The Government-wide Implementation of Biometrics for HSPD-12

Transcription

1 The Government-wide Implementation of Biometrics for HSPD-12 David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy September 24,

2 The HSPD-12 Mandate Home Security Presidential Directive 12 (HSPD-12): Policy for a Common Identification Standard for Federal Employees and Contractors -- Signed by President: August 27, 2004 HSPD-12 has Four Control Objectives: Issue Identification based on sound criteria to verify an individual s identity. Strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation. Personal Identity can be rapidly authenticated electronically. Issued by providers who s reliability has been established by an official accreditation process. 2

3 Government-wide Implementation Strategy OMB provides policy and implementation guidance. NIST provides HSPD-12 process and technical requirements (FIPS 201 and associated Special Publications). Government-wide interoperability is required. Implementation is controlled through acquisition process. GSA designated as Executive Agent for Acquisition for Information Technology for the implementation of HSPD-12. GSA is designated to establish an evaluation program to ensure that products/services conform to HSPD-12 (FIPS 201) requirements. GSA designated as Government-wide Shared Service Provider to provide shared services and infrastructure for government-wide implementation (MSO). Extremely aggressive milestones are needed to maintain focus and momentum. 3

4 The Quest for Interoperability Interoperability is defined as the ability of: Diverse systems and organizations to work together (inter-operate). Wikipedia Two or more systems or components to exchange information and to use the information that has been exchanged. IEEE Any government facility or information system, regardless of PIV issuer, to verify a cardholder s identity using the credentials on the PIV card. FIPS Two or more devices, components, or systems to exchange information in accordance with defined interface specifications and to use the information that has been exchanged in a meaningful way. GSA 4

5 The Starting Gate for Government-wide Interoperability Standard data model CHUID FP Biometric Template PIV Authentication Certificate Optional digital credentials Interoperability and security standards PIV data interface specifications Standard Testing Programs - Products Reference Implementations - data interface specifications Standard Testing Program - data interface specifications FIPS 201 and associated NIST Special Publications SP Biometric Data Specification for Personal Identity Verification PIV Interface Specifications Standard Testing Programs - Products - GSA FIPS 201 Evaluation Program - NIST - FBI - NVLAP - OPM 5

6 Status of GSA FIPS 201 Evaluation Program GSA administers the FIPS-201 Evaluation Program to determine conformance to FIPS-201 normative requirements. Certified laboratories perform all FIPS 201 conformance tests and evaluations GSA approves all evaluations and posts to Approved Product List Approved Product List posted at GSA identified 24 categories of products/services which must comply with specific normative requirements contained in FIPS 201 Current product and services approvals: 360+ products on FIPS 201 Approved Product List Current certified labs: Require NVLAP accreditation, GSA FIPS 201 EP Certification Atlan Laboratories, InfoGard Laboratories Several more lab certifications in progress 6

7 FIPS 201 EP Product/Service Categories # Product/Service Category # Product/Service Category 1 Authentication Key Reader 13 Facial Image Capturing Middleware 2 Biometric Reader 14 Fingerprint Capture Station 3 Biometric Reader Authentication 15 Graphical Personalization CHUID Authentication Reader (Contact) CHUID Authentication Reader (Contactless) CHUID Reader (Contact) CHUID Reader (Contactless) Cryptographic Module Electromagnetically Opaque Sleeve Electronic Personalization Electronic Personalization (Service) OCSP Responder Single Fingerprint Capture Device PIV Card PIV Card Delivery PIV Middleware Fingerprint Template Generator Fingerprint Template Matcher Transparent Reader Card Printer Station 12 Facial Image Capturing Camera 7

8 APL Products for PIV Architecture Components PIV Enrollment Fingerprint Capture Station Facial Image Capture Camera/Station Facial Image Capture (middleware) FP Template Generator FP Template Matcher Authentication Use Cases PIV Card Reader Transparent PIV Card Reader CHUID PIV Card Reader Auth Key PIV Card Reader Biometric PIV Card Reader Biometric Auth PIV Middleware Cryptographic modules PIV IDMS (SIP) FP Template Generator FP Template Matcher Card Issuance/ Activation Single FP Capture Device FP Template Generator FP Template Matcher Cryptographic modules Card Sleeve OPM/FBI National Criminal History Check NACI Fingerprint Capture Station Card Production and Management System PIV Card PIV Middleware PIV Card Printer Station PIV Card Electronic Personalization (product, service) PIV Card Graph. Personalization PIV Card Delivery 8

9 FIPS 201 Evaluation Program Biometrics GSA FIPS 201 Evaluation Program evaluates 8 categories of biometric products 1. Fingerprint Capture Station 2. Single Fingerprint Capture Device 3. Facial Image Capture camera/station 4. Facial Image Capture (middleware) 5. Fingerprint Template Generator 6. Fingerprint Template Matcher 7. PIV Card Reader (Biometric) 8. PIV Card Reader (Biometric Authentication) NIST performs testing for FP Template Generator/Matcher. NIST Minutiae Interoperability Exchange Tests (MINEX) Intended to assess performance and sufficiency of algorithms under ANSI/INCITS 378 standard. NIST MINEX QPL at FBI performs testing and certification for FP scanning equipment. FIPS 201 Evaluation Program categories Fingerprint Capture Station and Single Fingerprint Capture Device FBI tests conformance to FBI IAFIS Quality Specifications. FBI Certification list at All products are approved by GSA FIPS 201 Evaluation Program 9

10 10

11 11

12 Accessing the FIPS 201 Approved Products List 12

13 Schematic for GSA FIPS 201 EP Lab Accreditation and Certification Steps for GSA EP Lab Certification: 1. Accreditation under NVLAP as a Basic Cryptographic and Security Testing (17BCS) laboratory. 2. Accreditation under NVLAP as a NIST Personal Identity Verification Program (NPIVP) Testing (17PIV) Laboratory. 3. Accreditation under NVLAP for all GSA FIPS 201 test methods (17GSAP). 4. Certification under GSA FIPS 201 Evaluation Program for all test, evaluation, and laboratory requirements. 13

14 HSPD-12 Systems Shared and Stand-Alone 3 SSPs for HSPD stand-alone Shared HSPD-12 systems GSA Dept. State DoD Achieving interoperability across 3 separate and distinct systems is VERY HARD, achieving interoperability across 19 systems is well VERY, VERY HARD. Stand-Alone DOL DHS ED EOP EPA FAA FHFB FTC HHS HUD IBB NASA NCUA SBA SSA VA 14

15 Where We are Today Manage configurations across Govt for new technologies/requirements Extend PIV infrastructure to new Communities (FRAC, Healthcare) Implement and test standard interface Specifications across PIV systems Build and test standard use case applications Complete conversion to PIV Credentials for all contractors Complete conversion to PIV Credentials for all employees Stabilize issuance operations Across 19 HSPD-12 systems We re still climbing the first steps 15

16 For More Information Visit our Websites: Or contact: David Temoshok April Giles, CISM, CISA, CISSP Director, Identity Policy and FIPS 201 Evaluation Program Chief Management Architect