1
HSPD-12 Update
  • April 19, 2006
  • SASIG Conference

2
Introduction to HSPD-12
  • On August 27, 2004, a Homeland Security
    Presidential Directive was issued entitled
    HSPD-12, Policy for a Common Identification
    Standard for Federal Employees and Contractors.
  • In response to HSPD-12, the National Institute of
    Standards and Technology (NIST) published the
    Federal Information Processing Standards
    Publication 201 (FIPS 201) on February 25, 2005

3
Timeline
  • October 27, 2005 - Compliance with FIPS 201, Part 1
  • Fall 2006 - Begin deployment of smart cards
  • October 27, 2006 - Compliance with FIPS 201, Part 2
  • October 27, 2007 - Verify and/or complete background
    investigations on current employees and contractors
      • For Federal individuals employed for over 15
        years - October 27, 2008
  • Beyond
      • DOE Federal and contractor employees routinely
        use their smart card to access buildings and
        computer systems
      • Interoperability with other Federal agencies

4
FIPS 201, Part 1 and FIPS 201, Part 2
  • FIPS 201, Part 1 (PIV-I) describes the minimum
    requirements for a Federal personal
    identification system that meets the control and
    security objectives of HSPD-12
      • Personal identity proofing
      • Registration
      • Issuance
  • FIPS 201, Part 2 (PIV-II) addresses the
    interoperability of PIV credentials and systems
    among departments and agencies
      • Having one credential as a basis for identity
        within and across Federal domains

5
Why PIV-I?
  • Mandated by HSPD-12 and FIPS 201
  • Historically, agencies issued badges/credentials
      • To whoever they chose
      • Verifying the person's identity however they
        chose
  • A Federal identity proofing standard allows a
    baseline of trust between agencies
      • DOE will know that a person from another agency
        with a PIV Card
          • Has had their fingerprints checked by the FBI
          • Has had a successfully adjudicated NACI (or at
            least one pending)
          • Has had their identity source documents verified

6
FIPS 201, Part 1
  • Identity Proofing, Registration, and Issuance
    Process
      • All agencies will adopt and use an approved
        identity proofing and registration process
      • An individual must appear in person at least once
        before the issuance of a credential
      • At a minimum, a National Agency Check with
        Inquiries (NACI) must be initiated and the FBI
        fingerprint check has to be completed before
        credentials are issued
      • No single individual has the capability to issue
        a credential without the cooperation of another
        authorized person

7
Fingerprint Check Timeliness
  • PIV credentials can only be issued after
    fingerprint check results have been returned
  • Currently, fingerprints must be submitted to OPM,
    which forwards them to the FBI, and the results are
    then returned
  • The 2-day turnaround figure does not include OPM
    processing time, so assuming results can be
    returned that quickly is optimistic
  • Average turnaround time is 16.5 business days for
    HQ
  • Discussions are underway between DOE and OPM to
    reduce the turnaround time and to discuss
    electronic submission of fingerprints

8
PIV Reciprocity
  • For individuals hired after October 27, 2005
  • A PIV badge can be issued under reciprocity if an
    individual has had either
      • A prior Federal agency NAC within the last 15
        years, or
      • A government security clearance within the
        last 15 years
  • Documentation of the results of the NAC or
    clearance BI is kept in the PIV file
  • Reciprocity verification, where possible, reduces
    wait time

9
PIV-II Card Physical Attributes
  • Physical Card
      • Common look and feel across the Federal government
          • With areas set aside for agency-specific
            information
      • Common color coding scheme for employee
        affiliation
          • Blue - foreign nationals
          • Red - emergency responder officials
          • Green - contractors
      • Must meet ANSI and ISO standards for physical
        durability
      • Tamper-resistant security features (e.g. optical
        varying structures)
      • Magnetic stripe and bar code for legacy support
      • Contact and contactless interface

10
PIV-II Card Topography
11
PIV-II Logical Credentials
  • CHUID (Card Holder Unique Identifier)
      • Extends the address space of SEIWG-012
      • Designed for Federal interoperability
      • Read through contact or contactless interface
  • PIV Authentication Certificate (and associated
    public/private keys)
      • PKI certificate issued by a Federally certified
        PKI provider
      • Read through contact interface
  • PIN
      • Personal Identification Number to unlock the PIV
        Card
  • Two fingerprints
      • Electronic template generated from fingerprint
        minutiae
      • Read through contact interface only after PIN
        unlock
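The slide above lists which credential is readable over which interface and which reads are gated by the PIN. The following is an added example (not code from the presentation or from DOE): it models those card-side rules in a small simulated PIV card and parses the CHUID container using the BER-TLV element tags defined in NIST SP 800-73 (FASC-N 0x30, GUID 0x34, Expiration Date 0x35, Issuer Asymmetric Signature 0x3E, Error Detection Code 0xFE). The CHUID bytes, certificate and template placeholders, PIN value and the PIN retry limit are all constructed for the example. One practitioner caveat the model makes visible: the CHUID is returned on either interface with no PIN, so a reader that trusts it without verifying the issuer signature is relying on an unauthenticated identifier.

```python
"""Simulated PIV-II card: CHUID on either interface, certificate on contact
only, fingerprints on contact only after PIN unlock, plus a BER-TLV parser
for the CHUID container. Added example; sample data is constructed."""
import hmac

CONTACT, CONTACTLESS = "contact", "contactless"

# CHUID element tags per NIST SP 800-73 (the interface spec the slides cite).
CHUID_TAGS = {
    0x30: "FASC-N",
    0x34: "GUID",
    0x35: "Expiration Date",
    0x3E: "Issuer Asymmetric Signature",
    0xFE: "Error Detection Code",
}


def parse_ber_tlv(data: bytes) -> list:
    """Parse a flat run of BER-TLV elements with one-byte tags and short-
    or long-form (0x81/0x82) lengths. Rejects truncated or malformed input
    instead of silently returning partial elements."""
    elems, i = [], 0
    while i < len(data):
        tag = data[i]
        i += 1
        if i >= len(data):
            raise ValueError("truncated length field")
        length = data[i]
        i += 1
        if length & 0x80:                       # long form: 0x8N, then N bytes
            nbytes = length & 0x7F
            if nbytes == 0 or i + nbytes > len(data):
                raise ValueError("bad long-form length")
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        if i + length > len(data):
            raise ValueError("truncated value")
        elems.append((tag, data[i:i + length]))
        i += length
    return elems


def parse_chuid(chuid: bytes) -> dict:
    """Name the CHUID elements. Presence of tag 0x3E only means a signature
    field exists; until it is verified against the issuer's certificate
    the CHUID is an unauthenticated identifier."""
    return {CHUID_TAGS.get(t, f"tag 0x{t:02X}"): v for t, v in parse_ber_tlv(chuid)}


class CardAccessError(PermissionError):
    pass


class PivCard:
    """Card-side enforcement of the interface and PIN rules on the slide."""

    def __init__(self, chuid, auth_cert, fingerprints, pin, retries=3):
        self._chuid, self._cert, self._fp = chuid, auth_cert, fingerprints
        self._pin, self._max = pin, retries     # retry limit is an assumption
        self._retries, self._unlocked = retries, False

    def read_chuid(self, interface):            # free read on either interface
        return self._chuid

    def read_auth_cert(self, interface):
        if interface != CONTACT:
            raise CardAccessError("certificate: contact interface only")
        return self._cert

    def verify_pin(self, pin) -> bool:
        if self._retries == 0:
            raise CardAccessError("PIN blocked")
        if not hmac.compare_digest(pin, self._pin):   # constant-time compare
            self._retries -= 1
            self._unlocked = False
            return False
        self._retries, self._unlocked = self._max, True
        return True

    def read_fingerprints(self, interface):
        if interface != CONTACT:
            raise CardAccessError("fingerprints: contact interface only")
        if not self._unlocked:
            raise CardAccessError("fingerprints: PIN not verified")
        return self._fp


# Constructed CHUID: 25-byte FASC-N, 16-byte GUID, expiration "20160419",
# a 128-byte placeholder where the issuer signature goes (long-form length),
# and an empty error-detection code. Not a real card's data.
SAMPLE_CHUID = (b"\x30\x19" + bytes(range(25)) + b"\x34\x10" + bytes(16)
                + b"\x35\x08" + b"20160419" + b"\x3E\x81\x80" + bytes(128)
                + b"\xFE\x00")


def demo() -> dict:
    """Walk through the slide's rules; returns what each step yielded."""
    card = PivCard(SAMPLE_CHUID, b"<x509 der>", b"<minutiae templates>", "123456")
    out = {"chuid_contactless": parse_chuid(card.read_chuid(CONTACTLESS))}
    for name, fn in [("cert_contactless", lambda: card.read_auth_cert(CONTACTLESS)),
                     ("fp_no_pin", lambda: card.read_fingerprints(CONTACT))]:
        try:
            fn()
            out[name] = "allowed"
        except CardAccessError as e:
            out[name] = f"denied: {e}"
    out["wrong_pin"] = card.verify_pin("000000")
    out["right_pin"] = card.verify_pin("123456")
    out["fp_after_pin"] = card.read_fingerprints(CONTACT)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The parser is deliberately strict: a truncated length or value raises rather than yielding a short element, which is the failure mode a reader-side implementation most often gets wrong.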

12
PIV-II Infrastructure
  • Making everything work together
  • Technically
      • Since February 2005, NIST has released 10
        documents for PIV
          • Including revisions to FIPS 201 and SP 800-73,
            Interfaces for PIV
  • Policy
      • OMB has issued
          • 05-24, Implementing PIV
          • 06-06, Model privacy documents
      • GSA has issued (or is about to issue)
          • An acquisition memo that highly encourages the
            use of GSA-approved products
          • Two FAR (Federal Acquisition Regulation) clauses
      • NIST is responsible for conformance testing of
        technical interfaces
      • GSA is responsible for interoperability and
        performance testing of PIV products
  • Cost efficient
      • Recent effort to drive down agency implementation
        cost by sharing resources

13
HSPD-12 Components: PIV-I and PIV-II
  (component diagram; legend below)
  • CMS - Card Management System
  • CPS - Card Printing System
  • CRL - Certificate Revocation List
  • IDM - Identity Management
  • IDMS - Identity Management System
  • LACS - Logical Access Control System
  • OCSP - Online Certificate Status Protocol
  • PACS - Physical Access Control System
  • PKI - Public Key Infrastructure
  • SSO - Single Sign-On
  • WKS - Workstation
14
Executive Steering Committee
  • Executive Sponsors: OMB, USDA, DHS, GSA, DOD,
    DOC, VA
  • Objectives
      • Reduce total Federal cost of HSPD-12
      • Establish shared government-wide
        infrastructure, policies and procedures to meet
        the 10/06 deadline
      • Ensure government-wide interoperability
  • Strategy
      • Establish cost estimate
      • Inventory existing resources and the geographic
        dispersion of Federal resources (including
        employees and contractors)
      • Identify technical interfaces
      • Make final recommendations for agency action
  • Several sub-working groups
      • DOE represented on all
  • ESC seems to be embracing PIV as a suite of
    services which can be purchased through a Federal
    or commercial provider

15
Agency Owned/Shared
  • DOE responsible for
      • Our own security
      • Background investigations
      • Sponsor notification
      • Authorization
      • Card lifecycle management
      • Physical/logical card readers
      • Integration with existing physical and logical
        systems
  • Shared Services
      • Registration services
      • Registration locations
      • Card Printing
      • Card Management infrastructure
      • Identity Management infrastructure
      • PKI infrastructure
  (Preliminary)

16
Agency Owned/Shared
  Preliminary Core/Shared Components (diagram)
17
Status of Federally Approved Products
  • NIST conformance testing has begun
      • A handful of products have been pre-validated
  • GSA interoperability and performance testing
      • Beginning in April
      • Except for PKI certs and the Oberthur HSPD-12
        Smart Card, as of April 17th, there are no other
        approved products!
  • GSA is assembling a FIPS 201 BPA to replace the
    existing smart card GWAC (expires in May)

18
DOE Policy
  • Notice 206.3, Personal Identity Verification
      • Establishes PIV-compliant identity proofing
        policy
  • DOE has 2 Acquisition Letters in place
      • Acquisition Letter 2005-16, 10/04/05
          • Application of identity proofing process to
            contractors
      • Acquisition Letter 2005-10, 7/7/05
          • Physical and logical access control procurements
            require use of approved products
          • GSA and OMB highly encourage agencies to only
            buy FIPS-certified and approved products
          • Coordination of procurement of anything related
            to access or identity management through the
            HSPD-12 PMO
      • A FAR case is pending with similar procurement
        controls
  • In progress
      • Standard PIV Request Form
      • Privacy Act System of Records Notice

19
HSPD-12 PMO
  • CIO-led PMO operating for over a year
  • Supported by
      • Office of Security and Safety Performance
        Assurance
      • Office of Management
      • Office of General Counsel
      • Office of Human Resources
  • Biweekly field call (Thursdays 1-2 PM EST) to
    discuss HSPD-12, answer questions, etc.
  • Public Web site: http://cio.doe.gov/HSPD-12/index.html
  • Feedback on the FIPS 201 process is important as we
    move ahead
      • Processes that work
      • Processes that don't work
      • Ways of improving
  • Contact the PMO at HSPD12PMO@hq.doe.gov with
    questions, comments, etc.