The FEMA Mission

To support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

Response / Recovery Officials Must Trust Each Other to Work Together
Historical Disaster / Emergency Access Controls

Participants: Federal, SLTT (State, Local, Tribal, Territorial), CIKR (Critical Infrastructure and Key Resources), Volunteers
Scenario: Contingency Relocation or Response/Recovery Integration

Prior to the release of the NIMS Guideline for the Credentialing of Personnel, no uniform process existed for entry decisions (9/11 Commission and Post-Katrina Reports).
HSPD-12 Requirement (Personal Identity Verification (PIV) Credential)

- Presidential Mandate: August 27, 2004
- Applicable to employees of the Federal Executive Branch and associated employees contracted for more than 180 days
- "Secure and reliable forms of identification" for purposes of this directive means identification that:
  - is issued based on sound criteria for verifying an individual employee's identity;
  - is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation;
  - can be rapidly authenticated electronically; and
  - is issued only by providers whose reliability has been established by an official accreditation process.
- The Standard will include graduated criteria, from least secure to most secure, to ensure flexibility in selecting the appropriate level of security for each application

HSPD-12 Source: http://www.dhs.gov/xabout/laws/gc_1217616624097.shtm#1

Mandated Very Highly Trusted Cyber-Secure Identities
Personal Identity Verification Interoperability (Approved by Federal CIO Council May 6, 2009)

PIV-I Credential:
- Can be interoperable with the Federal government PIV systems
- Can be trusted by Federal government relying parties

Identity Proofing:
- Applicant is required to appear in person, and
- Applicant is to provide two forms of identity source documents in original form
  - List of acceptable documents included in Form I-9
  - At least one of the documents must be a valid State or Federal government-issued picture identification (ID)

Non-Federal Issuers (NFI) Identity Authentication PKI Certificate:
- NFI PIV-Interoperable credentials must include an Identity Authentication PKI Certificate issued by a Certification Authority (CA) that chains to the Federal Bridge Certification Authority (FBCA) at the Medium Hardware assurance level via cross-certification

Source: Personal Identity Verification Interoperability (PIV-I) http://www.idmanagement.gov/documents/piv_io_nonfed_issuers_may2009.pdf

Established Very Highly Trusted Cyber-Secure Identities
NIMS Guideline for the Credentialing of Personnel

Overview:
1. The Guideline provides guidance on GSA-approved PIV/PIV-I credentialing for:
   - Federal, State, Local and Tribal Authorities
   - Emergency Management Assistance Compact (EMAC)
   - Private sector organizations
   - Critical Infrastructure owners and operators
   - Voluntary, not-for-profit, and nongovernmental organizations
2. Both PIV and PIV-I use the same Federal Information Processing Standards (FIPS) 201 open source technology
3. The PIV/PIV-I solution includes:
   - Common terminology and issuance process
   - Trusted identity, attributes, and privileges
   - Interoperability in identification and access control systems
PIV / PIV-I Interoperable Features (PIV F/ERO card and PIV-I ERO card)

1. Color Photograph
2. Security Clearance Designator (if applicable)
3. Integrated circuit chip (ICC)
   - Requires 6-8 digit Personal Identification Number (PIN) to unlock
   - Cardholder unique identifiers
   - Digital certificates to authenticate the cardholder
   - Contains facial and fingerprint biometrics:
     - Digital facial photo
     - Two encrypted fingerprint templates
4. 14443 Contactless Wire
5. Affiliation Designator: Contractor, Affiliate, or blank
6. Expiration Date

PIV / PIV-I Credentials Support Biometric-based Authentication
F/ERO Cyber Attributes

F/ERO e-attribute sponsorship and registered designations depending on NRF, NIPP, NCPIP and NDRF responsibilities.

Federal / Emergency Response Official (YES / NO): When checking the "Yes" box during PIV issuance, the sponsoring Agency must determine and keep current which NRF, NIPP, NCPIP or NDRF category is being sponsored, as depicted in the drop-down boxes shown (in the example, Emergency Support Function (ESF) 5 - Emergency Management is selected).

National Continuity Policy Implementation Plan (NCPIP): Essential Government Function; Contingency Personnel

NRF Emergency Support Functions:
- ESF 1 Transportation
- ESF 2 Communications
- ESF 3 Public Works and Engineering
- ESF 4 Firefighting
- ESF 5 Emergency Management
- ESF 6 Mass Care, Emergency Assistance, Housing and Human Services
- ESF 7 Logistics Management and Resource Support
- ESF 8 Public Health and Medical Services
- ESF 9 Search and Rescue
- ESF 10 Oil and Hazardous Materials Response
- ESF 11 Agriculture and Natural Resources
- ESF 12 Energy
- ESF 13 Public Safety and Security
- ESF 14 Long-Term Recovery
- ESF 15 External Affairs

Recommended Agency Requirements:
1. All Agencies are to designate NRF, NIPP, NCPIP, and NDRF Attribute Administrators
2. Attribute Administrators are to actively sponsor or revoke F/ERO registrations in the F/ERO Repository once established

National Doctrine F/ERO Population

NIPP Critical Infrastructure Sectors:
- Sector 1 Agriculture and Food
- Sector 2 Banking and Finance
- Sector 3 Chemical
- Sector 4 Commercial Facilities
- Sector 5 Dams
- Sector 6 Defense Industrial Base
- Sector 7 Emergency Services
- Sector 8 Energy
- Sector 9 Government Facilities
- Sector 10 Information Technology
- Sector 11 National Monuments and Icons
- Sector 12 Nuclear Reactors, Materials and Waste
- Sector 13 Postal and Shipping
- Sector 14 Public Health and Healthcare
- Sector 15 Communications
- Sector 16 Transportation Systems
- Sector 17 Water
- Sector 18 Critical Manufacturing

NDRF Recovery Support Functions:
- RSF 1 Planning and Capacity Building
- RSF 2 Economic Development
- RSF 3 Health and Social Services
- RSF 4 Housing
- RSF 5 Infrastructure Systems
- RSF 6 Natural and Cultural Resources
PIV-I/FRAC TTWG Targeted Audience

PIV / PIV-I Identities and F/ERO Attributes Integration
- Federal
- State
- Local
- Military / National Guard / USCG
- Volunteer
- Resident
- Medical
- Fire and Rescue
- Transportation / HAZMAT
- Infrastructure
- Retail
- Force Protection
PIV/PIV-I Interoperability & FIPS 201 Technology

- Logical Access
- Physical Access
- PIV / PIV-I Routine Access and Use-Case Applications
- F/EROs Disaster / Emergency Access and Use-Case Applications

Streamlining Routine and Emergency Use-Case Investment Strategies
F/ERO Electronic Validation Process

Participants: Federal, SLTT, CIKR, Volunteers
Scenario: Contingency Relocation or Response / Recovery Disaster Access, through JRSOI (JRSOI = Joint Receiving Staging Operations Integration)

Leveraging CAC, PIV, or PIV-I credentials and FIPS 201 mobile validation devices for communication-in or -out risk management decisions.

Provides a real-time roster
Access Data: accountability, traceability, liability
EOC Geospatial Human Situational Awareness Display

Achieving NIMS Credentialing Guideline Interoperability
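As an added illustration (not code from the presentation or any FEMA system), the following Python models the fail-closed decision a FIPS 201 validation device would make at an access point: certificate status, expiration, PIN unlock, a chain reaching the FBCA at Medium Hardware assurance, and an ESF attribute that is currently sponsored in the F/ERO Repository, with each check producing a roster record. The credential fields, the assurance-level ordering, the repository layout and all sample values are constructed assumptions.

```python
from dataclasses import dataclass, field, replace
from datetime import datetime, timezone

# Constructed trust policy: accept chains ending at the FBCA that were
# cross-certified at Medium Hardware or higher (ordering is an assumption).
ASSURANCE_RANK = {"medium": 1, "medium-hardware": 2, "high": 3}
TRUST_ANCHOR = "FBCA"
MIN_ASSURANCE = "medium-hardware"

@dataclass
class Credential:
    fasc_n: str          # cardholder unique identifier (constructed value)
    holder: str
    issuer_chain: list   # issuing CA up to the cross-certified trust anchor
    assurance: str       # assurance level of the cross-certification
    expires: datetime
    pin_verified: bool   # ICC unlocked with the 6-8 digit PIN
    revoked: bool        # result of an assumed CRL/OCSP status check

@dataclass
class AccessDecision:
    allowed: bool
    reasons: list = field(default_factory=list)

def validate(cred, requested_esf, fero_repo, now):
    """Fail closed: every check must pass, and every failure is recorded."""
    d = AccessDecision(allowed=False)
    if cred.revoked:
        d.reasons.append("certificate revoked")
    if now >= cred.expires:
        d.reasons.append("credential expired")
    if not cred.pin_verified:
        d.reasons.append("PIN not verified")
    if TRUST_ANCHOR not in cred.issuer_chain:
        d.reasons.append("chain does not reach FBCA")
    if ASSURANCE_RANK.get(cred.assurance, 0) < ASSURANCE_RANK[MIN_ASSURANCE]:
        d.reasons.append("assurance below Medium Hardware")
    # The F/ERO Repository is authoritative: a revoked or absent sponsorship
    # grants no privilege even when the identity itself is valid.
    if fero_repo.get(cred.fasc_n, {}).get(requested_esf) != "sponsored":
        d.reasons.append(f"{requested_esf} not sponsored in F/ERO repository")
    d.allowed = not d.reasons
    return d

def roster_entry(cred, decision, now):
    """Real-time roster record supporting accountability and traceability."""
    return {"fasc_n": cred.fasc_n, "holder": cred.holder, "time": now.isoformat(),
            "allowed": decision.allowed, "reasons": list(decision.reasons)}

# Constructed sample data so the module runs stand-alone.
NOW = datetime(2011, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_REPO = {"7000-0001": {"ESF 5": "sponsored", "ESF 8": "revoked"}}

def sample_credential(**overrides):
    base = Credential(fasc_n="7000-0001", holder="J. Doe (constructed)",
                      issuer_chain=["County PIV-I CA", "Bridge Cross-Cert", "FBCA"],
                      assurance="medium-hardware", pin_verified=True, revoked=False,
                      expires=datetime(2014, 6, 1, tzinfo=timezone.utc))
    return replace(base, **overrides)
```

Run `validate(sample_credential(), "ESF 5", SAMPLE_REPO, NOW)` to see an allowed decision, and pass `"ESF 8"` or `revoked=True` to see the recorded denial reasons.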
End State: Mutual Aid Preparedness

Incident Management: To get the right people with the right attributes to the right places at the right times, thus reducing response/recovery times and promoting restoration to pre-incident quality of life conditions.

Intended benefit: F/EROs will possess FIPS 201 identity credentials that align with Federal standards and enable e-authentication of identity and disaster response/recovery attribute information for determining access privileges.

Additional benefit: FIPS 201 identity credentials issued by respective sponsoring agencies in a distributed environment can be integrated into standards-based physical and logical access systems, thus eliminating proprietary solutions that can be costly to maintain/sustain over life-cycle investments.

All-of-Nation/Whole Credentialing and Validation Standardization