Title: Chain of Trust and Integration with IT Systems: Extension to Other Programs


1
Chain of Trust and Integration with IT Systems:
Extension to Other Programs
  • Roger Roehr

2
IDMS and CMS
  • The Identity Management System (IDMS) securely
    collects, processes and stores the identity
    information.
  • The Card Management System (CMS) produces,
    authenticates and manages the credential and the
    Public Key Infrastructure (PKI) through the life
    cycle of the credential.

3
Policy and Training
  • Policy
    • The core of HSPD-12 is establishing a chain of trust
    • Roles
    • Separation of duties
    • Privacy issues
  • Training
    • Trusted agents: capture of facial features,
      fingerprints and photographs
    • Help desk
    • Card production staff
    • System administrators
    • Credential holders

4
Enrollment
  • Sponsor
    • An individual within the agency who can vouch for
      the applicant's affiliation
    • Can be automated from the HR system or another
      authoritative source
  • Pre-enrollment
    • Not required, but speeds up the process
  • Enrollment
    • The trusted agent is key
    • Data quality check to ensure all data is
      collected during the first visit
    • I-9 documents are collected
    • Fingerprints are taken

5
Background Checks and Adjudication
  • NACI
    • National Agency Check with Inquiries
    • Inquiries have to be complete within six months of
      employment
  • One-to-many search
    • Fingerprints
    • Photo
  • Adjudication
    • Can be automated if no flags are raised
    • FBI IAFIS results require an authorized person
      to review them

6
Identity Management System (IDMS)
  • Heart of the system
  • Creates the cardholder record and manages the
    movement of data
  • Housed in a secure data facility
    • The level of service can require a backup data
      center or off-site backup data storage
  • All data at rest and in transit needs to be
    encrypted and signed
  • The system will require Certification and
    Accreditation (C&A)
  • Privacy Assessment
    • System
    • Data elements collected

7
Card Management System
  • Prints the card
  • Adds a secure laminate
  • Encodes the card
  • Manages the PIN
    • PIN resets
  • Manages the PKI interface to the card
  • Unlocks cards from their secure shipping mode
  • Creates the secure channel to the PKI for key
    escrow

8
Card Production
  • Two models
  • Centralized
    • BearingPoint's preferred model
    • Allows for easier change management
    • Fewer initial card production errors
    • More secure
  • Distributed
    • Faster issuance
    • Large logistics burden
    • Need for additional security and audits at each
      site
    • Large number of errors in initial card production

9
Issuance
  • Online, real-time process
  • Biometric checks against enrollment record
  • Photo verification
  • Signing key generation
  • PIN loaded
  • Record activated in the IDMS

10
Help Desk
  • Missing cards
  • Lost card
  • Enrollment station locations
  • Issuance and update issues
  • Privacy concerns

11
Privileges
  • Physical access
    • Biometrics are available on the contact interface
      only after the PIN is entered
  • Logical access
    • Certificate-based logon is supported by Microsoft,
      Sun and Linux
    • Logical access is the first place ROI can be
      realized
    • The number one help desk call is the password reset

12
Logical Access
  • Logical access using the PKI certificates
    • Eliminates remote access tokens
    • Reduces password resets
    • Return on investment is easier to quantify for new
      programs
  • Middleware is required to sign and encrypt email and
    other documents
  • A recovery solution is needed for lost, forgotten
    and stolen credentials
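Slides 9, 11 and 12 together describe what the credential does at issuance and at logon: the signing key is generated and the PIN loaded when the card is issued, nothing is released from the contact interface until the PIN is entered, and logical access is a certificate-based logon against the agency PKI. The Go program below is an added example, not code from the presentation, from a real PIV applet or from any vendor; it models a card whose private key is usable only after a PIN verify (with a retry counter), the CMS issuance step, and the workstation-side logon that chains the certificate to the trusted agency CA and verifies a signature over a fresh challenge. All names, the fixed serial number and the three-try limit are assumptions; biometrics are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Card is a constructed model of the credential, not a real PIV applet: private-key use is PIN-gated.
type Card struct {
	Cert     *x509.Certificate
	key      *ecdsa.PrivateKey
	pin      []byte // a real card stores and compares the PIN inside the chip
	retries  int
	unlocked bool
}

// VerifyPIN gates every private-key operation; three consecutive wrong PINs block the card.
func (c *Card) VerifyPIN(pin string) error {
	if c.retries == 0 {
		return fmt.Errorf("card blocked: retry counter exhausted, CMS unblock needed")
	}
	if subtle.ConstantTimeCompare([]byte(pin), c.pin) != 1 {
		c.retries, c.unlocked = c.retries-1, false
		return fmt.Errorf("wrong PIN, %d tries left", c.retries)
	}
	c.retries, c.unlocked = 3, true // counter resets on success
	return nil
}

// SignChallenge proves possession of the key behind Cert, but only after a successful PIN verify.
func (c *Card) SignChallenge(challenge []byte) ([]byte, error) {
	if !c.unlocked {
		return nil, fmt.Errorf("PIN not verified")
	}
	d := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.key, d[:])
}

// Logon is the workstation side: chain the certificate to the agency CA, then check a signed fresh challenge.
func Logon(roots *x509.CertPool, card *Card, now time.Time) (string, error) {
	_, err := card.Cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return "", fmt.Errorf("certificate rejected: %w", err)
	}
	challenge := make([]byte, 32) // fresh per logon, so a recorded signature cannot be replayed
	if _, err := rand.Read(challenge); err != nil {
		return "", err
	}
	sig, err := card.SignChallenge(challenge)
	if err != nil {
		return "", err
	}
	if err := card.Cert.CheckSignature(x509.ECDSAWithSHA256, challenge, sig); err != nil {
		return "", fmt.Errorf("challenge signature does not match certificate: %w", err)
	}
	return card.Cert.Subject.CommonName, nil
}

// issue generates a fresh key pair and has signer certify tmpl; with signer nil the certificate is self-signed.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA makes a self-signed issuing CA standing in for the agency PKI.
func NewCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, NotBefore: now,
		NotAfter: now.Add(10 * 365 * 24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

// IssueCard is the CMS step: key generated at issuance, certified by the CA, PIN loaded (the fixed serial is a simplification).
func IssueCard(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, holder, pin string, now time.Time) (*Card, error) {
	cert, key, err := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: holder}, NotBefore: now,
		NotAfter: now.Add(3 * 365 * 24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, caCert, caKey)
	if err != nil {
		return nil, err
	}
	return &Card{Cert: cert, key: key, pin: []byte(pin), retries: 3}, nil
}
```

Exercise it from a _test.go in the same directory, or add a main that calls NewCA, IssueCard, VerifyPIN and Logon in that order. Two caveats for a real deployment: Verify in Go's crypto/x509 does no revocation checking, so the lost-and-stolen case on this slide needs CRL or OCSP checks against the agency PKI on top of the chain check; and the retry counter is why PIN resets and unblocks belong to the CMS (slide 7), since a card whose counter is exhausted stays blocked until the CMS unblocks it.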

13
Transportation Worker Identity Credential (TWIC)
  • Civilian workers at seaports and related
    transportation activities
  • The TWIC vision is to improve security through
    better identity management by establishing a
    system wide common credential, universally
    acceptable across all transportation modes, for
    all personnel whose duties require unescorted
    physical and/or logical/computer access to secure
    areas of the transportation system.

14
First Responder Access Card
  • Multi-jurisdictional ID e-authentication
  • National Capital Region exercise
    • Federal
    • State
    • Local
    • Private industry
  • Medical care
  • Infrastructure restoration
  • Lessons learned from 9/11 and Katrina

15
Stored Value
  • Electronic purse on the card
    • Cafeteria
    • Vending
  • Privileges
    • Off-line physical access control