The Government-wide Implementation of Homeland Security Presidential Directive 12 (HSPD-12). David Temoshok, Director, Identity Policy and Management, GSA Office of Governmentwide. Federal IT Summit, October 9, 2007


Page 1

The Government-wide Implementation of Homeland Security Presidential Directive 12 (HSPD-12)

David Temoshok, Director, Identity Policy and Management
GSA Office of Governmentwide

Federal IT Summit, October 9, 2007

Page 2

President’s Domestic Agenda

• President’s Management Agenda:

1. Strategic Management of Human Capital

2. Competitive Sourcing

3. Improved Financial performance

4. Expanded Electronic Government

5. Budget and Performance Integration

• E-Government Act of 2002

• OMB Office of E-Government and Technology

Page 3

President’s E-Gov Agenda (initiative – lead agency)

Government to Citizen
1. USA Service – GSA
2. EZ Tax Filing – Treasury
3. Online Access for Loans – DoED
4. Recreation One Stop – DOI
5. Eligibility Assistance Online – Labor

Government to Business
1. Federal Asset Sales – GSA
2. Online Rulemaking Management – EPA
3. Simplified and Unified Tax and Wage Reporting – Treasury
4. Consolidated Health Informatics – HHS
5. Business Gateway – SBA
6. Int’l Trade Process Streamlining – DOC

Government to Govt.
1. e-Vital (business case) – SSA
2. Grants.gov – HHS
3. Disaster Assistance and Crisis Response – FEMA
4. Geospatial Information One Stop – DOI
5. Wireless Networks – FEMA

Internal Effectiveness and Efficiency
1. e-Training – OPM
2. Recruitment One Stop – OPM
3. Enterprise HR Integration – OPM
4. e-Travel – GSA
5. e-Clearance – OPM
6. e-Payroll – OPM
7. Integrated Acquisition – GSA
8. e-Records Management – NARA

Cross-cutting Infrastructure: E-Authentication – GSA

Page 4

The HSPD-12 Mandate

Homeland Security Presidential Directive 12 (HSPD-12): “Policy for a Common Identification Standard for Federal Employees and Contractors”

-- Signed by President: August 27, 2004

HSPD-12 has Four Control Objectives:

1. Issue identification based on sound criteria to verify an individual’s identity.

2. Strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation.

3. Personal identity can be rapidly authenticated electronically.

4. Issued by providers whose reliability has been established by an official accreditation process.

Page 5

Key Milestones

Milestone Date – Agency/Department Requirement/Milestone:

• August 27, 2004 – HSPD-12 signed and issued.

• Not later than 6 months (February 27, 2005) – NIST: issue standard (FIPS-201).

• Not later than 8 months following issuance of standard (October 27, 2005) – Compliance with FIPS-201 PIV I: Identity Proofing and Enrollment.

• Not later than 20 months following issuance of standard (October 27, 2006) – Commence deployment of FIPS-201 compliant Identity Credentials (FIPS-201 Part Two, PIV-II).

• October 27, 2008 – Convert all employees to PIV standard: compliance with FIPS-201 Part II for all employees and contractors.

Page 6

Four Authentication Assurance Levels to meet multiple risk levels: M-04-04

[Figure: assurance levels Low, Medium, High and Very High plotted against “Increased Need for Identity Assurance” (horizontal) and “Increased $ Cost” (vertical). Example transactions by level: Online Access to Protected Website (Low), Applying for a Loan Online (Medium), Obtaining Govt. Benefits (High), Employee Screening for a High Risk Job (Very High). Technologies placed along the curve: PIN/User ID (Knowledge-Based), Strong Password, Multi-Factor Token, PKI/Digital Signature, Biometrics, HSPD-12 PIV Card.]

Page 7

Government-wide Implementation Strategy

• OMB provides policy and implementation guidance.

• NIST provides HSPD-12 process and technical requirements (FIPS 201 and associated Special Publications).

• GSA (OGP and FAS) provides government-wide implementation and acquisition assistance, coordinates agency implementation through the Federal Identity Credentialing Committee, develops and tests interface specifications for interoperability, and serves as “Executive Agent for Acquisition” for approval of products and services for the implementation of HSPD-12.

• Interoperability of HSPD-12 systems across government is required. Agency implementation is controlled through Approved Product List, acquisition controls, and Standard Interface Specifications.

• GSA is designated to provide shared services and infrastructure for government-wide implementation (MSO).

• Extremely aggressive milestones are needed to maintain focus and momentum.

Page 8

Multiple PIV Authentication Technologies

To provide multiple authentication assurance levels, FIPS 201 requires multiple authentication technologies:

• Authentication using PIV Visual Credentials – Facial Image

• Authentication using the Cardholder Unique Identifier (CHUID) – contact or contact-less

• Authentication using PIN

• Authentication using Biometric (match on/off card) – fingerprint template

• Authentication using PIV asymmetric Cryptography (PKI) – authentication digital certificate

Something I have – PIV Card
Something I know – PIN
Something I am – Biometric
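Of the mechanisms listed above, CHUID authentication reads an identifier the card releases without a PIN over the contact or contactless interface, which is why FIPS 201 rates CHUID-only authentication as “some confidence” and why a reader must at least check the object's structure, expiration and signature. The Python below is an added example, not code from the presentation or from GSA or NIST: it builds a CHUID from constructed values, parses the TLV layout, decodes the FASC-N character coding with its parity, sentinel and LRC checks, and reports what a relying system can conclude. Tag numbers and the FASC-N layout follow FIPS 201 / NIST SP 800-73 and the SCEPACS TIG as I know them; the sample values, field names and function names are the example's own, and cryptographic verification of the issuer signature (tag 0x3E) is deliberately left out.

```python
"""CHUID / FASC-N parsing example (added here; not code from the presentation or from GSA).
Tags follow the FIPS 201 / NIST SP 800-73 CHUID layout (0x30 FASC-N, 0x34 GUID, 0x35 expiration,
0x3E issuer signature, 0xFE error detection code, inside a 0x53 wrapper); FASC-N character coding
follows the SCEPACS TIG: 40 five-bit characters, 4 BCD data bits LSB-first plus an odd-parity bit."""
from functools import reduce

SS, FS, ES = 0xB, 0xD, 0xF  # start sentinel, field separator, end sentinel
SEPARATORS = (5, 10, 17, 19, 21)  # character positions that must hold FS
# field name -> (index of its first character among the 40, number of digits)
FASCN_FIELDS = {
    "agency_code": (1, 4), "system_code": (6, 4), "credential_number": (11, 6),
    "credential_series": (18, 1), "individual_credential_issue": (20, 1),
    "person_identifier": (22, 10), "organizational_category": (32, 1),
    "organizational_identifier": (33, 4), "person_org_association": (37, 1)}
# Constructed sample values: they identify no real agency, system or person.
SAMPLE_FIELDS = dict(agency_code="9901", system_code="0042", credential_number="000123",
                     credential_series="1", individual_credential_issue="1", person_identifier="1234567890",
                     organizational_category="1", organizational_identifier="9901", person_org_association="1")

def _char_bits(value):
    """One five-bit character: data bits b1..b4 LSB-first, then an odd-parity bit."""
    bits = [(value >> i) & 1 for i in range(4)]
    return bits + [1 - sum(bits) % 2]

def encode_fascn(**fields):
    """Encode decimal-string fields into the 25-byte (200-bit) FASC-N."""
    values = [SS]
    for name, (start, width) in sorted(FASCN_FIELDS.items(), key=lambda kv: kv[1]):
        if len(values) < start:  # an FS character separates the first six fields
            values.append(FS)
        assert len(fields[name]) == width and fields[name].isdigit(), name
        values.extend(int(d) for d in fields[name])
    values.append(ES)
    values.append(reduce(lambda a, b: a ^ b, values))  # LRC: XOR of the data bits of all 39 characters
    bits = [b for v in values for b in _char_bits(v)]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, 200, 8))

def decode_fascn(raw):
    """Decode 25 FASC-N bytes; ValueError on parity, sentinel, separator or LRC errors."""
    if len(raw) != 25:
        raise ValueError("FASC-N must be 25 bytes")
    bits = [(byte >> (7 - i)) & 1 for byte in raw for i in range(8)]
    values = []
    for n in range(40):
        chunk = bits[5 * n:5 * n + 5]
        if sum(chunk) % 2 == 0:
            raise ValueError(f"parity error in character {n}")
        values.append(sum(b << i for i, b in enumerate(chunk[:4])))
    if values[0] != SS or values[38] != ES or any(values[p] != FS for p in SEPARATORS):
        raise ValueError("bad sentinel or separator")
    if reduce(lambda a, b: a ^ b, values[:39]) != values[39]:
        raise ValueError("LRC mismatch")
    return {name: "".join(str(values[start + k]) for k in range(width))
            for name, (start, width) in FASCN_FIELDS.items()}

def tlv(tag, value):
    """Encode a one-byte tag with a BER length (short form below 128, else 0x81 + one byte)."""
    n = len(value)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + value

def parse_tlv(data):
    """Parse one-byte-tag BER-TLV items (short or 0x81 lengths) into (tag, value) pairs."""
    items, i = [], 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length == 0x81:
            length, i = data[i], i + 1
        elif length >= 0x80:
            raise ValueError(f"unsupported length form 0x{length:02x}")
        if i + length > len(data):
            raise ValueError("TLV length runs past end of data")
        items.append((tag, data[i:i + length]))
        i += length
    return items

def build_sample_chuid():
    """Constructed CHUID: sample FASC-N, zero GUID, 2010 expiry, and 100 dummy signature bytes."""
    body = (tlv(0x30, encode_fascn(**SAMPLE_FIELDS)) + tlv(0x34, bytes(16))
            + tlv(0x35, b"20101231") + tlv(0x3E, bytes(100)) + tlv(0xFE, b""))
    return tlv(0x53, body)  # body exceeds 127 bytes, so the wrapper takes a long-form length

def inspect_chuid(chuid, today):
    """Decode a CHUID and list what a relying system should check; `today` is a YYYYMMDD string."""
    (outer_tag, body), = parse_tlv(chuid)
    if outer_tag != 0x53:
        raise ValueError("expected 0x53 CHUID wrapper")
    fields = dict(parse_tlv(body))
    exp = fields[0x35].decode("ascii")
    # FIPS 201 rates CHUID-only authentication as "SOME confidence": the CHUID is readable without
    # the PIN and shows only that the card carries an issuer-signed identifier, not who presents it.
    result = {"fascn": decode_fascn(fields[0x30]), "guid": fields[0x34].hex(), "expiration": exp,
              "signature_present": bool(fields.get(0x3E)), "assurance": "SOME (CHUID-only)", "findings": []}
    if exp < today:  # both are fixed-width YYYYMMDD, so string order is date order
        result["findings"].append("card expired")
    if not result["signature_present"]:
        result["findings"].append("no issuer signature: CHUID cannot be authenticated")
    return result

if __name__ == "__main__":
    print(inspect_chuid(build_sample_chuid(), "20071009"))
```

The FASC-N checks (per-character odd parity, sentinels, separators and the LRC) catch transmission and read errors, not forgery; a relying system still has to verify the CMS signature in tag 0x3E against the issuer's certificate, and even then the CHUID proves only possession of a card, which is the reason the deck pairs it with PIN, biometric and PKI mechanisms for higher assurance.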

Page 9

GSA’s Role – Executive Agent for Acquisition

• Establish FIPS 201 Evaluation Program to ensure that commercial products comply with all normative requirements of FIPS 201.

• Establish Approved Products List to publicly post all approved products/services requiring FIPS 201 compliance.

• Establish Integration Services Qualification Program for vendors to be qualified to provide integrated, bundled solutions and contractor managed solutions.

• Establish Special Item Number (SIN) 132-62 on GSA MAS IT 70 for FIPS 201 compliant products and qualified services.

• Provide full-range of qualified products and services to meet Agency implementation needs, including integration services.

• Test agency-specific implementations for compliance.

Page 10

Status of HSPD-12 Interface Specifications

• Interface Specifications are needed for interoperability in order to successfully exchange data between HSPD-12 systems and system components.

• OGP established the inter-agency HSPD-12 Architecture Working Group in FY 2006 to develop Interface Specifications for government-wide use.

• 10 Interface Specification Documents have been developed and issued in final.
  – All Interface Specifications are posted at http://www.smart.gov/awg/

• GSA MSO is developing and currently testing a Reference Implementation for the Agency – SIP (Systems Infrastructure Provider) Interface Specification.
  – The MSO Reference Implementation will be the standard for all MSO agencies to interface to EDS.

• Two new Interface Specifications are currently under development for MSO and government-wide use:
  – SIP – OPM (Office of Personnel Management) for all fingerprint data transmissions to OPM and FBI
  – Back-end authentication for physical and logical access control (numerous use cases and Interface Specifications needed)

Page 11

Key Architecture Design Considerations

• Different authentication assurance levels are needed for different types of transactions.

• Architecture must support multiple authentication technologies – PIN, biometric template, CHUID, authentication keys.

• Architecture must support multiple protocols.

• Federal Government will not mandate a single proprietary solution; therefore, the Architecture must support multiple COTS products.

• All architecture components must interoperate with ALL other components (see www.idmanagement.gov) – requires product testing.

• Interface specifications are necessary for inter-system data exchange.

• Controls must protect privacy of personal information.

Page 12

Why Shared Services for E-Authentication, Federal Bridge CA and HSPD-12 Implementation?

• Efficiencies – Eliminate need for redundant infrastructure.

• Enhance Interoperability – Much easier to ensure interoperability across a limited number of systems (GSA & DOI bring 75+ customer agencies to common, shared solution).

• Accelerate implementation timeframes.

• Reduce cost/implementation for HSPD-12 system interfaces.

• Aggregate Federal acquisitions to maximize potential for volume buys.

• Organize Federal marketplace for all of the above.

Page 13

Status of GSA FIPS 201 Evaluation Program

• OGP administers the FIPS-201 Evaluation Program to determine conformance to FIPS-201 normative requirements.
  – Certified laboratories perform all FIPS 201 compliance evaluations.
  – OGP approves all evaluations and posts them to the Approved Product List.
  – Approved Product List posted at http://fips201ep.cio.gov/

• GSA/NIST identified 22 categories of products/services which must comply with specific normative requirements contained in FIPS 201
  – e.g., PIV smart cards, smart card readers, fingerprint scanners, fingerprint capture stations, facial image capture stations, card printing stations, etc.

• Current product and services approvals: 300+ products on FIPS 201 Approved Product List

• Current certified labs: Atlan Laboratories, InfoGard Laboratories
  – Several more lab certifications in progress

Page 14

Accessing the FIPS 201 Approved Products List

Page 15

Where are we today?

• 12+ agencies committed to their own infrastructure: DHS, DoD, NASA, SSA, EPA, FTC, Dept. of State, VA, HHS, ED, DOL, NSF

• 100+ agencies want to share infrastructure: all small agencies; DOC, HUD, USDA, DOJ, DOI, GSA, DOE, DOT, Treasury, OPM, Federal Reserve, USPS, NARA, FCC committed

• Shared Service Providers
  – DoD/DMDC – for branches of military
  – Dept. of State – 8 agencies serviced by State Dept.
  – GSA for government-wide services – 70+ agencies

• GSA Roll-out
  – Shared Service pricing released 6/8/07 – $49/seat for enrollment, $36/year for maintenance
  – GSA implemented enrollment station roll-out for national deployment starting in Washington DC in August 2007. Goal is to deploy 225 shared enrollment stations nationwide and enroll all MSO customers (700,000+) by October 2008.

Page 16

GSA HSPD-12 Shared Services Interfaces

First, the issuing agency provides affiliation (sponsorship) feeds, adjudication results, and revocation requests to the SIP. The SIP provides reports back to the agency.

Second, the ESP retrieves applicant data from the SIP, enrolls the applicant, and sends enrollment data back to the SIP.

Third, the SIP sends fingerprint data collected from the ESP to OPM for suitability checks, and results are sent to the agency.

Fourth, after agency adjudication the PSP accepts cardholder information from the SIP needed to print the card. When card printing is completed, card data is returned to the SIP, including which chip ID was used for this applicant. The card is then locked with a transport key and shipped to the designated FSP.

Fifth, the FSP matches the applicant biometric, and then uses the SIP CMS to unlock the card, load the signed objects, and finalize the configuration. The card leaves the FSP ready to use. This step is often referred to as issuance because it is the last step in the issuance process.

Sixth, the certificate could be requested and loaded at the FSP, if desired.

[Diagram: components shown are the Systems Infrastructure Provider (Operations, Helpdesk, Security, CMS, IDMS), FPKI SSP (Key Mgt., CRL), OPM and FBI, the Issuing Agency (Adjudicator, Personnel, COTR), the Enrollment Service Provider (Document Scanner, Camera, Fingerprint Scanner, Card Reader, Enrollment Officer), the Production Service Provider (Card Printing, Card Distribution, CMS Inventory), the Finalization Service Provider (Fingerprint Scanner, Card Reader, Finalization Officer), and Agency PACS / LACS. Labelled data flows: Enrollment Data; Fingerprints; Printed and Pre-Personalized Cards; Signed Objects; Card Data; Agency affiliation, adjudication, and revocation data; Results.]

The scope of shared services is the HSPD-12 system components inside the red border. These are core HSPD-12 services to meet PIV 1 & 2 compliance.

Page 17

HSPD-12 Federal Shared Enrollment Service

[Diagram: 225+ geographically distributed & shared Enrollment Stations (Station 1 to Station “n”, plus stations for additional needs) connect through an Enrollment Broker to the GSA Shared Service SIP (Card Mgmt System, ID Mgmt System); the flow from the SIP to OPM and the FBI is labelled “MSO Enrollment & Biometrics Data”.]

The Shared Service Enrollment Stations transmit enrollment data to the SIP for consolidated FTS fingerprint transactions to OPM directly from the SIP.

Page 18

Conclusion

• This is THE START … surface is only scratched
• There is much work …
  – Roll-out hundreds of enrollment stations nationwide
  – Issue to all users in next 15 months
  – Test and Qualify systems
  – Build common applications for access control and e-Government
    • Physical security
    • Logical access
    • E-commerce
    • Emergency Response
• Stabilize operations …
  – Commitment to continue issuance
  – Protect and promote interoperability
    • Testing, monitoring, auditing and configuration control
• Make life-cycle easier
  – Government procurement rules provide discipline
• Extend to other communities

Page 19

For More Information

● Visit our Websites: http://www.idmanagement.gov

http://www.FedIDCard.gov

http://www.cio.gov/ficc

http://www.csrc.nist.gov/piv-project

● Or contact:

David Temoshok

Director, Identity Policy and Management

202-208-7655

[email protected]