Homeland Security Presidential Directive-12
(HSPD-12)
Previously Known As
E-Authentication/Smart Card
Prior to HSPD 12
• My background: DOI Senior Consultant
• BLM Lead Bureau – business process reinvention
• DOD/DOI partnership (e.g., initial aggregate buy)
• Interagency Advisory Board (IAB)
• GSC 2.1 (especially contactless chip)
HSPD-12 Policy
Directs a Common Identification Standard* for Federal Employees and Contractors with
Unescorted Access to Federal Facilities and Access to Networks and Systems
*Referred to as the Personal Identity Verification (PIV) Card
HSPD-12 (cont.)
• One of the largest collaborative efforts in Government, with leadership through the Interagency Advisory Board (IAB)
– National Institute of Standards and Technology (NIST)
– General Services Administration (GSA)
– Office of Management & Budget (OMB)
– Private Sector Partners
• Enabling a common Government Information Technology (IT) architecture
• The DOI team played a prominent role over the last 5 years
HSPD-12 Program Team
• Senior Executive Sponsor – Larry Parkinson
• Program Manager – Bob Donelson
• Project Management – David Belchick
• Organizational Leads
– OLES – Glenn Smith
– OCIO – Hap Huynh
– HR – Beres Muschett
– PIV/E-process – Andrew Goldsmith
– Privacy – Marilyn Legnini
– Budget – Tricia Hall
– PAM – Willie Davis
– Records – Ed McCeney
Synergy to Success
(Stakeholder diagram: Physical Security, HR, Logical Security, Executive Leadership, CFO, Intra-discipline Workgroups, Inter-discipline Workgroups, Legal / Privacy Advocate, Program Managers, Site Managers, Procurement (Contracts), Inspector General.)
HSPD-12 Control Objectives
• Secure and reliable forms of identification
– Issued based on sound criteria for verifying an individual employee's identity
– Strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation
– Can be rapidly authenticated electronically
– Issued only by providers whose reliability has been established by an official accreditation process
FIPS 201 Requirements: Phased Implementation in Two Parts
• Part 1 – Common Identification and Security Requirements
– HSPD-12 control objectives
– Identity proofing, registration and issuance requirements (revised from November draft)
– Effective October 2005
• Part 2 – Common Interoperability Requirements
– Detailed technical specifications
– Most elements (revised) of October preliminary draft
– No set deadline for implementation in PIV standard
• Migration Timeframe (i.e., Phase I to II)
– Agency implementation plans to OMB before July 2005
– OMB to develop schedule
HSPD-12 Current Status
• OMB-300 and business case complete for E-Authentication/Smart Card
– Gap analysis underway to change to HSPD-12 OMB-300 for 2007
• HSPD-12 plan due to OMB June 27
• E-Authentication project plan is being revised for HSPD-12 to meet target due dates
PIV Identity Verification and Issuance
(Workflow diagram; steps are numbered 1 to 7.) Identity Verification: employee application, 1:n biometric search, confirm employment, NACI or equivalent ID validation through standard government-wide services, Government DBs, threat risk. Enrollment: employee and contractor enrolls; Employer/Sponsorship; Approval Authority; FPPS; SSP cert issuance; OLES; centralized OCIO; PIV/E-process/HR; Card Production & Personalization; 725 Physical Access Database.
Legend: black arrows, links exist today; orange arrows, links partially exist today; red arrows, links do not exist today.
Other DOI Organizations: Privacy, Records, Budget, PAM
HSPD-12 Technical Current Status
• Have web-based E-process architecture in place for enrollment (#1-4)
– Provides secure, paperless in-processing of employees/contractors
• Plan to use FPPS as HR system of record for unique employee ID numbers (#5)
• Selected Enterprise Physical Access system (#7)
– AMAG 725, currently starting C&A process
• Public Key Infrastructure (PKI) Shared Service Provider (SSP) selected (#7)
• Central printing and card provisioning must be in place to be successful
• Policy gaps are being identified and drafted
– OMB is asking for either shared service provisioning or acquisition from an SSP, similar to the Payroll Model
• Current DOI roles mapped to new HSPD-12 roles by 1 August
HSPD-12 PIV Workflow
(Architecture diagram.) Behind a firewall, DOI Bureaus and Small Agencies feed the Enrollment Process (web-based, auditable, encryption, digital signatures, centralized database, role / authorization levels); enrollment data is exchanged as XML, etc. with the PACS (Physical Access Control System), the CMS (Card Management System), the RA, the VA and the Printer.
Data is collected and secured in a workflow process. Only authorized users have access to perform roles. Information is stored for adjudication, reporting, etc. On a need-to-know basis, other systems may receive data to perform the card issuance process as well as other support processes (FPPS, etc.). Authorized users access the system using Level 4 authentication and participate in the PIV process.
HSPD-12 Guidance
• Supporting Publications
– SP 800-73 – Interfaces for Personal Identity Verification (card interface commands and responses)
– SP 800-76 – Biometric Data Specification for Personal Identity Verification
– SP 800-78 – Recommendation for Cryptographic Algorithms and Key Sizes
– Future SP – Issuer Accreditation Guideline
• NIST PIV Website (http://csrc.nist.gov/piv-project/)
– Draft Documents
– Frequently Asked Questions (FAQs)
– Comments Received in Original Format
• Forthcoming Planned Guidance
– OMB Guidance (Policy) {http://www.whitehouse.gov/omb/inforeg/hspd-12_guidance_040105.pdf}
– FICC Guidance (Implementation – Identity Management Handbook) {http://www.cio.gov/ficc/documents/FedIdentityMgmtHandbook.pdf}
– NIST Guidance on Certification and Accreditation
HSPD-12 Policies
• Existing OCIO Memo 2004-008
– Freezes purchases of ID cards that do not conform to the standard
– Requires all new PCs to include a smart card reader
• Recently Issued OLES Policies
– Released 5-25-05
– Policy Memo 1: Sets standard DOI card design based on FIPS 201
– Policy Memo 2: Sets minimum threshold for physical access readers
– Readers will be situated along with security guards at all operational access points to National Critical Infrastructures and Security Level IV facilities.
– At the discretion of each Bureau, card readers may be located at other facilities or sections thereof.
– C&A must be done on all physical access systems.
– Facilities that are not immediately moving to the FIPS 201 card can continue to use their current ID card system for access to a building. However, these cannot be used for visual ID and cannot have anything printed on them.
– Full implementation to be completed by the end of fiscal year 08.
Joint Federal Committee Requirement
• 2001-2005 NCR “Incident Snapshot”
• Sep 11, 2001 Terrorist attack on Pentagon
• Anthrax crisis
• Sniper incident
• W. Wilson Bridge “rush-hour” attempted suicide
• Washington Monument “tractor man”
• 2005 Anthrax scare
• May 11, 2005 “no fly zone” violation
ALL LACKED FEDERAL/STATE/LOCAL MULTI-JURISDICTIONAL “COMMON IDENTITY TRUST”
National Interoperability
(Diagram: DoD / DHS / DOI and Other Federal/State/Local.) Targeted population: Volunteer, Emergency Management, Federal, Local, State, Retail, Medical, Transportation / HAZMAT, Infrastructure, Resident / Tribal / NGO, Fire and Rescue, and Force Protection communities, plus Military / National Guard. Credential issuers (DoD CAC, NCR Governments, Other Issuer) supply ID cards and CRLs (certificate revocation lists) to a Validation Authority, which produces compressed, signed validation lists (produced and synchronized every 24 hours at minimum). Authorization Handhelds use these lists together with privileged lists ("Trusted: …") to return a Valid result.
Questions and Comments
Please Contact:
Bob Donelson
HSPD-12 Program Manager
Phone: 202.452.5190
Email: [email protected]
Questions?
• Office of National Capital Region Coordination
• 202-254-2301
• Craig A. Wilson, Program Manager
• 202-254-2305 (office)
• 703-597-4113 (cell)