Your Complete Source for GSA Approved Identity Products

Audio from June 23 IAB meeting online now

FIPS 201 Administrator — Wed, 01 Jul 2009 08:11:00 -0400

The June meeting of the influential Government Smart Card Interagency Advisory Board (IAB) was recently held in Washington D.C. FIPS201.com was on hand to cover the event and has provided, as a service to the IAB and the smart card community, an audio recording of the presentations. Click on the link below to access a list of audio and accompanying PowerPoint slides (in pdf format).

Opening Remarks
Tim Baldridge, NASA

MP3: click here
The Four Bridges Forum
- Peter Alderman, FCBA
- Jeff Nigrini, Certipath
- Gary Seacrest, Safe BioPharma
- Scott Rea, HEBCA
PDF: click here

MP3: click here
PIV Standards Update
Bill MacGregor, NIST

PDF: click here

MP3: click here
Federally Interoperable Credentialing in Illinois
Dennis Glavin, CGN PM

PDF: click here

MP3: click here
Closing Remarks
Tim Baldridge, NASA

MP3: click here

GSA rolling out PKI validation service

FIPS 201 Administrator — Fri, 19 Jun 2009 08:56:00 -0400

The General Services Administration will unveil Central Certificate Validator program that will of perform certificate path discovery and validation (PD-VAL) in compliance with RFC 5280 in support of PKI-based authentication mechanisms described in FIPS 201.

The proof-of-concept of the Central Certificate Validator will be demonstrated to agencies, suppliers and other interested parties on July 21 at 2.00 pm ET at the GSA Auditorium at 1800 F Street Washington DC 20405. At this time, vendors will showcase interoperability of their products, such as handheld devices and computer applications, with this GSA validation service.

The Central Certificate Validator is based on RFC-5055 – “Server-based Certificate Validation Protocol” and makes it easier to deploy Public Key Infrastructure-enabled applications (in the case of PIV for physical and logical access) by delegating path discovery and/or validation processing to a server.

By implementing SCVP compliant client modules within Physical Access Control Systems or within the middleware for logical access, such organizations can leverage GSA’s CCV service to perform complete PKI certificate validation for a certificate in question prior to allow the credential-holder access.

An agenda for the event is available here.

Registration for the event is available here.

ActiveIdentity, Konica Minolta partner

FIPS 201 Administrator — Tue, 09 Jun 2009 11:11:00 -0400

Konica Minolta Business Solutions U.S.A. Inc., a provider of imaging and networking technologies for the desktop to the print shop, and ActivIdentity Corp., a provider of strong authentication and credential management, announced that they have co-developed a Personal Identification Verification-Compliant Card System that increases security and document control for customers using multifunctional products, such as print, copy, fax, and scan all in one system.

The ActivIdentity ActivClient security software is available to U.S. Department of Defense customers - as well as customers of other government agencies - using Konica Minolta multifunctional products. The PIV-Compliant Card System can be used in conjunction with the Common Access Card, as well as the next generation CAC, a PIV-Compliant Identification Card.

FIPS 201 for health credentials

FIPS 201 Administrator — Tue, 09 Jun 2009 11:11:00 -0400

By Salvatore D’Agostino, IDmachines

Interoperability among health care providers, payers and patients provides a great use case for high assurance interoperable credentials. Health care is a perfect use case for an identity credential and is a great opportunity to use the new PIV-I specification.

Any investment in health care IT has to realize this. Health care needs strong identity assurance yet most systems in the U.S. don’t make the investment in an identity infrastructure. The United States government needs to invest in infrastructure to identity management/privacy and civil liberties.

Some organizations have begun this, Mt. Sinai being a leader. Many countries have also done this; the U.S. has not. Unless the U.S. invests in strong identity, we won’t get the cost saving or improve health care and the U.S. will continue to be a laggard.

Please don’t give me another ID card, Web account, user name and password. Even scarier don’t accept federated IDs that don’t have any way of knowing who is establishing the accounts. Don’t make me get more certificates either. Can someone commit to identity infrastructure as part of the Health IT stimulus? That’s the gist of this.

IDmachines supports the efforts of the Smart Card Alliance and the Secure ID Coalition when they combined to deliver message that strong identity matters for any health IT effort at National Press Club briefing in Washington DC.

Credentialing matters when millions of individuals are involved in a program, surely this is the case as state and national health insurance programs grow. Strong privacy and security, interoperability and multi-use would be good things to have in a credential.

I don’t see any in the health market place. I access my health accounts (also Microsoft and Google “Vaults”) with user name and password or a bar code/number at a desk. Why can’t I use my government issued digital ID to log into these sites?

These are strong assurance credentials, background investigation and breeder document checks. The process is well defined and in my case the issuance procedures worked. I want to be able to use it. Organizations can have greater assurance of my identity when I use it.

I have an ability to logon, digitally sign communications and encrypt sensitive information. Please spare me from my endless usernames and passwords and changing them on a frequent basis, what a pain. Give me my PIN and biometric and chip and certificate(s) private key’s that I use for everything. Sounds uber-tech, well it’s the way in dozens of countries.

Estonia, despite - or maybe as a result of - getting cyber attacked is making a renewed investment. As I said, dozens of large scale programs including England, Italy, Belgium, Austrian health cards, German health cards, Brisbane driver license, Angola, Nigeria, Ivory Coast, it’s a long list. A lot of places are making the identity investment that will then be leveraged.

In the United States without a funded program, in the current economic conditions it’s not about whether it’s the “right” thing to do. The real question is why invest when you can just print a flash pass or bar code. I refer to why Mount Sinai would do it. I have heard Paul Contino before but he repeated this week. It always makes sense. To repeat again…

“Correctly identifying patients and their records is difficult just within a single hospital, but gets far worse between multiple institutions, according to a leading practitioner and specialist on the subject,” said Paul Contino, vice president, Information Technology, at Mount Sinai Medical Center in New York.

Paul cautioned that identity management must be addressed correctly up front or “we’re going to have problems with the linkages of electronic medical records” on a regional or even national basis. Mount Sinai revamped patient registration processes and implemented a smart card-based patient card to more accurately link individuals to their medical and administrative records.

In fact it’s completely irresponsible to invest in health information technology without doing it. The financial arguments are well established. Organizations implement new health IT applications can use PKI and PIV credentials. Soon the entire U.S. government will use it and a lot of people interact with it.

More information is available in Smart Card Alliance publications. “Effective Health care Identity Management: A Necessary First Step for Improving U.S. Health Care Information Systems” explains the current problems with identity management in health care and its costs. It also proposes solutions that leverage existing standards developed for other federal identity programs.

The newly published “Smart Card Technology in Health Care” frequently asked questions document outlines how the technology is used to manage patient identity and protect a health care consumer’s personal information.

SAFRAN Group receives PIV certification

FIPS 201 Administrator — Mon, 08 Jun 2009 11:02:00 -0400

SAFRAN Group’s Sagem Orga and MorphoTrak have received FIPS 201 approval of its technology for the PIV program.

The General Services Administration-approved products include smart cards and readers that satisfy security standards of the PIV program.

With the GSA certification, the two firms are now an official source of PIV smart cards, PIV logical and physical access readers, as well as template generator and matcher for federal agencies and other organizations required to adhere to the FIPS 201 standard.

Sagem Orga says its PIV cards may be purchased by federal agencies to comply with the HSPD-12 to issue a secure, interoperable smart card containing biometric data, cryptographic keys and personally identifiable information about the cardholder.

National Laminating unveils RF-blocking badge holder

FIPS 201 Administrator — Wed, 03 Jun 2009 11:24:00 -0400

National Laminating has launched a new radio frequency shielding, rigid, 2-card, non-metallic, lightweight badge holder.

The part, #RFSHIELD01, received FIPS 201 approval, on April 28, under the category of “Electromagnetically Opaque Sleeve” and is listed as #423 on the FIPS 201 Approved Products List.

National Laminating RF shielding badge holder is composed in part of renewable material made from wood pulp.

The RF shielding badge holder was designed to avoid the use of metal components. Feedback from federal agencies indicated a concern for safety issues associated with conductivity from metallic badge holders particularly in lab environments.

NASA's PIV project didn't meet fed rules

FIPS 201 Administrator — Wed, 03 Jun 2009 11:00:00 -0400

NASA’s Office of Inspector General released a report stating that the agency didn’t fully comply with federal regulations for the issuance of PIV credentials.

As of January, NASA had issued more than 70,000 credentials to staff and contractors, more than 98% of the PIV cards NASA planned to issue. The problem is the credential issuer had not been accredited because NASA did not fully comply with federal guidance.

If NASA’s PIV issuer reveals that the problems still exits the agency could be required to stop issuing credentials and reissue other cards at a minimum of a $1 million cost.

“NASA’s noncompliance with Federal guidance resulted from the lack of a project management plan for the Agency’s transition to HSPD-12 compliant cards. For example, NASA did not establish an implementation office to plan and coordinate project integration until July 2006–two years after HSPD-12 was signed and three months before the deadline for agencies to begin issuing HSPD-12 compliant identity cards,” the report states.

NASA also didn’t comply with its policy on incorporating new requirements into ongoing projects nor conduct a gap analysis to ensure that the ongoing common badging and access control projects incorporated HSPD-12 requirements. “In an effort to meet established deadlines, NASA implemented processes and systems that had not been adequately planned and, as a result, developed the system for producing PIV cards but did not complete the accreditation process for ensuring that the system subcomponents met Federal requirements for HSPD-12.”

There were also problems with the controls in the issuance process. NASA had one individual sponsoring and authorizing employees PIV cards, going against federal requirements, the report states. This issues has been resolved and two individuals are now performing this task.

There were also no audit trails put in place for the issuance process. “If the deficiencies identified are not corrected, the risk of NASA issuing PIV cards to individuals who have no legitimate need to access NASA’s facilities or systems could be increased.”

The full report can be downloaded here.

CGN & Associates assists Illinois with FIPS 201

FIPS 201 Administrator — Thu, 28 May 2009 11:37:00 -0400

CGN & Associates Inc., a business consulting firm, provided program management for the State of Illinois FIPS 201 Interoperable Secure Credentialing Project.

Last week the State of Illinois participated in the Federal Emergency Management Agency (FEMA) Office of National Capital Region Coordination (NCRC)’s, Spring Ahead, a Federal and Mutual Aid multi-jurisdictional electronic validation demonstration leveraging Federal Information Processing Standard (FIPS) 201-compliant and FIPS 201-interoperable credentials.

The State of Illinois participated in the Federal Emergency Management Agency (FEMA) Office of National Capital Region Coordination (NCRC)’s, Spring Ahead, a Federal and Mutual Aid multi-jurisdictional electronic validation demonstration leveraging Federal Information Processing Standard (FIPS) 201-compliant and FIPS 201-interoperable credentials.

CGN & Associates coordinated participants and technology support to deliver the State of Illinois portion of the demonstration. Illinois’ participation demonstrated the ability for state-wide emergency response officials to be validated using FIPS 201 interoperability standards.

A representative sample of Illinois-based emergency response officials from the emergency management, fire rescue, law enforcement, and critical infrastructure sectors reported to a simulated emergency operations center and presented smart credentials for electronic authentication and entry to the scene.

Also participating in the demonstration were Entrust, Inc. represented by Brent Crossland; Corestreet, Ltd. represented by Paul DeCrisanstis; and Salamander Technologies represented by Joseph Robinson, along with their partner, IdentiSys, represented by Joe Samuels. These companies provided on-site technical support for credential validation.

Illinois has developed the first state level, non-hosted, smart credential solution to achieve federal interoperability. Throughout the course of this project CGN & Associates managed stake holders and vendors, coordinated interagency cooperation, and oversaw intricacies in order to stand-up a credentialing solution to meet the new standards.

More than 30 organizations, in 20 locations across the United States, simultaneously participated in Spring Ahead, which consisted of eight scenarios.

CoreStreet tapped by Staten Island Ferry

FIPS 201 Administrator — Thu, 28 May 2009 09:12:00 -0400

CoreStreet, a provider of credential validation solutions, announced that its CoreStreet PIVMAN Solution has been chosen by the Staten Island Ferry for its Transportation Worker Identification Credential (TWIC) reader pilot program. Under terms of the agreement, the solution will be used by the ferry to validate TWIC cards at facility access control points.

Providing 20 million people per year with service between Staten Island and lower Manhattan, the Staten Island Ferry is one of the vessel operators participating in the program. Test results will be used to support the final TWIC reader rule which will establish requirements for all TWIC readers.

The CoreStreet PIVMAN Solution includes a portable TWIC reader running the CoreStreet PIVMAN Client software. The device reads the TWIC card and uses the TSA TWIC hotlist to determine the most current validity status of the card. The solution authenticates and validates FIPS 201-compliant or compatible cards and additionally allows for integration with existing Physical Access Control Systems (PACS), such as Lenel OnGuard.

The CoreStreet PIVMAN System is also the listed on the TSA TWIC Initial Capability Evaluation list, the FIPS 201 Approved Products List, the Department of Homeland Security Authorized Equipment List and the DHS Standardized Equipment List. The solution furthermore qualifies for DHS grant reimbursement under numerous programs, including the Port Security Grant Program.

TWIC was established by Congress through the Maritime Transportation Security Act, and is a common identification credential issued to workers and credentialed merchant mariners who require unescorted access to secure areas of ports, vessels and outer continental shelf facilities. Through the TWIC reader pilot program, TWIC card scanning systems will be evaluated in real-world security environments.

Episode 31: TWIC update

FIPS 201 Administrator — Tue, 26 May 2009 13:33:00 -0400

Comments for proposed rules for the Transportation Worker Identification Credential close today. Regarding ID Editor Zack Martin talked with U.S. Coast Guard Cdr. David Murk about the proposed rulemaking and some of the other latest developments with the credential.

Older podcasts.