Management and Operational Issues for HSPD 12 - PowerPoint PPT Presentation

Slides: 35
Provided by: Kali56
Transcript and Presenter's Notes

1
Management and Operational Issues for HSPD 12
Information and Technology for Better Decision Making
IT Quarterly Forum
  • Presented by Mary Dixon

Deputy Director, Defense Manpower Data Center
November 2005
2
What Did the President Say?
  • Mandatory
  • Government-wide
  • Secure/Reliable forms of identification
  • Issued by Federal Government
  • Issued to employees and contractors

Please see notes for more explanation
3
Secure/Reliable Form of Identification
  • Strong identity proofing/vetting
  • Strong resistance to
    • Identity fraud
    • Tampering
    • Counterfeiting
    • Terrorist exploitation
  • Rapid electronic authentication
  • Strong reliability of issuers through accreditation process

4
Why Did He Say It?
  • Wide potential for terrorist attacks
  • Enhance security
  • Increase Government efficiency
  • Reduce identity fraud
  • Protect personal privacy

5
How Real Are The Threats?
  • Identity Protection and Management key to threat
    management

[Slide graphic labels: Indonesia, Spain, UK, Iraq, Russia; soft targets; insiders, terrorists, hackers]
Please see notes for more information
6
Identity, Force Protection, and Policy
How much progress have we made?
Not much if you don't use the power of the new card: digital authentication and biometrics
Please refer to the notes for more information
7
What are the Keys?
Please refer to the notes for more explanation
Strong Secure Issuance Process
Authenticate, Authenticate, Authenticate Every Time
Close To Real Time Revocation
Strong Identity Proofing and Vetting
Chain of Trust
8
Identity Is Key!
  • Before Credential Issuance
    • Proofing - You are who you say you are
    • Vetting - Trustworthiness
  • At Credential Issuance
    • Verification
    • Affiliation
  • After Credential Issuance
    • Electronic enterprise authentication
    • Timely revocation

Personnel Identity Protection
9
Identity Proofing and Vetting
  • Current Requirement
    • Initiate NAC-I
    • Investigation part comes later
    • Credential can be issued based on FBI National Criminal History Check (fingerprint check)
  • Future Developments
    • Real-time or short-time replacement for "I" in the identity proofing process

10
Secure Processes
  • Division of roles
  • Limit what issuer can do
  • Rules based
  • Training/Certification
  • No initial entry
  • Control on cardstock
  • No privilege granting
  • Authoritative data source
  • Affirm affiliation
  • Know when to revoke or change affiliation
  • Technical solutions whenever possible

11
A Family of PIP Systems
  • DEERS
    • Functions as the DoD Person Data Repository (PDR)
    • Collects affiliated personnel data from approximately 40 personnel systems into one system
  • RAPIDS
    • Issues credentials
    • Scalable, flexible system
  • Defense Biometric Identification System (DBIDS)
    • Enables physical access
    • Deployed theatre-wide
  • Defense National Visitor System (DNVS)/Defense Cross-Credentialing Identification System (DCCIS)
    • Supports concept of Federation
    • Can be used with or without DBIDS

12
Please refer to the notes for more explanation
19
DoD Distributed Issuance
394 Deployable Sites
45 Asia Pacific Sites
870 U.S. Sites
1 Central Issuance Site
96 European Sites
18 Shipboard Sites
Please refer to the notes for more explanation
1,425 Sites Deployed Worldwide as of June 2005
20
Applications Growing
  • Defense Travel System
  • Personnel Tracking
  • Personnel Status Tracking
  • Manifesting
  • Dining Facility
  • Website Authentication
  • E-Purse Pilot
  • Rifle Range

21
What Did DoD Have To Do?
  • Biggest challenge: large installed infrastructure base, backward compatibility
  • 8 million CACs issued since inception
  • 3.2 million in current operation
  • Gap analysis: over 700 items, most already planned and/or underway
  • Implementation plan submitted/approved
  • PIV I Initial Operating Capability Compliance

22
Implementation Strategy
[Diagram labels: Security Domain; Access Control Applet (PIN, Secure Channel, External Authority); Mini Access Control Applet (PIN, Secure Channel, External Authority); Secure Transport; Access Control; Dual Interface Infrastructure; Bio Action Applet; E-Purse Applet; CCC; Govt PKI Applet; PIV End State; DoD Applets; OP Domain API; PKI Security Domain; JavaCard Runtime]
  • PIV Data Model
  • 2 Biometrics
  • Photo
  • PIV Key
  • Optional

Please refer to notes for further explanation
23
Implementation Strategy
  • Equal Treatment of DoD Usage and PIV Usage
  • PIV and DoD use separate space on the CAC.
  • CAC does not become less secure.
  • DoD continues more advanced use of technology
    (Access Control Applet).
  • DoD continues vendor-neutral biometrics
    implementation.
  • Same strategy with ICAO for making a CAC
    contactless Passport.

Please refer to the notes for more explanation
24
  • But we wanted a more complete solution
  • Retirees/Family members (approx. 6 million)
  • Contractors that should have a local credential
  • Federated credentials

25
DBIDS
  • Fully configurable, hardware independent,
    identity management solution for personnel
    authentication
  • Links to DEERS and other systems (DNVS and DCCIS)
  • Real-time sharing of updated information between
    systems
  • Sharing of data and digital fingerprints
  • Better authentication at registration using CAC
  • Biometric capture devices including additional
    biometric technologies
  • Handheld devices allowing for remote (wireless
    and contactless) biometric checks
  • Contactless and wireless for people and vehicles
    (RFID) at gates
  • Mobile systems for law enforcement vehicles for
    virtual perimeters

26
DBIDS Deployed Operational Worldwide
Please refer to the notes for more explanation
[Map labels: CONUS, Southwest Asia, Asia, Europe]
  • CONUS: >40K registered at POM/NPS, Ft. Hood, Ft. Polk and COOP
  • Kuwait and Qatar: >40K at Camps Doha, Arifjan and As Sayliyah
  • USFK: >355K at 35 locations
  • CNFJ: >15K at Yokosuka, Japan
  • >400K at 166 locations
27
DNVS DCCIS
  • DoD Personnel Identity Protection Program
  • Stronger authentication for identity credentials
    at the front end
  • Secure smartcard credentials CAC
  • Binding identity to a strong back-end system
    using biometrics
  • Defense National Visitors Center
  • Federal government e-authentication model
  • Should not need multiple credentials to do
    business
  • Disparate systems can communicate with one
    another (cross credential)
  • Defense Cross-Credential Identification System

28
Please refer to the notes for more explanation
29
If You Haven't Started
  • YOU ALREADY MISSED YOUR FIRST TWO DEADLINES
  • AND YOU ARE ON YOUR WAY TO MISSING YOUR THIRD
  • GET STARTED!

For help
  • Get the Federal Identity Management Handbook
    • http://www.cio.gov/ficc
  • Join the Inter-Agency Advisory Board (IAB)
    • mailto:cacsupport_at_osd.pentagon.mil

30
A Hint of Things You Have to Do
  • Authoritative databases
  • Registration processes (who, what, where, how)
  • Identity chain
  • Biometrics
  • Card
  • Topology
  • Data
  • Architecture
  • Federal Information Processing Standard (FIPS)
    certification
  • Controls
  • Acquisition
  • Keys
  • Public Key Infrastructure (PKI)
  • Configuration Management

31
A Hint of Things You Have to Do
  • Issuance processes and systems (central vs.
    distributed) (who, what, where, how)
  • Card management system
  • Document scanning
  • Federal Information Security Management Act
    (FISMA) Certification and Accreditation
  • Privacy
  • Authentication
  • Revocation
  • Policy
  • Communications Plan
  • Testing
  • Deployment
  • Operations

32
IAB Actions in the Future
  • IAB to Draft Specification Documents
  • Prepare a Federal Pre-issuance Specification for
    buying smart cards
  • Prepare a Developers Guide which reduces
    options allowed by PIV 201
  • Limit the number of Card faces
  • Limit the number of Crypto algorithms supported
  • Choose between Mandatory vs. Optional data
  • Define Issuer to Issuer Validation Transactions
    for when card is presented in another Issuer
    jurisdiction

33
Ingredients For Success
  • Tear down those stovepipes
  • Direction from the top
  • Governance function
  • Leadership
  • Spiral development
  • Committed staff
  • Integration and reuse
  • Lean on experience

Please refer to the notes for more explanation
34
Questions?
Mary Dixon
(703) 696-7396
cacsupport_at_osd.pentagon.mil
http://www.dmdc.osd.mil/smartcard