What Does it Mean to be PIVish in PACS ICAM PIV in E-PACS Guidance v2.0.2 the short form. December 3, 2012

Size: px
Start display at page:

Download "What Does it Mean to be PIVish in PACS ICAM PIV in E-PACS Guidance v2.0.2 the short form. December 3, 2012"

Transcription

1 Federal CIO Council Information Security and Identity Management Committee IDManagement.gov What Does it Mean to be PIVish in PACS ICAM PIV in E-PACS Guidance v2.0.2 the short form December 3, 2012

2 HSPD-12 Component Interfaces HSPD-12 Shared Component Architecture (SCA) New near-term docket item for the AWG. Objective is to produce commodity-based commercial technology/solutions that would be listed on an approved products list. Allow federated processes with certainty of identity (e.g., person from agency A goes to agency B's enrollment station). Two interface specification deliverables to start: Standardized interface between Enrollment Workstations and TBD Standardized interface between IDMS and CMS Waiting on obtaining material that will inform this effort 2

3 What is an HSPD-12 Conformant PACS? A system that leverages high assurance identity credentials Both PIV and PIV-I (and maybe local procedures to support CIV) Is designed in accord with the FICAM Roadmap and Implementation Guidance Implements the guidance from NIST SP for area controls Is designed, built and operated according to the FICAM PIV in E-PACS guidance 3

4 How Policies Govern Implementations Usage (Buildings/ Facilities) NIST SP Lock FICAM PIV in Enterprise PACS Key PIV/PIV-I per FIPS 201 & FBCA CP 4

5 PIV in E-PACS Document Personal Identity Verification (PIV) in Enterprise Physical Access Control Systems (E-PACS) Version May 24,

6 Current Status Published as final June 30, 2012 on IDManagement.gov Has since been removed from IDManagement.gov Edit cycle in progress by the Modernized Physical Access Working Group (MPAWG) FICAM ISC 6

7 Section 1-2: Introductory Material Section 1 Introduction Background Purpose and Audience Implementation of OMB M conformant PACS Technologists (system owners and OEMs) Procurement officials Scope Document Organization Section 2 PIV and PIV-I Cards Definitions FIPS and FBCA CP Specifications NIST SP , -76, -78 7

8 Section 3: PACS Overview Section 3 PACS Overview 8

9 PACS in the FICAM World PACS are no longer isolated systems They are network connected They are part of the CyberSecurity initiative for the federal enterprise Summarizes FICAM positioning of E-PACS Shows target architecture 9

10 FICAM Roadmap Overview of PACS within the Overall Infrastructure 10

11 Typical Current PACS System 11

12 FIPS 201 Changes to PACS 12

13 FICAM Roadmap Federal Enterprise Target Conceptual Diagram 13

14 Generic Federated PACS Functions This is an error in FICAM Roadmap: should be connected to Agency PACS, not Door reader 14

15 Section 4: Authentication Mechanisms Section 4 Smartcard Authentication Mechanisms 15

16 Discussion on PIV Authentication Mechanisms Summary per FIPS and NIST SP for PIV applet PIV and PIV-I Cards themselves provide four electronic identification and authentication mechanisms, which alone or in conjunction with other authentication mechanisms can establish confidence (to varying levels of assurance) in the identity of the cardholder: Authentication Certificate (PKI-Auth) allows PKI-based authentication only accessible via the contact interface when the user PIN is provided; Biometric authentication of the cardholder s fingerprints using biometric templates on the card, including verification of the signature and signer; Cardholder Unique Identifier (CHUID) contact or contactless read of the CHUID object, including verification of the signature and signer; and Card Authentication Key (CAK) allows cryptographic authentication of the card via contact or contactless interface. This is currently an optional certificate on the PIV Card, and a required certificate on the PIV-I Card. CAK may also be a symmetric key on PIV Cards. 16

17 Summary View 17

18 Section 5: Introductory Material (Con t) Section 5 GSA APL Must buy off of the GSA APL With a big caveat 18

19 Section 6: Introductory Material (Con t) Section 6 PACS Threats Extends and expands on NIST SP Talks about threats to PACS, not just misuse of PIV in PACS 19

20 Section 7: Introductory Material, contd. Section 7 Summary discussion of NIST SP Show harmony between documents 20

21 Section 8: E-PACS Security Functions Section 8 Enterprise PACS Security Functions 21

22 Control Families (based on NIST SP ) 22

23 PIA Control Family Class Family ID Control T PIA PIA-1 Identification and Authentication Policy Implementation T PIA PIA-2 Authentication Modes T PIA PIA-3 Identity Factor Authentication T PIA PIA-3.1 Accepting Device (AD) T PIA PIA-3.2 Validation of Trusted Origin (VTO) T PIA PIA-3.3 Active Authentication T PIA PIA-3.4 Protection of Authenticator (POA) T PIA PIA-3.5 Revocation Check (RC) T PIA PIA-3.6 Expiration Check (EC) T PIA PIA-4 Signature Validation T PIA PIA-5 Full Path Validation T PIA PIA-6 Cross-Agency Interoperable Authentication T PIA PIA-7 Card Revocation Check Mechanisms T PIA PIA-8 Provisioning via Import T PIA PIA-9 Provisioning via Registration T PIA PIA-10 I&A for Administration Significant portion of the document is on the PIA family 23

24 PIA-2: PACS Authentication Modes E-PACS should support one or more PIV-enabled authentication modes have/know/are model Combinations Table 8-3 enumerates these authentication modes 24

25 Table 8-3, PACS Enabled Authentication Mechanisms 25

26 PIA-3: Identity Factor Authentication Establishes requirements for Identity Factor Authentication Accepting device Verification of trusted origin Active Authentication Protection of authenticator Revocation check (should also have stated Expiration check) Each of these are given a control (PIA 3.1 PIA 3.6) Details in Table

27 Table 8-4, Authentication Elements Have Factors Know Factors Are Factors Authentication Mode: CHUID + VIS PIN to PIV/PIV-I BIO-A PKI PIN to PACS BIO CAK BIO to PACS PIA-3.1 Smart Card Reader PIN PAD Biometric Reader Accepting Device PIA-3.2 Verification of Trusted Origin Verify signature on the CHUID and validate associated Content Signer Certificate PKI - Signature Check on PKI Certificate CAK (Asymmetric) - Signature Check on CAK Certificate CAK (Symmetric) knowledge of shared secret See PIA-5 PIN to PIV/PIV-I trust transferred by PIV Authentication Private Key PIN to PACS Secure connection to authoritative reference Verify signature on the biometric and validate associated Content Signer Certificate BIO to PACS Protected storage for Biometric Reference Template See PIA-5 PIA-3.3 Active Authentication Challenge Response PIN to PIV/PIV-I Verified on Card, crypto channel transfers trust to PACS PIN to PACS Verify in PACS Biometric Match PIA-3.4 Protection of Authenticator Protection from Modification by nonvetted entities PIN to PIV/PIV-I provided by FIPS Level 2 Module PIN to PACS: Encrypted at rest, secure delivery to comparison element Encrypted (or controlled access) at rest, Secure delivery to comparison element PIA-3.5 Revocation Check (within 18 hours) For all PIV factors, revocation checking is always accomplished by performing PDVal on CAK or PIV Authentication certificates. 27

28 PIA 3.2: Validation of Trusted Origin E-PACS should verify Issuer That the reference authenticator was created by that issuer That the reference authenticator has not been altered Signature validation of all objects (bio, certs) Full PDVAL on digital certificates (detailed in PIA- 5) Mutual authentication using symmetric key Public key matches public key registered in PACS database Mitigates a known APT issue 28

29 PIA-3.3: Active Authentication Verify factor presented matches Reference authenticator Is genuine (not altered, cloned, forged, replayed, or spoofed) Detailed guidance Challenge/response VIS by guard PIN models Bio models 29

30 PIA-3.4: Protection of Authenticator Ensure reference authenticator used in PIA-3.3 is adequately protected Encrypted at rest Encrypted in motion FIPS validated (hardware) Four cases described: PIV/PIV-I carries the authenticator, PACS confirms (e.g., match-to-card, cert sig verify) PIV/PIV-I carries the authenticator, PIV confirms (on-cardcomparison of bio or PIN) Requires use of crypto ch/rsp PACS has the authenticator (PIN or BIO to PACS models) PACS uses symmetric CAK (must protect master symm key) 30

31 PSC-2: Trust Anchor Protection Provide and manage Root and Issuing CA certificates per local policy Must have full logging of changes Must mitigate MSFT Root Store Updates 31

32 Facility Assessment and Security Authorization PCA-5: Facility Assessment Consider as a pre-operational audit by third party Facility Architecture System Configuration Validation components working correctly (e.g., PKI PDVal) PCA-6: Security Authorization Get Certification and Accreditation in accordance with FISMA and NIST SP

33 Summary of Planning Controls 33

34 Section 10: Authentication Patterns Section 10 Authentication Patterns 34

35 Table 10, Authentication Patterns Summary Table 10-1: Summary of patterns to moving between NIST SP security areas A sampling follows 35

36 Primitive CHUID Today s Security Risk Zero Factors of Authentication! 36

37 CHUID + VIS Fully implements one factor Considered a weak method Prone to human error 37

38 Asymmetric CAK A strong one factor Can be used in combination with BIO for access to Exclusion areas 38

39 BIO One factor can t prove card verified PIN Note bio compared by system, not reader Can be used with PKI for access to Exclusion areas 39

40 PKI-Auth Full two factor solution Note the challenge/response is managed by the system, not the reader 40

41 So What Do I Need to Do for my Facility PACS? Sections 1-10 discuss How to implement PIV technology in PACS How to maintain security and integrity of the system What documentation you need What certifications you need And suddenly, they realize they haven t given any guidance on how to design and deploy a PACS 41

42 Section 11: Implementation Guidance Determine Facility Security Level NIST SP designations for each physical area Key processes Develop Provisioning Populations Temporary cards Requirements and design of solution Leverage security controls and authentication patterns Holistic review Before, during, and after implementation 42

Practical Challenges in Adopting PIV/PIV-I

Practical Challenges in Adopting PIV/PIV-I UNCLASSIFIED Practical Challenges in Adopting PIV/PIV-I Hank Morris UNCLASSIFIED 2 UNCLASSIFIED // FOUO Purpose and Agenda Purpose: Explore the policy, process, and mechanisms to securely leverage biometrics

More information

GSA FIPS 201 Evaluation Program

GSA FIPS 201 Evaluation Program GSA FIPS 201 Evaluation Program David Temoshok Director, Federal Identity Policy and Management GSA Office of Governmentwide Policy NIST/DHS/TSA TWIC QPL Workshop April 21, 2010 1 HSPD-12 Government-wide

More information

Required changes to Table 6 2 in FIPS 201

Required changes to Table 6 2 in FIPS 201 The PIV Working Group appreciates the opportunity to provide guidance on the initial scope for ICAM Part B. In addressing your request we created three bodies of content: Required changes to Table 6 2

More information

Integration of Access Security with Cloud- Based Credentialing Services

Integration of Access Security with Cloud- Based Credentialing Services Integration of Access Security with Cloud- Based Credentialing Services Global Identity Summit September 17, 2014 All text, graphics, the selection and arrangement thereof, unless otherwise cited as externally

More information

Identity, Credential, and Access Management. An information exchange For Information Security and Privacy Advisory Board

Identity, Credential, and Access Management. An information exchange For Information Security and Privacy Advisory Board Federal CIO Council Information Security and Identity Management Committee Identity, Credential, and Access Management An information exchange For Information Security and Privacy Advisory Board Deb Gallagher

More information

Strong Authentication for PIV and PIV-I using PKI and Biometrics

Strong Authentication for PIV and PIV-I using PKI and Biometrics Strong Authentication for PIV and PIV-I using PKI and Biometrics Adam Shane PSP, Product Manager and Sr. Systems Design Architect AMAG Technology Bob Fontana CSCIP/G, Vice President-Federal Identity Codebench/HID

More information

Smart Cards and Biometrics in Physical Access Control Systems

Smart Cards and Biometrics in Physical Access Control Systems Smart Cards and Biometrics in Physical Access Control Systems Robert J. Merkert, Sr. Vice President of Sales Americas Biometric Consortium 2005 Conference September 21, 2005 All Company and/or product

More information

Federal Identity, Credentialing, and Access Management. Personal Identity Verification Interoperable (PIV-I) Test Plan. Version 1.1.

Federal Identity, Credentialing, and Access Management. Personal Identity Verification Interoperable (PIV-I) Test Plan. Version 1.1. Federal Identity, Credentialing, and Access Management Personal Identity Verification Interoperable (PIV-I) Test Plan Version 1.1.0 Final February 22, 2011 Table of Contents 1 Introduction... 1 1.1 Background...

More information

1. The human guard at the access control entry point determines whether the PIV Card appears to be genuine and has not been altered in any way.

1. The human guard at the access control entry point determines whether the PIV Card appears to be genuine and has not been altered in any way. + Expiration date + Agency card serial number (back of card) + Issuer identification (back of card). The PIV Card may also bear the following optional components: + Agency name and/or department + Department

More information

HSPD-12 Implementation Architecture Working Group Concept Overview. Version 1.0 March 17, 2006

HSPD-12 Implementation Architecture Working Group Concept Overview. Version 1.0 March 17, 2006 HSPD-12 Implementation Architecture Working Group Concept Overview Version 1.0 March 17, 2006 Table of Contents 1 PIV Lifecycle... 3 2 High Level Component Interaction Diagram... 4 3 PIV Infrastructure

More information

Federal PKI (FPKI) Community Transition to SHA-256 Frequently Asked Questions (FAQ)

Federal PKI (FPKI) Community Transition to SHA-256 Frequently Asked Questions (FAQ) Federal PKI (FPKI) Community Transition to SHA-256 Frequently Asked Questions (FAQ) Version 1.0 January 18, 2011 Table of Contents 1. INTRODUCTION... 3 1.1 BACKGROUND... 3 1.2 OBJECTIVE AND AUDIENCE...

More information

Understanding the differences in PIV, PIV-I, PIV-C August 23, 2010

Understanding the differences in PIV, PIV-I, PIV-C August 23, 2010 Federal CIO Council Information Security and Identity Management Committee Identity, Credential, and Access Management Understanding the differences in PIV, PIV-I, PIV-C August 23, 2010 Tim Baldridge AWG

More information

GAO PERSONAL ID VERIFICATION. Agencies Should Set a Higher Priority on Using the Capabilities of Standardized Identification Cards

GAO PERSONAL ID VERIFICATION. Agencies Should Set a Higher Priority on Using the Capabilities of Standardized Identification Cards GAO United States Government Accountability Office Report to Congressional Requesters September 2011 PERSONAL ID VERIFICATION Agencies Should Set a Higher Priority on Using the Capabilities of Standardized

More information

The Convergence of IT Security and Physical Access Control

The Convergence of IT Security and Physical Access Control The Convergence of IT Security and Physical Access Control Using a Single Credential to Secure Access to IT and Physical Resources Executive Summary Organizations are increasingly adopting a model in which

More information

GOALS (2) The goal of this training module is to increase your awareness of HSPD-12 and the corresponding technical standard FIPS 201.

GOALS (2) The goal of this training module is to increase your awareness of HSPD-12 and the corresponding technical standard FIPS 201. PERSONAL IDENTITY VERIFICATION (PIV) OVERVIEW INTRODUCTION (1) Welcome to the Homeland Security Presidential Directive 12 (HSPD-12) Personal Identity Verification (PIV) Overview module, designed to familiarize

More information

Identity, Credential, and Access Management. Open Solutions for Open Government

Identity, Credential, and Access Management. Open Solutions for Open Government Federal CIO Council Information Security and Identity Management Committee Identity, Credential, and Access Management www.idmanagement.gov Open Solutions for Open Government Judith Spencer Co-Chair, ICAM

More information

Justice Management Division

Justice Management Division Justice Management Division Privacy Impact Assessment for the Personal Identity Verification (PIV) Card System Issued by: Stuart Frisch, Senior Component Official for Privacy Reviewed by: Vance E. Hitch,

More information

Enrolling with PIV and PIV-I Velocity Enrollment Manager

Enrolling with PIV and PIV-I Velocity Enrollment Manager Enrolling with PIV and PIV-I Velocity Enrollment Manager Overview The Homeland Security Presidential Directive 12 (HSPD-12) called for a common identification standard to be adopted by all Federal Government

More information

FOUR PILLARS FOR A SUCCESSFUL PIV ECOSYSTEM

FOUR PILLARS FOR A SUCCESSFUL PIV ECOSYSTEM FOUR PILLARS FOR A SUCCESSFUL PIV ECOSYSTEM Four Pillars that HSPD-12 Programs must consider for a secure, efficient, interoperable PIV enterprise deployment. Continued HSPD-12 Implementation under OMB

More information

Physical Access Control System (PACS) in a Federal Identity, Credentialing and Access Management (FICAM) Framework

Physical Access Control System (PACS) in a Federal Identity, Credentialing and Access Management (FICAM) Framework Physical Access Control System (PACS) in a Federal Identity, Credentialing and Access Management (FICAM) Framework PACS Best Practices using PKI-Authentication A SIA White Paper Security Industry Association

More information

DEPARTMENTAL REGULATION

DEPARTMENTAL REGULATION U.S. DEPARTMENT OF AGRICULTURE WASHINGTON, D.C. 20250 DEPARTMENTAL REGULATION SUBJECT: Identity, Credential, and Access Management Number: 3640-001 DATE: December 9, 2011 OPI: Office of the Chief Information

More information

Chapter 15 User Authentication

Chapter 15 User Authentication Chapter 15 User Authentication 2015. 04. 06 Jae Woong Joo SeoulTech (woong07@seoultech.ac.kr) Table of Contents 15.1 Remote User-Authentication Principles 15.2 Remote User-Authentication Using Symmetric

More information

NIST s FIPS 201: Personal Identity Verification (PIV) of Federal Employees and Contractors Masaryk University in Brno Faculty of Informatics

NIST s FIPS 201: Personal Identity Verification (PIV) of Federal Employees and Contractors Masaryk University in Brno Faculty of Informatics NIST s FIPS 201: Personal Identity Verification (PIV) of Federal Employees and Contractors Masaryk University in Brno Faculty of Informatics Jan Krhovják Outline Introduction and basics of PIV Minimum

More information

NOAA HSPD-12 PIV-II Implementation October 23, 2007. Who is responsible for implementation of HSPD-12 PIV-II?

NOAA HSPD-12 PIV-II Implementation October 23, 2007. Who is responsible for implementation of HSPD-12 PIV-II? NOAA HSPD-12 PIV-II Implementation What is HSPD-12? Homeland Security Presidential Directive 12 (HSPD-12) is a Presidential requirement signed on August 27, 2004 requiring Federal agencies comply with

More information

The Convergence of IT Security and Physical Access Control

The Convergence of IT Security and Physical Access Control The Convergence of IT Security and Physical Access Control Using a Single Credential to Secure Access to IT and Physical Resources Executive Summary Organizations are increasingly adopting a model in which

More information

2. Each server or domain controller requires its own server certificate, DoD Root Certificates and enterprise validator installed.

2. Each server or domain controller requires its own server certificate, DoD Root Certificates and enterprise validator installed. Purpose and Scope The purpose of this policy is to define the roles and responsibilities on implementing the Homeland Security Presidential Directive 12 (HSPD-12) Logical Access Control (LAC) throughout

More information

A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)

A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS) NIST Special Publication 800-116 A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS) William MacGregor Ketan Mehta David Cooper Karen Scarfone I N F O R M A T I O

More information

The Government-wide Implementation of Biometrics for HSPD-12

The Government-wide Implementation of Biometrics for HSPD-12 The Government-wide Implementation of Biometrics for HSPD-12 David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy September 24, 2008 1 The HSPD-12 Mandate Home Security

More information

For Official Use Only (FOUO)

For Official Use Only (FOUO) The FEMA Mission To support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, and

More information

Announcing Approval of Federal Information Processing Standard (FIPS) Publication 201-2,

Announcing Approval of Federal Information Processing Standard (FIPS) Publication 201-2, This document is scheduled to be published in the Federal Register on 09/05/2013 and available online at http://federalregister.gov/a/2013-21491, and on FDsys.gov Billing Code 3510-13 DEPARTMENT OF COMMERCE

More information

Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance

Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance December 2, 2011 Powered by the Federal Chief Information Officers Council and the Federal Enterprise Architecture

More information

Department of Veterans Affairs VA DIRECTIVE 6510 VA IDENTITY AND ACCESS MANAGEMENT

Department of Veterans Affairs VA DIRECTIVE 6510 VA IDENTITY AND ACCESS MANAGEMENT Department of Veterans Affairs VA DIRECTIVE 6510 Washington, DC 20420 Transmittal Sheet VA IDENTITY AND ACCESS MANAGEMENT 1. REASON FOR ISSUE: This Directive defines the policy and responsibilities to

More information

Audio: This overview module contains an introduction, five lessons, and a conclusion.

Audio: This overview module contains an introduction, five lessons, and a conclusion. Homeland Security Presidential Directive 12 (HSPD 12) Overview Audio: Welcome to the Homeland Security Presidential Directive 12 (HSPD 12) overview module, the first in a series of informational modules

More information

FY14 Q2 Chief Information Officer Federal Information Security Management Act Reporting Metrics v1.0

FY14 Q2 Chief Information Officer Federal Information Security Management Act Reporting Metrics v1.0 FY14 Q2 Chief Information Officer Federal Information Security Management Act Reporting Metrics v1.0 Prepared by: US Department of Homeland Security Office of Cybersecurity and Communications Federal Network

More information

Government Compliance Document FIPS 201, FIPS 197, FIPS 140-2

Government Compliance Document FIPS 201, FIPS 197, FIPS 140-2 Government Compliance Document FIPS 201, FIPS 197, FIPS 140-2 AMAG Technology has been providing tailored and unified security solutions across a range of government agencies facilities for many years.

More information

I N F O R M A T I O N S E C U R I T Y

I N F O R M A T I O N S E C U R I T Y NIST Special Publication 800-78-3 DRAFT Cryptographic Algorithms and Key Sizes for Personal Identity Verification W. Timothy Polk Donna F. Dodson William E. Burr Hildegard Ferraiolo David Cooper I N F

More information

I N F O R M A T I O N S E C U R I T Y

I N F O R M A T I O N S E C U R I T Y NIST Special Publication 800-78-2 DRAFT Cryptographic Algorithms and Key Sizes for Personal Identity Verification W. Timothy Polk Donna F. Dodson William. E. Burr I N F O R M A T I O N S E C U R I T Y

More information

NSF AuthentX Identity Management System (IDMS) Privacy Impact Assessment. Version: 1.1 Date: 12/04/2006. National Science Foundation

NSF AuthentX Identity Management System (IDMS) Privacy Impact Assessment. Version: 1.1 Date: 12/04/2006. National Science Foundation This document has been archived and replaced by piaauthentx1207..0 National Science Foundation NSF AuthentX Identity Management System (IDMS) Privacy Impact Assessment Version: 1.1 Date: 12/04/2006 Table

More information

An Operational Architecture for Federated Identity Management

An Operational Architecture for Federated Identity Management An Operational Architecture for Federated Identity Management March 2011 Implementing federated identity management and assurance in operational scenarios Federated Identity Solution The Federated identity

More information

Federal Identity, Credential, and Access Management Trust Framework Solutions. Relying Party Guidance For Accepting Externally-Issued Credentials

Federal Identity, Credential, and Access Management Trust Framework Solutions. Relying Party Guidance For Accepting Externally-Issued Credentials Federal Identity, Credential, and Access Management Trust Framework Solutions Relying Party Guidance For Accepting Externally-Issued Credentials Version 1.1.0 Questions? Contact the FICAM TFS Program Manager

More information

Derived credentials. NIST SP 800-63-1 ( 5.3.5) provides for long term derived credentials

Derived credentials. NIST SP 800-63-1 ( 5.3.5) provides for long term derived credentials Daon your trusted Identity Partner Derived Credentials A Use Case Cathy Tilton Daon 1 February 2012 Derived credentials NIST SP 800-63-1 ( 5.3.5) provides for long term derived credentials Derived credential

More information

US Security Directive FIPS 201

US Security Directive FIPS 201 Security US Security Directive FIPS 201 Compliance Strategies Learn about compliance strategies for governmental agencies in meeting requirements of Homeland Security Presidential Directive 12 (HSPD-12),

More information

CoSign by ARX for PIV Cards

CoSign by ARX for PIV Cards The Digital Signature Company CoSign by ARX for PIV Cards Seamless and affordable digital signature processes across FIPS 201-compliant systems Introduction to Personal Identity Verification (PIV) In response

More information

Federal PKI. Trust Infrastructure. Overview V1.0. September 21, 2015 FINAL

Federal PKI. Trust Infrastructure. Overview V1.0. September 21, 2015 FINAL Federal PKI Trust Infrastructure Overview V1.0 September 21, 2015 FINAL This Page is Blank Table of Contents 1. Introduction... 1 2. Public Key Infrastructure Overview... 2 3. Federal Public Key Infrastructure

More information

MAESON MAHERRY. 3 Factor Authentication and what it means to business. Date: 21/10/2013

MAESON MAHERRY. 3 Factor Authentication and what it means to business. Date: 21/10/2013 MAESON MAHERRY 3 Factor Authentication and what it means to business. Date: 21/10/2013 Concept of identity Identity and Access Management Authoritive Identity Source User Identity Feed and Role Management

More information

FEDERAL IDENTITY, CREDENTIAL, AND ACCESS MANAGEMENT AND PERSONAL IDENTITY VERIFICATION (PIV) SOLUTIONS

FEDERAL IDENTITY, CREDENTIAL, AND ACCESS MANAGEMENT AND PERSONAL IDENTITY VERIFICATION (PIV) SOLUTIONS FEDERAL IDENTITY, CREDENTIAL, AND ACCESS MANAGEMENT AND PERSONAL IDENTITY VERIFICATION (PIV) SOLUTIONS Homeland Security Presidential Directive 12 (HSPD 12), FIPS 201, and the latest Federal Identity,

More information

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006 Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates September 2006 Copyright 2006 Entrust. All rights reserved. www.entrust.com Entrust is a registered trademark

More information

Deriving a Trusted Mobile Identity from an Existing Credential

Deriving a Trusted Mobile Identity from an Existing Credential Deriving a Trusted Mobile Identity from an Existing Credential Exploring and applying real-world use cases for mobile derived credentials +1-888-690-2424 entrust.com Table of contents Approval of the mobile

More information

Driving Safely on Information Highway. April 2006

Driving Safely on Information Highway. April 2006 Driving Safely on Information Highway April 2006 Agenda FIPS 201 and PK enabling Challenges of PK enabling Ways to meet the challenges PKIF Webcullis (demo) TrustEnabler (demo) FIPS 201 unique PK enabling

More information

Issuance and use of PIV at FAA

Issuance and use of PIV at FAA Issuance and use of PIV at FAA Presented to: Government Smart Card Interagency Advisory Board By: Ed Ebright, Division Manager, ID Media Division Date: May 2011 Agenda What we use PIV Card Status FAA HSPD-12

More information

Biometrics, Tokens, & Public Key Certificates

Biometrics, Tokens, & Public Key Certificates Biometrics, Tokens, & Public Key Certificates The Merging of Technologies TOKENEER Workstations WS CA WS WS Certificate Authority (CA) L. Reinert S. Luther Information Systems Security Organization Biometrics,

More information

Life After PIV. Authentication In Federated Spaces. Presented to. Card Tech/Secure Tech. May 2009. By Lynne Prince Defense Manpower Data Center

Life After PIV. Authentication In Federated Spaces. Presented to. Card Tech/Secure Tech. May 2009. By Lynne Prince Defense Manpower Data Center Life After PIV Authentication In Federated Spaces Presented to Card Tech/Secure Tech By Lynne Prince Defense Manpower Data Center Interoperability with HSPD12 Capability PIV provides a secure common credential,

More information

Architecture for Issuing DoD Mobile Derived Credentials. David A. Sowers. Master of Science In Computer Engineering

Architecture for Issuing DoD Mobile Derived Credentials. David A. Sowers. Master of Science In Computer Engineering Architecture for Issuing DoD Mobile Derived Credentials David A. Sowers Thesis submitted to the faculty of the Virginia Polytechnic Institute and State University in partial fulfillment of the requirements

More information

Authentication Tokens

Authentication Tokens State Capitol P.O. Box 2062 Albany, NY 12220-0062 www.its.ny.gov New York State Information Technology Standard IT Standard: Authentication Tokens No: NYS-S14-006 Updated: 05/15/2015 Issued By: NYS ITS

More information

Government Smart Card Interagency Advisory Board Moving to SHA-2: Overview and Treasury Activities October 27, 2010

Government Smart Card Interagency Advisory Board Moving to SHA-2: Overview and Treasury Activities October 27, 2010 Government Smart Card Interagency Advisory Board Moving to SHA-2: Overview and Treasury Activities October 27, 2010 Interagency Advisory Board Meeting Agenda, October 27, 2010 1. Opening Remarks 2. A Discussion

More information

Office of the Chief Information Officer Department of Energy Identity, Credential, and Access Management (ICAM)

Office of the Chief Information Officer Department of Energy Identity, Credential, and Access Management (ICAM) Department of Energy Identity, Credential, and Access Management (ICAM) Cyber Security Training Conference Tuesday, May 18, 2010 1 Announcement LACS Birds-of-a-Feather Session Logistics Wednesday, May

More information

STATEMENT OF WORK. For

STATEMENT OF WORK. For STATEMENT OF WORK For Credentialing and Validation Support for DC Homeland Security & Emergency Management Agency (DC HSEMA) IN SUPPORT OF THE GOVERNMENT OF THE DISTRICT OF COLUMBIA November 15, 2012 1.

More information

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions May 3, 2004 TABLE OF CONTENTS GENERAL PKI QUESTIONS... 1 1. What is PKI?...1 2. What functionality is provided by a

More information

NIST Test Personal Identity Verification (PIV) Cards

NIST Test Personal Identity Verification (PIV) Cards NISTIR 7870 NIST Test Personal Identity Verification (PIV) Cards David A. Cooper http://dx.doi.org/10.6028/nist.ir.7870 NISTIR 7870 NIST Text Personal Identity Verification (PIV) Cards David A. Cooper

More information

U.S. Department of Housing and Urban Development

U.S. Department of Housing and Urban Development U.S. Department of Housing and Urban Development PRIVACY IMPACT ASSESSMENT FOR: PERSONAL IDENTITY VERIFICATION (PIV) PROCESS TECHNOLOGY AND DATABASE IN COMPLIANCE WITH HOMELAND SECURITY PRESIDENTIAL DIRECTIVE

More information

Information Technology Policy

Information Technology Policy Information Technology Policy Identity Protection and Access Management (IPAM) Architectural Standard Identity Management Services ITP Number ITP-SEC013 Category Recommended Policy Contact RA-ITCentral@pa.gov

More information

RF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards

RF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards RF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards January 2007 Developed by: Smart Card Alliance Identity Council RF-Enabled Applications and Technology:

More information

Using FICAM as a model for TSCP Best Prac:ces in Physical Iden:ty and Access Management. TSCP Symposium November 2013

Using FICAM as a model for TSCP Best Prac:ces in Physical Iden:ty and Access Management. TSCP Symposium November 2013 Using FICAM as a model for TSCP Best Prac:ces in Physical Iden:ty and Access Management TSCP Symposium November 2013 Quantum Secure s Focus on FICAM and Related Standards Complete Suite of Physical Iden:ty

More information

The Commercial Identity Verification (CIV) Credential Leveraging FIPS 201 and the PIV Specifications: Is the CIV Credential Right for You?

The Commercial Identity Verification (CIV) Credential Leveraging FIPS 201 and the PIV Specifications: Is the CIV Credential Right for You? The Commercial Identity Verification (CIV) Credential Leveraging FIPS 201 and the PIV Specifications: Is the CIV Credential Right for You? A Smart Card Alliance Physical Access Council White Paper Publication

More information

Personal Identity Verification (PIV) of Federal Employees and Contractors

Personal Identity Verification (PIV) of Federal Employees and Contractors FIPS PUB 201-2 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION Personal Identity Verification (PIV) of Federal Employees and Contractors Computer Security Division Information Technology Laboratory

More information

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT Part I Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services Cryptography Cryptography (code

More information

Arkansas Department of Information Systems Arkansas Department of Finance and Administration

Arkansas Department of Information Systems Arkansas Department of Finance and Administration Arkansas Department of Information Systems Arkansas Department of Finance and Administration Title: Electronic Signature Standard Document Number: SS 70 011 Effective Date: Act 722 of 2007 requires state

More information

5 FAM 140 ACCEPTABILITY AND USE OF ELECTRONIC SIGNATURES

5 FAM 140 ACCEPTABILITY AND USE OF ELECTRONIC SIGNATURES 5 FAM 140 ACCEPTABILITY AND USE OF ELECTRONIC SIGNATURES 5 FAM 141 PURPOSE (CT-IM-112; 07-30-2010) (Office of Origin: IRM/OPS/ITI/SI/IIB) The purpose of this FAM chapter is to enable the Department to

More information

Personal Identity Verification (PIV) of Federal Employees and Contractors

Personal Identity Verification (PIV) of Federal Employees and Contractors FIPS PUB 201-1 Change Notice 1 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION Personal Identity Verification (PIV) of Federal Employees and Contractors Computer Security Division Information Technology

More information

I N F O R M A T I O N S E C U R I T Y

I N F O R M A T I O N S E C U R I T Y NIST Special Publication 800-73-3 Interfaces for Personal Identity Verification Part 1: End-Point PIV Card Application Namespace, Data Model and Representation Ramaswamy Chandramouli David Cooper James

More information

Personal Identity Verification

Personal Identity Verification for the Personal Identity Verification Contact Point Cynthia Sjoberg Program Manager, HSPD 12 Training and Operations Security Division Office of Security Department of Homeland Security (202) 447 5010

More information

User Authentication Guidance for IT Systems

User Authentication Guidance for IT Systems Information Technology Security Guideline User Authentication Guidance for IT Systems ITSG-31 March 2009 March 2009 This page intentionally left blank March 2009 Foreword The User Authentication Guidance

More information

FICC Shared Service Provider (SSP) Industry Day, 3/11. Questions and Answers

FICC Shared Service Provider (SSP) Industry Day, 3/11. Questions and Answers FICC Shared Service Provider (SSP) Industry Day, 3/11 Questions and Answers A request to repeat the URL where the presentation and documents will be stored was made. -Judith Spencer repeated the URL, www.cio.gov/ficc/ssp_documents.htm,

More information

Enabling Security, Compliance and Efficiency: Achieve Your Federal Identification Credentialing Goals

Enabling Security, Compliance and Efficiency: Achieve Your Federal Identification Credentialing Goals Enabling Security, Compliance and Efficiency: Achieve Your Federal Identification Credentialing Goals executive summary Identity management and verification depend on trusted credentialing technologies.

More information

State Identity, Credential, and Access Management (SICAM) Roadmap and Implementation Guidance Version 2.0 October 14, 2013

State Identity, Credential, and Access Management (SICAM) Roadmap and Implementation Guidance Version 2.0 October 14, 2013 State Identity, Credential, and Access Management (SICAM) Roadmap and Implementation Guidance Version 2.0 October 14, 2013 Statewide Information Management Manual (SIMM) Section 158A Enterprise Architecture

More information

Personal Identity Verification (PIV) of Federal Employees and Contractors DRAFT

Personal Identity Verification (PIV) of Federal Employees and Contractors DRAFT 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 FIPS PUB 201-2 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION Personal Identity Verification (PIV) of Federal Employees and

More information

The Global Unique ID (GUID)

The Global Unique ID (GUID) The Global Unique ID (GUID) CardTech/SecureTech 7.April.2009 CertiPath Commercial PKI Bridge operated by a joint venture of ARINC : Exostar : SITA Agenda Recommendation on the Credential Numbering Scheme

More information

Frequently Asked Questions (FAQs) SIPRNet Hardware Token

Frequently Asked Questions (FAQs) SIPRNet Hardware Token Air Force Public Key Infrastructure System Program Office (ESC/HNCDP) Phone: 210-925-2562 / DSN: 945-2562 Web: https://afpki.lackland.af.mil Frequently Asked Questions (FAQs) SIPRNet Hardware Token Updated:

More information

Personal Identity Verification (PIV) of Federal Employees and Contractors

Personal Identity Verification (PIV) of Federal Employees and Contractors FIPS PUB 201-2 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION Personal Identity Verification (PIV) of Federal Employees and Contractors Computer Security Division Information Technology Laboratory

More information

Identity - Privacy - Security

Identity - Privacy - Security Identity - Privacy - Security Systems Security Engineering and Privacy Privacy and Security Workshop 3 Nov 2006 Toronto Recent Digital FIPS Border 201 Motivation Identity Security for Security Privacy

More information

Federal Identity Management Handbook

Federal Identity Management Handbook September 2005 PUBLIC DRAFT Acknowledgements The Office of Management and Budget and the Federal Identity Credentialing Committee would like to acknowledge the significant contributions of the National

More information

U.S. DEPARTMENT OF COMMERCE UNITED STATES PATENT AND TRADEMARK OFFICE. Privacy Impact Assessment

U.S. DEPARTMENT OF COMMERCE UNITED STATES PATENT AND TRADEMARK OFFICE. Privacy Impact Assessment U.S. DEPARTMENT OF COMMERCE UNITED STATES PATENT AND TRADEMARK OFFICE Privacy Impact Assessment Personal Identity Verification System Card Management System (HSPD12-PIVS/CMS) PTOI-007-00 September 18,

More information

Using BroadSAFE TM Technology 07/18/05

Using BroadSAFE TM Technology 07/18/05 Using BroadSAFE TM Technology 07/18/05 Layers of a Security System Security System Data Encryption Key Negotiation Authentication Identity Root Key Once root is compromised, all subsequent layers of security

More information

Page 1. Smart Card Applications. Lecture 7: Prof. Sead Muftic Matei Ciobanu Morogan. Lecture 7 : Lecture 7 : Smart Card Applications

Page 1. Smart Card Applications. Lecture 7: Prof. Sead Muftic Matei Ciobanu Morogan. Lecture 7 : Lecture 7 : Smart Card Applications in Open Distributed Processing s 1 in Open Distributed Processing s 2 Prof. Sead Muftic Matei Ciobanu Morogan Lecture 7: 1 2 in Open Distributed Processing s 3 in Open Distributed Processing s Smart s

More information

Commonwealth of Virginia Personal Identity Verification-Interoperable (PIV-I) First Responder Authentication Credential (FRAC) Program

Commonwealth of Virginia Personal Identity Verification-Interoperable (PIV-I) First Responder Authentication Credential (FRAC) Program Commonwealth of Virginia Personal Identity Verification-Interoperable (PIV-I) First Responder Authentication Credential (FRAC) Program October 2012 W. Duane Stafford Statewide Credentialing Coordinator

More information

Interagency Advisory Board Meeting Agenda, Wednesday, February 22, 2012

Interagency Advisory Board Meeting Agenda, Wednesday, February 22, 2012 Interagency Advisory Board Meeting Agenda, Wednesday, February 22, 2012 1. Opening Remarks (Mr. Tim Baldridge, IAB Chair) 2. Generic Identity Command Set (GICS): Leveraging PIV to Build a Standard Platform

More information

Technical Implementation Guidance: Smart Card Enabled Physical Access Control Systems Version 2.3

Technical Implementation Guidance: Smart Card Enabled Physical Access Control Systems Version 2.3 Technical Implementation Guidance: Smart Card Enabled Physical Access Control Systems Version 2.3 Approved by: Government Smart Card Interagency Advisory Board Prepared by: Physical Access Interagency

More information

DEPARTMENT OF DEFENSE 6000 DEFENSE PENTAGON WASHINGTON, DC 20301-6000

DEPARTMENT OF DEFENSE 6000 DEFENSE PENTAGON WASHINGTON, DC 20301-6000 DEPARTMENT OF DEFENSE 6000 DEFENSE PENTAGON WASHINGTON, DC 20301-6000 CHIEF INFORMATION OFFICER OCT 05 2010 MEMORANDUM FOR SECRETARIES OF THE MILITARY DEPARTMENTS CHAIRMAN OF THE JOrNT CHIEFS OF STAFF

More information

Moving to Multi-factor Authentication. Kevin Unthank

Moving to Multi-factor Authentication. Kevin Unthank Moving to Multi-factor Authentication Kevin Unthank What is Authentication 3 steps of Access Control Identification: The entity makes claim to a particular Identity Authentication: The entity proves that

More information

No additional requirements to use the PIV I card for physical facility access have been identified.

No additional requirements to use the PIV I card for physical facility access have been identified. 1. The RFI request document regarding Driver Authentication states that "any one or more of the following methods" will be required: Personal Identification Number (PIN) Non Federal Personal Identity Verification

More information

CryptoNET: Security Management Protocols

CryptoNET: Security Management Protocols CryptoNET: Security Management Protocols ABDUL GHAFOOR ABBASI, SEAD MUFTIC CoS, School of Information and Communication Technology Royal Institute of Technology Borgarfjordsgatan 15, SE-164 40, Kista,

More information

Executive Summary P 1. ActivIdentity

Executive Summary P 1. ActivIdentity WHITE PAPER WP Converging Access of IT and Building Resources P 1 Executive Summary To get business done, users must have quick, simple access to the resources they need, when they need them, whether they

More information

INFORMATION PROCEDURE

INFORMATION PROCEDURE INFORMATION PROCEDURE Information Security - Identification and Authentication Procedure Issued by the EPA Chief Information Officer, Pursuant to Delegation 1-19, dated 07/07/2005 INFORMATION SECURITY

More information

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Contents Authentication and Identity Assurance The Identity Assurance continuum Plain Password Authentication

More information

A Method of Risk Assessment for Multi-Factor Authentication

A Method of Risk Assessment for Multi-Factor Authentication Journal of Information Processing Systems, Vol.7, No.1, March 2011 DOI : 10.3745/JIPS.2011.7.1.187 A Method of Risk Assessment for Multi-Factor Authentication Jae-Jung Kim* and Seng-Phil Hong** Abstract

More information

Implementing Federal Personal Identity Verification for VMware View. By Bryan Salek, Federal Desktop Systems Engineer, VMware

Implementing Federal Personal Identity Verification for VMware View. By Bryan Salek, Federal Desktop Systems Engineer, VMware Implementing Federal Personal Identity Verification for VMware View By Bryan Salek, Federal Desktop Systems Engineer, VMware Technical WHITE PAPER Introduction This guide explains how to implement authentication

More information

State of Arkansas Policy Statement on the Use of Electronic Signatures by State Agencies June 2008

State of Arkansas Policy Statement on the Use of Electronic Signatures by State Agencies June 2008 State of Arkansas Policy Statement on the Use of Electronic Signatures by State Agencies June 2008 Background In the last ten years Arkansas has enacted several laws to facilitate electronic transactions

More information

State Identity Credential and Access Management (SICAM) Guidance and Roadmap

State Identity Credential and Access Management (SICAM) Guidance and Roadmap State Identity Credential and Access Management (SICAM) - Version 1.0 September 2012 EXECUTIVE SUMMARY The State Identity and Credential Access Management (SICAM) outline a strategic vision for state-based

More information