Office of the Chief Information Officer: HSPD-12 Update

Office of the Chief Information Officer
HSPD-12 Update
April 19, 2006, SASIG Conference

Introduction to HSPD-12
- On August 27, 2004, a Homeland Security Presidential Directive was issued entitled HSPD-12, “Policy for a Common Identification Standard for Federal Employees and Contractors.”
- In response to HSPD-12, the National Institute of Standards and Technology (NIST) published Federal Information Processing Standards Publication 201 (FIPS 201) on February 25, 2005

Timeline
- October 27, 2005
  - Compliance with FIPS 201, Part 1
- Fall 2006
  - Begin deployment of smart cards
- October 27, 2006
  - Compliance with FIPS 201, Part 2
- October 27, 2007
  - Verify and/or complete background investigations on current employees and contractors
    - For Federal individuals employed for over 15 years: October 27, 2008
- Beyond
  - DOE Federal and contractor employees routinely use their smartcard to access buildings and computer systems
  - Interoperability with other Federal agencies

FIPS 201, Part 1 and FIPS 201, Part 2
- FIPS 201, Part 1 (PIV-I) describes the minimum requirements for a Federal personal identification system that meets the control and security objectives of HSPD-12
  - Personal identity proofing
  - Registration
  - Issuance
- FIPS 201, Part 2 (PIV-II) addresses the interoperability of PIV credentials and systems among departments and agencies
  - Having one credential as a basis for identity within and across federal domains

Why PIV-I?
- Mandated by HSPD-12 and FIPS 201
- Historically, agencies issued badges/credentials
  - To whoever they chose
  - Verifying the person’s identity however they chose
- A Federal identity proofing standard allows a baseline of trust between agencies
- DOE will know that a person from another agency with a PIV Card
  - Has had their fingerprints checked by the FBI
  - Has had a successfully adjudicated NACI (or at least pending)
  - Has had their identity source documents verified

FIPS 201, Part 1: Identity Proofing, Registration, and Issuance Process
- All agencies will adopt and use an approved identity proofing and registration process
- An individual must appear in person at least once before the issuance of a credential
- At a minimum, a National Agency Check with Inquiries (NACI) must be initiated and the FBI fingerprint check has to be completed before credentials are issued
- No single individual has the capability to issue a credential without the cooperation of another authorized person

Fingerprint Check Timeliness
- PIV credentials can only be issued after fingerprint check results have been returned
- Currently, fingerprints must be submitted to OPM, which forwards them to the FBI; the results are then returned
- The “2 day turnaround” does not include OPM processing time
  - Optimistic assumption that results could be returned quickly
- Average turnaround time is 16.5 business days for HQ
- Discussions are underway between DOE and OPM to reduce the turnaround time and to discuss electronic submission of fingerprints

PIV Reciprocity
- For individuals hired after October 27, 2005
  - A PIV badge can be issued under reciprocity if an individual has had either
    - A prior federal agency NAC within the last 15 years, or
    - A government security clearance within the last 15 years
  - Documentation of the results of the NAC or clearance BI is kept in the PIV file
- Reciprocity verification, if possible, reduces wait time

PIV-II Card Physical Attributes
- Physical Card
  - Common ‘look and feel’ across the Federal government
    - With areas set aside for agency specific information
  - Common color coding scheme for employee affiliation
    - Blue – foreign nationals
    - Red – emergency responder officials
    - Green – contractors
  - Must meet ANSI and ISO standards for physical durability
  - Tamper resistant security features (e.g. optically variable structures)
  - Magnetic stripe and bar code for legacy support
  - Contact and contactless interface

PIV-II Card Topography

PIV-II Logical Credentials
- CHUID (Card Holder Unique Identifier)
  - Extends the address space for SEIWG-012
  - Designed for Federal interoperability
  - Read through contact or contactless interface
- PIV Authentication Certificate (and associated public/private keys)
  - PKI certificate issued from a Federally certified PKI provider
  - Read through contact interface
- PIN
  - Personal Identification Number to unlock the PIV Card
- Two fingerprints
  - Electronic template generated from fingerprint minutiae
  - Read through contact interface only after PIN unlock
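As an added illustration (not code from the presentation, DOE, or NIST), the following Python model encodes the read rules the slide lists for each logical credential: the CHUID is readable over either interface, the authentication certificate only over the contact interface, and the fingerprint templates only over the contact interface and only after the PIN has unlocked the card. The object names, the sample PIN, the placeholder contents and the rule that a PIN unlock ends when the card leaves the reader are assumptions of the example, not statements from the slide.

```python
"""Toy model of PIV-II data-object access rules (added example, not DOE/NIST code).

It shows why a contactless badge reader can obtain the CHUID but never the
biometric templates, and why even a contact reader gets the templates only
after a successful PIN verification.
"""
from dataclasses import dataclass
from enum import Enum
from hmac import compare_digest
from typing import Dict, FrozenSet, List, Optional, Tuple


class Interface(Enum):
    CONTACT = "contact"
    CONTACTLESS = "contactless"


@dataclass(frozen=True)
class DataObject:
    name: str
    interfaces: FrozenSet[Interface]  # interfaces the object may be read over
    pin_required: bool                # must the card be PIN-unlocked first?


# Access rules for the credentials listed on the slide.
PIV_OBJECTS: Dict[str, DataObject] = {
    "CHUID": DataObject("Card Holder Unique Identifier",
                        frozenset({Interface.CONTACT, Interface.CONTACTLESS}), False),
    "PIV_AUTH_CERT": DataObject("PIV Authentication Certificate",
                                frozenset({Interface.CONTACT}), False),
    "FINGERPRINTS": DataObject("Fingerprint minutiae templates",
                               frozenset({Interface.CONTACT}), True),
}


class PivCard:
    """Card holding constructed placeholder contents and enforcing the rules above."""

    def __init__(self, pin: str):
        self._pin = pin            # constructed sample PIN (assumption)
        self._unlocked = False
        # Constructed placeholder contents; real objects are encoded structures.
        self._contents = {
            "CHUID": b"constructed CHUID",
            "PIV_AUTH_CERT": b"constructed X.509 certificate",
            "FINGERPRINTS": b"constructed fingerprint templates",
        }

    def verify_pin(self, pin: str) -> bool:
        """Unlock PIN-protected objects; compare in constant time."""
        self._unlocked = compare_digest(pin.encode(), self._pin.encode())
        return self._unlocked

    def power_off(self) -> None:
        """Assumption: the unlock does not survive removal from the reader."""
        self._unlocked = False

    def can_read(self, obj: str, iface: Interface) -> Tuple[bool, str]:
        rule = PIV_OBJECTS.get(obj)
        if rule is None:
            return False, "unknown object %s" % obj
        if iface not in rule.interfaces:
            return False, "%s is not available over the %s interface" % (rule.name, iface.value)
        if rule.pin_required and not self._unlocked:
            return False, "%s requires PIN unlock first" % rule.name
        return True, "ok"

    def read(self, obj: str, iface: Interface) -> Optional[bytes]:
        ok, _ = self.can_read(obj, iface)
        return self._contents[obj] if ok else None


def simulate_session(pin: str = "123456", wrong_pin: str = "000000") -> List[Tuple[str, bool, str]]:
    """Walk a reader through the cases the slide implies; return (step, allowed, reason)."""
    card = PivCard(pin)
    log: List[Tuple[str, bool, str]] = []

    def attempt(label: str, obj: str, iface: Interface) -> None:
        ok, reason = card.can_read(obj, iface)
        log.append((label, ok, reason))

    attempt("CHUID over contactless (door reader)", "CHUID", Interface.CONTACTLESS)
    attempt("certificate over contactless", "PIV_AUTH_CERT", Interface.CONTACTLESS)
    attempt("fingerprints over contact, no PIN", "FINGERPRINTS", Interface.CONTACT)
    ok = card.verify_pin(wrong_pin)
    log.append(("wrong PIN", ok, "unlocked" if ok else "PIN rejected"))
    ok = card.verify_pin(pin)
    log.append(("correct PIN", ok, "unlocked" if ok else "PIN rejected"))
    attempt("fingerprints over contact after PIN", "FINGERPRINTS", Interface.CONTACT)
    attempt("fingerprints over contactless after PIN", "FINGERPRINTS", Interface.CONTACTLESS)
    card.power_off()
    attempt("fingerprints over contact after card removal", "FINGERPRINTS", Interface.CONTACT)
    return log


if __name__ == "__main__":
    for step, allowed, reason in simulate_session():
        print("%-50s %s (%s)" % (step, "ALLOWED" if allowed else "DENIED", reason))
```

The two checks in `can_read` are deliberately separate: an interface restriction is enforced by the card regardless of PIN state, so a PIN-unlocked card still refuses the templates over the contactless interface, which is the property a physical access system relies on.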

PIV-II Infrastructure: Making everything work together
- Technically
  - Since February 2005, NIST has released 10 documents for PIV
  - Including revisions to FIPS 201 and SP 800-73, “Interfaces for PIV”
- Policy
  - OMB has issued
    - 05-24, Implementing PIV
    - 06-06, Model privacy documents
  - GSA has issued (or is about to issue)
    - Acquisition memo ‘highly encourages’ the use of GSA approved products
    - Two FAR (Federal Acquisition Regulation) clauses
  - NIST is responsible for conformance testing of technical interfaces
  - GSA is responsible for interoperability and performance testing of PIV products
- Cost efficient
  - Recent effort to drive down agency implementation cost by sharing resources

HSPD-12 Components: PIV-I and PIV-II
Legend:
- CMS – Card Management System
- CPS – Card Printing System
- CRL – Certificate Revocation List
- IDM – Identity Management
- IDMS – Identity Management System
- LACS – Logical Access Control System
- OCSP – Online Certificate Status Protocol
- PACS – Physical Access Control System
- PKI – Public Key Infrastructure
- SSO – Single Sign On
- WKS – Workstation

Executive Steering Committee
- Executive Sponsors: OMB, USDA, DHS, GSA, DOD, DOC, VA
- Objectives:
  - Reduce total Federal cost of HSPD-12
  - Establish shared government-wide infrastructure, policies and procedures to meet the 10/06 deadline
  - Ensure government-wide interoperability
- Strategy:
  - Establish cost estimate
  - Inventory existing Federal resources (including employees and contractors) and their geographic dispersal
  - Identify technical interfaces
  - Make final recommendations for agency action
  - Several sub-working groups
    - DOE represented on all
- ESC seems to be embracing PIV as a suite of services which can be purchased through a Federal or commercial provider

Agency Owned/Shared (preliminary)
Responsibilities divided between “DOE responsible for” and “Shared Services”:
- Our own security
- Registration services
- Background investigations
- Registration locations
- Sponsor notification
- Card Printing
- Authorization
- Card Management
- Card lifecycle management
- Physical/logical card readers
- Integration with existing physical and logical systems infrastructure
- Identity Management infrastructure
- PKI infrastructure

Agency Owned/Shared: Preliminary Core/Shared Components

Status of Federally Approved Products
- NIST conformance testing has begun
  - A handful of products have been pre-validated
- GSA interoperability and performance testing
  - Beginning in April
- Except for PKI certs and the Oberthur HSPD-12 Smart Card, as of April 17th there are no other approved products!
- GSA is assembling a FIPS 201 BPA to replace the existing smart card GWAC (expires in May)

DOE Policy
- Notice 206.3, Personal Identity Verification
  - Establishes PIV compliant identity proofing policy
- DOE has 2 Acquisition Letters in place
  - Acquisition Letter 2005-16, 10/04/05
    - Application of the identity proofing process to contractors
  - Acquisition Letter 2005-10, 7/7/05
    - Physical and logical access control procurement requires use of approved products
    - GSA and OMB “highly encourage” agencies to only buy FIPS certified and approved products
    - Coordination of procurement of anything related to access or identity management through the HSPD-12 PMO
- A FAR case is pending with similar procurement controls
- In progress
  - Standard PIV Request Form
  - Privacy Act System of Records Notice

HSPD-12 PMO
- CIO-led PMO operating for over a year
- Supported by
  - Office of Security and Safety Performance Assurance
  - Office of Management
  - Office of General Counsel
  - Office of Human Resources
- Biweekly field call (Thursdays 1-2 PM EST) to discuss HSPD-12, answer questions, etc.
- Public Web site: http://cio.doe.gov/HSPD-12/index.html
- Feedback on the FIPS 201 process is important as we move ahead
  - Processes that work
  - Processes that don’t work
  - Ways of improving
- Contact the PMO at HSPD12PMO@hq.doe.gov with questions, comments, etc.