Mandate. Delivery. with evolving. Management and credentials. Government Federal Identity. and. Compliance. using. pivclasss replace.

Transcription

1 Simplifying Compliance with the U.S. Government Federal Identity Mandate The first in a series of papers on HID Global ss Federal Identity Initiative and Delivery Strategy U.S. government agencies are faced with the difficult challenge of complying with evolving standards for secure and reliable forms of identification used by Federal employees and contractors. These standards were initiated in August 2004 when President Bush ordered the Homeland Security Presidential Directive-12 (HSPD-12). of Homeland Security (DHS) and the Office of According to a February 2011 memorandum issued by the U.S. Department Management and Budget (OMB), starting next fiscal year, existing physical and logical access control systems must now be upgraded to use Personal Identification Verification (PIV) credentials in accordance with National Institute of Standards and Technology (NIST) guidelines, before federal agencies may use development and technology refresh funds to complete other activities. These systems must leverage smartcard and biometric technology and supports identification credentials according to government guidelines. HID Global s Federal Identity Compliance Initiative will enable agencies to cut the cost and complexity of Federal Information Processing Standards Publication 201 (FIPS-201) compliance using a modular hardware approach and the industry s only turnkey offering from a single supplier. The initiative combines the company s strengths in access control solutions and technology migration, the enhanced cryptographic security of itss next-generation readerr platform, and the extensive identity-assurance portfolio offered by ActivIdenty, an HID Global company that enables customers to confidently establish trust in on-line activities. Customers will be able to deploy HID Global pivclasss readers that are seamlessly integrated with the company s pivclasss Authentication Modules (PAMs), and achieve full FIPS 201 compliance without having to replace their current physical access control head-end server, panel or door control hardware. This paper will describe HID Global s new compliance initiative, which is unique in providing a fully interoperable, simple-to-deploy, cost-effective and turnkey solution that has been tested and validated under the company s Genuine HID umbrella. The initiative gives agencies a single point of deployment responsibility for FIPS-201 compliance, ensuring they can achieve compliance quickly, effectively and with all necessary audit support, on an incremental, pay-as-you-go basis, while preserving investmentss in their existing infrastructure.

2 2 Compliance Requirements and Deadlines HSPD-12 is intended to enhance security, increase government efficiency, reduce identity fraud, and protect personal privacy. It requires agencies too follow specific technical standards and business processes for the issuance and routine usee of secure and reliable forms of identification, in compliance with FIPS-201. The FIPS-201 document, entitled Personal Identity Verification (PIV)) of Federal Employees and Contractors, defines the multi-factor authentication, digital signature andd encryption capabilities required for standardized PIV smart card credentials that will be used by federal employees and contractors to gain access too all government facilities and disaster responsee sites. FIPS-201 compliance is expected to create a standardized infrastructure of interoperable access control products across a wide range of facilities belonging to disparate agencies and partners. This will lead to reduced overall costs while improving the federal government s ability to leverage its formidable buying power. All new systems under development will need to support PIV credentials and physical building access changes according to NIST guidelines. One of the most important documents issued by the government is SP , which discusses the different PIV card capabilities so thatt the risk-based assessment can be aligned with the appropriate PIV authenticatio on mechanism (see Fig. 1-1). The SP document introduces thee concept of led, Limited, and Exclusion areas, which require agencies to employ risk-based PIV authenticatio on mechanisms for different areas within a facility. The document also proposes a PIV Implementation Maturity Model (PIMM) to measure the progress of facility and agency implementations. Finally, it recommends to federal agencies an overall strategy for the implementation of PIV authentication mechanisms within an agency s facility Physical Access System ( PACS). Components of HID s Federal Identity Compliance Initiative HID Global s compliance initiative solvess the difficult t problems that agencies have faced in trying to achieve FIPS 201 compliance. Until now, PIV implementation was not a turnkey process, and it was very expensive. HID Global remedies this situation by eliminating the need for agencies to acquire, organize, and deploy the expertise, technologies and suppliers thatt are necessary for achieving a working solution. The company s compliance initiative also provides agencies with a

3 DoD DoD Federal Interoperability Bridge Root NASA State of Illinois CertiPath Bridge DoJ E-Commerce SITA DoJ Northrop GPO Grumman DoE Dept. of State USDA NFC DHS US PTO Wells Fargo Identrus Root DST Root X2 Unaffiliated Individual US Treasury NASA Operational X6 Business Representative Boeing Lockeed Martin DoD Trusts Contractor DST Device Gov t Root CertiPath Common Policy Root ARINC SSA Federal Employee Exostar VD ot FRAC Unaffiliated NSF Co ommon Policy Root Entrust TWIC Root MSO VeriSign SSP TWIC DoT Port Trusts First Responder HUD Lockheed Martin ChoiceID Cybertrust SSP NHFB HHS GSA EOP VA B Business Business to Government Gov t United DoL EPA Space Alliance FTC 3 clear migration path from existing credentials, and a strategy for r protecting their current investments. A key element of HID Global s compliance initiative is its extensive core domain strength in PACS readers and credentials, which has provided the foundation for its next-generation iclass Securee Identity Object (SIO)-Enabled (iclasss SE) readerr platform.the platform uses a new standards- security, portability and performance. It also provides a robust foundation for new pivclass readers that HID Global offers as part of its Federal Identity Compliance Initiative. The iclass SE based, technology-independent and flexible data structure to significantly improve access-control platform features EAL5+ Secure Element hardware to ensure tamper-proof protection of keys and cryptographic operations, and also uses the industry-standard Open Supervised Devicee Protocol (OSDP) communications standard to establish a seamless and secure, bidirectional link between pivclass readers and pivclass PAMs. The HID Federal ID suite of products offers the following benefits: Upgrades existing physical access control systems (PACS) to authenticate credentials at full range of assurance levels Upgrades existing PACSs without the need for wholesalee rip and replacement of existing equipment Helps to fulfill the promise of converged physical and logical security as envisioned by HSPD-12 Is unique in delivering complete FIPS 201 and SP compliance Addresses security, compliance and ROI objectives by enabling PIV, PIV-I, PIV-C and C card access The HID Compliance system includes the PAMs, which are installed between HID Global s pivclass readers and the existing PACS panel (seee Fig. 2) to perform PIV authentication tasks. HID Global s pivclass Validation Serve provides centralized control of assurance level settings and distribution of validation data. The most recent pivclass offering also adds a new service application programming interface (API) that integrates PACS enrollment capability directly into the validation service. Federal Identity Solution Suite Existing PACS PACS Head-end Server Authorization Ethernet Functions Path discovery Path validation Revocation checking Construct FACL Optional Enroller TWIC Hot List Panel Validationn Authorities FACL Wiegand pivclass Authentication Module pivclass Reader Platform RS-485 Functions Signature checks Private key challenge Conformity checks Freshness checks PIN & BIO checks Gov t PKI FIPS 201 and SP compliant Upgrades existing PACS Authenticates credentials att full range of assurance levels Enables use of PIV, PIV-I, PIV-C and C cards to access facilities Fig. 2.

4 4 The HID Compliance system performs all of the steps required for PIV authentication. At the time of enrollment, the trusted card issuers (also known as the trust anchors) are set in the system. The statuss of enrolled PIV cards is checked on a periodicc basis to prohibit access by revoked cards. This is done by retrieving the card revocation status from the issuing certificate authority (OCSP/CRL/MiniCRL) and the TWIC Hotlist. When a PIV, PIV-I,, PIV-C (CIV) or TWIC card with the appropriate assurance level is presented to a corresponding reader, the PAM validates the card according to the assurance level setting, extracts thee badge ID from data on the card, and then passes the badge ID to the PACS panel for an access decision and logging. The PAM also validates PIV cards from visitors by using the Server-based Certificate Validation Protocol (SCVP) to implement the path discovery process and establish a chain of trust through thee Federal Bridge. HID Global has successfully completed cross-certification to the PIV-I standard via the CertiPath Bridge, which ensures interoperability across Government agencies and with nonto send a Government members of the Federal Bridge. For invalid cards, the PAM is configurable preset badge ID to the PACS panel and/ /or close an output relay. In case of communications interruption, PAMs maintain an updated validation data cache (e.g., issuer trust status, revocation status) so it can function offline, while strong authentication continues at the door. Additionally, cardholder data can be captured automatically the first time a card is presented to any PAM-connected reader for validation. The data can also then be stored and distributed to all other PAMs by the pivclass Validation Server. This feature delivers several benefits. First, it allows traditional enrollment of cardholders using existing PACS enrollment functionality. It also allows integration with an identity management system (IDMS) or card management system (CMS). Finally, it enables the use of third-party enrollment packages, such as visitor software or the pivclass Enroller. Additionally, with the successful completion of CertiPath cross-certification for PIV-I, HID Global also offers a comprehensive online PIV-II Service that will reducee the time and complexity required for contractors to obtain employee credentials whichh comply with PIV-I requirements. Transition Steps HID will be extending its iclass SE-based PIVclasss reader platform with a variety of modular hardware options that enablee agencies to very flexibly address compliance requirements across all PIV access-area permission levels. In the first two deployment phases of its Federal Identity Compliance Initiative, the company will be offering its coming, next-generation pivclass reader platform with PAMs in the following configurations: led access compliance: This solution will support Card Authentication Key (K) Certificatee access and deliver access permissions to led areas per SP requirements. Contact and biometric compliance: This solution will enable PIV authorization certificate access, which delivers access permissions too led, Limited and Exclusion areas per SP requirements. HID Global also plans to extend its program beyond FIPS 201 to support other Public Key Infrastructure (PKI)-at-the-door compliance requirements, as well as PIV-I and PIV-C (PIV- compatible) requirements for cards issued by non-federal entities.

5 5 Summary Federal agencies face a difficult challenge in upgrading their PACS infrastructure to meet the latest government mandates. Until now, they have had to work with multiple vendors and often faced the prospect of having to replacee their entire system. HID Global s Federal Identity Compliance Initiative give agencies a single point of responsibility y for achieving compliance, using fully tested and validated, modular hardware that preserves investments in their existing infrastructure while providing the flexibility to incrementally improve capabilities and adapt to new requirements over time. hidglobal.com 2011 HID Global. All rights reserved. HID, the HID logo, and Genuine HID are trademarks or registered trademarks of HID Global in the U..S. and/or other countries. All other trademarks, service marks, and product or service names are trademarks or registered trademarks of their respective owners HID-SimplifyingComplianceWithTheUSGovernmentFederalIdentityMandate-wp-en