Aviation security, counter-terrorism information sharing and FIPS 201
08 January, 2010
Would implementation of PIV based access control help improve the performance of the intelligence community?
By Salvatore D’Agostino, IDmachines
President Obama has characterized the 2009 Christmas Bomber incident as a failure on the part of the “system” to address a threat. Problems with information sharing again play the role of a major villain.
IDmachines wonders if the fundamental ability of PIV and PIV-I to improve creation, distribution and access to information is fully appreciated by the intelligence community and the Department of Homeland Security.
It’s a new decade and one that will clearly see the widespread adoption of PIV and PIV-I credentials across federal, state and local governments and critical infrastructure enterprises. By providing a common, trusted, standard, interoperable, high-assurance identity credential, FIPS 201 creates a straightforward path to information sharing.
The Department of Defense uses its version of PIV, known as the Common Access Card, for network log-on among its public key-enabled applications. Is this true for the wider intelligence community and the many data sources and individuals who need to network?
It seems that it’s time to mandate that all intelligence databases and Web sites leverage this standard for access. The PIV Authentication Certificate (which by definition is two-factor, certificate plus PIN) and an additional biometric on the credential can be used to authenticate a user to intelligence resources pretty easily.
The intelligence community, including the Department of Homeland Security, needs to make sure that those who need access have these credentials. They need to implement access control that uses them. They need to certify that their information technology infrastructure supports PIV and federated access. Information sharing is a fundamental benefit of PIV and is there for the taking with relatively minor investment. And it’s consistent with the federal enterprise architecture.
Now that it’s done, the next logical step is to expand the interoperability to critical infrastructure. By issuing PIV-I credentials to critical infrastructure, the same authentication methods and access control applications, policy and infrastructure could be used by all the sectors involved with the National Infrastructure Protection Plan and the Information Sharing and Analysis Centers.
Information sharing has to be based on standards for secure, high-availability access using generally available solutions. PIV and PIV-I do this now. Given recent events, an emphasis needs to be placed on getting this funded and done as quickly as practical.