Interagency Advisory Board Meeting Agenda, Tuesday, November 1, 2011

Transcription

1 Interagency Advisory Board Meeting Agenda, Tuesday, November 1, Opening Remarks (Mr. Tim Baldridge, IAB Chair) 2. FIPS Update and Panel Discussion with NIST Experts in Q&A Session (Bill MacGregor and Hildy Ferraiolo, NIST) 3. Securing Mobile Devices for Government Specific Apps (Debb Blanchard, Verizon) 4. Enabling HSPD-12 and Biometrics to Secure the Pentagon and Mark Center (Derek Nagel and Roger Roehr, PFPA) 5. An Example of Enabling HSPD-12 in Multi-Tenant Building by Operating a PACS Platform as a Service (Tom Corder, Bridgepoint Systems) 6. DoD PIV-I Update (Paul Grant, DoD) 7. Closing Remarks (Mr. Tim Baldridge, IAB Chair)

2 PACS as a Platform in the GSA Cloud Tom Corder, President BridgePoint Systems 530 McCormick St., San Leandro CA USA tcorder@bridgepointsystems.com

3 Who is This Person?

4 Neal Smith Federal Building, Des Moines IA - 10 Stories - 400,000 Square Feet - 45 US Gov t Agencies People 550 PIV Holders 300 Contractors - Energy Star Building (4% less Energy Use than 9 Years Ago)

5 WHY PIV? Old system was failing and GSA did not want to put more money into a non-compliant system We do not want a bad guy to wheel a load of explosives into the freight elevator, push a button and send it up to one of the floors. - Mike L, GSA Project Manager & Facility Manager

6 PACS Challenges Replace a 10+ Year Old Legacy System Interoperate with 45 Agencies & 550 Employees Include 300 Other non-piv Employees Control 3 Parking Gates Control 5 Automated Doors Control 15 Freight Elevator Access Points Meet HSPD-12 Compliance Make Mike Happy

7 GSA: Oh, by-the-way We have a Limited Budget 4 Days for Installation (2 days Elevator; 2 days Doors) Cannot Disrupt Facility Operation (Overnight) Enroll 850 Users in Advance (Produce 300 PIV- C ) It Must Scale to Other Agencies in the Facility Maybe Other Facilities in the Region We Require a Green Solution (no Local Server) System must be Certified to be on the GSA Network = Cloud Based (in Kansas City?) Make Mike Smile

8 GSA is Trying to Sell Dog Food

9 Identity, Credential and Access Management Personal Identity Verification (PIV) Interoperable (PIV-I) Update At Industry Advisory Board Paul D. Grant Special Assistant, Federated Identity Management and External Partnering Office of the DoD CIO Co-Chair, Identity, Credential and Access Management Sub-Committee Federal CIO Council 1 November

10 Get GSA Smart HAVE A PLAN AND A QUALIFIED TEAM EmbarkIT 8A Prime Provider to GSA Utilize Existing Infrastructure - Elevator Interface Controls - Door Hardware - Cabling - Electrical Cabinets Designed Plug In Controller Sub-plates Created Adaptor Harness (Plug & Play) Pre-Loaded Enrollment Software on Two Client PC s Enrolled 550 PIV Users in Advance Produced & Enrolled 300 PIV-C Credentials

11 Compliant with Current & Future Guidance FISMA-2 (Q4 2011) PACS is Included FIPS (Q4 2011) CAK Mandatory M Requires Use of Certificates M Includes PACS in FISMA M OMB & DHS Require Implementation in FY 2012

12 BridgePoint Pedigree? 1 st to: Open a door using a DoD CAC (Ft. Belvoir 2002) Integrate the CAC with biometrics in a real world deployment (Ft. Belvoir 2003) Install a FIPS-201 reader in a Government building (GSA building in NYC, October 2007) Build PKI Challenge Response into a Reader Utilize PKI validation and verification in a DoD facility in a door access system (Ft. Huachuca 2008) Install a PACS with PKI in a multi-tenant government building in Washington D.C. (FEMA HQ 2010)

13 BridgePoint Strong HSPD-12 Compliance Mitigate Cloned Credentials in a PACS Off-line Environment 1. Validate Certificate Status (OCSP / SCVP) 2. Cache the results (In a PACS, Certificate Status Validation is not real time) 3. Generate HASH of the Certificate(s) 4. Verify the Private Key (Challenge-Response) 5. Match the Certificate HASH

14 PACS Platform in the Cloud Architecture Local 3-Factor Enrollment Station Local Camera & Card Printer PACS Virtual Server d/b Server with Credential Repository Local PACS Client Controllers Gates Readers Doors Freight Elevator

15 PKI Enabled Architecture Verify Private Key & Enroll HASH of Certificate Validate Certificate Status Frequently OCSP Match FASC-N & Enrolled HASH with Real Time HASH Read PIV Verify Private Key & Create Real Time HASH

16 One Click Enrollment (12 Seconds)

17 Controller Cabinet Before and After

18 GSA Des Moines Summary Installed Ahead of Original Completion Date On Budget No Fork Lifting of the Legacy Infrastructure Saved a Server Highly Compliant Easy Transition Security: 1-F PIV During the Day and 2-F PIV + PIN to PIV at Night PKI Enabled no Cost to go PKI Live

19 Lessons Learned Have Good People Have a Good Plan Smooth the Transition - Enroll in Advance - Always Capture Certificates - Install Authenticating Readers/Controllers Always More Work to do Mike L. Can Smile Installed on schedule. FSC and tenants very satisfied with system changeover and ease of use. ~ M.L.

20 GSA is Eating the HSPD-12 Dog Food