The Implementation of Homeland Security Presidential Directive 12

Similar documents
HSPD-12 Implementation Architecture Working Group Concept Overview. Version 1.0 March 17, 2006

The Government-wide Implementation of Biometrics for HSPD-12

GOALS (2) The goal of this training module is to increase your awareness of HSPD-12 and the corresponding technical standard FIPS 201.

NOAA HSPD-12 PIV-II Implementation October 23, Who is responsible for implementation of HSPD-12 PIV-II?

GAO PERSONAL ID VERIFICATION. Agencies Should Set a Higher Priority on Using the Capabilities of Standardized Identification Cards

GSA FIPS 201 Evaluation Program

E X E C U T I V E O F F I CE O F T H E P R E S I D EN T

Audio: This overview module contains an introduction, five lessons, and a conclusion.

Federal Identity Management Handbook

NIST s FIPS 201: Personal Identity Verification (PIV) of Federal Employees and Contractors Masaryk University in Brno Faculty of Informatics

1. The human guard at the access control entry point determines whether the PIV Card appears to be genuine and has not been altered in any way.

HSPD-12 Homeland Security Presidential Directive #12 Overview

U.S. Department of Housing and Urban Development

Information Technology Policy

An Operational Architecture for Federated Identity Management

STATEMENT OF WORK. For

Justice Management Division

Personal Identity Verification (PIV) of Federal Employees and Contractors

What Does it Mean to be PIVish in PACS ICAM PIV in E-PACS Guidance v2.0.2 the short form. December 3, 2012

DEPARTMENTAL REGULATION

Commonwealth of Virginia Personal Identity Verification-Interoperable (PIV-I) First Responder Authentication Credential (FRAC) Program

Briefing Outline. Overview of the CUI Program. CUI and IT Implementation

FOUR PILLARS FOR A SUCCESSFUL PIV ECOSYSTEM

For Official Use Only (FOUO)

Life After PIV. Authentication In Federated Spaces. Presented to. Card Tech/Secure Tech. May By Lynne Prince Defense Manpower Data Center

Personal Identity Verification (PIV) of Federal Employees and Contractors

Standard Government-Wide Senior Executive Service (SES) Performance Appraisal System

Smart Cards and Biometrics in Physical Access Control Systems

Privacy Impact Assessment of. Personal Identity Verification Program

Personal Identity Verification

U.S. Department of Agriculture HSPD 12 Program. USDA HSPD-12 Implementing PIV USDA

IDaaS: Managed Credentials for Local & State Emergency Responders

Personal Identity Verification (PIV) of Federal Employees and Contractors DRAFT

National Capital Region. Electronic Designation and Validation of Federal/Emergency Response Officials (F/EROs) in support of National Preparedness

Identity and Access Management Initiatives in the United States Government

NSF AuthentX Identity Management System (IDMS) Privacy Impact Assessment. Version: 1.1 Date: 12/04/2006. National Science Foundation

US Security Directive FIPS 201

Personal Identity Verification (PIV) of Federal Employees and Contractors

2. Each server or domain controller requires its own server certificate, DoD Root Certificates and enterprise validator installed.

Understanding the differences in PIV, PIV-I, PIV-C August 23, 2010

Identity, Credential, and Access Management. An information exchange For Information Security and Privacy Advisory Board

Report No. D June 23, DoD Implementation of Homeland Security Presidential Directive-12

ARC Outreach on HSPD 12 and Mandatory Use of ODIN

Emergency Response Official Credentials A Smart Card Alliance White Paper. Salvatore D Agostino CEO, IDmachines LLC sal@idmachines.

Announcing Approval of Federal Information Processing Standard (FIPS) Publication 201-2,

Small Business Administration Privacy Impact Assessment

Derived credentials. NIST SP ( 5.3.5) provides for long term derived credentials

U.S. DEPARTMENT OF COMMERCE UNITED STATES PATENT AND TRADEMARK OFFICE. Privacy Impact Assessment

Practical Challenges in Adopting PIV/PIV-I

Issuance and use of PIV at FAA

Strong Authentication for PIV and PIV-I using PKI and Biometrics

Federal Identity, Credentialing, and Access Management. Personal Identity Verification Interoperable (PIV-I) Test Plan. Version 1.1.

The Convergence of IT Security and Physical Access Control

Integration of Access Security with Cloud- Based Credentialing Services

Department of Veterans Affairs VA DIRECTIVE 6510 VA IDENTITY AND ACCESS MANAGEMENT

DEPARTMENT OF DEFENSE GUIDEBOOK FOR CAC-ELIGIBLE CONTRACTORS FOR UNCLASSIFIED NETWORK ACCESS

Federal PKI (FPKI) Community Transition to SHA-256 Frequently Asked Questions (FAQ)

Identity, Credential, and Access Management

Enrolling with PIV and PIV-I Velocity Enrollment Manager

U.S. Department of Energy Washington, D.C.

SIGNIFICANT CHANGES DOCUMENT

Department of Defense INSTRUCTION

Government Compliance Document FIPS 201, FIPS 197, FIPS 140-2

Status: Final. Form Date: 30-SEP-13. Question 1: OPDIV Question 1 Answer: OS

NEIS HELP DESK FAQS. HSPD-12 Policy/Business Process. General HSPD-12 FAQs can be found online at:

Developing a Federal Vision for Identity Management

I. U.S. Government Privacy Laws

FEDERAL IDENTITY, CREDENTIAL, AND ACCESS MANAGEMENT AND PERSONAL IDENTITY VERIFICATION (PIV) SOLUTIONS

SecurityManager. Enterprise Personnel & Physical Security Case Management Solution for Federal Agencies

Federal PKI. Trust Infrastructure. Overview V1.0. September 21, 2015 FINAL

~ Final Credentialing Standards for Issuing Personal Identity Verification Cards under HSPD-12

SYSTEM NAME: Digital Identity Access Management System (DIAMS) - P281. SYSTEM LOCATION: U.S. Department of Housing and Urban Development, 451 Seventh

Identity, Credential, and Access Management. Open Solutions for Open Government

Architecture for Issuing DoD Mobile Derived Credentials. David A. Sowers. Master of Science In Computer Engineering

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006

Technical Implementation Guidance: Smart Card Enabled Physical Access Control Systems Version 2.3

EMERGENCY SUPPORT FUNCTION ANNEXES: INTRODUCTION

I N F O R M A T I O N S E C U R I T Y

Page 1. Smart Card Applications. Lecture 7: Prof. Sead Muftic Matei Ciobanu Morogan. Lecture 7 : Lecture 7 : Smart Card Applications

Identity & Privacy Protection

Office of the Chief Information Officer Department of Energy Identity, Credential, and Access Management (ICAM)

Frequently Asked Questions (FAQs) SIPRNet Hardware Token

GAO Information Security Issues

I N F O R M A T I O N S E C U R I T Y

Using FIPS 201 and the PIV Card for the Corporate Enterprise

CoSign by ARX for PIV Cards

2012 FISMA Executive Summary Report

PIV Data Model Test Guidelines

Moving to Multi-factor Authentication. Kevin Unthank

Transcription:

The Implementation of Homeland Security Presidential Directive 12 David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy Information Security and Privacy Advisory Board September 14, 2006 1

The HSPD-12 Mandate Home Security Presidential Directive 12 (HSPD-12): Policy for a Common Identification Standard for Federal Employees and Contractors -- Signed by President: August 27, 2004 HSPD-12 has Four Control Objectives: Issue Identification based on sound criteria to verify an individual s identity. Strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation. Personal Identity can be rapidly authenticated electronically. Issued by providers who s reliability has been established by an official accreditation process. 2

Key Milestones Timeline August 27, 2004 Agency/Department Requirement/Milestone HSPD-12 signed and issued Not later than 6 months (February 27, 2005) Not later than 8 months following issuance of standard (October 27, 2005) NIST Issue standard (FIPS-201) Compliance with FIPS-201 Part One: Identity Proofing and Enrollment. PIV-I Not later 20 months following issuance of standard (October 27, 2006) Not later than 32 months following issuance of standard (October 27, 2007) Commence deployment of FIPS- 201 compliant Identity Credentials (FIPS-201 Part Two). PIV-II Compliance with FIPS-201 Part Two: Fully operational Physical and Logical Access 3

Four Authentication Assurance Levels to meet multiple risk levels PKI/ Digital Signature Multi-Factor Token PIV Card Increased $ Cost - PIN/User ID Low Access to Protected Website Knowledge-Based Strong Password Medium Applying for a Loan Online Biometrics High Obtaining Govt. Benefits Increased Need for Identity Assurance Very High Employee Screening for a High Risk Job 4

Multiple Authentication Technologies To provide multiple authentication assurance levels, FIPS 201 requires multiple authentication technologies: Authentication using PIV Visual Credentials Authentication using the CHUID contact or contactless Authentication using PIN Authentication using Biometric (match on/off card) Authentication using PIV asymmetric Cryptography (PKI) Something I have PIV Card Something I know - PIN Something I am - Biometric 5

OMB Guidance Key Points OMB Guidance for HSPD-12 - M-05-24: To ensure government-wide interoperability, agencies must acquire only products and services that are on the approved products list GSA is designated the executive agent for Government-wide acquisitions of information technology" for the products and services required to implement HSPD-12 GSA will make approved products and services available for acquisition through SIN 132-62 under IT Schedule 70 GSA will ensure all approved suppliers provide products and services that meet all applicable federal standards and requirements http://www.whitehouse.gov/omb/memoranda/fy2005/m05-24.pdf 6

GSA s Role Establish interoperability and common performance testing to meet NIST standards, product interoperability testing Establish Approved Products Lists for product and services categories requiring FIPS 201 compliance Qualify products and services on IT Schedule 70 and SIN 132-62 as FIPS 201 compliant Provide full-range of qualified products and services to meet Agency implementation needs Approved products and services will be made available on government-wide basis through GSA IT Multi-Award Schedule 70 Under E-Gov Act of 2002, State and local Governments can acquire products/services directly from IT Schedule 70. 7

GSA FIPS 201 Evaluation Program NIST FIPS 201-- the PIV Standard -- established normative requirements for processes and technologies for HSPD-12 security and interoperability GSA identified 22 categories of products/services directly impacted by FIPS 201 requirements All 22 categories of products/services are needed for HSPD-12 implementation GSA Evaluation Program evaluates all products/services for conformance to FIPS 201 requirements Approved products are posted to the Approved Products List Evaluation Program Goal Ensure products/services used to implement HSPD-12 meet all FIPS 201 security and interoperability requirements. 8

Relationship of HSPD-12 Evaluation and Acquisition Programs NIST NPVIP Testing PIV Applets PIV Middleware GSA Qualified Integrated Solutions and Services GSA Evaluation Program 22 categories of products and services Interoperability testing Compliance with FIPS 201 GSA HSPD-12 Acquisition Program IT Schedule 70 SIN 132-61, 62 Approved products Qualified services GSA Approved Products List 9

HSPD-12 System Components Enrollment Services Enrollment Data Registration Data Capture Biometrics Document Verification Card Data Identity and Card Management Systems Card Printing, Production Inventory, & Distribution PKI Services Agency Physical Access Control Systems Agency Logical Access Control Systems Card Production Services Systems Infrastructure FPKI SSP & FBCA Cross-certified PKI Finalization Service Provider Cards issued and Activated Black arrows signify data interfaces 10

Accessing the Approved Products and Services Approved Products for PKI, systems integrators, and FIPS 201 products are accessed at http:idmanagement.gov 11

Where are we today? 43 days to go (counting weekends) 9 agencies committed to their own infrastructure: DHS, DoD, NASA, DoS, SSA, EPA, NSF, HHS, Treasury 100+ Agencies want to share infrastructure All small agencies DOC, HUD, USDA, DOI, GSA, DOE, OPM, Federal Reserve, NARA, FCC committed Several undecided Shared Service Providers DoD for branches of military 8 agencies serviced by State Dept DOI RFP issued July 24 for agencies serviced by DOI HR GSA GSA Government-wide Shared Service SSP RFP award 8/18 Intended for government-wide use Agencies to sign up through MOU and Interagency Agreement by September 30 GSA Managed Service Office established 7/06 Will meet 10/27/06 implementation requirements for all participating agencies 12

HSPD-12 Shared Services Architecture First, the issuing agency provides affiliation (sponsorship) feeds, adjudication results, and revocation requests to the SIP. The SIP provides reports back to the agency. Second, the ESP retrieves applicant data from the SIP, enrolls the applicant, and sends enrollment data back to the SIP. Card Reader Card Reader Camera Camera Document Document Scanner Scanner Fingerprint Fingerprint Scanner Scanner Enrollment Enrollment Service Enrollment Enrollment Service Officer Provider Officer Provider Adjudicator Personnel COTR Results Enrollment Data Agency affiliation, adjudication, and revocation data Issuing Agency Helpdesk Operations Security Helpdesk Operations Security IDMS CMS IDMS CMS Fingerprints Third, the SIP sends fingerprint data collected from the ESP to OPM for suitability checks, and results are sent to the agency. Fourth, after agency adjudication the PSP accepts cardholder information from the SIP needed to print the card. When card printing is completed card data is returned to the SIP, including which chip ID was used for this applicant. The card is then locked with a transport key and shipped to the designated FSP. Systems Systems Infrastructure Infrastructure Provider Provider Card Data OPM CMS CMS Card Distribution Card Distribution Card Printing Card Printing FBI Inventory Inventory Production Production Service Provider Service Provider Sixth, the certificate could be requested and loaded at the FSP, if desired. PACS Agency / LACS PACS / LACS CRL Key Mgt. CRL Key Mgt. FPKI SSP FPKI SSP Card Reader Card Reader Finalization Finalization Officer Officer Signed Objects Fingerprint Fingerprint Scanner Scanner Finalization Service Finalization Service Provider Provider Scope of shared services are Printed and HSPD-12 system components Pre-Personalized Cards inside the red border. These are core HSPD-12 services to meet Fifth, the FSP matches the applicant biometric, and then PIV uses the 1 SIP & CMS 2 to compliance. unlock the card, load the signed objects, and finalize the configuration. The card leaves LACS/PACS, FBI and OPM the FSP ready to use. This step is often referred to as interfaces issuance because it is are the last outside step in issuance scope. process. 13

Shared Services Initial Operating Capability GSA Shared Services will issue PIV cards NLT 10/27/06 for all participating agencies in 4 multi-tenant locations. New York, NY Jacob K Javits Federal Bldg 26 Federal Plaza Seattle, WA Jackson Federal Bldg 915 Second Ave Washington, DC GSA-ROB 7 th and D St SW Atlanta, GA Richard B Russell Federal Bldg 75 Spring St 14 *** These are the expected locations

Agencies Touched by Initial Rollout Initial Operating Capability in New York, Seattle, Atlanta, Washington DC provides local access to shared enrollment stations for 133 federal agencies. SBA USAF Dept COM HHS EPA USPS HUD DOJ RRB DOL NLRB SSA USA Dept GSA USDA DOS DHS New York, NY: Javits Federal Bldg HUD OPM SSA COM DoD DHS Tax CT Navy EOP DOC DOS DOJ USDA DOL DOI DOE VA DOT FTC EEOC ED USPS EPA GSA NLRB GAO SBA HHS USA Dept Seattle, WA: Jackson Federal Bldg RRB ED SSS ATBCB IMLS FCC OPIC USITC CRC AFRH GSA BBG CFA DOE MSPB FHFB DOC ABMC CCFF ED ARC USSC USDA CNS GSA USSC FTC NEA AC/IR ADF EEOC COM FLRA SBA DOJ FCA NIGC FRB USTR TPT DOT CNFSB MMC NSF RRB STB NARA FDIC NEH FAMA TDA JMMFF FERC FEC MCC DRA SEC DOL NCPC CPPBSD OSC NGA HRSF PBGB PRC HUD IAF NCD NRC NWTRB LSC USIP FCSIC TD NCLIS IMLS Washington, DC: GSA-ROB DOJ HUD USAF USDA Navy SSA Dept DOI DOL DOT HHS EEOC EOP ED GSA EPA USA Dept DHS USDA Atlanta, GA: Richard B Russell Federal Bldg 15

HSPD-12 Federal Shared Enrollment Service Station 1 Station 3 Station 2 ` ` Dual Site Shared Centralized Components ` Station 4 Station 5 ` Card Mgmt System ID Mgmt System Card Printing System PKI Certificate Integration Station 6 ` Enrollment Broker ` Station 7 Station 8 200+ geographically distributed & shared Enrollment Stations; GSA provides leased space, operators ` Station n ` Add. Needs Stations ` ` Other HSPD-12 Centralized Answers (a authorized by OMB) The Shared Enrollment Service will provide an Enrollment Broker to handle standard enrollment data from hundreds of enrollment stations into the shared PIV system. 16

Sharing Opportunities 1. Enrollment Stations largest single cost; largest opportunity for savings Station Station11 Station Station22 1. 2. `` Dual Dual Site Site Shared SharedCentralized Centralized Components Components `` Station Station33 2. Centralized Components fixed Station44 cost item whether 10,000 card Station holders or 1 million card holders `` `` Card CardMgmt MgmtSystem System ID IDMgmt MgmtSystem System Card CardPrinting PrintingSystem System PKI PKICertificate CertificateIntegration Integration Station Station55 Enrollment Broker `` 3. Standard Interfaces Station Station66 `` -- AWG developing standard interfaces for enrollment/sip, SIP/OPM, SIP/FBI, SIP/PACS, backend authentication -- Potential for standard APIs 4. Other Opportunities - TBD 3. Station Station77 Other OtherHSPD-12 HSPD-12 Centralized CentralizedAnswers Answers `` (as (asauthorized authorizedby byomb) OMB) Station Station88 450+ Geographically Distributed & Shared Enrollment Stations; Operated by Various Agencies for Cost Reimbursement `` Station Station n n Add. Add.Needs Needs Stations Stations `` `` 17

FAR Amendments for Implementation of HSPD-12 FAR Interim Rule: Common Identification Standard for Contractors Published as Interim Rule January 3, 2006; final rule approved for issuance 9/06. Contractors must comply with PIV requirements for personnel needing routine access to Federal facilities and/or information systems Coordinated and issued by Civilian Acquisition Council (CAC) and Defense Acquisition Regulations (DAR) Council. FAR Case 2005-017: Requirement to Purchase Approved Authentication Products and Services Issued as Proposed Rule, 8/23/06. Requires agencies to use only FIPS 201 approved products and services for the implementation of HSPD-12. 18

Conclusion Where we are today.. It ain t pretty.. Gotta move forward Lots and lots of moving parts I believe we ll achieve the goal. 19

For More Information Visit our Websites: http://www.idmanagement.gov http://www.cio.gov/ficc http://www.cio.gov/fpkipa http://www.csrc.nist.gov/piv-project Or contact: David Temoshok Director, Identity Policy and Management 202-208-7655 david.temoshok@gsa.gov 20

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information