To be covered: S&T Intro TTWG. Research/Pilots. Scope Goals Report

Transcription

1 Personal Identity Verification- Interoperability/ First Responder Authentication Credential (PIV-I/FRAC) I/FRAC) Technology Transition Work Group (TTWG) Karyn Higa-Smith Research Program Manager Cyber Security Division Homeland Security Advanced Research Projects Agency Science and Technology Directorate U.S. Department of Homeland Security November 16, 2010 To be covered: S&T Intro TTWG Scope Goals Report Research/Pilots 2

2 3 DHS S&T Mission Strengthen America s security and resiliency by providing knowledge products and innovative technology solutions for the Homeland Security Enterprise

3 S&T Goals Cyber Security Division DHS S&T continues with an aggressive cyber security research agenda Working with the community to solve the cyber security problems of our current (and future) infrastructure Outreach to communities outside of the Federal government, i.e., building public-private partnerships is essential Working with academe and industry to improve research tools and datasets Looking at future R&D agendas with the most impact for the nation, including education Need to continue strong emphasis on technology transfer and experimental deployments

4 S&T IdM Program Focus on IdM research requirements to support the homeland security mission The Identity Management Testbed provides: Technical Risk Mitigation, T&E, validation of technologies and approaches R&D, SME & Engineering Support Exploration of architectural approaches to Identity and Access Management Collaborating across communities and working the interoperability seams Working with industry and Commercial off-the-shelf vendors PIV-I/FRAC Technology Transition Work Group FEMA and S&T supporting State and Local Emergency Response Officials FEMA and S&T Partnership Public Safety Standard Credential Interoperability & Trust Innovation

5 Technology Transition Working Group DHS Membership Charter S&T, FEMA, NPPD, SCO State & Local Sponsorship R&D Support State and Local Participants: Colorado Maryland Virginia District of Columbia Missouri Southwest Texas Pennsylvania Chester County, PA Pittsburgh, PA West Virginia Hawaii Rhode Island Illinois Tough Lessons Daunting Task of: Collaboration Coordination

6 Insights from Work Group It will take our continued commitment to really and finally get the issues related to credentialing and access management accepted as an important component of our national interoperability objectives to enhance homeland security capabilities in both the public and private sectors. This concept of integrated interoperability will promote enhanced joint planning, improve performance, and increase efficiency among all our partners. - Members of the Technology Transition Work Group Making It Work In The Field A national standard, interoperable & trusted ID for emergency response (PIV-I) One voice from the TTWG to policy makers Share lessons and successes Identify technology gaps Transition from research to operations

7 Return Of Investment (ROI) Top-down Bottom-up Case Study S&T knowledge product Published on: Credentialing Challenges Multiple stove-piped credentials Multi-jurisdictional response to large-scale disasters Lack of trust and interoperability Too many credentials! Insecure physical and logical access

8 Collaborating Across Domains and Jurisdictions Research, Development, Testing & Evaluation Privacy Enhancing Technologies Policy-Based Decision Engine Identity and Attribute Exchange Physical and Logical Access Control Integration Fusion Center Information Sharing For More Information Karyn Higa-Smith DHS S&T Program Manager

9

10 Implementing PIV as a Countermeasure for the Physical Protection of CI/KR Facilities, Assets, and Personnel Charlie Luddeke, Jr. Chief of Physical Security HSPD-12 Program Manager Interagency Security Committee Member Federal Emergency Management Agency Department of Homeland Security

11 PIV Policies/Directives Under Homeland Security Presidential Directive 12 (HSPD-12), all federal agencies are required to adopt the Personal Identity Verification (PIV) Card standard, as defined in Federal Information Processing Standards Publication (FIPS 201-1) FIPS defines a standard (the PIV Card) for a smart card identity credential that: is issued based on sound criteria for verifying an individual employee's identity; is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation; can be rapidly authenticated electronically; and is issued only by providers whose reliability has been established by an official accreditation process. The PIV Card serves to enhance security, increase government efficiency, reduce identity fraud, and protect personal privacy 2

12 Federal PKI The Federal Public Key Infrastructure (PKI) establishes a web of trust between all federal government HSPD-12 systems and enables interoperability of the PIV Card among all federal government agencies and authenticated non-federal entities Proves the Card is still valid REVOKED 3

13 Layered Protection uses Countermeasures ALARMS- IDS 4

14 We are only as strong as our gatekeeper! 5

15 Our gatekeepers are as capable as the tools we provide them!... 6

16 PIV is the Countermeasure KEY to Access 7

17 From Flash Pass e c n a r u s s A Low y Poor accurac ard C V I P f o n io t Visual Inspec 8

18 To Contactless Read Medium Assurance Contactless read of FASC-N from PIV Card with or w/out PIN entry No protection from an unknown lost or stolen PIV Card 9

19 To Contact Read with Biometric and PIN High Assurance Contract Read, Biometric with PIN entry Proves identity 10

20 Contact Read with PKI, Biometric & PIN Very High Assurance PKI certificate authentication with biometric and pin nty Proves identity and assures a valid PIV Card 11

21 PIV Assurance Levels Low Visual Inspection of PIV Card Flash Pass Medium Contactless read of FASC-N from PIV Card with or w/out PIN entry High Biometric with PIN entry Very High PKI certificate authentication with PIN entry 12

22 FEMA PIV Firsts First DHS Component to issue PIV Card under Pilot Program; FEMA has now issued over 12,000 PIV Cards Nationwide. First DHS Component to install a FIPS 201 compliant contactless physical access card reader First DHS Component to convert entire PACS to FIPS 201 compliant readers Piloting first PIV card authentication tool in DHS, which authenticates Federally-issued PIV cards First to issue a policy manual for the use of the PIV Card 13

23 Physical Access Control FEMA is upgrading to FIPS 201 compliant card readers which enable the use of the PIV Card for facility access The PIV Card can be authenticated (up to 3-factor authentication) using a handheld reader Depending on the Threat Level and Risk Card readers are available that do full PIV authentication of the PIV Card; FEMA is currently using these readers to validate the movement of critical F/ERO personnel Current PIV Card Reader Handheld Reader Full PIV Authentication Reader 14

24 PIV Card Authentication Tool FEMA is currently piloting a PIV Card Authentication Tool to perform 3-factor PIV authentication on all OGA PIV Cards/CACs (OGAs = Other Government Agencies) validating to the Federal Bridge The tool authenticates the PIV Card and programs it into physical access control software for a specified period of time Once programmed the PIV Cardholder can simply swipe the card in front of the card reader to gain access (Add PIN for heightened security levels) 15

25 All-in-One PIV Authentication Tool Portable Visitor Enrollment and Access Control System in one package PIV Enabled to interoperate with all PIV, CAC, TWIC and FRAC Credentials to validate and grant access for F/ERO personnel Enrolls Credentials and maintains audit record of entry (and exit) Controls One Guard Attended Point of Entry using a RED/GREEN Lamp Expandable to control multiple entry points

26 Identification; Authentication and Enrollment into PACs Actual Real Time Usage 17

27 Credential Repository Stores Personal & Card Auth Certificates Interfaces with PACS to Enroll Credentials Manages CRL Status Checks by OCSP/SCVP Notifies PACS of any Revoked Certificates Requires network connection

28 Guard Attended Access PACs User presents PIV Credential to Reader in 1-Factor (Contactless) or 2-Factor (Contact) mode. System lamp displays Red or Green based on identity authentication and access privileges granted. Less than 2 Seconds 19

29 2-Factor Authentication Reader Dual Interface (Contact or Contactless) Modes PIN for higher security level Extracts Certificates & Public Key Executes PKI challenge to certificate private key Rated for exterior use BIOmetric option available 20

30 Regularly Checks Certificate Status ENROLL Certificates, Name, Exp Date, FASC-N Validate Certificate is not Revoked by Checking CRL via OCSP every X Hours PC/Server AUTHENTICATION & VALIDATION: PIN DATE BIO PHOTO PKI VERIFY Validate CRL Compare FASC-N Grant Access Deny Access Read Certificate Issue PKI Challenge to Verify Private Key Create FASC-N & Send to PC/Server

31 Summary FEMA participates in the NIPP to assure its mission VIGILENCE - It is everyone s responsibility to protect CI/KR facilities and resources. We need the tools for success Establish the threat: Assessment. Determine the Countermeasures. Accept the Risk FEMA uses the PIV Card along with visual identification as acountermeasure to mitigate risk for many access control issues. The PIV Card, when issued and used correctly, is a tamper-proof key to the multiple layers of protection for CI/KR facilities and sites 22

32 Challenges Facing Our Community How will PIV-Interoperable (FRAC, etc.) cards best be used in this protection framework Smartcard technology is strong platform, but not sole answer Risk Based Background investigative standards must be aligned with federal requirements to eliminate trust issues. For Federal Access, Non-Federal organizations must provide the same trust factors as the Federal government as proscribed by FIPS 201 Technology (TTWG) Background Investigation Identity Proofing Fraud Prevention (Roles & Responsibilities) Infrastructure Protection Access is a Risk Decision at the facility Solution to above challenges can grant access to the federal castle 23

33

34 Commonwealth of Virginia First Responder Authentication Credential (FRAC) Program 9 th Annual Smart Cards in Government Identity, Security & Healthcare Conference November 2010 W. Duane Stafford Statewide Credentialing Coordinator Governor s Office of Commonwealth Preparedness 1

35 Arlington County 9/11 After Action Report Some firefighters said they had never seen so many volunteers, and wondered aloud if a volunteer firefighter tee shirt was the only required identification. The last full activation of the EOC was in preparation for the anticipated problems associated with the arrival of the year 2000 (Y2K). As a result, although many county officials had EOC identification (ID) badges, they had long since expired. A current ID system was not in place. Arlington County should work with neighboring jurisdictions and other emergency response agencies and volunteer organizations to implement a uniform identification system. The Governor s Office of Commonwealth Preparedness 2

36 Federal Response to Hurricane Katrina Lessons Learned [Complete] the development of a credentialing system to allow authorized volunteers and workers restoring critical infrastructure access to relief sites The Federal response should better integrate the contributions of volunteers and nongovernmental organizations into the broader national effort. This integration would be best achieved at the State and local levels, prior to future incidents. In particular, State and local governments must credential their personnel, and provide them the necessary resource support for their involvement in a joint response. The Governor s Office of Commonwealth Preparedness 3

37 Commonwealth FRAC Mission To use Federal Information Processing Standard (FIPS) 201 technology to deploy a credential that is interoperable at all levels using the standard. To enhance not only Virginia's response and recovery efforts, but those of the Nation as well, so that credentialing no longer delays those efforts in any scenario requiring the deployment of Emergency Responders. *FRAC First Responder Authentication Credential Governor s Office of Commonwealth Preparedness 4

38 Commonwealth FRAC Program The Commonwealth developed a Federal Information Processing Standards 201 (FIPS 201) interoperable (or PIV-I) FRAC Program using multi-year State Homeland Security Grant (SHSG) funding The FRAC is a standards-based smart card that is issued to the Emergency Response Community and recognized as a true representation of identity and other pertinent data The FRAC provides an interoperable identity credential platform for all Federal, State, local and private sector Emergency Responders Enhances cooperation and efficiency between Federal, state, regional, local, and private sector emergency responders before and during a critical incident Governor s Office of Commonwealth Preparedness 5

39 FRAC Capability During incidents such as natural and man-made disasters, there is a need to expeditiously authenticate and validate federal, state, local and private sector emergency responders: The FRAC is the standard credential for Virginia Emergency Response Officials. Verify the identities, attributes and credentials of emergency responders at incident scenes. Allow access into and out of secured areas and across multijurisdictions. Identifying a person s status within Sectors, Agency, or ESF. Governor s Office of Commonwealth Preparedness 6

40 Interoperability Terminology for Identity Cards Federal CIO Council releases Personal Identity Verification (PIV) Standard for Non-Federal Issuers in July 2010: PIV Card (PIV) an identity card that is fully conformant with federal PIV standards (i.e., Federal Information Processing Standard (FIPS) 201 and related documentation). Only cards issued by federal entities can be fully conformant. Federal standards ensure that PIV Cards are interoperable with and trusted by all Federal government relying parties. PIV Interoperable Card (PIV-I) an identity card that meets the PIV technical specifications to work with PIV infrastructure elements such as card readers, and is issued in a manner that allows Federal government relying parties to trust the card. The FRAC is a PIV-I card. PIV Compatible Card (PIV-C) an identity card that meets the PIV technical specifications so that PIV infrastructure elements such as card readers are capable of working with the card, but the card itself has not necessarily been issued in a manner that assures it is trustworthy by Federal government relying parties. *As defined by the Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guide and the Personal Identity Verification Interoperability for Non-Federal Issuers document. Governor s Office of Commonwealth Preparedness 7

41 Department of Defense and PIV-I The Department [DoD] is aggressively moving to accept qualified PIV-I credentials for access to physical and logical resources. In those cases where DoD relying parties, installation commanders, and facility coordinators determine that granting access is appropriate and that appropriate vetting requirements are met, they should begin accepting DoD-approved PIV-I credentials for authentication and access. Governor s Office of Commonwealth Preparedness 8

42 The Northern Virginia FRAC Pilot The Commonwealth developed a pilot FRAC using the Virginia portion of a NCR UASI grant in 2006 Virginia was the first nationally Issued over 2,300 FRACs to Arlington County and the City of Alexandria Emergency Response Community Credential certificate life cycle to ended in March 2010 Governor s Office of Commonwealth Preparedness 9

43 Hampton Roads Region FRAC Program Secured additional DHS grant funding for FRAC implementation in the Hampton Roads region Hampton Roads Regional Credentialing Working Group Public and Private participation Institutionalize as a business process to increase ROI Governor s Office of Commonwealth Preparedness 10

44 Hampton Roads FRAC Topography Governor s Office of Commonwealth Preparedness 11

45 2010 Hampton Roads Credentialing Roll Out Verizon Business - Set up and configuration of the solution infrastructure (hardware, software, support and services) Deployment of the 8 enrollment and issuance stations hosted and operated by localities. 39 handhelds for on-scene credential validations 12,900 FRACs $3.2 M (over three FY grant cycles) Governor s Office of Commonwealth Preparedness 12

46 Next Steps Credential issuance using PIV-I standard Emergency Responders and CIKR Responders Localities develop Standard Operating Procedures (SOP) for credential use during emergencies as well as for routine use (physical and logical access) Initial issuance station deployed in Newport News Re-engage in Northern Virginia Begin to initiate issuance planning for the remainder of Virginia Governor s Office of Commonwealth Preparedness 13

47 Contact Information Mike McAllister Office: (804) W. Duane Stafford Office: (804) Governor s Office of Commonwealth Preparedness 14

48 DC One Card PIV-I Usage Scenarios Smart Card Alliance November 16, 2010

49 Contents DC One Card Background Program Objectives Click to edit Master text styles Goals Second level Card Uses Third level Roadmap Fourth level Fifth level Maturity Path Phased Implementation PIV-I Case Studies Taxicab Smart Meter Solution Future PIV-I Uses 2

50 Objectives Citizens have multiple ID Cards Citizens have multiple online identities Click to edit Master text styles Objectives Second level Convenience Third level Security Fourth level Cost Savings Fifth level Fraud Reduction Agency A User ID: Password: Agency B User ID: Password: Agency C User ID: Password: Agency D User ID: Password: dc one ID User ID: Password: Improved Access First Responder Support Standard Tools 3

51 DC One Card Roadmap ITSM Planning Stage 1: Establish / Confirm Vision Program Goals Click to edit Master text styles Second level Third level Fourth level Fifth level 4

52 One Card, Many Different Uses as Determined by the Customer Agency DCPL uses it for: Borrowing privileges Tracking due dates, fees Online access DPR uses it for: Identification Facility access Reservations Usage DOES uses it for: Identification Time Tracking Click to edit Master text styles Second level Third level Fourth level Fifth level DCPS uses it for: Identification School access Attendance Cafeteria / library use WMATA uses it for: Metro rail Metro bus Parking lot access Agencies use it for: Identification Door Access

53 DC One Card Roadmap ITSM Planning Stage 1: Establish / Confirm Vision Maturity Path Click to edit Master text styles Second level Third level Fourth level Fifth level 6

54 Challenge / Situation: Case Study High Assurance Credential Taxicab Smart Meter Solution Eliminate extensive cab driver license fraud Improve poor trip reporting Solution Approach Click to edit Master text styles Second level Third level Fourth level Fifth level Issue standard PIV I credential to all taxi cab drivers Deploy modern cab infrastructure integrated with PIV I credential solution Expected Benefits Significantly reduce taxi cab fraud Improve accountability and passenger safety Improve services to customers (e.g., credit card, interactive services) Introduce additional revenue opportunities for drivers and the DCTC 7

55 Future PIV-I Uses FRAC Medicaid Food Stamps WIC Click to edit Master text styles Second level Third level Fourth level Fifth level Child Support Expanded Online Government Services Utilities 8