FIPS 201 News
ICAM: A roadmap for FIPS 201 applications
Mission of new initiative is to help agencies, others put PIV credentials to use
The presidential directive ordering a standard, interoperable identification credential for federal employees is coming up on its sixth birthday. The deadline to have these Personal Identity Verification (PIV) credentials issued is more than a year old.
And while every federal employee may not yet be carrying around a PIV, there have been more than 4 million credentials issued. So it just makes sense that the next step should be creating use cases for the IDs.
“No two agencies are in the same place and no two agencies have the same need,” says Judith Spencer, chair of the Federal Public Key Infrastructure Steering Committee for the GSA. “So they need to figure out what they need to do and what needs to be applied.”
Enter ICAM or Identity, Credential and Access Management, a group of government officials co-chaired by the General Services Administration and Department of Defense and charged with aligning the identity management activities of the federal government.
- Augment policy and implementation guidance to agencies
- Establish federated identity framework for the federal government
- Enhance performance measurement and accountability within ICAM initiatives
- Provide government-wide services for common ICAM requirements
- Streamline collection and sharing of digital identity data
- Fully leverage PIV and PIV-I credentials
- Modernize physical and logical access infrastructures
- Implement federated identity capabilities
The organization released a “Roadmap and Implementation Guidance” document for officials late in 2009. Now ICAM is working on a more robust version of the implementation guidance, tentatively called Part B, which it hopes to complete by the end of September. “The Federal Government is operating in a constantly shifting threat environment–data breaches are all too common, identity theft is on the rise, and trust relationships are enforced in an inconsistent and hard-to-understand manner,” states the Roadmap.
The hope is that ICAM work will extend outside the federal space. “The resulting framework can be leveraged in other areas as well–promoting data security, privacy and the high-assurance authentication needed to support improvements in health care and immigration and to promote collaboration through secure information sharing and transparency in government,” the document states.
The PIV is an essential component to ICAM. Some 4.1 million federal employees, or 71%, have been issued credentials, according to the Fiscal Year 2011 Federal Budget. The ICAM Roadmap is also cited in the budget, a fact that highlights just how ingrained the PIV credentials are with federal employees.
“The ICAM roadmap, issued in November 2009, outlines a number of transition activities for agencies to complete,” the document states. “It also serves as an important tool for providing awareness to external mission partners and driving the development and implementation of interoperable solutions. ICAM solutions will leverage the existing investments in the federal government while promoting efficient use of tax dollars when designing, deploying and operating ICAM systems.”
In preparation for the September issuance of the implementation guidance Part B, six different ICAM working groups have been created:
- The Federation Interoperability Working Group is looking at business rules and requirements for how agencies will establish reciprocal trust agreements so credentials can be used at other agencies, Spencer says.
- The Architecture Working Group is developing “how to’s” and expanding the new technical architecture of the credentials. The group is also working on 11 use cases for the credential, Spencer says.
- The Federal PKI Authority Working Group is looking at strong-assurance technology and administering the federal PKI policies.
- The Roadmap Development Team is reviewing the development and content of the ICAM Roadmap and Implementation Guidance.
- The Citizen Outreach Focus Group is working on recommendations concerning solutions for government-to-citizen interaction and how ID technology may play a role in the future.
- The Logical Access Working Group is developing guidance and best practices to assist agencies in implementing log on/authentication capabilities using PIV cards.
The ICAM roadmap also details some of the benefits agencies will experience via the implementation of ICAM systems and technology:
- Increased security, which correlates to reduction in identity theft, data breaches, and trust violations.
- Compliance with laws, regulations, and standards as well as resolution of issues highlighted in GAO reports of agency progress.
- Improved interoperability, specifically between agencies using their PIV credentials along with other partners carrying PIV-Interoperable or third-party credentials that meet the requirements of the federal trust framework.
- Enhanced customer service, both within agencies and with their business partners and constituents.
- Elimination of redundancy, both through agency consolidation of processes and workflow and the provision of government-wide services to support ICAM processes.
- Increased protection of personally identifiable information by consolidating and securing identity data.
Where does PIV-I fit?
ICAM is also considering how the PIV-I will interact with government credentialing, says Steve Howard, vice president of operations at CertiPath. The architecture group is working with a PIV-I subgroup to figure out use cases for how the two credentials will work together. “Their goal is to come up with the governing requirements that will translate to certificate policy,” he says.
While PIV-I has been looked at as a standard for first responders and state officials, federal contractors will also be using it, Howard says. This makes interaction unavoidable.
ActivIdentity unveils PIV-I program
ActivIdentity Corp., a provider of strong authentication and credential management, announced that it has launched a PIV-Interoperable initiative to enable non-federal organizations to issue employee identity cards that are technically interoperable with U.S. government PIV systems, and issued in a manner that allows government and relying parties to trust the cards.
To address the newly defined PIV-I card standards, ActivIdentity has modified its ActivID Card Management System that is being used in conjunction with its ActivClient security software. Customers looking to deploy the ActivIdentity PIV-I credential management solution can also leverage the ActivIdentity PIV+ applet that enables PKI-based access control as well as one-time-password-based authentication on a single PIV-interoperable identity card. The ActivIdentity PIV+ applet together with the ActivID Card Management System and ActivClient are part of the government-approved product list.
As the PIV initiative progresses, PIV-I has become a requirement for commercial enterprises that interact with government agencies on a daily basis. Non-federal issuers of credentials need to produce employee IDs that can technically interoperate with government PIV systems and can be trusted by relying parties via cross-certification. However, the PIV card standard is limited in scope to the federal government and has several requirements that can be addressed only by that community.
In response to these interoperability requirements, the Federal CIO Council defined the standards for PIV-I cards for non-federal issuers. Several federally sponsored PIV-I programs already exist, including the First Responder Authentication Credential (FRAC), the Transportation Worker Identity Credential (TWIC), and the Airport Credential Interoperability Solution (ACIS). Many other programs are in development with the same desired goal of technical interoperability and trustworthiness in the Federal government PIV environment.
CoreStreet finalist for Info Security award
FIPS-201 F5 Solution, a CoreStreet Ltd. security system, has been announced as a finalist in the running for the 2010 Global Product Excellence award.
The award honors the product that shows excellence in the access solution category. CoreStreet, an ActivIdentity subsidiary, will be one of the primary industry players attending the Awards Event to take place on March 18.
The award looks for products that set the bar for other developments in security technologies. They recognize the CoreStreet FIPS-201 F5 Suite of products for advancing existing physical access control systems and making them functional.
Other features of the solution include credential compatibility for Personal Identity Verification cards, Common Access Cards, First Responder Authentication Credential cards and Transportation Worker Identification Credential cards.
Winners will be awarded at the Palace Hotel in San Francisco on March 18.
Homeland Security behind on PIV issuance
The U.S. Department of Homeland Security is behind on PIV issuance, according to an inspector general’s report. Only 7% of Homeland Security employees have been issued the credentials, 15,567 out of 250,000.
The deadline for PIV issuance was October 2008, and agencies throughout government are behind, but the inspector general’s report takes Homeland Security to task for falling behind. The vast majority of credentials, 11,875, have been issued to employees at Homeland Security’s headquarters. But Customs and Border Protection, the Transportation Security Administration and Immigration and Customs Enforcement have issued 22 credentials among the three agencies.
“Due to weak program management, including insufficient funding and resources, and a change in its implementation strategy, the department is well behind the deadline for fully implementing an effective HSPD-12 program,” the report states. “In addition, the department faces significant challenges in meeting HSPD-12 directive requirements for logical access to its information systems. Furthermore, system security and account management controls are not effective in protecting personally identifiable information collected and stored from unauthorized access. Existing security issues must be addressed to allow for the deployment of a robust, efficient, and secure interoperable identity card and issuance system department-wide.”
The report makes 15 recommendations to help the agency get credential issuance on track. Following are some of those recommendations:
- Ensure that the program management office has the staffing and funding necessary to effectively coordinate and oversee the department-wide implementation of HSPD-12.
- Develop a regional implementation plan that includes detailed information about how the program management office will centrally manage the department-wide deployment of its HSPD-12 program. The plan should identify milestone dates and define program measures to track HSPD-12 implementation progress.
- Discuss and coordinate with OMB on the department’s updated milestones and implementation of HSPD-12 requirements.
- Estimate the department-wide cost to comply with HSPD-12 and FIPS 201-1 requirements and prioritize the department’s costs to ensure that physical and logical access interoperability requirements will be met. The estimate should cover the funding and other resources necessary to support HSPD-12 over a period of no less than five years.
- Identify the facility access points and information systems that will require the use of PIV cards.
charismathics receives FIPS 201 approval
atsec information security is proud to announce the successful evaluation of charismathics’ Smart Security Interface PIV middleware. The evaluation followed the GSA FIPS 201 Evaluation Program - PIV Middleware Approval Procedure.
PIV middleware provides the interface between an agency’s logical access implementation and the PIV card. With the charismathics Smart Security Interface PIV, agencies can use the PIV card to log on to the PC as well as a variety of applications and systems to meet the FIPS 201 directives relating to logical access.
charismathics’ Smart Security Interface PIV middleware was tested through the NIST PIV Program, and evaluated for approval by the GSA FIPS 201 Evaluation Program. With the successful evaluation, it is now listed on the GSA FIPS 201 approved Products List and can be purchased by all federal agencies.
atsec certifies Codebench for FIPS 201 certification
atsec information security, a laboratory for the GSA FIPS 201 Evaluation Program which runs a product approval program for PIV-related products, has announced the successful GSA FIPS 201 evaluation of four Codebench products. Codebench is the first company with solutions evaluated for GSA product categories Caching Status Proxy, PIV Authentication System, and CHUID Authentication System.
Codebench’s PIVCheck Plus Desktop Edition with PIVCheck Certificate Manager, PIVCheck Plus Mobile Edition with PIVCheck Certificate Manager and PIVCheck Desktop Edition (both the SCVP Client and PIV Authentication System) were tested and evaluated in atsec’s Austin, Texas lab.
As a result of its evaluation, conducted on behalf of GSA, which ultimately grants the approval, atsec has determined that Codebench’s products meet FIPS 201 requirements.
These products are now listed on the FIPS 201 Evaluation Program Approved Products List, which only lists those products and services that are in compliance with the current version of the standard and its supporting NIST Special Publication 800-116, which provides recommendations for the use of PIV credentials in physical access control systems.
House passes cybersecurity bill
The U.S. House of Representatives passed the “Cybersecurity Enhancement Act of 2010” aimed at improving cybersecurity research, development and technical standards.
The proposed law would create an office for a national coordinator for the networking and information technology research and development program. The law would also establish a program to develop and support identity management efforts.
The bill states that a program should be set up that would support the development of standards around identity management, with a particular focus on health care.
The new director would have to:
- Improve interoperability among identity management technologies;
- Strengthen authentication methods of identity management systems;
- Improve privacy protection in identity management systems, including health information technology systems, through authentication and security protocols; and
- Improve the usability of identity management systems.
The House passed the bill 422-5 and it’s now going to the U.S. Senate.
SCM's small, portable smart card reader GSA approved
SCM Microsystems Inc., a provider of solutions for secure access, identity and exchange, announced that its thumb-sized SCR3500 SmartFold Personal Identity Verification/Common Access Card smart card reader has been approved by the General Services Administration for use by U.S. government agencies and employees.
The SCR3500 SmartFold is ideal for mobile government employees who have notebooks without integrated card readers. It is a small (only 48 x 20 x 12 millimeters when folded), portable contact smart card reader that will fit on employees’ key rings and in their pockets.
The reader is simply unfolded and inserted into a free USB port of a notebook. Then employees can insert their PIV/CAC card into the reader to enable secure access to government systems and data.
The SCR3500 SmartFold is now on the GSA Approved Products List which means the reader is compliant with all FIPS 201 and PIV/CAC card requirements, and is ready for purchase by government agencies and/or their purchasing agents.
Audio from January 27 IAB meeting online now
The January meeting of the influential Government Smart Card Interagency Advisory Board (IAB) was recently held in Washington D.C. FIPS201.com was on hand to cover the event and has provided, as a service to the IAB and the smart card community, an audio recording of the presentations. The presentations, offered as audio with accompanying PowerPoint slides (in PDF format) for some sessions, were:
- Opening Remarks: Tony Cieri
- Global Threat Intelligence: Phyllis Schneck, McAfee
- Digital Signature Lessons Learned: John Landwehr, Adobe
- Challenges of Identity Management for the Virtual Lifetime Electronic Record (VLER): Doug Felton, DoD/VA Integrated Program Office
- The Value of PKI: Judy Spencer, GSA
- New Initiative - Joint IAB/SCA meeting: Randy Vanderhoof, Smart Card Alliance
- Closing Remarks: Tony Cieri

