DoD & FiXs : Identity Superiority

Transcription

1 DoD & FiXs : Identity Superiority Implementing common authentication now & into the future. The Federation for Identity and Cross-Credentialing Systems (FiXs)

2 FiXs - The Federation for Identity & Cross-Credentialing Systems A 501(c)6 not-for-profit trade association initially formed in 2004 in collaboration with the Department of Defense to provide secure & inter-operable use of identity credentials between & among government entities & industry. A coalition of diverse companies/organizations supporting development & implementation of inter-operable identity cross-credentialing standards & systems. Members include: government contractors, technology companies, major financial firms, not-forprofit organizations, Department of Defense, General Services Administration, State Governments, etc. 2

3 FiXs is a Standards Organization Complete Governance structure for member firms. Certification standards for creating identity credentials & securing personal identifying information. A secure network switch through which transactions can be passed. Standards for interfacing with the network switch. Network access to certified service providers & sponsors of individuals holding certified credentials. Clearinghouse for objective consideration of technologies, business processes, rules & requirements. 3

4 Federal Acquisition Regulations (FAR) Contract clause The contracting officer shall insert the clause at , Personal Identity Verification of Contractor Personnel, in solicitations and contracts when contract performance requires contractors to have physical access to a federally controlled facility or access to a Federal information system Personal Identity Verification of Contractor Personnel (a) The Contractor shall comply with agency personnel identity verification procedures identified in the contract that implement Homeland Security Presidential Directive-12 (HSPD-12), Office of Management and Budget (OMB) guidance M-05-24, and Federal Information Processing Standards Publication (FIPS PUB) Number 201. (b) The Contractor shall insert this clause in all subcontracts when the subcontractor is required to have physical access to a federally-controlled facility or access to a Federal information system. 4

5 The Foundation In January 2006 FiXs entered into a formal Memorandum of Understanding (MOU) with the Department of Defense which established terms & conditions under which FiXs & DoD will use their respective systems as part of an identity suite of systems. The terms & conditions include: an operational framework for inter-operability between DoD & FiXs; specific operational responsibilities; and, governance structure. IATO Granted by DMDC in July

6 Governance Structure Defined Trust Model Operating Rules Security Guidelines Policy Standards, including Privacy Act compliance Technical Architecture Specifications & Standards Implementation Guidelines 6

7 The Basic Principles Individual personal identifying information, such as biometrics, SSN, & other unique personal identifying information is captured once & accessed as required for authentication of identity. This information is maintained in a federated manner, whereby there is no single database of every person s identifying information. It is maintained in a distributed manner under the authority & control of the organization who sponsors the individual holding the credential. Queries of this information can be logged to support privacy (like knowing when someone accesses your credit report). Structured to emulate the ATM model of the banking industry. 7

8 Identity Federation between DCCIS & FiXs DoD/DMDC Member Companies DCCIS Association FiXs Users: DoD employees with CAC cards. DCCIS Network FiXs Network Users: Member company employees w/ company (FiXs) badges. DoD/DMDC Issuance System DoD Facilities & Networks Member Issuers / Subscribers Member Relying Parties 8

9 Meeting DoD Objectives Credentials that can be trusted with confidence FiXs network fully operational for worldwide use in support of identity authentication purposes & applications -- DMDC 16JUL07 The DoD shall establish & maintain the ECA program to support the issuance of DoD-approved certificates to industry partners & other external entities & organizations. -- DoDI 8520 Short term return on investment (ROI) Existing highly available architectures for identity deployment & revocation information -- immediate cost avoidance of CAC issuance outside of the fence. 9

10 Meeting DoD Objectives (continued) Fulfills need for personal security in a high-tech world Med H/W Assurance intended for applications operating in environments appropriate for med assurance but require higher degree of assurance & technical nonrepudiation. -- DoD CP ECA Policy Management Authority (EPMA) recognizes the need for non-dod entities & personnel to interoperate w/ DoD PKI applications for the purpose of conducting business electronically w/ DoD. -- DoD/ ECA MOA 10

11 Consistent with DoD Investments Assurance of interoperability & convergence DoD PKI Medium Hardware Assurance (CAC) ECA Medium Hardware Assurance Defense Cross Credentialing Identification System (DCCIS) FiXs Initial Operating Capability (IOC) Distributed trust model DoD-wide DoD PKI/ ECA Root distribution Global Directory System (GDS)/ Credential Validation FiXs Operating Rules - HSPD-12 compliant Defense National Visitor Center (DNVC) System Defense Biometric Identification System (DBIDS) The Medium Hardware Assurance tokens and associated certificates issued by the ECA Providers have the same assurance level as the certificates on a Common Access Card (CAC). -- EPMA 11

12 FiXs Chain of Trust 12

13 Trust Anchors - Multiple Levels of Assurance PKI (Logical) FiXs (Physical) DoD/ECA Federal Private (FBCA) Level 4 - High Medium Hardware FPCPF Common Hardware N/A Level 3 - Med-High Medium Hardware FPCPF Common Hardware N/A Level 2 - Medium Medium FPCPF Common & FBCA Medium FBCA High or Medium Level 1 - Low N/A FPCPF Common FBCA Medium or Basic 13

14 Identity Authentication Architecture Authentication Services Customers ` Logical Access Control Systems [LACS] ` Physical Access Control Systems [PACS] Authentication Station Sponsor Participant Authenticator Mobile Authentication Adjudicator ` Enrollment Services Infrastructure ` Enrollment Officer Pre-Enrollment FiXs Domain Server [FDS] Dept. Of Defense Civilian Agencies Verification Transactions Card Reader Camera 10 Print Capture En ro llm en td ata Finalization Services ` Finalization Officer Card Reader CRL/OCSP Fingerprint Sensor Key Mgmt. PKI Certificates FiXs Trust Broker [FTB] Helpdesk Scanner e Signature nc ua Capture Iss s rt Ce Card Mfgr. Card Mgmt. System [CMS] Card Printing Identity Mgmt. System [IDMS] FiXs Domain of Governance Card Production Health Care Gov & Industries Trust Gateway Brokers (TGB) B Ch ack ec gro ks un d Inventory & Distribution First Responder Authentication Card Government Commercial Investigation Services 14

15 Certified & Accredited Subsystems FiXs Network - DMDC has successfully completed the final testing of the Government to Business interface between DMDC & the FiXs network. With the completion of this testing, the Defense Cross Credentialing Identification System (DCCIS) infrastructure & its interface to the FiXs network are now fully operational for worldwide use in support of identity authentication purposes and applications. Credential Issuers (CI) - Each CI undergoes an extensive & complete review in accordance with the highest industry standards & cover all requirements of the solution proposed in the solution. This is documented in detailed Certification & Accreditation (C&A) reports. Authentications Station - FiXs certified authentication stations enable FiXs & Department of Defense (DoD) CAC credentials to be verified & accepted for physical access authentication purposes by implementing the cross-credentialing services supported by this combined network. Final decisions on physical access privileges, whether at a government or vendor site, are local decisions. 15

16 Multi-Level Vetting & Access Control All certificates on a FiXs credential include an Organizational Unit that identifies the FiXs assurance level as follows: ou=fixs4, for FiXs credentials asserting FiXs equivalent High ou=fixs3, for FiXs credentials asserting FiXs equivalent Medium High ou=fixs2, for FiXs credentials asserting FiXs equivalent Medium ou=fixs1, for FiXs credentials asserting FiXs equivalent Low (not recommended) 16

17 HSPD-12 Compliant Credential Management FIPS 201 compliant lifecycle management of users, their identity devices, & associated credentials with the strength of DoD Medium Hardware Assurance 17

18 Identity Superiority Trusted Physical Access 2D barcode, 1D barcode & mag-stripe on back 2D barcode, 1D barcode & mag-stripe on back 2 RFID antenna Trusted Logical Access Hardware tokens [FiXs] & associated certificates issued by the ECA providers have the same assurance level as a Common Access Card (CAC). -- EPMA 18

19 Verify Authenticate Validate 19

20 Robust Validation Infrastructure FiXs Validation Service (Site 1) CRL Update Path (ldap/ ldaps http/https) FiXs Validation Service (Site N) Alternative Validation Paths (OCSP) 50 plus FiXs Compliant CRLs 20 plus FiXs Compliant PKI Directories Local Area Network https Application Servers Client/WS Client/WS Inside and/or Outside the LAN Client/WS Client/WS OCSP Repeater 20

21 Robust revocation processes Credentials issuers are required to maintain FiXs enrollment, control, administrative, REVOCATION, & audit information. Maintenance & updating of the revocation information is the joint responsibility of the sponsoring organization & the Credential issuer. Card & Certificate Revocation Lists issued immediately upon revocation. A revocation process must exist such that an expired or invalidated credential is swiftly revoked. 21

22 Uniqueness Enforced Across the FiXs Network X.500 DNs & Card Holder Unique Identifier (CHUID) Data Elements as stipulated in the FiXs implementation requirements. FiXs Credential Issuers shall enforce credential uniqueness by ensuring: The applicant does not hold another active FiXs credential; The name contains the applicant s identity & organization affiliation that is meaningful to humans; and, The naming convention is as described in the corresponding CP. FiXs is designated by DoD to assign organizational codes to commercial entities. 22

23 Uniqueness Enforced Across the FiXs Network (cont.) FiXs Credential Issuer will support special procedures that ensure that each individual holds only one active FiXs credential: Management personnel authorized to approved the issuance of a credential to an applicant (e.g., contracting officer or contracting officer s technical representative) Collect a signed approval for the issuance of a credential to an applicant via digitally signed from an agency management personnel authorized to approved the issuance of a certificate to an applicant Verify that a request for credential issuance to an applicant was submitted by management authorized to do so via by comparing the approval letter or to the list of approved agency management personnel authorized to approved the issuance of a certificate to an applicant Verify applicant s employment through use of official records Establish applicant s identity by in-person proofing, based on the processes defined in the FiXs Operating Rules 23

24 Interoperability Can be Achieved Mandate common authentication scheme across DoD Multi-level physical access via DCCIS/ FiXs operating rules. All in & out of DoD to be digitally signed by CAC equivalent. All sensitive information to be protected at Medium/ Medium H/W Assurance. Mandate DoD PKI/ ECA & DCCIS/ FiXs in DITSCAP/ DIACAP evaluation Mechanism to enforce current objectives. Ensures compliance as technologies mature. Maintains common security infrastructure. Re-allocate funds anticipated to issue CAC to outside the fence contractors to relying applications & DNVC/ DBIDS authentication station deployment 24

25 Base Access Today s Problem No uniform compliance Vulnerability Lack of vision Who s on - Who s off No threat flexibility DHS NIMS code deployment plan PX & commissary services Suppliers to docks Maintenance and repair access to grounds 25

26 Issues with base security How do we protect our bases, balanced with ease of use? Easy, secure access for those who belong. Simple identification verification of visitors. Identity assurance for contractors & suppliers must: Incorporate strong vetting for those that require base access. Follow DoD & Federal guidelines. Access decisions must be automated & reliable. The Base Commander is ultimately responsibility, so how do we help: Improve decisions. Make it more secure, smarter & cost efficient. 26

27 Do we re-invent the wheel? Identity assurance policy & standards have been developed. Vetting & security is in place. FiXs, DoD/ECA CAC, & HSPD-12: All are secure identities. All can be used for gate access. All provide 2 factor authentication. Its been done, decided, now lets use it. 27

28 Value Proposition & ROI Easy business decision for CFO & CIO. Enterprise-wide capability & best practices. Security & Privacy of staff, systems, & facilities. Method for data security in compliance with latest identity authentication processes. Complies with FAR contract requirements. HSPD 12 and DoD PIP compliant. Leadership in a large and developing market on an matter that is of major national importance. 28

29 Commercial Entities FiXs Members 2008 AFCEA American Logistics Association AMERICAN SYSTEMS CORP. Booz Allen Hamilton ChoicePoint Government Services Covisint DSA, Inc. EDS Eid Passport, Inc. Imadgen, LLC Little River Management Group, LLC Lockheed Martin Corporation Mobilisa Northrop Grumman SAIC SRA International, Inc SRP Consulting Group, LLC Telos Identity Management Systems, LLC Unlimited New Dimensions, LLC Vuance, Inc. Wave Systems Corporation WidePoint Corporation [ORC] 3Factor, LLC Government Advisors Defense Manpower Data Center, DoD Office of Government-wide Policy, GSA CIO Office, State of Colorado 29

30 Contact Information Dr. Michael Mestrovich, President - FiXs Michael.Mestrovich@fixs.org Robert Martin, Corporate Secretary - FiXs Bob.Martin@fixs.org Dan Turissini, Board Member - FiXs turissd@orc.com