U.S. Department of Agriculture HSPD 12 Program. USDA HSPD-12 Implementing PIV USDA

Transcription

1 U.S. Department of Agriculture HSPD 12 Program USDA HSPD-12 Implementing PIV USDA April 2009

2 USDA and the GSA HSPD-12 Shared Solution USDA has been at the forefront of driving a shared solution for HSPD-12 across the Federal Government Co-chairing the HSPD-12 Executive Steering Committee Contributed to the development of the General Services Administration (GSA) Statement of Work for HSPD-12 Serving on the vendor evaluation committee To that end, USDA is prepared to adopt the GSA HSPD-12 Shared Solution as it s USDA Enterprise-side solution. 2

3 HSPD-12 PIV card - LincPass cards LincPass Process Logical Access Physical Access Getting a Card For Access to Computers Using a Card For Access to Buildings HR Sponsors BI Is Completed Person Enrolls Card Is Issued Person Activates 3

4 Identity and Access Management Auditing Disk Encryption Enhanced Non-Repudiable Services Authentication Non-Repudiation Dig/Sig egov Services Encryption Authentication Identity InCommon Federation Federation Authentication Authorization Collaboration Authorization Network Access Network Control Admission and Endpoint Control Security PIV User User Auth Auth 802.1X Remediation IPSec/SSL HB IPS/FW VPN Persistent Health State Connectivity Validation Device Auth PKI Quarantine DLP Mobile File Computing Integrity Remote/Wired/Wireless Security Profile Mgmt Access Control Enterprise Role Based Entitlement Access Control Management Role System Attribute (EEMS) Mgmt Application RBAC Win Rules 2K3 Entitlement Identity Entitlement Workflow RBAC AzMan Org Position Location Authorization Attributes Engine Mgmt Mgmt Engine Application Integration PACS E PACS AD Domains LACS Main frame eauth VPN Accounts HSPD-12 CHUID PKI Certificates eauth Username Password Credentials Identity Stores Customers Contractors Employees Identity 4

5 HSPD-12 Business Process General HSPD-12 Concept Sponsorship Enrollment Adjudication Issuance Activation Credential Usage PROCESS Capture applicant information & authorize PIV card Identity proof & capture biometrics Complete BI and record results Produce card and issue to applicant Authenticate applicant and activate card Manage card lifecycle COMPONENTS IDMS GUI IDMS DB IDMS GUI IDMS DB Certificate Authority ` Finalization Workstation CMS Card Reader CPS CA Enrollment CMS & IDMS Finalization 5

6 LACS, PACS, and HR CPS Card Distribution Card Printing CMS DB CMS CHMS CHMS DB OPM /FBI Shared Service PKI App Server AD App Server Reporting Registration Camera Key Mgt. Certificate authority CRL OCSP Responder Agency Controller Card Reader Registration WKS Finger Print Scanner Document Scanner Agency LACS Agency PACS Facility RDB MS Data Store Agency 2 LACS Agency 1 LACS MIIS AD USDA Responsibilities Personnel Management System WorkStation WorkStation Employees Contractors PACS Master DB PACS Enterprise Servers PACS Mobile Unit 6

7 Overall Architecture epacs EmpowHR EmpowHR Done EIDS Connector Done epacs Connector (3/13/09) EIMS Sponsorship & Adjudication Data Feed Done HSPD-12 Service Provider PP Done QuerySIP Data Feed Done Payroll Personnel NEIS Done EIDS V3.1 AD Connector & Card Info Feed In Progress 7 agencies done Non Employee Identity System (NEIS) Logical Access Control Systems LincPass Domain Login All Agencies in Progress Laptop User 7

8 Three Phases with NCE and GSA shared solution June 9 Sept 30, 2008 Summer Mobile enrollments October 1 April 30, 2009 Winter Mobile enrollments May 1 Sept 30, 2009 Sustainment and Operations General Services Administration Office of Personnel Management United States Department of Agriculture United States Department of Energy United States Department of Interior US Department of Justice United States Department of Treasury 8

9 An Example: Enrollment Answer from Mobile enrollment. Phase 1 and 2 Example of Enrollment Locations GRAND FORKS USDA/ARS FARGO USDA/ARS GRAND RAPIDS USDA/FS 5 DULUTH USDA/FS 1 1 ABERDEEN USDA HURON GSA 5 3 MORRIS USDA/ARS MARSHALL USDA/NRCS 2 4 BAXTER USDA/FSA MINNEAPOLIS USDA/APHIS 1 MANKATO USDA/FSA FALCON HEIGHTS GSA 2 ROCHESTER USDA/FSA 2 PARK FALLS USDA/FS STEVENS POINT USDA/RD 3 SIOUX FALLS DOI POCAHONTAS USDA/RD 1 1 WAVERLY USDA/RD MADISON USDA/FS 9

10 Phase 3 Permanent Locations Example * Yakima * Pendleton * Tangent * LaGrande * Roseburg * Klamath Falls 10

11 Phase 3 Light Activation Participants Identified: Permanent Enrollment \ Activation centers Shared Agency Only Light Activation Stations Shared Agency Only GSA s Light Activation Station Read/Write Smart Card Reader Fingerprint Reader Special Software 11

12 USDA Report Card Over 160 Mobile Enrollment stations during Summer 225 Mobile Enrollment Stations during Winter Enrolled 74,000+ Employees across the Entire Country Enabled Two-Factor Authentication for almost 55,000 Laptops Implemented a National PACS Infrastructure & Began Connecting 100 MCF s 12

13 USDA Next Steps PIV cards: Continue issuing cards to Federal and contract staff Complete remaining investigations Two-Factor Authentication: eauthentication Two-Factor Integration VPN Two-Factor Integration Digital Signature Integration for Office, Outlook and Adobe Encryption Integration for Outlook epacs: Identify remaining MCF s Implement solution at all MCF S Other: Continue to share information with NCE participants End Point Security \ VPN 13

14 Endpoint Security Agent Host-Based Firewall Health Check 802.1x Supplicant Endpoint Security Agent Host-Based Firewall Health Check 802.1x Supplicant Host-Based Firewall Health Check 802.1x Supplicant U.S. Department of Agriculture HSPD 12 Program United States Government OCT2012 Conceptual Strategy: Network & Endpoint Security Bloggs, Joseph USDA Affiliation Contractor Agency/Department Department of Agriculture Expires 2012OCT22 G Endpoint Security Agent Remote Access USDA Enterprise Directory Host-Based IPS SSL VPN NAC Agent VPN User Roles Health Check: Pass BigFix Anti-X Patch Management Disk Encryption FDCC Host-Based IPS SSL VPN Local Access Host-Based IPS SSL VPN Wireless File Integrity Checking Host-Based FW Host-Based IPS Data Loss Prevention Wireless Access Point Wired Distribution Layer Switch 14 IDS Network Access Controller ISOC Auditing and Reporting Health Check: Fail Remediate

15 USDA Contacts \ Questions Owen Unangst Owen.unangst@ftc.usda.gov (970) Meria A. Whitedove Meria.whitedove@usda.gov (970)