Title: Management and Operational Issues for HSPD 12
Slide 1: Management and Operational Issues for HSPD 12
Information and Technology for Better Decision Making
IT Quarterly Forum
Deputy Director, Defense Manpower Data Center
November 2005
Slide 2: What Did the President Say?
- Mandatory
- Government-wide
- Secure/Reliable forms of identification
- Issued by Federal Government
- Issued to employees and contractors
Please see notes for more explanation
Slide 3: Secure/Reliable Form of Identification
- Strong identity proofing/vetting
- Strong resistance to
  - Identity fraud
  - Tampering
  - Counterfeiting
  - Terrorist exploitation
- Rapid electronic authentication
- Strong reliability of issuers through an accreditation process
Slide 4: Why Did He Say It?
- Wide potential for terrorist attacks
- Enhance security
- Increase Government efficiency
- Reduce identity fraud
- Protect personal privacy
Slide 5: How Real Are The Threats?
- Identity Protection and Management is key to threat management
[Map graphic: attack locations labelled Indonesia, Spain, UK, Iraq, Russia; "soft targets"; threat actors labelled insiders, terrorists, hackers]
Please see notes for more information
Slide 6: Identity, Force Protection, and Policy
How much progress have we made?
Not much if you don't use the power of the new card (digital authentication and biometrics).
Please refer to the notes for more information
Slide 7: What are the Keys?
- Strong Secure Issuance Process
- Authenticate, Authenticate, Authenticate: Every Time
- Close To Real Time Revocation
- Strong Identity Proofing and Vetting
- Chain of Trust
Please refer to the notes for more explanation
Slide 8: Identity Is Key!
- Before Credential Issuance
  - Proofing: you are who you say you are
  - Vetting: trustworthiness
- At Credential Issuance
  - Verification
  - Affiliation
- After Credential Issuance
  - Electronic enterprise authentication
  - Timely revocation
Personnel Identity Protection
Slide 9: Identity Proofing and Vetting
- Current Requirement
  - Initiate NAC-I
  - Investigation part comes later
  - Credential can be issued based on FBI National Criminal History Check (fingerprint check)
- Future Developments
  - Real-time or short-time replacement for the "I" in NAC-I in the identity proofing process
Slide 10: Secure Processes
- Division of roles
  - Limit what issuer can do
  - Rules based
  - Training/Certification
  - No initial entry
  - Control on cardstock
  - No privilege granting
- Authoritative data source
  - Affirm affiliation
  - Know when to revoke or change affiliation
- Technical solutions whenever possible
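The lifecycle sketched in slides 7, 8 and 10 (proof and vet before issuance, affirm affiliation from an authoritative source, limit what the issuer can do, authenticate every time, revoke close to real time) can be modelled end to end. The block below is an added example written for this page, not DMDC or DoD code; the component names (PersonRecord, AuthoritativeSource, Issuer, Verifier), the sample person ids and the issuer key are constructed. It uses an HMAC with an issuer key as a stand-in for the PKI signature a real PIV/CAC credential carries, so that it runs with the Python standard library alone.

```python
"""Constructed model of credential issuance and authentication (slides 7, 8, 10).
Not DMDC/DoD code. The HMAC is a stand-in for the card's PKI signature."""
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass
class PersonRecord:
    """One row of the authoritative data source (constructed sample schema)."""
    person_id: str
    proofed: bool      # identity proofing done: you are who you say you are
    vetted: bool       # trustworthiness check returned (e.g. fingerprint check)
    affiliated: bool   # current affiliation with the enterprise


class AuthoritativeSource:
    """Only this component may create records or change affiliation."""
    def __init__(self):
        self.records = {}

    def enroll(self, rec: PersonRecord):
        self.records[rec.person_id] = rec

    def end_affiliation(self, person_id: str):
        self.records[person_id].affiliated = False

    def affiliation_active(self, person_id: str) -> bool:
        rec = self.records.get(person_id)
        return rec is not None and rec.affiliated


class RevocationList:
    """Close-to-real-time revocation: consulted on every presentation."""
    def __init__(self):
        self.revoked = set()

    def revoke(self, cred_id: str):
        self.revoked.add(cred_id)

    def is_revoked(self, cred_id: str) -> bool:
        return cred_id in self.revoked


def _canonical(body: dict) -> bytes:
    # Stable serialisation so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class Issuer:
    """Division of roles: may issue, may not enroll people or grant privileges."""
    def __init__(self, issuer_id: str, key: bytes, source: AuthoritativeSource):
        self.issuer_id, self.key, self.source = issuer_id, key, source
        self.serial = 0

    def issue(self, person_id: str, expires_day: int) -> dict:
        rec = self.source.records.get(person_id)
        if rec is None:
            raise PermissionError("no authoritative record; issuer cannot create one")
        if not (rec.proofed and rec.vetted and rec.affiliated):
            raise PermissionError("person not proofed, vetted and affiliated")
        self.serial += 1
        body = {"cred_id": f"{self.issuer_id}-{self.serial}", "person_id": person_id,
                "issuer": self.issuer_id, "expires": expires_day}
        sig = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        return {"body": body, "sig": sig}


class Verifier:
    """Relying party: its chain of trust is the table of issuer keys it accepts."""
    def __init__(self, trusted: dict, source: AuthoritativeSource, crl: RevocationList):
        self.trusted, self.source, self.crl = trusted, source, crl

    def authenticate(self, cred: dict, today: int) -> tuple:
        body = cred["body"]
        key = self.trusted.get(body.get("issuer"))
        if key is None:
            return False, "untrusted issuer"
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cred["sig"]):
            return False, "bad signature"
        if today > body["expires"]:
            return False, "expired"
        if self.crl.is_revoked(body["cred_id"]):
            return False, "revoked"
        if not self.source.affiliation_active(body["person_id"]):
            return False, "affiliation ended"
        return True, "ok"


def demo() -> list:
    """Walk the lifecycle with constructed data; returns the outcome of each step."""
    source, crl = AuthoritativeSource(), RevocationList()
    source.enroll(PersonRecord("P-100", proofed=True, vetted=True, affiliated=True))
    source.enroll(PersonRecord("P-200", proofed=True, vetted=False, affiliated=True))
    key = b"constructed-issuer-key"
    issuer = Issuer("SITE-A", key, source)
    verifier = Verifier({"SITE-A": key}, source, crl)
    out = []
    try:
        issuer.issue("P-200", expires_day=400)       # vetting not complete
    except PermissionError as e:
        out.append(str(e))
    cred = issuer.issue("P-100", expires_day=400)
    out.append(verifier.authenticate(cred, today=10)[1])
    forged = {"body": dict(cred["body"], person_id="P-999"), "sig": cred["sig"]}
    out.append(verifier.authenticate(forged, today=10)[1])
    out.append(verifier.authenticate(cred, today=401)[1])
    source.end_affiliation("P-100")                   # know when to revoke
    out.append(verifier.authenticate(cred, today=10)[1])
    crl.revoke(cred["body"]["cred_id"])
    out.append(verifier.authenticate(cred, today=10)[1])
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The ordering of checks in `Verifier.authenticate` matters: signature first (nothing else in the body can be trusted until it is verified), then validity period, then revocation, then the live affiliation lookup, so a credential that is still cryptographically valid is refused the moment the authoritative source ends the affiliation, even before the revocation list catches up.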
Slide 11: A Family of PIP Systems
- DEERS
  - Functions as the DoD Person Data Repository (PDR)
  - Collects affiliated personnel data from approximately 40 personnel systems into one system
- RAPIDS
  - Issues credentials
  - Scalable, flexible system
- Defense Biometric Identification System (DBIDS)
  - Enables physical access
  - Deployed theatre-wide
- Defense National Visitor System (DNVS)/Defense Cross-Credentialing Identification System (DCCIS)
  - Supports concept of Federation
  - Can be used with or without DBIDS
Slides 12-18: Please refer to the notes for more explanation
Slide 19: DoD Distributed Issuance
- 394 Deployable Sites
- 45 Asia Pacific Sites
- 870 U.S. Sites
- 1 Central Issuance Site
- 96 European Sites
- 18 Shipboard Sites
1,425 Sites Deployed Worldwide as of June 2005
Please refer to the notes for more explanation
Slide 20: Applications Growing
- Defense Travel System
- Personnel Tracking
- Personnel Status Tracking
- Manifesting
- Dining Facility
- Website Authentication
- E-Purse Pilot
- Rifle Range
Slide 21: What Did DoD Have To Do?
- Biggest challenge: large installed infrastructure base, backward compatibility
  - 8 million CACs issued since inception
  - 3.2 million in current operation
- Gap analysis: over 700 items, most already planned and/or underway
- Implementation plan submitted/approved
- PIV I Initial Operating Capability Compliance
Slide 22: Implementation Strategy
[Diagram: CAC applet layout at the PIV end state. Labels recovered from the graphic: Security Domain; Access Control Applet (PIN, Secure Channel, External Authority); Mini Access Control Applet (PIN, Secure Channel, External Authority); Secure Transport; Access Control; Dual Interface Infrastructure; Bio Action Applet; PIV Data Model (2 Biometrics, Photo, PIV Key, Optional); E-Purse Applet; CCC; Govt PKI Applet; DoD Applets; OP Domain API; PKI Security Domain; JavaCard Runtime]
Please refer to notes for further explanation
Slide 23: Implementation Strategy
- Equal Treatment of DoD Usage and PIV Usage
  - PIV and DoD use separate space on the CAC.
  - CAC does not become less secure.
  - DoD continues more advanced use of technology (Access Control Applet).
  - DoD continues vendor neutral biometrics implementation.
  - Same strategy with ICAO for making a CAC a contactless passport.
Please refer to the notes for more explanation
Slide 24:
- But we wanted a more complete solution
  - Retirees/Family members (approx. 6 million)
  - Contractors that should have a local credential
  - Federated credentials
Slide 25: DBIDS
- Fully configurable, hardware independent, identity management solution for personnel authentication
- Links to DEERS and other systems (DNVS and DCCIS)
- Real-time sharing of updated information between systems
- Sharing of data and digital fingerprints
- Better authentication at registration using CAC
- Biometric capture devices including additional biometric technologies
- Handheld devices allowing for remote (wireless and contactless) biometric checks
- Contactless and wireless for people and vehicles (RFID) at gates
- Mobile systems for law enforcement vehicles for virtual perimeters
Slide 26: DBIDS Deployed Operational Worldwide
Please refer to the notes for more explanation
[Map graphic with regional registration counts:]
- CONUS: >40K registered at POM/NPS, Ft. Hood, Ft. Polk and COOP
- Southwest Asia: Kuwait and Qatar, >40K at Camps Doha, Arifjan and As Sayliyah
- Asia: USFK >355K at 35 locations; CNFJ >15K at Yokosuka, Japan
- Europe: >400K at 166 locations
Slide 27: DNVS DCCIS
- DoD Personnel Identity Protection Program
  - Stronger authentication for identity credentials at the front end
  - Secure smartcard credentials (CAC)
  - Binding identity to a strong back-end system using biometrics
- Defense National Visitors Center
  - Federal government e-authentication model
  - Should not need multiple credentials to do business
  - Disparate systems can communicate with one another (cross credential)
- Defense Cross-Credential Identification System
Slide 28: Please refer to the notes for more explanation
Slide 29: If You Haven't Started
- YOU ALREADY MISSED YOUR FIRST TWO DEADLINES
- AND YOU ARE ON YOUR WAY TO MISSING YOUR THIRD
- GET STARTED!
For help
- Get the Federal Identity Management Handbook
  - http://www.cio.gov/ficc
- Join the Inter-Agency Advisory Board (IAB)
  - mailto:cacsupport@osd.pentagon.mil
Slide 30: A Hint of Things You Have to Do
- Authoritative databases
- Registration processes (who, what, where, how)
- Identity chain
- Biometrics
- Card
  - Topology
  - Data
  - Architecture
  - Federal Information Processing Standard (FIPS) certification
- Controls
- Acquisition
- Keys
- Public Key Infrastructure (PKI)
- Configuration Management
Slide 31: A Hint of Things You Have to Do
- Issuance processes and systems (central vs. distributed) (who, what, where, how)
- Card management system
- Document scanning
- Federal Information Security Management Act (FISMA) Certification and Accreditation
- Privacy
- Authentication
- Revocation
- Policy
- Communications Plan
- Testing
- Deployment
- Operations
Slide 32: IAB Actions in the Future
- IAB to Draft Specification Documents
  - Prepare a Federal Pre-issuance Specification for buying smart cards
  - Prepare a Developer's Guide which reduces options allowed by PIV 201
    - Limit the number of Card faces
    - Limit the number of Crypto algorithms supported
    - Choose between Mandatory vs. Optional data
  - Define Issuer to Issuer Validation Transactions for when a card is presented in another Issuer's jurisdiction
Slide 33: Ingredients For Success
- Tear down those stovepipes
- Direction from the top
- Governance function
- Leadership
- Spiral development
- Committed staff
- Integration and reuse
- Lean on experience
[Graphic: HSPD-12 surrounded by the labels Governance function, Direction from top, Leadership, Tear down stovepipes]
Please refer to the notes for more explanation
Slide 34: Questions?
Mary Dixon, (703) 696-7396, cacsupport@osd.pentagon.mil, http://www.dmdc.osd.mil/smartcard