well as encryption for e-mail and desktop environments.

Entrust’s PKI solution has been implemented to perform security tasks in various U.S. federal agencies, including the U.S. Department of State for e-passports and the shared service provider PKI for the U.S. Department of Treasury. Entrust’s hosted PKI service is also identified by the U.S. General Services Administration as an approved shared service provider for use within federal environments.

Additional state and federal PKI deployments include the State of Illinois, State of Virginia, the Departments of Energy and Justice, NASA, the Government Printing Office, U.S. Department of Labor, U.S. Patent and Trademark Office and the Federal Bureau of Investigation.

XTec provides the experience to help federal agencies deploy solutions to comply with HSPD-12 and PIV requirements, as defined in FIPS 201 and related NIST standards. The specific solution, XTec’s AuthentX Identity Management System, includes components for an HSPD-12 PIV II solution.

Author: "FIPS 201 Administrator" Tags: "News"
Date: Tuesday, 10 Nov 2009 20:50

Codebench Inc., a provider of TWIC/HSPD-12/FIPS-201 authentication software, announced that its Server-based Certificate Verification Protocol client is now listed on the General Services Administration Approved Product List (APL).

The use of Server-based Certificate Verification Protocol as part of a FIPS 201-compliant physical access control solution improves the credential validation process by simplifying the certificate path discovery between the client and multiple certificate validation authorities.

This is especially important in a situation where PIV cards from multiple agencies need to be validated at a variety of different facilities.

Codebench’s PIVCheck software suite is a card validation and PACS registration solution for HSPD-12 compliance. Its desktop and mobile clients verify PIV, TWIC, Next Gen CAC and CAC cards, matching the cardholder’s stored biometric against a live sample and validating the card’s digital certificates. For all FIPS 201 credentials, the CHUID signature is verified and the card is authenticated using the PKI or CAK authentication protocol.
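The validation sequence this announcement describes (verify the CHUID signature, then check the credential is still valid) in miniature, as an added example written for this page and not code from Codebench or any other vendor: a Go program with a constructed, simplified CHUID model. It uses the SP 800-73 tag numbers for the FASC-N, expiration date and issuer signature elements, but single-byte lengths and a raw ECDSA signature in place of the real BER-TLV and CMS encodings, and it assumes the validating client has already obtained a trusted issuer public key; certificate path discovery (the step SCVP offloads to a server) and revocation checking are not shown.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"time"
)

// Tag numbers follow the CHUID data elements in NIST SP 800-73 (FASC-N,
// expiration date, issuer asymmetric signature). The encoding is a constructed,
// simplified model: single-byte lengths, values under 128 bytes, raw ECDSA signature.
const tagFASCN, tagExpiration, tagSignature byte = 0x30, 0x35, 0x3E

// CHUID holds the parsed elements plus the exact bytes the signature covers.
type CHUID struct {
	FASCN, Signature []byte
	Expiration       string // YYYYMMDD
	signed           []byte
}

// GenerateIssuerKey stands in for the issuing authority's signing key (assumed trusted).
func GenerateIssuerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// putTLV appends one tag-length-value element (callers keep len(v) < 128).
func putTLV(buf *bytes.Buffer, tag byte, v []byte) {
	buf.Write(append([]byte{tag, byte(len(v))}, v...))
}

// BuildCHUID is the issuer side: encode the elements, sign them, append the signature.
func BuildCHUID(issuer *ecdsa.PrivateKey, fascn []byte, expiration string) ([]byte, error) {
	if len(fascn) >= 128 || len(expiration) != 8 {
		return nil, errors.New("bad FASC-N length or expiration format")
	}
	var buf bytes.Buffer
	putTLV(&buf, tagFASCN, fascn)
	putTLV(&buf, tagExpiration, []byte(expiration))
	digest := sha256.Sum256(buf.Bytes())
	sig, err := ecdsa.SignASN1(rand.Reader, issuer, digest[:]) // DER, at most 72 bytes for P-256
	if err != nil {
		return nil, err
	}
	putTLV(&buf, tagSignature, sig)
	return buf.Bytes(), nil
}

// ParseCHUID walks the TLV sequence, rejecting truncated input and any element
// placed after the signature (it would not be covered by the signature).
func ParseCHUID(data []byte) (*CHUID, error) {
	c := &CHUID{}
	for i := 0; i < len(data); {
		if i+2 > len(data) || data[i+1] >= 128 {
			return nil, errors.New("truncated or unsupported TLV header")
		}
		tag, l := data[i], int(data[i+1])
		if i+2+l > len(data) || c.signed != nil {
			return nil, errors.New("truncated value or element after signature")
		}
		switch v := data[i+2 : i+2+l]; tag {
		case tagFASCN:
			c.FASCN = v
		case tagExpiration:
			c.Expiration = string(v)
		case tagSignature:
			c.signed, c.Signature = data[:i], v
		}
		i += 2 + l
	}
	return c, nil
}

// ValidateCHUID does what a validation client does before trusting the card's identifier:
// verify the issuer signature with an already-trusted key, then check the expiration date.
func ValidateCHUID(data []byte, issuer *ecdsa.PublicKey, now time.Time) (*CHUID, error) {
	c, err := ParseCHUID(data)
	if err != nil {
		return nil, err
	}
	if len(c.Signature) == 0 || len(c.FASCN) == 0 || c.Expiration == "" {
		return nil, errors.New("CHUID is missing a required element")
	}
	digest := sha256.Sum256(c.signed)
	if !ecdsa.VerifyASN1(issuer, digest[:], c.Signature) {
		return nil, errors.New("CHUID signature does not verify")
	}
	exp, err := time.ParseInLocation("20060102", c.Expiration, time.UTC)
	if err != nil {
		return nil, errors.New("malformed expiration date")
	}
	if !now.Before(exp.AddDate(0, 0, 1)) { // valid through the end of that day
		return nil, errors.New("credential has expired")
	}
	return c, nil
}
```

ValidateCHUID rejects a tampered FASC-N, a card signed by a key other than the trusted issuer's, a truncated object and a credential past its expiration date, and ParseCHUID refuses any data element that follows the signature, since such an element is not covered by it. In a real deployment the issuer key comes from a certificate chain validated up to a trusted anchor, which is where a physical access control system gains or loses its assurance level.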

Author: "FIPS 201 Administrator" Tags: "News"
Date: Thursday, 05 Nov 2009 16:43

atsec information security announced it has performed the first PIV middleware validation testing under the NIST PIV Program against the recently released SP 800-73-2, Interfaces for Personal Identity Verification.

The certificate for the successful validation – of the charismathics Smart Security Interface PIV, Version 2.1.0.9 (certificate no. 12) – was issued Oct. 23 and can be found on the middleware validation list on the NPIVP website.

“atsec succeeded in completing the first PIV middleware validation testing according to NIST’s SP 800-73-2. Being the first laboratory to work under this new standard carries a lot of challenges and hidden costs resulting from the changes in the scope of testing and the corresponding tools,” said Apostol Vassilev, laboratory manager for atsec’s CST lab. “We were able not only to deliver a great return on investment to our client but also to support NIST in improving the overall validation process for the SP 800-73-2 standard.”

The new special publication is an updated technical specification for PIV cards that are being phased in by U.S. agencies for use by their employees and contractors and is the first major update since 2006.

Author: "FIPS 201 Administrator" Tags: "News"
Date: Monday, 02 Nov 2009 16:09

By Zack Martin, Editor, Avisian Publications

There’s been a lot of discussion about using the Personal Identity Verification credential outside of the federal government. First responders are the biggest group to discuss issuance of an interoperable credential, but other jurisdictions also want to issue the ID to employees.

The problem was that the PIV/FIPS 201 specification was for federal employees and contractors and didn’t translate seamlessly to other areas. One of the primary differences is the required identity vetting processes, but there were some technical challenges too. This changed in May when a new Personal Identity Verification Interoperability For Non-Federal Issuers standard was released.

The new specification enables states and others to issue interoperable PIV credentials and clears up any concern that states could start issuing credentials to one standard and then have it changed. “States and others felt that without clear guidance they were at risk because if the specification changed they would have to redo things,” says John Bys, executive vice president at CoreStreet. “This wipes that fear away.”

CoreStreet is working with a number of states and first responders on PIV I projects, Bys says. Colorado, Hawaii and Illinois are starting to issue credentials along with Washington DC.

Colorado invokes a two-tiered credential system

Colorado will use the PIV I spec but will also have another tier of credentials for first responders, says Micheline Casey, director of identity management at Colorado’s Office of Information Technology. The state wanted to be interoperable with the federal government and U.S. Department of Defense because it has the second largest concentration of federal government employees and military installations in the country.

But Colorado’s governance poses an interesting challenge. The state is a commonwealth and it cannot force local jurisdictions to use a specific technology, says Casey, stressing that the local government must choose to adopt it. When the state first decided it wanted to go with a FIPS 201 credential the Information Technology Office spent nine months working with different groups across the state reviewing policy and standards before coming to an agreement.

“Those local agencies are the ultimate determining factor in how it will be used,” Casey says. “A lot of this is monetary-based. When they are able to replace existing physical access control systems with FIPS 201 products they may. We are a very rural state and have a lot of volunteer forces that don’t have a lot of money to do this sort of thing.”

Because some of these smaller agencies don’t have the funds, the state is recommending that first responders issue one of two credentials, Casey says. One will use the PIV I spec that will have a contact and contactless smart card chip. The other will use a two-dimensional bar code, Casey says.

Both credentials will include the bar code but the smart card will be issued to the first responders who cross jurisdictions while the other ID will be distributed to those who do not, Casey says. The non-PIV cards will be able to be validated using the bar code, which will act as a pointer to information stored in a database.

The North Central Region around Denver will be the first of Colorado’s nine regional homeland security areas to issue credentials, Casey says. While the credential will be a statewide ID, it will also serve as an employee ID badge for access where agencies have a physical access control system in place.

Areas are also looking at uses beyond the typical first responder applications, Casey says. There’s a city that hosts a major music festival in July and first responders from other jurisdictions help staff the event. The city hosting the event reimburses the other areas for staff time and hours will be logged using the first responder credential.

DC to badge city workers as well as first responders

Washington D.C. wants to issue first responder credentials too, but the district may take it a step further and issue IDs to city workers as well, says Chris Wiley, Washington D.C.’s chief technology officer. They are calling the proposed credential the DC One Card.

The district is taking a similar approach to Colorado, issuing different tier credentials to different employees, Wiley says. The primary difference is that all the DC One cards will be smart cards and the cards will be issued to city employees as well as first responders.

The district is planning to issue the cards to 5,000 first responders and then possibly add 10,000 to 20,000 city employees over the next couple of years, Wiley says.

One tier will follow the PIV I specification with third-party verification of identity, Wiley says. “PIV I will be important for us,” he says. “We don’t have to reinvent the wheel, look to those types of standards and it saves us a lot of energy.” The other will be a card that’s issued by the city agency and goes to city employees who need smart cards to bridge the physical and logical worlds.

Wiley has been working with the first responder program in Washington to set up the back-end system, but he is also thinking ahead to how city employees will use it.

The first application Washington will enable with the smart cards is single sign-on, Wiley says. The card will be a second factor of authentication that enables access to the different applications an employee uses. File encryption and email digital signatures will be the next applications the district considers after single-sign on.

Anticipating the use of smart cards Wiley has already been purchasing laptops that have built in smart card readers. On the physical access control side, he has been working with the district’s property managers to install dual proximity and contactless smart card physical access control readers as older readers are phased out.

From its inception, the DC One Card also was expected to serve as the employees’ transit card for the Washington’s Metro public transportation system. “One of the clearest benefits to this is having a Metro card built in,” Wiley says.

Unfortunately, this has held up the project because the Metro uses a proprietary contactless technology from fare collection system operator Cubic. It’s been difficult to get the Cubic chip put into a card with the other smart card technology.

Eventually the plan is to have one city employee badge instead of the dozen or more currently issued. Eventually it could be pushed out to citizens as well, who could use it for identification to different city services, such as the library and the Metro.

The DC One card is still in the capital phase, Wiley says. “We’re trying to make operating costs lower. If you look at all the different carding operations in place and how this will consolidate those,” he says, “it will save us some money.”


‘Spring Ahead’ demonstrates many technologies

FEMA’s ‘Spring Ahead’ demonstration showcased many different technologies and use cases. The purpose of the demonstration was to showcase FIPS 201 interoperability, with credentials issued from multiple private sector, federal, state and local jurisdictions utilizing the same technology as recommended in the draft National Incident Management System Credentialing Guideline.

The demonstration included the electronic validation of federal agency-issued FIPS 201 compliant and state/local government issued FIPS 201 interoperable credentials for risk mitigation and human resource situational awareness across more than 30 organizations in 20 locations throughout the United States.

The Illinois Terrorism Task Force was a key participant in the trial. A representative sample of Illinois-based emergency response officials from the emergency management, fire rescue, law enforcement, and critical infrastructure sectors reported to a simulated emergency operations center and presented smart credentials for electronic authentication and entry to the scene. The task force’s credentials used public key infrastructure from Entrust Inc.

Business consulting firm CGN & Associates provided program management for the State of Illinois FIPS 201 Interoperable Secure Credentialing Project. CoreStreet’s PIVMAN solution was used to control access to the sites by authenticating and validating the identities and privileges of Spring Ahead participants.

Spring Ahead consisted of:

  • Eight scenarios that demonstrated the relocation of government personnel via air, water, and land assets
  • The issuance of “just-in-time” credentials for emergency response officials who deploy to the scene of an incident without their credentials
  • Smart phone application proof-of-concept: routine and emergency access to seaports using the Transportation Worker Identification Credential
  • Federal and mutual aid out-of-area ingress for disaster response
  • FIPS 201 migration technology
  • Citizen evacuation, post-disaster re-entry, and sheltering-in-place.

Author: "FIPS 201 Administrator" Tags: "News"
Date: Monday, 02 Nov 2009 15:08

The October meeting of the influential Government Smart Card Interagency Advisory Board (IAB) was recently held in Washington D.C. FIPS201.com was on hand to cover the event and has provided, as a service to the IAB and the smart card community, an audio recording of the presentations. Click on the link below to access a list of audio and accompanying PowerPoint slides (in PDF format).


Author: "FIPS 201 Administrator" Tags: "News, Multimedia"
Date: Tuesday, 27 Oct 2009 12:53

Gemalto has announced the availability of a 144-kilobyte PIV card. The product is available now and already on the GSA’s approved products list. The new card doubles the memory capacity of the previous card. Gemalto sees the new cards being used to add applications to the card, such as an e-purse.

The Gemalto PIV Card is dual contact/contactless technology built on the JavaCard platform. It doubles the storage capacity of today’s PIV cards, a highly demanded feature in the government sector.

The Gemalto PIV card allows the identities of government employees and contractors to be verified electronically quickly, while resisting any fraud, tampering or counterfeiting. Already capable of secure storage of cardholder fingerprints, the card also supports, through its open platform, adding new applications, such as biometric match-on-card, if desired.

Author: "FIPS 201 Administrator" Tags: "News"
Date: Tuesday, 27 Oct 2009 12:52

Datacard Group, a provider of secure ID and card personalization solutions, announced the launch of Datacard Secura identification software. The system is designed to help governments issue secure credentials and minimize fraudulent identity.

This software enables agencies to enroll applicants and authenticate identities in passport, national ID, driver’s license and government employee ID programs.

It is a suite of applications that enables role-based identity management, allowing government agencies to establish a trusted source for validating identities and credentials. It provides strong authentication across a range of activities from secure enrollment to credential issuance to post-issuance management of secure IDs.

Secura software optimizes security with the latest multi-modal biometric matching technology, and supports secure transmission and storage of identity and credential data. It also helps agencies improve efficiency with a modular design and configurable workflows that can be tailored to specific customer requirements.

Datacard states that the system can be used with programs such as the U.S. government’s FIPS 201 and international passport standards from the International Civil Aviation Organization.

Author: "FIPS 201 Administrator" Tags: "News"
Date: Monday, 26 Oct 2009 19:43

Charismathics, a provider of IT security components and smart card middleware, announced that the National Institute of Standards and Technology has certified the Charismathics CSSI PIV Middleware as FIPS 201 compliant.

CSSI is PIV middleware validated to the new NIST SP 800-73-2 specification rather than the older PIV specification, ensuring interoperability and compliance with existing as well as future PIV cards. CSSI PIV middleware supports the interoperability of PIV cards at the middleware level, and Charismathics also supports PIV cards at the application level.

The Charismathics Smart Security Interface middleware supports smart cards from all vendors, and provides support for multiple computer platforms including Windows, Mac OS X, Linux and Solaris. In addition, CSSI provides support for a variety of computer applications including computer logon, disk encryption, SSO, pre-boot authentication, email security and digital signature applications.

CSSI provides support for Microsoft CryptoAPI, PKCS11 and Apple TokenD. Charismathics CSSI also offers an optional TSS component for TPM chips integrated in notebooks and desktop computers that enables the TPM to be utilized just like a smart card.

Author: "FIPS 201 Administrator" Tags: "News"
Date: Monday, 26 Oct 2009 13:18

MaxID, a manufacturer of biometric handheld equipment, and CoreStreet, a provider of credential validation solutions, announced the sale of ten iDLMaxG TWIC handheld biometric reader devices to the United States Coast Guard.

The iDLMaxG units delivered to the Coast Guard are bundled with the CoreStreet PIVMAN software, which provides a TWIC-compatible solution.

The iDLMaxG is a multi-modal, ruggedized mobile computer that includes a QWERTY keyboard, bar code, contact and contactless card readers, optical fingerprint scanner and optional magnetic swipe and MRZ readers with a digital camera, GPS, and communications capabilities.

Author: "FIPS 201 Administrator" Tags: "News"
Date: Wednesday, 21 Oct 2009 16:30

The Smart Card Alliance Physical Access Council has released a white paper detailing the types of authentication mechanisms available for physical access control systems to identify people entering different areas.

With Personal Identity Verification credentials being issued by government agencies for both physical and logical access, many agencies are working on upgrading or replacing their installed physical access control systems to meet new PIV requirements.

The new white paper, Authentication Mechanisms for Physical Access Control, details authentication mechanisms beyond those in NIST Special Publication 800-116. That publication, released in November 2008, provides useful guidance on where to deploy various PIV authentication mechanisms, but not all possible authentication mechanisms are included in it. The new white paper describes additional methods, their use, and the regulations or requirements that drive their implementation.

Some of the alternative authentication mechanisms described in the white paper include: mutual authentication protocol (MAP); mutual registration; and widely deployed mechanisms such as a combination of cards, PINs, and operational or reference biometrics. The white paper also details example implementations using alternative authentication mechanisms, including the Transportation Worker Identification Credential (TWIC) and the Aviation Credential Interoperability Solution (ACIS) program.

The paper can be downloaded here.

Author: "FIPS 201 Administrator" Tags: "News"
Date: Wednesday, 14 Oct 2009 14:02

MXI Security announced the availability of USB drive authentication technology leveraging Common Access Card and Personal Identity Verification cards. Used in conjunction with secure portable storage devices from MXI Security and McAfee, the new technology provides the U.S. government protection for portable data.

MXI Security’s new technology, available as a module for McAfee’s ePolicy Orchestrator, enables organizations to use existing or planned CAC/PIV infrastructure as a way of identifying their users to MXI Security or McAfee encrypted USB drives using their government issued smart cards.

Aside from the new CAC/PIV technology, McAfee offers organizations a central network management solution that gives government IT departments full control over their secure portable storage devices.

Other MXI Security modules deliver features such as granular security policies, user self-provisioning, and user self-rescue that greatly enhance deployability and scalability. In addition, the ability to restrict devices to trusted networks, remotely kill rogue devices, and have USB drives perform antivirus self-scans provides additional security.

Author: "FIPS 201 Administrator" Tags: "News"
Date: Friday, 09 Oct 2009 13:49

Cherry Electronics’ new SR-4300 ExpressCard reader and ST-1210 stand-alone smart card reader are now FIPS 201 certified by the General Services Administration for use with Personal Identity Verification smart cards.

The ST-1210 is a CCID-compliant, low-profile USB contact reader designed for one-hand operation. At just 105 mm x 70 mm x 12 mm high, it is easily transportable and fits in even small workspaces.

The SR-4300 ExpressCard reader is being bundled with notebooks for applications in federal government agencies. The reader is also suitable for a range of non-government applications, and it is being adopted widely, as the ExpressCard interface displaces PC Cards in new laptop and notebook computers.

Cherry’s new smart card readers are also PC/SC compliant and compatible with ISO 7816 (Class A, B, C), so they are suitable for typical smart card applications in single sign-on (SSO) and logical access control. Both the SR-4300 and the ST-1210 carry two-year warranties and have a typical operating life of 100,000 card swipes.

Author: "FIPS 201 Administrator" Tags: "News"
Date: Tuesday, 06 Oct 2009 16:16

By Salvatore D’Agostino, IDmachines

IDmachines spent time with dozens of vendors of physical access control products, systems and related system integrators at the recent ASIS 2009 event in Anaheim, Calif.

This is an ongoing exercise that IDmachines conducts several times a year and has been doing so for nearly four years–or as long as the standard has existed. In a nutshell, FIPS 201 and HSPD-12 are now mainstream requirements that drive the solutions being developed in the marketplace.

I’ve pointed out before that vendors who claim to meet the FIPS 201 specification deliver a wide range of performance. As the number of vendors who support the standard grows, this remains the case.

The big difference is the number of vendors and integrators that finally realize that supporting the standard matters. As a result, there is now a wide range of conformity to the specification, and to the related security and assurance levels, interoperability and trust described in the related NIST special publications.

When I first started asking the physical access control world several years ago how they support HSPD-12 and FIPS 201, most of them looked at me as if I was from Mars. A year ago there were still many vendors who thought IDmachines was focused on an edge issue.

The big deal at this ASIS conference was that every single vendor knew something about the question being asked. Even those that did not support the standard knew about it and in most of these cases intended to support it.

This is not surprising since millions of credentials that leverage this standard have been issued in the last year. And a number of commercial sectors have adopted the standard in the last year. I am sure that a year from now there will be even greater breadth and depth to the standard’s adoption.

Two other things for now

First, it is still incredibly surprising that some major vendors of access control systems and reader technology either still do not support the standard at anything other than a basic (read dangerously low) level of assurance and/or still lack the domain expertise to understand how to meet/address the recommendations for the use of PIV credentials. In some cases the “second tier” of providers has passed the major players in the extent of their solutions and knowledge.

Second, there still exists a lack of understanding of the differences between PIV, TWIC and PIV-I among major vendors.

IDmachines ran into multiple cases–including major vendors–of claims that TWIC solutions address the needs of PIV cards and that, because a vendor can implement the higher TWIC assurance levels, it can do the same for PIV. In most cases those making such false and broad claims about the applicability of their solutions also failed to understand the difference in how trust is established among credential issuers.

There is a failure to understand the difference between a TWIC solution–which is monolithic–and PIV and PIV-I, which are at times federated. A future entry will drill down on this subject matter.

Author: "FIPS 201 Administrator" Tags: "News"
Date: Thursday, 24 Sep 2009 12:35

Oberthur Technologies announced the availability of its dual interface ID-ONE Cosmo card to the corporate market at the ASIS International Seminar, September 21-24 at the Anaheim Convention Center in Anaheim, Calif.

The ID-ONE Cosmo card is a dual interface smart card that offers an open platform for multiple secure applications, providing companies with a single card solution with two communication interfaces - contactless for physical access and contact for logical access, based upon open, interoperable standards.

The ID-One Cosmo card is compliant with HSPD-12 mandates for identification standards, including FIPS 201 the baseline requirements for a Personal Identification Verification system.

The ID-ONE Cosmo card offers the corporate market a tested, federally compliant ID card with a profile that supports both physical and logical access with the addition of cashless payment, or other applications of your choosing, on one card.

Author: "FIPS 201 Administrator" Tags: "News"
Date: Monday, 14 Sep 2009 16:06

How can a U.S. government report on identity not mention FIPS 201?

By Salvatore D’Agostino, IDmachines

IDmachines recently had the opportunity to go through the National Security Telecommunications Advisory Committee (NSTAC) report to the President on Identity Management. This is an encouraging document in that it calls out:

  1. Cabinet level position for identity
  2. Funding
  3. Interoperability, trust and choice as basis for implementation.

What is confusing is the document’s failure to mention the efforts to date that address most of these needs. The following analysis provides further details on what’s in and out of the document and IDmachines’ interpretation.

To reinforce a couple of major points, power in DC and the federal government is all about budget. Other countries are making serious identity investments. The U.S. government, with the President’s leadership and Congress’ backing, needs to step up and fund these recommendations.

NSTAC meet NIST!

Where are the acknowledgments of Federal Information Processing Standard 201 and the related efforts of the National Institute of Standards and Technology and the U.S. Department of Commerce, as required by HSPD-12? FIPS 201 provides the architecture to meet the NSTAC recommendations.

Finally, look at and leverage how FIPS 201 has grown into Personal Identity Verification - Interoperability (PIV-I). Look at how other critical infrastructure sectors and other industries that interact with the Federal government have leveraged FIPS 201 and the Federal Bridge Certificate Authority to achieve these goals.

I know I am repeating things here, but I am a little surprised that those involved in these recommendations could not make this connection. In fact we are very close to being able to achieve the goals: industry and government have partnered to make real progress. Significant sums have been invested. State and local governments and commercial enterprises are on board and moving ahead. Identity matters.

IDmachines’ Analysis of the NSTAC Report to the President on Identity Management Strategy

The NSTAC is an important policy body made up of up to 30 industry chief executives from telecommunication, network, information technology, finance and aerospace companies. It addresses critical national security and emergency preparedness (NS/EP) issues. It published its identity management strategy report to the President on 21 May 2009. The report is now generally available here.

It makes the obvious but important statement that National Security/Emergency Preparedness users have the same characteristics as Internet users and importantly they take advantage of a common infrastructure. It proceeds to state that there is a need to identify NS/EP emergency responders and facilitate their authentication and authorization on these networks.

In fact the need is even more widespread as many of us depend on so-called cyber applications in some way. Secure, privacy protected and efficient identification is a quid pro quo for anyone to fully leverage the information, applications and services of the Internet and other modern means of communications. In any case the recommendations will necessarily have to take this wider need into account.

The report highlights the following statement in its Executive Summary:

“The evolving threat environment, coupled with the increasing reliance on communications networks, requires the development of a national, comprehensive Identity Management vision, strategy, policy and implementation procedures.”

It calls for a federation of interoperable identity management processes and that this federation would involve three operational characteristics:

  1. Interoperability
  2. Trust Anchors
  3. Choice-based participation.

The executive summary goes on to say the identity management strategy should embrace commercial providers, address privacy and civil liberties, allow choice by the enterprise, program and individuals, yet maintain standards. As far as IDmachines can tell this is exactly what a large number of organizations, across end-users, integrators and vendors have been doing for the last five years since HSPD-12 was published. IDmachines is glad to hear there is clear direction to stay the course, even if the directive is not recognized.

Also, in the report’s Executive summary:

“With respect to Governmental organization and coordination, establish a single, authoritative and comprehensive IdM governance process with a dedicated mission and office under an accountable official reporting directly to the President, embracing all Federal policy, technology, and IdM application activities related to both screening and access controls. The established lead official should have control over defined ID management programs and resources across Government, including budget, as needed to advance Federal IdM under a single coherent strategy.”

Centralizing identity in a single office is an excellent though not new idea and follows a lead set by other countries including very recently India. The one word that matters for a change above is “budget.” The progress that has been made to date has been the result of an unfunded mandate. Taking this into account the evolution of FIPS 201 Personal Identity Verification and its 2.0 evolution into Personal Identity Verification - Interoperability (PIV-I) is pretty impressive.

Now if there was program and project funding, guidance on grants (where funding already exists) and recognition of the economic and social benefits then we might really be getting somewhere. In addition this remains a national competitiveness issue particularly given the significant investments being made in dozens of other countries.

Also in the introduction it calls out:

“With respect to public-private programs, direct the appropriate federal government departments and agencies to work with the private sector to develop and advance a comprehensive and progressive ID management research and development agenda, focusing on Government-civil IdM interoperability.”

While a research and development agenda is a reasonable part of the policy (IDmachines believes that the evolution of PIV-I holds tremendous opportunities for innovation across sectors and applications), at the same time the report makes it sound like federated identity management is not ready for prime time. This is far from the case; in fact there are commercial off-the-shelf solutions for credentialing, logical and physical access control and other related applications.

There exist both products and services that scale to the enterprise and federation and meet the type of IdM called out in this report. Simply take a look at the General Services Administration Approved Products List to see the breadth of solutions based on FIPS 201. It is disappointing to the extent that this document does not reference HSPD-12, FIPS 201 or PKI other than in one footnote referencing the Federal Bridge. How can the council ignore, or fail to highlight, billions invested that relate directly to its recommendations to the President?

Yes, the government needs to put its house in order. It needs to stop making the silly mistake of developing multiple identity credentials that do not meet the basics set out above, in particular interoperability and trust. At one point there were (and there may still be) more than 40 ID programs in DHS alone, and the last time IDmachines checked there was little, if any, interoperability.

IDmachines agrees with the recommendations:

  • Leadership on ID management
  • National office under the Executive Office of the President
  • Develop an agenda to address:
    • Government organization and coordination
    • Public-private IdM programs
    • Policy and legislative coordination
    • National privacy and civil liberties culture

IDmachines applauds the broad definition of identity adopted in the document, specifically: “ID management covers a broad scope, including both digital and physical identification of individuals, applications, devices, objects, and information.”

As mobile devices expand their functionality the need for strong authentication of the device as well as the user becomes one of the most important short-term challenges facing the information technology, identity and security industries (which in fact are one and the same).

At the same time the report identifies ID management as a critical enabler of homeland security priority agenda items, and it reinforces the need to bring physical access control under the IdM umbrella. IDmachines applauds the NSTAC for repeating and reinforcing this need as it did in 2003. In doing so this report defines identity and convergence as the combination of people and device and of logical and physical domains. IDmachines has long held this is the only way to view identity and security. This approach has relevance across critical infrastructure and forms the basis for any modern network, importantly including the electrical or “smart” grid.

On privacy the report simply highlights the need for protection of privacy to be foundational to any ID management strategy. This simple statement is welcome. In this same section it makes the point that requiring identification for anonymous activity does not make sense. Again a very good piece of design advice and it calls out Web browsing as an example. Some recent actions by the government are contrary to this point and should take the NSTAC guidance into account.

The report provides a useful list of ID management benefits. It includes both hard and soft economic benefit categories. It would be more useful to have included an overt statement on the return on investment but the emphasis and highlighting of the benefits provides a citable list that members of the industry can call on when making the argument about their business, enterprise activity or ID management investment.

The report discusses the problems in the current operating environment yet fails to discuss the opportunities that exist. This point is the same as the earlier one about “ignoring” FIPS 201. Clearly in the discussion of commercial and government factors it bears discussion of the interoperability and trust anchors that are in place, particularly in the context of PIV-I.

The same issue exists with the next section (5.0 Need for an Identity Strategy); it opens with an all-inclusive statement: “Current Government and private sector ID management systems are numerous and stove-piped, causing redundancy and inefficient and uncoordinated ID management efforts.”

In fact interoperability among government agencies and between the U.S. Department of Defense and CertiPath organizations–as just two examples–exists today. While this is true for information and communications technology (ICT) it is not, as an example, true for aerospace.

The report does say there are some programs that exist that could be used as models. “Realistic potential exists for the private sector and individuals to benefit from participation in a federation of interoperable ID management processes.”

In fact it should call out the fact that real progress has been made already. As an example, the SAFE BioPharma Association has cross-certified to the Federal Bridge Certificate Authority and promotes benefits that include risk mitigation, IT system interoperability, the use of regulatory-compliant digital signatures, and green benefits. In fact both CertiPath and SAFE are part of the 4 Bridges Forum, an organization that seems to be ignored by this report.

The Findings and Conclusions section of the report correctly points out that: “The administration’s commitment to broadening transparency throughout Government will likely have cybersecurity implications and increase the need for an implementable federation of interoperable ID management processes.”

While not directly related to the communications sector there clearly exists a need for strong identity management and authentication in association with the desire for transparency of the bail out and stimulus monies being spent. A very small percentage of the monies dedicated in these areas could likely provide the foundation of the ID management (and even better for strong identity credentials that adhere to FIPS 201) required by the relevant businesses involved in receiving these government funds.

IDmachines completely agrees with the statement in Conclusions that “If ID management stakeholders do not address the fundamentals now, then more isolated IdM systems will emerge and it will become more difficult to adopt viable comprehensive and interoperable IdM solutions in the future.” Again, recognition needs to take place of those who are addressing the fundamentals of strong authentication, interoperability and trust anchors as mentioned earlier in this analysis.

The Recommendation reiterates the need for a national ID management office. IDmachines strongly backs this goal and the associated statement: “to develop a coordinated programmatic agenda to implement a comprehensive ID management vision and strategy to address, at a minimum, four component areas, specifically: Government organization and coordination; public-private ID management programs; policy and legislative coordination; and national privacy and civil liberties culture.”

IDmachines would add the statement that the ID management office should look to build off the work already done and the investment made in PIV-I to achieve this goal.

Image Source: National Institute of Standards and Technology.

Author: "FIPS 201 Administrator" Tags: "News"
Date: Wednesday, 09 Sep 2009 20:10

Two publications from the National Institute of Standards and Technology describe new capabilities for authentication systems using smart cards or other personal security devices within and outside federal government applications.

One report describes a NIST-led international standard, ISO/IEC 24727, which defines a general-purpose identity application programming interface (API). The other is a draft publication on refinements to the Personal Identity Verification (PIV) specification.

NIST is responsible for developing specifications for PIV cards required for the government under HSPD-12. The goal is to develop methods that allow each worker to have a PIV card that works with PIV equipment at all government agencies and with all card-reader equipment regardless of the manufacturer.

Because there is growing interest in using secure identity credentials, like PIV cards, for multiple applications beyond the federal workplace, NIST provided its smart card research expertise in the development of the ISO/IEC 24727 international standard. The standard aims to provide a set of authentication protocols and services common to identity management frameworks.

The new NIST report describes the standard’s general-purpose identity application programming interface, the “Service Access Layer Interface for Identity (SALII)”, which enables cards and readers to communicate and operate with applications. The report also describes a proof-of-concept experiment demonstrating that existing PIV cards and readers can interoperate with ISO/IEC 24727. The applications tested included logging on to Windows or Linux systems, signing and encrypting email, and performing Web authentications.

The report on ISO 24727 can be downloaded here.

The other publication - Special Publication 800-73-3, Interfaces for Personal Identity Verification - provides specifications for PIV-Interoperable and PIV-Compatible cards issued by non-federal issuers, which also may be used with the federal system.

It also provides specifications designed to ease implementation, facilitate interoperability and ensure performance of PIV applications in the federal workplace. The new publication specifies a PIV data model, card edge interface and application programming interface. The report also provides editorial changes to clarify information in the earlier version.

The draft version of NIST SP 800-73-3 is open for public comment through Sept. 13. The document is available online here.

Author: "FIPS 201 Administrator" Tags: "News"
Date: Tuesday, 08 Sep 2009 15:27

Technology as a cultural lever

By Dennis L. Gavin MBA, PMP
CGN and Associates

Illinois is unique among states because it has deployed an enterprise-level PKI that is cross-certified with the Federal Bridge. While this is a major accomplishment, it is only one component in the state’s quest to develop a federally interoperable credential. Technology is a lever and a force multiplier in any process, but must take a subordinate position to process and policy. Prior to the existence of the PIV Interoperable standard or FIPS 201, Illinois had a coordinated and engaged emergency response community that recognized the critical importance of interdisciplinary and cross-jurisdictional cooperation. Interoperable technology thus found a welcome home in the Land of Lincoln.

Empowering the emergency response community

Beginning with its pilot rollout in September of 2008, Illinois has more than 1,200 emergency responders in various stages of the credentialing process. These responders are drawn from a highly diverse cross-section of disciplines–from Emergency Management and Counterterrorism Professionals to HAZMAT and Technical Rescue Teams. This initial population of candidates represents not only members of state agencies, but also the strong tradition of not-for-profit associations formed for the purpose of cross-jurisdictional mutual aid within the state.

The core process vision of the credentialing program is one of decentralized authority. Rather than centralize the process at a specific agency or location, the credentialing system delegates the authority and responsibility for candidate selection, validation and activation down to constituent organizations and teams. This is accomplished using a Web-based portal where credentialing candidates and their supervisors create and validate responder profiles.

Highlights of the credentialing process

The background check

Users enter the credentialing system through a fingerprint-based background check. The candidate reports to a site capable of collecting both fingerprints and a digital photo, which passes through a criminal background process before transmission to the Web-based credentialing portal. In addition to the obvious benefit of screening the criminal background of credentialing applicants, this process provides a crucial validation point. Submission of fingerprints in this manner provides reasonable assurance that the individual presented as an emergency responder is the individual whom he or she purports to be–a crucial factor in an identity validation application.

The team concept

The backbone of the Illinois Credentialing Process lies with the team. The team serves as the “administrative home” of the credential profile and may or may not correspond to the team or organizational affiliation of the individual. The team, which may be as large or small as needed, consists of individuals with a common emergency response affiliation. When a candidate joins a team, the Team Leader is responsible for review of the profile and affirmation of the candidate’s skills and abilities as enumerated. When the Team Lead digitally signs the profile, he/she is giving credence to the qualifications and identity of the applicant. This has three advantages.

  1. A Team Leader accepting an applicant into his/her team provides administrative control over the profile.
  2. By requiring a Team Lead to digitally sign an applicant’s profile certifying the validity of the information, there is a strong incentive for Team Leaders to ensure that the applicant’s data is accurate.
  3. A Team Leader validating the candidate’s qualifications with a digital signature provides a much more cost-effective and streamlined method of validating qualifications than building interfaces to external qualifications databases, assuming that such a database exists for a given qualification.

A responder may, of course, belong to more than one team. For example, an individual may be a member of a local fire department, while also serving on a HAZMAT response team and an Urban Search and Rescue team. In these cases, the candidate would enter the system under his primary team. The other two Team Leaders would then add the credentialed individual to their teams once the primary Team Leader approved the profile.

Designated card distributors

After a card has been approved for production and created, the finished product will be sent to a Designated Card Distributor for final delivery to the recipient. This individual, who is selected by the Team Leader, will arrange to meet the credentialing candidate to activate the card, write the certificates to the chip, and implant both the PIN and biometric signature. This separation of duties provides an additional auditing step. No single person has authority from beginning to end over the process, requiring a second individual to verify the identity of the user.
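The team concept and the distributor hand-off above amount to a small set of policy rules: entry only after the fingerprint check, a team leader's signature over the profile, secondary teams added only after the primary leader has approved, and a card distributor who is a different person from the leader who vouched for the responder. The following Python model is an added example, not code from the Illinois program or from CGN and Associates; it encodes those rules and refuses the actions that would violate them. The HMAC-SHA256 value keyed by a per-leader secret is a stand-in for the PKI digital signature the program actually uses, and all team names, people and secrets are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field


class PolicyError(Exception):
    """Raised when an action would violate a rule of the credentialing workflow."""


@dataclass
class Profile:
    responder: str
    primary_team: str
    qualifications: list
    fingerprint_checked: bool = False               # set by the enrollment site (constructed flag)
    signatures: dict = field(default_factory=dict)  # team -> signature over the canonical profile
    activated_by: str = ""                          # designated card distributor, once activated


class Credentialing:
    """Constructed model of the decentralised, team-based workflow (not the Illinois system)."""

    def __init__(self):
        self._teams = {}  # team name -> (team leader, leader's signing secret)

    def register_team(self, team, leader, secret: bytes):
        self._teams[team] = (leader, secret)

    @staticmethod
    def canonical(profile) -> bytes:
        # Sign a canonical encoding so the signature does not depend on field order.
        return json.dumps({"responder": profile.responder,
                           "primary_team": profile.primary_team,
                           "qualifications": sorted(profile.qualifications)},
                          sort_keys=True).encode()

    def enroll(self, responder, primary_team, qualifications, fingerprint_checked):
        # Rule 1: entry into the system is through the fingerprint-based background check.
        if not fingerprint_checked:
            raise PolicyError("fingerprint background check required before enrollment")
        if primary_team not in self._teams:
            raise PolicyError(f"unknown team {primary_team}")
        return Profile(responder, primary_team, list(qualifications), True)

    def sign_profile(self, profile, team, leader):
        # Rule 2: only the registered leader of that team may sign; signing adds the responder.
        reg_leader, secret = self._teams[team]
        if leader != reg_leader:
            raise PolicyError(f"{leader} is not the leader of {team}")
        # Rule 3: a secondary team may add the responder only after the primary leader approved.
        if team != profile.primary_team and profile.primary_team not in profile.signatures:
            raise PolicyError("primary team must approve the profile first")
        # HMAC stands in for the leader's PKI signature (assumption, see lead-in).
        profile.signatures[team] = hmac.new(secret, self.canonical(profile),
                                            hashlib.sha256).hexdigest()

    def verify(self, profile, team) -> bool:
        _, secret = self._teams[team]
        expected = hmac.new(secret, self.canonical(profile), hashlib.sha256).hexdigest()
        return hmac.compare_digest(profile.signatures.get(team, ""), expected)

    def activate(self, profile, distributor):
        # Rule 4 (separation of duties): the distributor who activates the card must not be the
        # leader who vouched for the profile, and the primary signature must still verify.
        leader, _ = self._teams[profile.primary_team]
        if distributor == leader:
            raise PolicyError("team leader may not also act as card distributor")
        if not self.verify(profile, profile.primary_team):
            raise PolicyError("primary team signature missing or invalid")
        profile.activated_by = distributor
        return profile


def _refused(action) -> bool:
    """True when the workflow rejects the action with a PolicyError."""
    try:
        action()
        return False
    except PolicyError:
        return True


def run_demo():
    """Happy path with constructed teams: enroll, primary and secondary approval, activation."""
    system = Credentialing()
    system.register_team("Fire Dept 12", "Capt. Lee", b"lee-secret")      # constructed
    system.register_team("HAZMAT East", "Chief Ortiz", b"ortiz-secret")  # constructed
    p = system.enroll("R. Jones", "Fire Dept 12", ["HAZMAT Technician", "EMT-B"], True)
    system.sign_profile(p, "Fire Dept 12", "Capt. Lee")
    system.sign_profile(p, "HAZMAT East", "Chief Ortiz")
    system.activate(p, "Distributor Patel")
    return system, p


def policy_checks():
    """Exercise each rule; returns which violations the workflow refused."""
    system = Credentialing()
    system.register_team("Fire Dept 12", "Capt. Lee", b"lee-secret")
    system.register_team("HAZMAT East", "Chief Ortiz", b"ortiz-secret")
    p = system.enroll("R. Jones", "Fire Dept 12", ["EMT-B"], True)
    checks = {
        "no_fingerprint": _refused(lambda: system.enroll("X", "Fire Dept 12", [], False)),
        "wrong_leader": _refused(lambda: system.sign_profile(p, "Fire Dept 12", "Chief Ortiz")),
        "secondary_before_primary": _refused(lambda: system.sign_profile(p, "HAZMAT East", "Chief Ortiz")),
        "unsigned_activation": _refused(lambda: system.activate(p, "Distributor Patel")),
    }
    system.sign_profile(p, "Fire Dept 12", "Capt. Lee")
    checks["leader_as_distributor"] = _refused(lambda: system.activate(p, "Capt. Lee"))
    p.qualifications.append("Structural Collapse")  # edit after signing invalidates the signature
    checks["tampered_profile"] = not system.verify(p, "Fire Dept 12")
    return checks


if __name__ == "__main__":
    _, profile = run_demo()
    print("activated by", profile.activated_by, "with signatures from", sorted(profile.signatures))
    print(policy_checks())
```

The point of the model is that every state change is gated by who is allowed to make it, and that the distributor's activation step re-verifies the leader's signature rather than trusting the stored approval, so a profile edited after approval cannot be activated.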

In conclusion

Illinois has achieved federal interoperability through diligent and focused efforts and effective program design. Many states are looking at the Illinois model with an eye toward achieving interoperability for their own state.


Mr. Glavin is a senior project manager with CGN and Associates and served as project lead for the Illinois First Responder Credentialing initiative.

Author: "FIPS 201 Administrator" Tags: "News"
Date: Tuesday, 01 Sep 2009 13:59

The August meeting of the influential Government Smart Card Interagency Advisory Board (IAB) was recently held in Washington D.C. FIPS201.com was on hand to cover the event and has provided, as a service to the IAB and the smart card community, an audio recording of the presentations. Click on the link below to access a list of audio and accompanying PowerPoint slides (in PDF format).


  • Opening Remarks

    MP3: click here

  • Policy, process, regulations, technology, and infrastructure to fully employ HSPD-12 for employees and contractors in USDA
    Owen Unangst, USDA

    PDF: click here

    MP3: click here

  • Policy and Infrastructure for PIV use for Logical Access. Migrating to one PIV use across domains
    Tim Baldridge, NASA

    PDF: click here

    MP3: click here

  • NIST UPDATE
    Bill MacGregor, NIST

    • Recent publications (esp., draft SP 800-73-3)
    • Safeguards built into PIV, and the recommendations in SP 800-116

    PDF: click here

    MP3: click here

  • Leveraging open identity standards for Government interaction with the American people
    Chris Louden for Judy Spencer

    PDF: click here

    MP3: click here

  • Closing Remarks

    MP3: click here

Author: "FIPS 201 Administrator" Tags: "News, Multimedia"
Date: Tuesday, 18 Aug 2009 16:58

SanDisk Corp., a provider of flash memory cards, announced that its SanDisk Cruzer Enterprise secure USB flash drives are now enhanced to meet the requirements of government employees. The Cruzer Enterprise design was independently tested and certified under Military Standard 810-F environmental standards in addition to being suitable for use by the visually-impaired under Section 508 requirements.

Cruzer Enterprise drives feature cryptographic modules and encryption algorithms, a waterproof design and are compliant with Trade Agreements Act requirements for purposes of U.S. Government procurements. In addition, the Cruzer Enterprise line of flash drives is listed for Common Criteria certification, which it is expected to receive next month.

Author: "FIPS 201 Administrator" Tags: "New Additions, News"