U.S. Department of Agriculture HSPD 12 Program. USDA HSPD-12 Implementing PIV cards @ USDA




U.S. Department of Agriculture HSPD-12 Program: USDA HSPD-12, Implementing PIV cards @ USDA (April 2009)

USDA and the GSA HSPD-12 Shared Solution

USDA has been at the forefront of driving a shared solution for HSPD-12 across the Federal Government:
* Co-chairing the HSPD-12 Executive Steering Committee
* Contributed to the development of the General Services Administration (GSA) Statement of Work for HSPD-12
* Serving on the vendor evaluation committee

To that end, USDA is prepared to adopt the GSA HSPD-12 Shared Solution as its USDA enterprise-wide solution.

HSPD-12 PIV card: LincPass cards

LincPass process:
* Getting a card: HR sponsors -> BI is completed -> person enrolls -> card is issued -> person activates
* Using a card: logical access (for access to computers) and physical access (for access to buildings)

Identity and Access Management (architecture diagram; only the component labels are recoverable): Auditing; Disk Encryption; Enhanced Non-Repudiable Services (authentication, non-repudiation, digital signature, eGov services, encryption); Federation (InCommon Federation, authentication, authorization, collaboration); Network Access Control and Endpoint Security (PIV user authentication, 802.1X, remediation, IPSec/SSL VPN, persistent connectivity, health state validation, device authentication, PKI, quarantine, host-based IPS/firewall, DLP, mobile computing, file integrity, remote/wired/wireless access control, security profile management); Enterprise Entitlement Management System (EEMS) (role based access control, role management, attribute management, application RBAC, Win 2K3 AzMan rules, entitlement workflow, org/position/location authorization attributes, authorization engine); Application Integration (PACS, E-PACS, AD domains, LACS, mainframe, eAuth, VPN accounts); Credentials (HSPD-12 CHUID, PKI certificates, eAuth username/password); Identity Stores (customers, contractors, employees).

HSPD-12 Business Process (general HSPD-12 concept)

Stages, with the process step at each stage:
* Sponsorship: capture applicant information and authorize the PIV card
* Enrollment: identity proofing and biometric capture
* Adjudication: complete the background investigation (BI) and record results
* Issuance: produce the card and issue it to the applicant
* Activation: authenticate the applicant and activate the card
* Credential usage: manage the card lifecycle

Components named on the slide: IDMS GUI, IDMS DB, Certificate Authority (CA), finalization workstation, CMS, card reader, CPS, enrollment, CMS & IDMS, finalization.
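The six stages above are only meaningful as a control if each one is gated on the previous one (no card is produced before adjudication, no card goes live before the applicant authenticates). The following is an added example, not code from the USDA deck or its vendors: a minimal lifecycle state machine in Python that enforces that ordering. The record fields, method names, the "favorable"/"unfavorable" BI result strings and the constructed applicant names are assumptions.

```python
"""Added example, not from the USDA deck: a minimal PIV credential lifecycle
state machine that enforces the stage order on the slide (sponsorship ->
enrollment -> adjudication -> issuance -> activation -> usage).  The record
fields, method names and the BI result strings are assumptions."""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional


class Stage(Enum):
    SPONSORED = auto()
    ENROLLED = auto()
    ADJUDICATED = auto()
    ISSUED = auto()
    ACTIVE = auto()
    DENIED = auto()
    REVOKED = auto()


class LifecycleError(Exception):
    """A stage was attempted out of order or without its prerequisites."""


@dataclass
class PivRecord:
    applicant: str
    sponsor: str
    stage: Stage = Stage.SPONSORED
    bi_result: Optional[str] = None          # assumed values: "favorable" / "unfavorable"
    card_serial: Optional[str] = None
    audit_log: List[str] = field(default_factory=list)

    def _require(self, expected: Stage, action: str) -> None:
        if self.stage is not expected:
            raise LifecycleError(
                f"{action} requires stage {expected.name}, record is in {self.stage.name}")

    # Enrollment: identity proofing and biometric capture must both succeed.
    def enroll(self, identity_proofed: bool, biometrics_captured: bool) -> None:
        self._require(Stage.SPONSORED, "enroll")
        if not (identity_proofed and biometrics_captured):
            raise LifecycleError("enrollment needs identity proofing and biometric capture")
        self.stage = Stage.ENROLLED
        self.audit_log.append("enrolled")

    # Adjudication: the BI result is recorded; an unfavorable result stops the process.
    def adjudicate(self, bi_result: str) -> None:
        self._require(Stage.ENROLLED, "adjudicate")
        self.bi_result = bi_result
        self.stage = Stage.ADJUDICATED if bi_result == "favorable" else Stage.DENIED
        self.audit_log.append(f"adjudicated: {bi_result}")

    # Issuance: a card is produced only for a favorably adjudicated applicant.
    def issue(self, card_serial: str) -> None:
        self._require(Stage.ADJUDICATED, "issue")
        self.card_serial = card_serial
        self.stage = Stage.ISSUED
        self.audit_log.append(f"issued card {card_serial}")

    # Activation: the applicant must authenticate (e.g. a fingerprint match) before the card goes live.
    def activate(self, applicant_authenticated: bool) -> None:
        self._require(Stage.ISSUED, "activate")
        if not applicant_authenticated:
            raise LifecycleError("applicant authentication failed; card stays inactive")
        self.stage = Stage.ACTIVE
        self.audit_log.append("activated")

    # Credential usage: only an active card may be used for logon.
    def usable_for_logon(self) -> bool:
        return self.stage is Stage.ACTIVE

    def revoke(self, reason: str) -> None:
        self.stage = Stage.REVOKED
        self.audit_log.append(f"revoked: {reason}")


def happy_path() -> PivRecord:
    """Walk one constructed applicant through all six stages."""
    rec = PivRecord(applicant="J. Doe (constructed)", sponsor="HR sponsor (constructed)")
    rec.enroll(identity_proofed=True, biometrics_captured=True)
    rec.adjudicate("favorable")
    rec.issue("CARD-0001 (constructed)")
    rec.activate(applicant_authenticated=True)
    return rec


def issue_before_adjudication_is_rejected() -> bool:
    """Show the ordering control: issuing a card straight after enrollment fails."""
    rec = PivRecord(applicant="A. Nother (constructed)", sponsor="HR sponsor (constructed)")
    rec.enroll(identity_proofed=True, biometrics_captured=True)
    try:
        rec.issue("CARD-0002 (constructed)")
    except LifecycleError:
        return True
    return False


if __name__ == "__main__":
    r = happy_path()
    print(r.stage.name, r.usable_for_logon(), r.audit_log)
    print("issue-before-adjudication rejected:", issue_before_adjudication_is_rejected())
```

The audit log is the part worth keeping in a real IDMS: each transition records who did what, so a card found active without a recorded favorable adjudication is detectable after the fact, not just prevented up front.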

LACS, PACS, and HR (system diagram; only the component labels are recoverable): CPS, card distribution, card printing, CMS and CMS DB, CHMS and CHMS DB, OPM/FBI, Shared Service PKI, app servers (AD, reporting, registration), camera, key management, certificate authority, CRL, OCSP responder, agency controller, card reader, registration workstation, fingerprint scanner, document scanner, agency LACS, agency PACS, facility RDBMS data store, Agency 1 LACS, Agency 2 LACS, MIIS, AD. USDA responsibilities: personnel management system, workstations, employees, contractors, PACS master DB, PACS enterprise servers, PACS mobile unit.

Overall Architecture (status of integrations):
* EmpowHR: EIDS connector (done); ePACS connector (3/13/09)
* EIMS sponsorship and adjudication data feed: done
* HSPD-12 Service Provider (PP): done
* QuerySIP data feed: done
* Payroll/Personnel, NEIS (Non Employee Identity System): done
* EIDS V3.1 AD connector and card info feed: in progress (7 agencies done)
* Logical Access Control Systems, LincPass domain login (laptop user): all agencies in progress

Three Phases with NCE and GSA Shared Solution
* Phase 1, June 9 to Sept 30, 2008: summer mobile enrollments
* Phase 2, October 1 to April 30, 2009: winter mobile enrollments
* Phase 3, May 1 to Sept 30, 2009: sustainment and operations

Participants: General Services Administration, Office of Personnel Management, United States Department of Agriculture, United States Department of Energy, United States Department of Interior, US Department of Justice, United States Department of Treasury

An Example: Enrollment Answer from Mobile Enrollment, Phase 1 and 2 (map of example enrollment locations; the per-site counts on the map are not recoverable): Grand Forks (USDA/ARS), Fargo (USDA/ARS), Grand Rapids (USDA/FS), Duluth (USDA/FS), Aberdeen (USDA), Huron (GSA), Morris (USDA/ARS), Marshall (USDA/NRCS), Baxter (USDA/FSA), Minneapolis (USDA/APHIS), Mankato (USDA/FSA), Falcon Heights (GSA), Rochester (USDA/FSA), Park Falls (USDA/FS), Stevens Point (USDA/RD), Sioux Falls (DOI), Pocahontas (USDA/RD), Waverly (USDA/RD), Madison (USDA/FS)

Phase 3 Permanent Locations (example):
* Yakima
* Pendleton
* Tangent
* LaGrande
* Roseburg
* Klamath Falls

Phase 3 Light Activation

Participants identified:
* Permanent enrollment/activation centers: shared, or agency only
* Light activation stations: shared, or agency only

GSA's Light Activation Station: read/write smart card reader, fingerprint reader, special software

USDA Report Card
* Over 160 mobile enrollment stations during summer; 225 mobile enrollment stations during winter
* Enrolled 74,000+ employees across the entire country
* Enabled two-factor authentication for almost 55,000 laptops
* Implemented a national PACS infrastructure and began connecting 100 MCFs

USDA Next Steps
* PIV cards: continue issuing cards to Federal and contract staff; complete remaining investigations
* Two-factor authentication: eAuthentication two-factor integration; VPN two-factor integration; digital signature integration for Office, Outlook and Adobe; encryption integration for Outlook
* ePACS: identify remaining MCFs; implement solution at all MCFs
* Other: continue to share information with NCE participants; end point security / VPN

Conceptual Strategy: Network & Endpoint Security (U.S. Department of Agriculture HSPD-12 Program, OCT 2012; architecture diagram, only the labels are recoverable). Endpoint security agent: host-based firewall, host-based IPS, health check, 802.1X supplicant, NAC agent, file integrity checking, data loss prevention. Access paths: remote access via SSL VPN, local access through the wired distribution layer switch, and wireless access through the wireless access point. Health check items: BigFix, anti-X, patch management, disk encryption, FDCC. Health Check: Pass grants VPN user roles from the USDA Enterprise Directory; Health Check: Fail leads to Remediate. Network side: IDS, network access controller, ISOC auditing and reporting. The sample LincPass shown on the slide reads: Bloggs, Joseph; Affiliation: Contractor; Agency/Department: Department of Agriculture; Expires 2012OCT22; United States Government.
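The slide's pass/fail split (health check passes, the user gets a directory-assigned role; it fails, the endpoint is sent to remediation) is the core of any NAC design. The following is an added example, not code from the USDA deck or any vendor product named on it: a toy admission decision in Python that evaluates a constructed endpoint posture report against the checks the slide lists and returns either a role or a quarantine verdict with the items to fix. The check names, the report format, the "all checks must be true, zero missing critical patches" policy, the PIV-required rule and the role table are assumptions.

```python
"""Added example, not from the USDA deck: a toy network-admission decision
that mirrors the slide's concept (endpoint health check -> Pass grants
role-based VPN/network access, Fail -> quarantine and remediate).  The check
names, the posture report format, the thresholds and the role table are
assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Posture items the endpoint agent reports; every one must be True to pass (assumed policy).
REQUIRED_CHECKS = (
    "host_firewall_enabled",
    "host_ips_enabled",
    "anti_malware_current",
    "disk_encryption_enabled",
    "fdcc_baseline_compliant",
    "file_integrity_ok",
)
MAX_MISSING_CRITICAL_PATCHES = 0            # assumption: patch management reports a count

# Constructed directory lookup standing in for the USDA Enterprise Directory.
ROLE_TABLE: Dict[str, str] = {
    "jbloggs": "contractor-vpn",
    "jdoe": "employee-vpn",
}


@dataclass
class PostureReport:
    hostname: str
    user: str
    auth_method: str                         # "piv" or "password" (assumed values)
    checks: Dict[str, bool] = field(default_factory=dict)
    missing_critical_patches: int = 0


def evaluate(report: PostureReport) -> Tuple[str, str, List[str]]:
    """Return (decision, network_role, remediation_items).

    A failing endpoint gets the quarantine role, which in a real deployment
    would reach only patch/remediation servers; a passing endpoint gets its
    directory role.  Two-factor (PIV) logon is required for any non-quarantine role."""
    # A check that is missing from the report counts as failed, not as passed.
    remediation = [name for name in REQUIRED_CHECKS if report.checks.get(name) is not True]
    if report.missing_critical_patches > MAX_MISSING_CRITICAL_PATCHES:
        remediation.append(f"install {report.missing_critical_patches} critical patch(es)")
    if remediation:
        return ("fail", "quarantine", remediation)
    if report.auth_method != "piv":
        return ("fail", "quarantine", ["log on with PIV card (two-factor) instead of password"])
    role = ROLE_TABLE.get(report.user)
    if role is None:
        return ("fail", "quarantine", ["user not found in enterprise directory"])
    return ("pass", role, [])


def healthy_contractor_laptop() -> PostureReport:
    """Constructed report for an endpoint that meets every check."""
    return PostureReport(
        hostname="lt-0001", user="jbloggs", auth_method="piv",
        checks={name: True for name in REQUIRED_CHECKS}, missing_critical_patches=0)


def unencrypted_unpatched_laptop() -> PostureReport:
    """Constructed report: disk encryption off and two critical patches missing."""
    checks = {name: True for name in REQUIRED_CHECKS}
    checks["disk_encryption_enabled"] = False
    return PostureReport(hostname="lt-0002", user="jdoe", auth_method="piv",
                         checks=checks, missing_critical_patches=2)


if __name__ == "__main__":
    for rpt in (healthy_contractor_laptop(), unencrypted_unpatched_laptop()):
        decision, role, todo = evaluate(rpt)
        print(f"{rpt.hostname}: {decision} -> role={role} remediation={todo}")
```

Two design points carry over to a real NAC: a posture item the agent did not report is treated as a failure (silence from a tampered or absent agent must not look like a pass), and the remediation list is returned to the endpoint rather than only logged, so the user can fix the host and re-check instead of being stranded in quarantine.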

USDA Contacts / Questions
* Owen Unangst, Owen.unangst@ftc.usda.gov, (970) 295-5538
* Meria A. Whitedove, Meria.whitedove@usda.gov, (970) 295-5198