GSA FIPS 201 Evaluation Program



Similar documents
The Government-wide Implementation of Biometrics for HSPD-12

What Does it Mean to be PIVish in PACS ICAM PIV in E-PACS Guidance v2.0.2 the short form. December 3, 2012

Cryptographic and Security Testing Laboratory. Deputy Laboratory Director, CST Laboratory Manager

Required changes to Table 6 2 in FIPS 201

Practical Challenges in Adopting PIV/PIV-I

NIST s FIPS 201: Personal Identity Verification (PIV) of Federal Employees and Contractors Masaryk University in Brno Faculty of Informatics

Federal Identity, Credentialing, and Access Management. Personal Identity Verification Interoperable (PIV-I) Test Plan. Version 1.1.

1. The human guard at the access control entry point determines whether the PIV Card appears to be genuine and has not been altered in any way.

HSPD-12 Implementation Architecture Working Group Concept Overview. Version 1.0 March 17, 2006

Personal Identity Verification (PIV) of Federal Employees and Contractors

NOAA HSPD-12 PIV-II Implementation October 23, Who is responsible for implementation of HSPD-12 PIV-II?

GAO PERSONAL ID VERIFICATION. Agencies Should Set a Higher Priority on Using the Capabilities of Standardized Identification Cards

Announcing Approval of Federal Information Processing Standard (FIPS) Publication 201-2,

Enrolling with PIV and PIV-I Velocity Enrollment Manager

Strong Authentication for PIV and PIV-I using PKI and Biometrics

Government Smart Card Interagency Advisory Board Moving to SHA-2: Overview and Treasury Activities October 27, 2010

Product Testing Programs

GOALS (2) The goal of this training module is to increase your awareness of HSPD-12 and the corresponding technical standard FIPS 201.

Smart Cards and Biometrics in Physical Access Control Systems

I N F O R M A T I O N S E C U R I T Y

Chapter 15 User Authentication

Personal Identity Verification (PIV) of Federal Employees and Contractors

Identity, Credential, and Access Management. Open Solutions for Open Government

NIST Test Personal Identity Verification (PIV) Cards

Federal PKI (FPKI) Community Transition to SHA-256 Frequently Asked Questions (FAQ)

Audio: This overview module contains an introduction, five lessons, and a conclusion.

Identity, Credential, and Access Management. An information exchange For Information Security and Privacy Advisory Board

Information Technology Policy

Department of Veterans Affairs VA DIRECTIVE 6510 VA IDENTITY AND ACCESS MANAGEMENT

An Operational Architecture for Federated Identity Management

The Implementation of Homeland Security Presidential Directive 12

DEPARTMENTAL REGULATION

US Security Directive FIPS 201

Identity - Privacy - Security

E X E C U T I V E O F F I CE O F T H E P R E S I D EN T

NISTIR 7676 Maintaining and Using Key History on Personal Identity Verification (PIV) Cards

Introducing atsec information security. Helmut Kurth, Sal la Pietra and Staffan Persson

PIV Data Model Test Guidelines

I N F O R M A T I O N S E C U R I T Y

CoSign by ARX for PIV Cards

Personal Identity Verification (PIV) of Federal Employees and Contractors DRAFT

Life After PIV. Authentication In Federated Spaces. Presented to. Card Tech/Secure Tech. May By Lynne Prince Defense Manpower Data Center

Understanding the differences in PIV, PIV-I, PIV-C August 23, 2010

A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)

Justice Management Division

U.S. Department of Housing and Urban Development

Physical Access Control System (PACS) in a Federal Identity, Credentialing and Access Management (FICAM) Framework

NIST Cyber Security Activities

I N F O R M A T I O N S E C U R I T Y

Federal Identity, Credential, and Access Management Trust Framework Solutions. Overview

Personal Identity Verification (PIV) of Federal Employees and Contractors

FOUR PILLARS FOR A SUCCESSFUL PIV ECOSYSTEM

Federal Identity, Credentialing, and Access Management. Identity Scheme Adoption Process

Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance

Department of Defense SHA-256 Migration Overview

Identity and Access Management Initiatives in the United States Government

Standards for Identity & Authentication. Catherine J. Tilton 17 September 2014

Issuance and use of PIV at FAA

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION

Personal Identity Verification Card

SIGNIFICANT CHANGES DOCUMENT

Federal Identity Management Handbook

Commonwealth of Virginia Personal Identity Verification-Interoperable (PIV-I) First Responder Authentication Credential (FRAC) Program

Human Factors in Information Security

NSF AuthentX Identity Management System (IDMS) Privacy Impact Assessment. Version: 1.1 Date: 12/04/2006. National Science Foundation

2. Each server or domain controller requires its own server certificate, DoD Root Certificates and enterprise validator installed.

Department of Veteran Affairs. Fred Catoe Office of Cyber and Information Security AAIP Project Manager March 2004

Government Compliance Document FIPS 201, FIPS 197, FIPS 140-2

No additional requirements to use the PIV I card for physical facility access have been identified.

intertrax Suite intertrax exchange intertrax monitor intertrax connect intertrax PIV manager User Guide Version

GOVERNMENT USE OF MOBILE TECHNOLOGY

Derived credentials. NIST SP ( 5.3.5) provides for long term derived credentials

Emergency Response Official Credentials A Smart Card Alliance White Paper. Salvatore D Agostino CEO, IDmachines LLC sal@idmachines.

Page 1. Smart Card Applications. Lecture 7: Prof. Sead Muftic Matei Ciobanu Morogan. Lecture 7 : Lecture 7 : Smart Card Applications

STATEMENT OF WORK. For

FIPS 201 Evaluation Program Development - Configuration Management Plan

Architecture for Issuing DoD Mobile Derived Credentials. David A. Sowers. Master of Science In Computer Engineering

Mobile MasterCard PayPass Testing and Approval Guide. December Version 2.0

The Convergence of IT Security and Physical Access Control

Federal PKI. Trust Infrastructure. Overview V1.0. September 21, 2015 FINAL

Personal Identity Verification

APPENDIX C TABLE OF CONTENTS

2012 FISMA Executive Summary Report

AT&T Global Network Client for Windows Product Support Matrix January 29, 2015

MAESON MAHERRY. 3 Factor Authentication and what it means to business. Date: 21/10/2013

For Official Use Only (FOUO)

FITSP-Auditor Candidate Exam Guide

U.S. DEPARTMENT OF COMMERCE UNITED STATES PATENT AND TRADEMARK OFFICE. Privacy Impact Assessment

Office of the Chief Information Officer Department of Energy Identity, Credential, and Access Management (ICAM)

Using FICAM as a model for TSCP Best Prac:ces in Physical Iden:ty and Access Management. TSCP Symposium November 2013

Department of Defense PKI Use Case/Experiences

Key Management Best Practices

Transcription:

GSA FIPS 201 Evaluation Program David Temoshok Director, Federal Identity Policy and Management GSA Office of Governmentwide Policy NIST/DHS/TSA TWIC QPL Workshop April 21, 2010 1 HSPD-12 Government-wide Implementation and Acquisition Strategy NIST provides HSPD-12 process and technical requirements (FIPS 201 and associated Special Publications). Government-wide interoperability is required. Implementation is controlled through acquisition process. GSA designated as Executive Agent for Acquisition for Information Technology for the implementation of HSPD-12. GSA is designated to establish an evaluation program to ensure that products/services conform to HSPD-12 (FIPS 201) requirements and to maintain an Approved Products List for products determined conformant to FIPS 201. Agencies are required by policy (M-05-24) and regulation (FAR Amendment 2005-17) to acquire only products from GSA-approved APL for the implementation of HSPD-12. 2

The PIV Document Suite (NIST) PIV Document Date Issued Title FIPS 201-1 Mar 2006 Personal Identity Verification (PIV) of Federal Employees and Contractors SP 800-116 Nov 2008 A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS) SP 800-104 Jun 2007 A Scheme for PIV Visual Card Topography SP 800-96 Sep 2006 PIV Card to Reader Interoperability Guidelines SP 800-85 B Jul 2006 PIV Data Model Test Guidelines SP 800-85 A- 1 Mar 2009 PIV Card Application and Middleware Interface Test Guidelines (SP800-73 compliance) SP 800-79 -1 Jun 2008 Guidelines for the Accreditation of Personal Identity Verification (PIV) Card Issuers (PCI's) SP 800-78 -2 Feb 2010 Cryptographic Algorithms and Key Sizes for Personal Identity Verification SP 800-76 -1 Jan 2007 Biometric Data Specification for Personal Identity Verification SP 800-73 -3 Feb 2010 Interfaces for Personal Identity Verification (4 parts): 1- End-Point PIV Card Application Namespace, Data Model and Representation 2- End-Point PIV Card Application Interface 3- End-Point PIV Client Application Programming Interface 4- The PIV Transitional Data Model and Interfaces 3 PIV Authentication Factors PIV Authentication Mechanism Have Know Are Card Auth Key (CAK) + BIO (BIO, BIO-A or BIO AUTH) BIO Authentication (digital signature validation of BIO Object) PIV Assurance Level x x x 4 Very High confidence x x x 4 Very High confidence Interface Contact Contact BIO Attended x x x 4 Very High Contact confidence BIO Biometric match off-card x x x 3 - High confidence Contact PKI cryptographic challenge - response x x 3 - High confidence Contact CHUID Authentication (digital signature validation of CHUID) CAK -- cryptographic challenge - response x 3 - High confidence Contact/ Contactless x 2 Some confidence Contact/ Contactless CHUID + Visual x 2 Some confidence Contact/ Contactless 4

The Need for Interoperability Interoperability is defined as the ability: of any government facility or information system, regardless of PIV issuer, to verify a cardholder s identity using the credentials on the PIV card. FIPS 201-1 to use any PIV Card with any PACS application performing one or more PIV authentication mechanisms. SP 800-116 of two or more devices, components, or systems to exchange information in accordance with defined interface specifications and to use the information that has been exchanged in a meaningful way. GSA FIPS 201 Evaluation Program 5 The Starting Gate for Interoperability Standard data model Interoperability and security standards PIV data interface specifications Standard Testing Programs - Products Reference Implementations - data interface specifications Standard Testing Program - data interface specifications Federal Approved Product Lists FIPS 201 and associated NIST Special Publications PIV Interface Specifications Federal Bridge Certificate Policy FPKI Audit requirements FICAM Profiles and Architecture suite Standard Testing Programs - Products - GSA FIPS 201 Evaluation Program - NIST - FBI - NVLAP - FPKI 6

GSA FIPS 201 Evaluation Program Status GSA administers the FIPS-201 Evaluation Program to determine conformance to FIPS-201 normative requirements. - Accredited laboratories perform all FIPS 201 compliance evaluations - Approved Product List posted at http://fips201ep.cio.gov/ GSA/NIST identified 32 categories of products/services which must comply with specific normative requirements contained in FIPS 201 - e.g., PIV smart cards, smart card readers, fingerprint scanners, fingerprint capture stations, facial image capture stations, card printing stations, physical access control systems, etc. Current product and services approvals: - 450+ products on FIPS 201 Approved Product List GSA and NIST partner to use NVLAP for FIPS-201 (PIV) testing Current certified labs: - Require NVLAP accreditation, GSA FIPS 201 EP Certification - Atlan Laboratories, InfoGard Laboratories, Atsec Corporation 7 GSA FIPS 201 Evaluation Program Document Suite Lab Documentation - Lab Specification - Laboratory Qualification Requirements - Configuration Management Plan Suppliers Handbook Approval Procedures - Specific approval procedures for all 34 categories of products on FIPS-201 APL - Vendor test requirements, lab test requirements, specific approval requirements Lab Test Procedures - Specific test procedures for all categories of products on FIPS-201 APL 450+ requiring testing through NVLAP-accredited labs. Standard Forms and Agreements http://fips201ep.cio.gov/ 8

GSA FIPS 201 Evaluation Program Test Tools 800-85B Data Conformance Test Tool - Tests conformance to PIV data model and card encoding - Validates data objects Cardholder Facial Image Test Tool - Test biometric facial image stored on card - Tests compliance with NIST SP 800-76-1 requirements Biometric Data Specification for PIV - INCITS 385-2004 Server-based Certificate Validation Protocol (SCVP) Test Tool Data Populator Tool GSA Test Tools are available for download at: http:fips201ep.cio.gov/tools.php 9 Accessing the FIPS 201 Approved Products List 10

Schematic for GSA FIPS 201 EP Lab Accreditation and Certification NIST built lab accreditation for GSA EP on Basic Cryptographic and Security Testing and PIV applet and middleware testing accreditation programs. Steps for GSA EP Lab Certification: 1. Accreditation under NVLAP as a Basic Cryptographic and Security Testing (17BCS) laboratory. 2. Accreditation under NVLAP as a NIST Personal Identity Verification Program (NPIVP) Testing (17PIV) Laboratory. 3. Accreditation under NVLAP for all GSA FIPS 201 test methods (17GSAP). 4. Certification under GSA FIPS 201 Evaluation Program for all test, evaluation, and laboratory requirements. 11 Key Lessons Learned Carefully plan and standardize requirements and guidance documents for all users suppliers, test labs, approval authority. Rigorously plan for configuration management - Document updates - Changes to requirements - Product/version changes - New use cases - Facilitate product development, testing and conformance through development and maintenance of test tools. - Actively engage the user community suppliers, laboratories, implementers in ongoing operation of evaluation program. - Leverage other conformance and interoperability testing programs. 12

For More Information Visit our Websites: http://www.idmanagement.gov http://fips201ep.cio.gov/index.php Or contact: David Temoshok April Giles, CISM, CISA, CISSP Director, Federal Identity Policy FIPS 201 Evaluation Program Chief and Management Architect 202-208-7655 202-501-1123 david.temoshok@gsa.gov april.giles@gsa.gov 13

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information