Leveraging the LincPass in USDA


Leveraging the LincPass in USDA: Two-Factor Authentication, Digital Signature, Enterprise VPN, eAuth Single Sign-On
February 2010

USDA Takes Advantage of the LincPass

USDA is taking advantage of the LincPass (USDA's FIPS 201-compliant PIV card) for more than just identity.

Two-Factor Authentication
- First rolled out for laptop users, then to desktop computers
- Uses the LincPass plus PIN to authenticate to Agency domains (and soon for physical access)
- Integration with USDA eAuthentication

Digital Signature
- Uses the digital signature certificate on the LincPass
- Enables users to digitally sign documents (e.g., PDFs, Word documents) and emails
- Working with Agencies to streamline processes to take advantage of digital signatures and reduce paper shuffling
- Working with application developers and COTS providers to make use of LincPass digital signature capabilities

Innovations & Operational Architecture (IOA): Selection & Rollout

IOA Mission: Provide USDA-wide direction to identify, architect, and implement emerging technologies and solutions in a timely manner to enhance the delivery and quality of business.

[Figure: IOA selection process. Inputs (Agency Input, Federal Input, Policy & Regulation, Industry Trends, Emerging Technologies, FEA/FSAM Input) feed a Business Requirements Analysis and Portfolio Assessment against the Baseline Business Architecture and Baseline IT Architecture; a Gap Analysis and Portfolio Selection, under Governance (Direct, Select, Measure, Control), produce the Brief, Roadmap, Architecture, and Project Plan, with Communication throughout.]

[Figure: IOA rollout phases, with Communications running across all four.]
- Initiate: Project Charter, Preliminary Scope Statement, Business Cases, Deliverable List (WBS), Identify Stakeholders, Develop Use Cases, Requirements Specification, Detailed Process Maps. Deliverable: Business Case Version 2.0
- Plan: Communication Plan, Marketing Plan, Risk Management Plan, Quality Plan, Project Plan, Test Plan, Training Plan, Help Desk Plan, Transition Plan, Procurement Plan, Project Governance. Deliverable: Roadmap Version 2.0
- Execute: Direct and manage completion of deliverables; interaction, direction, and coordination with the implementation team. Deliverable: Architecture Version 2.0
- Transfer: Implement the Transition Plan, deliver the Operations Guide, operational governance (Quality Control & Change Control). Deliverable: Project Plan Version 2.0

Methodology
- Business need drives solution selection
- Project plans include design, testing and proof of concept (pilot), marketing, funding plans, and ownership agreements
- Rollout plans involve proactive engagement of agency leadership, technical staff, training and help desk staff, and users

Next Projects for LincPass Utilization

Enterprise VPN
- Enables remote access to USDA networks
- Employs network admission control policies to ensure both the user and the device are authorized
- Remote access to USDA networks requires two-factor user authentication, and the Enterprise VPN leverages the LincPass credential to meet this requirement

eAuthentication Single Sign-On
- USDA's eAuthentication Service (a key component of the USDA Identity, Credential, and Access Management (ICAM) vision) provides common authentication and single sign-on services for over 300 USDA web-based applications
- Level 1, 2, or 3 accounts have been issued to over 300,000 USDA employees, contractors, and external customers
- Will leverage the USDA LincPass as a Level 3 credential for USDA employees and contractors, resulting in single sign-on for those users

Status: Enterprise VPN

Initial Project Scope
- Implement a common remote network access solution for all USDA sub-agencies
- Implement enterprise-wide network admission control and endpoint health policies
- Leverage the LincPass to ensure two-factor user authentication

USDA Pilot Agencies: Farm Service Agency; Natural Resources and Conservation Service; Rural Development Agencies (Rural Housing Service, Rural Utilities Service, Rural Business-Cooperative Service); Food and Nutrition Service

Project Status
- Completed enterprise infrastructure deployment
- Completed user acceptance testing and integration with the LincPass
- Executing agency pilots
- Planning for full agency deployments

Benefits
- Two-factor user authentication for remote network access
- Network admission control and endpoint health monitoring
- Tight integration with USDA's Identity, Credential and Access Management (ICAM) solution
- Automated monitoring, auditing, and reporting capability to meet FISMA and A-123 requirements
- Compliance with NIST and Departmental policies on remote network access

Status: eAuthentication Single Sign-On

Initial Project Scope
- Expand the eAuthentication Service to leverage the LincPass as a Level 4 assurance credential
- Use the HSPD-12 PIV-I background investigation process to improve identity proofing

Project Status
- Completed solution development and testing
- Planning for initial agency pilot
- Schedule full Department deployment

Benefits
- LincPass integrated
- Increased security: level of access based on two-factor authentication
- Improved user experience: reduces the number of user ID and password credentials to remember
- Reduced Department help desk workload (password resets, forgotten user IDs, etc.)
- Single credential for both LACS and PACS (logical and physical access control systems)

Leveraging the LincPass in USDA for authentication, digital signing, and, in the future, encryption.

Status of Digital Signatures Project

Initial Project Scope
- Adobe Acrobat files and forms, versions 8 and 9
- Microsoft Office (Word, Excel, PowerPoint), versions 2003 and 2007
- Microsoft Outlook, versions 2003 and 2007

USDA Pilot Agencies
- OES: Federal Register publishing. Business process under review and approval.
- APHIS: Forms Integration Project development in research and planning.
- FS: FMMI and Paycheck8. Project in technical development and rollout planning.
- OASCR: General document management. Reviewing current business processes for integration.
- ARS: Application integration. Reviewing current applications for integration.
- OCIO: AAR management and submission. Business process under review for update and approval.

Project Status
- Completed proof of functionality, QA, and pilot rollout on Adobe and Microsoft products
- Completed project planning, rollout methodology, and processes
- Completed all documentation and training materials
- February 2010: Distribute communication to Agency CIOs on digital signatures
- March 2010: Developing policy with OCIO Cyber Security and OGC

Benefits
- LincPass integrated
- Assurance that the information has not been altered since it was signed
- Provides a digital signature certificate that can be used for a non-repudiable digital signature
- Verification of the signer's digital identity
- Efficient, time-saving, cost-reducing alternative to a wet-ink signature

Education at USDA: Electronic vs. Digital Signatures

The Digital Signature project helps Agencies implement digital signatures using the USDA LincPass.

Number 1 obstacle: Agencies don't understand the difference between electronic signatures and digital signatures (and vendors sometimes muddy the waters).

USDA's LincPass provides a digital signature certificate that can be used for a non-repudiable digital signature.

What is Non-Repudiation?

Non-repudiation: countering a claim that the signature is unauthorized or has no binding force.

Two common claims of repudiation:
- "Not me"
- "Not what I signed"

A non-repudiable signature offers reasonable assurance that it was the person who signed, and that the file, record, or transaction is unchanged from when it was signed.

What is an Electronic Signature?

Electronic signature: a token (sound, symbol, process) logically associated with an electronic record with the intent to sign the record.

Example: a travel tracking system with user ID/password access requires a manager to click a button labeled "Digital Signature" to approve travel for her staff. Problems: single-factor; the user ID is not traceable to anything, e.g., an official HR record or a PIV card.

- Authorized by law (e.g., the 1998 Digital Signature and Electronic Authentication Law (SEAL), the 1999 Uniform Electronic Transactions Act (UETA), the 2003 GPEA, etc.)
- Loose and variable standards make electronic signatures increasingly easy to forge or spoof
- Generally requires compensating controls and out-of-band identity validation (e.g., a wet-ink signature on a timesheet)

What is a Digital Signature?

Digital signature: a sub-category of electronic signatures that includes a cryptographic assurance of the originator's (author's) identity and an integrity check on the content received.

- Uses PKI for cryptographic assurance
- Extremely difficult to forge

Example: a travel tracking system with user ID/password access makes the manager digitally sign using her LincPass card when approving travel for her staff. This solves the security (repudiation) problems: two-factor authentication; the user ID is traceable (via the PKI infrastructure) to a known and verified identity in the HSPD-12 system; and any modification of the content is detected.

Assurance Levels, eAuthentication, and the USDA LincPass

Identity Assurance Levels (as defined by NIST SP 800-63): how sure you are of the identity of an individual, and that the person with whom you are interacting is that individual. Digital signatures are not related.

USDA eAuthentication: a software solution for authentication (is the user known?) and authorization (is the user allowed access?). Digital signatures are not related, and eAuth provides no support for them.

LincPass (PIV card): a hardware token solution that enables authentication (is the user known?) and has an electronic certificate on the card's chip that can pass along a digital representation of that identity. It is the tool that allows a user with an application (e.g., Outlook, Acrobat) to create digitally signed files.

PKI and Digital Signature

Public Key Infrastructure (PKI): the mechanism for digital signature verification.

1. GSA MSO's Certificate Authority (Root CA) issues a Digital Signature certificate on the LincPass card to Alice (identity verified during the LincPass enrollment step). Using the card's private key is two-factor: something Alice has (her LincPass) and something she knows (her PIN).
2. Alice digitally signs a Word document using her LincPass card (specifically, the private key paired with her digital signature PKI certificate), then sends the document to Beth. The signature attests that the document is unchanged since Alice signed it: any change to the file invalidates the signature.
3. When Beth opens the document, she sees that it is digitally signed, and Word shows the certificate is trusted. Specifically, Word checks that the certificate chains to a trusted root and is not on the GSA MSO Certificate Revocation List (CRL), then re-hashes the document and verifies the signature against that hash.

Non-repudiation comes from the combination of these properties, not from the integrity check alone: the private key stays on the card and can be used only with Alice's PIN, the certificate binds that key to an identity proofed at enrollment, and the signature fails if the content changes. Two caveats for implementers: the CRL used in step 3 must be current (one past its next-update time should be treated as stale, not as "no revocations"), and a signature that must remain verifiable after the certificate expires needs a trusted timestamp so the certificate's status at signing time can be established.
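The three-step flow above (issue, sign, verify), applied to the travel-approval case from the electronic vs. digital signature slides, as an added Go example that is not part of the USDA presentation. It assumes a locally generated root CA standing in for the GSA MSO CA, a software ECDSA key standing in for the private key on the LincPass chip (on the real card the key never leaves the chip), and constructed document text; Beth's side checks the chain, the CRL (including staleness), and the re-computed hash before accepting the signature, and rejects a tampered document and a revoked certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PKISim models the actors on the slide. RootCert/RootKey stand in for the GSA MSO CA;
// AliceKey stands in for the private key held on Alice's LincPass chip (assumption: a
// software key here, since this example has no card reader).
type PKISim struct {
	RootCert  *x509.Certificate
	RootKey   *ecdsa.PrivateKey
	AliceCert *x509.Certificate
	AliceKey  *ecdsa.PrivateKey
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a certificate from tmpl signed by signer and parses it back (parent == tmpl means self-signed).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// Setup is step 1: the root CA issues Alice a digital-signature certificate.
func Setup() *PKISim {
	now := time.Now()
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA (stand-in for GSA MSO)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	rootCert := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	aliceKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	aliceTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "Alice (identity proofed at enrollment)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		// digitalSignature plus contentCommitment (non-repudiation) key usage
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
	}
	return &PKISim{RootCert: rootCert, RootKey: rootKey,
		AliceCert: issue(aliceTmpl, rootCert, &aliceKey.PublicKey, rootKey), AliceKey: aliceKey}
}

// Sign is step 2: Alice signs the SHA-256 hash of the document with her private key.
func (s *PKISim) Sign(doc []byte) ([]byte, error) {
	h := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, s.AliceKey, h[:])
}

// IssueCRL has the root CA publish a CRL listing the given serial numbers as revoked.
func (s *PKISim) IssueCRL(revoked ...*big.Int) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour)}
	for _, sn := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: sn, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, s.RootCert, s.RootKey)
}

// VerifyDocument is step 3, Beth's side: chain to the trusted root, CRL freshness and
// membership, then re-hash the document and verify the signature with the certificate's key.
func (s *PKISim) VerifyDocument(doc, sig, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(s.RootCert)
	if _, err := s.AliceCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if s.AliceCert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("certificate is not a signing certificate")
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("crl: %w", err)
	}
	if err := crl.CheckSignatureFrom(s.RootCert); err != nil {
		return fmt.Errorf("crl signature: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return errors.New("crl is stale; refuse rather than assume no revocations")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(s.AliceCert.SerialNumber) == 0 {
			return errors.New("signing certificate has been revoked")
		}
	}
	// CheckSignature re-hashes doc with SHA-256 and verifies the ASN.1 ECDSA signature.
	if err := s.AliceCert.CheckSignature(x509.ECDSAWithSHA256, doc, sig); err != nil {
		return fmt.Errorf("signature: %w", err)
	}
	return nil
}

func main() {
	sim := Setup()
	doc := []byte("Travel approved for staff trip, FY2010") // constructed sample content
	sig, _ := sim.Sign(doc)
	crl, _ := sim.IssueCRL()
	fmt.Println("original:", sim.VerifyDocument(doc, sig, crl))
	tampered := append([]byte{}, doc...)
	tampered[0] ^= 0x01
	fmt.Println("tampered:", sim.VerifyDocument(tampered, sig, crl))
	revokedCRL, _ := sim.IssueCRL(sim.AliceCert.SerialNumber)
	fmt.Println("revoked :", sim.VerifyDocument(doc, sig, revokedCRL))
}
```

The order of checks matters: chain and revocation are evaluated before the content hash, so a valid-looking signature from a revoked card is rejected even though the bytes would verify. Treating a stale CRL as a failure is the conservative choice; a verifier that silently skips revocation when the CRL cannot be fetched gives "not me" claims room to succeed.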

More Information

For more information on USDA's projects that leverage the LincPass, contact:
Owen Unangst, Director, USDA Innovations and Operational Architecture
Owen.Unangst@ftc.usda.gov