Federal Aviation Administration How FAA Required 50,000+ People to Use PIV Cards in 2 Months

Similar documents
GOVERNMENT USE OF MOBILE TECHNOLOGY

Office of the Chief Information Officer Department of Energy Identity, Credential, and Access Management (ICAM)

Law College Computer and Technology Information

NASA PIV smartcards at Headquarters Frequently Asked Questions (FAQ s)

Mary Theofanos Brian Stanton

Self-Service, Anywhere

Security Controls What Works. Southside Virginia Community College: Security Awareness

GSA FIPS 201 Evaluation Program

Checklist for ECM Success 14 Steps

U.S. DEPARTMENT OF COMMERCE UNITED STATES PATENT AND TRADEMARK OFFICE. Privacy Impact Assessment

Service Desk R11.2 Upgrade Procedure - Resetting USD passwords and unlocking accounts in etrust Web Admin

SAP: One Logon for All Systems SAP NetWeaver Single Sign-On

LESSONS LEARNED. Agenda

MBAM Self-Help Portals

Identity, Credential, and Access Management. An information exchange For Information Security and Privacy Advisory Board

FOUR PILLARS FOR A SUCCESSFUL PIV ECOSYSTEM

SELF SERVICE BANNER PASSWORD MANAGEMENT. User Guide

DEA's New Proposed Regulations For E-Prescribing

Multi-Factor Authentication Core User Policy and Procedures

Deriving a Trusted Mobile Identity from an Existing Credential

Last Updated: January 23, FLCCsecure

EDMS Project Stage 1 Business Plan

What Does it Mean to be PIVish in PACS ICAM PIV in E-PACS Guidance v2.0.2 the short form. December 3, 2012

Department of Veteran Affairs. Fred Catoe Office of Cyber and Information Security AAIP Project Manager March 2004

BITLOCKER USER GUIDANCE

10 Steps for EHR Success

Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment

Purpose. Service Model SaaS (Applications) PaaS (APIs) IaaS (Virtualization) Use Case 1: Public Use Case 2: Use Case 3: Public.

Frequently Asked Questions (FAQs) SIPRNet Hardware Token

UCLH VPN User Guide. January VPN User Guide v

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite.

Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance

Online Banking. Customer Information

Provider OnLine. Log-In Guide

2. Each server or domain controller requires its own server certificate, DoD Root Certificates and enterprise validator installed.

Profesor: Francisco Javier Sanz Pérez. by fjspsv, PMP Test C13_01

Mini User Guide. Updating your contact details..2. Setting your Security Questions..4. Changing your password..5. Forgotten password...

How do I contact someone if my question is not answered in this FAQ?

Derived credentials. NIST SP ( 5.3.5) provides for long term derived credentials

Simplify Your Windows Server Migration

CoSign by ARX for PIV Cards

Network Services One Washington Square, San Jose, CA

IDENTITY & ACCESS. Privileged Identity Management. controlling access without compromising convenience

Remote Desktop Services User's Guide

Banner Employee Self-Service Web Time Entry. Student Workers User s Guide

ICT Professional Optional Programmes

How to enable Disk Encryption on a laptop

Results of 3rd Annual Survey of IT Pros on Managing Mobile Devices

Adaptive Project Management

Best Practices for Privileged User PIV Authentication

1 Hitachi ID Password Manager

Project Management for Everyone

NIST Cloud Computing Program Activities

Level: 3 Credit value: 5 GLH: 28 Relationship to NOS:

1 Building an Identity Management Business Case. 2 Agenda. 3 Business Challenges

How to Use Your LincPass Credential

DHHS Information Technology (IT) Access Control Standard

Educational Technology Services Monthly Report. March, Prepared by Educational Technology Services, State Fair Community College

Department of Veterans Affairs VA DIRECTIVE 6510 VA IDENTITY AND ACCESS MANAGEMENT

TRIPwire HSIN Federation:

DriveLock and Windows 7

GoldKey Software. User s Manual. Revision WideBand Corporation Copyright WideBand Corporation. All Rights Reserved.

MCBDirect Corporate Logging on using a Soft Token

Creating a Business Continuity Plan. What We ll Cover... What is a BCP? Micky Hogue, CRM

State of Montana Information Technology Managers Advisory Council

South Dakota Board of Regents. Web Time Entry. Student. Training Manual & User s Guide

Department of Veterans Affairs Two-Factor Authentication MobilePASS Quick Start Guide November 18, 2015

United Healthcare Certification Details

WIRELESS SETUP GUIDES FOR WINDOWS 8

The Convergence of IT Security and Physical Access Control

Department of Defense PKI Use Case/Experiences

Hardening Private Keys with Less Hassle, Less Cost and More Security: A Case Study in Authentication. An InformationWeek Webcast Sponsored by

3 Security needs to keep pace with evolving computer architecture. 1 General perceptions and understanding of computer security vary considerably.

Voice Over IP Network Solution Design, Testing, Integration and Implementation Program Overview

National Cyber Security Month 2015: Daily Security Awareness Tips

NIST Cybersecurity White Paper

Two factor strong authentication. Complex solution for two factor strong authentication

ARC Outreach on HSPD 12 and Mandatory Use of ODIN

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Salesforce

Guide to Getting Started with the CommIT Pilot

PHASE 9: OPERATIONS AND MAINTENANCE PHASE

ITS Managed IT Support

Department of Defense SHA-256 Migration Overview

Identity Relationship and Access Management for the Extended Enterprise

How to: Accessing the TU/e wireless network using Windows XP

User Guide for CDC s SAMS Partner Portal. Document Version 1.0

GOALS (2) The goal of this training module is to increase your awareness of HSPD-12 and the corresponding technical standard FIPS 201.

Certkiller Q.A. Cisco Understanding Cisco Business Value Analysis Fundamentals

Enhanced Security for Online Banking

Case Study: Leveraging TPM for Authentication and Key Security

Virtual Code Authentication User s Guide. June 25, 2015

Identity Management Basics. OWASP May 9, The OWASP Foundation. Derek Browne, CISSP, ISSAP

STREAMLINING COMPUTER DELIVERY PROCESSES USING 1E SHOPPING AND SCCM

Enhancing Organizational Security Through the Use of Virtual Smart Cards

INFORMATION TECHNOLOGY SERVICES TECHNICAL SERVICES Program Review

Configuring an Android device to access Staff Wi-Fi and .

Department of the Navy ebusiness Operations Office

Next Gen Web Solutions Student Employment. Employer Training Template

SharePoint Project Management: The Key to Successful User Adoption

The Convergence of IT Security and Physical Access Control

Transcription:

How FAA Required 50,000+ People to Use PIV Cards in 2 Months Presented to: NIST Federal Computer Security Managers' Forum By: Myles Roberts, CISSP, PMP, JD Manager, FAA FICAM Program Date: August 27, 2015

Milestones Knock out pre-requisites FAA issues PIV Cards (2009-2010) FAA prepares computers and network (2011-2014) FAA pilots 4,000 users (Sep 2014) FAA sets target to PIV require everyone by Sep 2015 (Sep 2014) Execute FAA appoints one person to lead its FICAM Program as his sole duty (Dec 2014) FAA plans and gets executive approval (Feb-Mar 2015) FAA migrates HQ then one region (May 2015) FAA migrates three regions (June 2015) White House directs agencies to "cybersprint" (June 2015) FAA migrates remaining regions (Jul 2015) Epilogue: Goals for 2016 2

FAA prepares computers and network (2011-2014) Challenges: "What do I do if I..." Forget my PIV Card at home Break or lose my PIV Card, cardreader, configuration Don't have my PIV Card yet 3

FAA pilots 4,000 users (Sep 2014) Eat our own dog food All 600 IT personnel (federal and contract employees) Our colleagues in Acquisitions Budget & Finance Property Management Physical and Personnel Security Multiple locations 4

FAA sets target to PIV require everyone by Sep 2015 (Sep 2014) Set SMART Goal ("Target") to keep you focused Specific Measurable Achievable (realistic) Relevant (to the federal mandate) Time (specific date of deadline) Target Everyone must log into Windows on the FAA domain with their PIV Card by September 30, 2015 5

FAA sets target to PIV require everyone by Sep 2015 (Sep 2014) Focus! Avoid distractions (scope creep) Say "No" PIV to requests re signing, encryption Say "No" to issues getting a network account Begin to set stakeholder expectations Get executive support Keep unions informed, but avoid rabbit holes Invite but don't pursue Accept offers to collaborate (time permitting) Reject offers to form a "workgroup" Call bluff offers to "participate" 6

FAA appoints one person to lead its FICAM Program as his sole duty (Dec 2014) Focus: assign one person Focus: limit his or her duties to achieve the target 7

FAA plans and gets executive approval (Feb-Mar 2015) Meet with IT Directors in December January February Pause for Dyer Meet with Line of Business Executives in March Get approval in March to start in May 8

Set users' expectations (1/2) Email Supervisors & CORs Union Reps All Users Stragglers 2-3 times Staff Awareness Desk Monday-Friday Set expectations Answer questions Offer basic tech support Reset PIV PIN Test PIV Cards Test laptops 9

Set users' expectations (2/2) Windows lock screen Rejected tactics for Stragglers Call them Notify their Supervisors 10

Plan: Phased Rollout Gather requirements: call IT colleagues weekly How will PIV rollout affect you? Target-Driven Plan: September 30, 2015 12 groups (HQ, 2 centers, 9 regions) 1 group every 2 weeks Monday? CIO suggested. Decline her suggestion. Thursday: lowest call volume for Help Desk. Rejected Plans One facility at a time (125 with over 50 people; 1,100 total) By Line of Business/Staff Office All at once 11

Actual rollout with flexibility 1 group (May 2015) HQ 1 region 3 groups (June 2015) 1 center 2 regions White House directs agencies to "cybersprint" (June 2015) 7 remaining groups (Jul 2015) 6 regions 1 center (Academy campus) 12

Lessons Learned Write target in agency Business Plan Or equivalent: document signed by users' executive Periodic information-sharing conference calls Local points of contact IT stakeholders and PIV Issuers Union reps Be confident to say "No" to anyone Alternative: call their bluff People will still miss the message Problems will arise Issues (classrooms) Competing priorities (Dyre) Gaps will remain A good plan today is better than the perfect plan tomorrow 13

Epilogue: Goals for 2016 1. External Users (in order of priority) Use multifactor authentication for users outside our agency ("External" or "Affiliate" users who access sensitive info) 2. PIV Contingency Add a multifactor authentication contingency for agency users for when a PIV Card is not available or working 3. Streamline user services E.g., automate on- and off- boarding, user info during lifecycle 4. Close PIV Logon gaps Continue to PIV-Enable and PIV-Require additional information systems 5. PIV-Enable boot encryption on all laptops 6. Adopt Derived PIV Credentials on mobile devices 14

Q&A 15

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information