www.FiXs.org


DoD & FiXs

Identity Superiority

Implementing common authentication now & into the future.

FiXs - The Federation for Identity & Cross-Credentialing Systems (UNCLASSIFIED)

A 501(c)6 not-for-profit trade association initially formed in 2004 in collaboration with the Department of Defense to provide secure & inter-operable use of identity credentials between & among government entities & industry.

A coalition of diverse companies/organizations supporting development & implementation of inter-operable identity cross-credentialing standards & systems.

Members include: government contractors, companies, major financial firms, not-for-profit organizations, Department of Defense, General Services Administration, State Governments, etc.

FiXs is a Standards Organization

- Complete governance structure for member firms.

- Certification standards for creating identity credentials & securing personal identifying information.

- A secure network switch through which transactions can be passed.

- Standards for interfacing with the network switch.

- Network access to certified service providers & sponsors of individuals holding certified credentials.

- Clearinghouse for objective consideration of business processes, rules & requirements.


Federal Acquisition Regulations (FAR) 4.1301 Contract clause

The contracting officer shall insert the clause at 52.204-9, Personal Identity Verification of Contractor Personnel, in solicitations and contracts when contract performance requires contractors to have physical access to a federally controlled facility or access to a Federal information system.

52.204-9 Personal Identity Verification of Contractor Personnel

(a) The Contractor shall comply with agency personnel identity verification procedures identified in the contract that implement Homeland Security Presidential Directive-12 (HSPD-12), Office of Management and Budget (OMB) guidance M-05-24, and Federal Information Processing Standards Publication (FIPS PUB) Number 201.

(b) The Contractor shall insert this clause in all subcontracts when the subcontractor is required to have physical access to a federally-controlled facility or access to a Federal information system.

The Foundation

In January 2006 FiXs entered into a formal Memorandum of Understanding (MOU) with the Department of Defense which established terms & conditions under which FiXs & DoD will use their respective systems as part of an identity suite of systems.

The terms & conditions include:

- an operational framework for inter-operability between DoD & FiXs;
- specific operational responsibilities; and,
- governance structure.

IATO Granted by DMDC in July 2007.

Governance Structure

- Defined Trust Model

- Operating Rules

- Security Guidelines

- Policy Standards, including Privacy Act compliance

- Technical Architecture Specifications & Standards

- Implementation Guidelines

The Basic Principles

Individual personal identifying information, such as biometrics, SSN, & other unique personal identifying information is captured once & accessed as required for authentication of identity.

This information is maintained in a federated manner, whereby there is no single database of every person’s identifying information. It is maintained in a distributed manner under the authority & control of the organization who “sponsors” the individual holding the credential.

Queries of this information can be “logged” to support privacy (like knowing when someone accesses your credit report).

Structured to emulate the ATM model of the banking industry.

Identity Federation between DCCIS & FiXs

[Diagram: the DoD/DMDC DCCIS network (users: DoD employees with CAC cards; DoD member issuers & relying parties) federated with the FiXs Association network of member companies (users: member company employees with company FiXs badges; member issuance facilities & subscribers / system networks).]

Meeting DoD Objectives

Credentials that can be trusted with confidence

- "FiXs network fully operational for worldwide use in support of identity authentication purposes & applications" -- DMDC 16JUL07

- "The DoD shall establish & maintain the ECA program to support the issuance of DoD-approved certificates to industry partners & other external entities & organizations." -- DoDI 8520

Short term return on investment (ROI)

- Existing highly available architectures for identity deployment & revocation information -- immediate cost avoidance of CAC issuance "outside of the fence".


Meeting DoD Objectives (continued)

Fulfills need for personal security in a high-tech world

- "Med H/W Assurance intended for applications operating in environments appropriate for med assurance but require higher degree of assurance & technical non-repudiation." -- DoD CP

- "ECA Policy Management Authority (EPMA) recognizes the need for non-DoD entities & personnel to interoperate w/ DoD PKI applications for the purpose of conducting business electronically w/ DoD." -- DoD/ ECA MOA

Consistent with DoD Investments

Assurance of interoperability & convergence

- DoD PKI Medium Hardware Assurance (CAC)
- ECA Medium Hardware Assurance
- Defense Cross Credentialing Identification System (DCCIS)
- FiXs Initial Operating Capability (IOC)

Distributed trust model DoD-wide

- DoD PKI/ ECA Root distribution
- Global Directory System (GDS)/ Credential Validation
- FiXs Operating Rules - HSPD-12 compliant
- Defense National Visitor Center (DNVC) System
- Defense Biometric Identification System (DBIDS)

“The Medium Hardware Assurance tokens and associated certificates issued by the ECA Providers have the same assurance level as the certificates on a Common Access Card (CAC).” -- EPMA

FiXs Chain of Trust

Trust Anchors - Multiple Levels of Assurance

The FiXs (physical) assurance level and its equivalent PKI (logical) assurance levels under the DoD/ECA, Federal and Private (FBCA) trust anchors:

FiXs (Physical)     | DoD/ECA          | Federal                       | Private (FBCA)
Level 4 - High      | Medium Hardware  | FPCPF Common Hardware         | N/A
Level 3 - Med-High  | Medium Hardware  | FPCPF Common Hardware         | N/A
Level 2 - Medium    | Medium           | FPCPF Common & FBCA Medium    | FBCA High or Medium
Level 1 - Basic     | N/A              | FPCPF Common                  | FBCA Medium or Low

Identity Authentication Architecture

[Diagram of the architecture; recoverable component names only:]

- Authentication Services: Authentication Station, Mobile Authentication
- Customers: Logical Access Control Systems [LACS], Physical Access Control Systems [PACS]
- Participants: Sponsor, Authenticator, Adjudicator, Enrollment Officer, Finalization Officer
- Enrollment Services: Pre-Enrollment, Verification Transactions, Enrollment Data, Card Finalization (10 Print Scanner, Camera, Card Reader, Fingerprint Sensor, Signature Capture)
- FiXs Infrastructure: FiXs Domain Server [FDS], FiXs Trust Broker [FTB], Trust Gateway Brokers (TGB), Identity Mgmt. System [IDMS], Card Mgmt. System [CMS], Helpdesk, Governance & Mgmt.
- Customer domains: Dept. of Defense, Civilian Agencies, First Responder, Health Care, Gov & Industries
- Back-end services: Inventory & Distribution, CRL/OCSP, Key Mgmt., Card Mfgr., Card Printing, Government & Commercial PKI Certificates, Card Production, Investigation Services

Certified & Accredited Subsystems

FiXs Network - DMDC has successfully completed the final testing of the Government to Business interface between DMDC & the FiXs network. With the completion of this testing, the Defense Cross Credentialing Identification System (DCCIS) infrastructure & its interface to the FiXs network are now fully operational for worldwide use in support of identity authentication purposes and applications.

Credential Issuers (CI) - Each CI undergoes an extensive & complete review in accordance with the highest industry standards, covering all requirements of the proposed solution. This is documented in detailed Certification & Accreditation (C&A) reports.

Authentication Station - FiXs certified authentication stations enable FiXs & Department of Defense (DoD) CAC credentials to be verified & accepted for physical access authentication purposes by implementing the cross-credentialing services supported by this combined network. Final decisions on physical access privileges, whether at a government or vendor site, are local decisions.

Multi-Level Vetting & Access Control

All certificates on a FiXs credential include an Organizational Unit that identifies the FiXs assurance level as follows:

- ou=FiXs4, for FiXs credentials asserting FiXs equivalent "High"

- ou=FiXs3, for FiXs credentials asserting FiXs equivalent "Medium High"

- ou=FiXs2, for FiXs credentials asserting FiXs equivalent "Medium"

- ou=FiXs1, for FiXs credentials asserting FiXs equivalent "Low" (not recommended)
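The slide says only that the OU carries the assurance level and that the access decision is local. The following is an added example (not FiXs or DoD code) of how a relying party could read that OU out of a certificate subject DN and apply a per-resource minimum level. The numeric ranks, the policy of refusing FiXs1 outright, the sample DNs and the "deny when ambiguous" rule are assumptions of this example, not stated on the slide.

```python
import re
from typing import Optional

# FiXs assurance levels as asserted by the OU attribute on a FiXs credential.
# The OU names and labels come from the slide; the numeric ranks are an assumption.
FIXS_OU_LEVELS = {
    "FiXs4": (4, "High"),
    "FiXs3": (3, "Medium High"),
    "FiXs2": (2, "Medium"),
    "FiXs1": (1, "Low"),
}

# Split a string DN on commas that are not escaped with a backslash (RFC 4514 style).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Parse a string DN such as 'cn=Jane Doe,ou=FiXs3,o=FiXs,c=US' into
    (attribute, value) pairs, keeping their order and unescaping '\\,' in values."""
    pairs = []
    for rdn in _RDN_SPLIT.split(dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return pairs


def fixs_assurance_level(dn: str) -> Optional[tuple[int, str]]:
    """Return (rank, label) for the FiXs assurance OU in the DN, or None.
    Other OUs (company name, etc.) are ignored. A DN asserting two different
    FiXs levels is ambiguous and is treated as carrying no valid assertion."""
    found = {v for a, v in parse_dn(dn) if a == "ou" and v in FIXS_OU_LEVELS}
    if len(found) != 1:
        return None
    return FIXS_OU_LEVELS[found.pop()]


def access_decision(dn: str, required_rank: int) -> tuple[bool, str]:
    """Local access decision for one resource (assumed policy): grant only when the
    asserted level meets the resource's minimum, never accept FiXs1 (the slide marks
    it 'not recommended'), and deny when no single level is asserted."""
    level = fixs_assurance_level(dn)
    if level is None:
        return False, "no single FiXs assurance OU asserted"
    rank, label = level
    if rank == 1:
        return False, f"FiXs1 ({label}) not accepted by local policy"
    if rank < required_rank:
        return False, f"asserted {label} (FiXs{rank}) is below required FiXs{required_rank}"
    return True, f"asserted {label} (FiXs{rank}) meets required FiXs{required_rank}"


if __name__ == "__main__":
    # Constructed sample subject DNs; not real credentials.
    for dn, need in [
        ("cn=Jane Doe,ou=FiXs3,ou=Example Corp,o=FiXs,c=US", 2),
        ("cn=John Smith,ou=FiXs2,ou=Example Corp,o=FiXs,c=US", 3),
        ("cn=Visitor,ou=FiXs1,o=FiXs,c=US", 1),
        ("cn=Odd,ou=FiXs2,ou=FiXs4,o=FiXs,c=US", 2),
    ]:
        print(need, dn, "->", access_decision(dn, need))
```

In a real deployment the DN would come from the parsed certificate after signature and path validation; this snippet only covers the policy step that follows, and it deliberately fails closed on anything it does not recognise.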

HSPD-12 Compliant Credential Management

FIPS 201 compliant lifecycle management of users, their identity devices, & associated credentials…

… with the strength of DoD Medium Hardware Assurance

Identity Superiority

Trusted Physical Access

[Figure: credential card faces showing a 2D barcode, a 1D barcode & mag-stripe on the back, and an RFID antenna.]

Trusted Logical Access

"Hardware tokens [FiXs] & associated certificates issued by the ECA providers have the same assurance level as a Common Access Card (CAC)." -- EPMA


Verify Authenticate Validate

Robust Validation Infrastructure

[Diagram: the FiXs Validation Service (Site 1 through Site N) receives CRL updates over ldap/ldaps and http/https from 20 plus FiXs compliant CRLs and 50 plus FiXs compliant PKI directories, with alternative validation paths (OCSP). Application servers on the local area network are reached over https by clients/workstations inside and/or outside the LAN, with an OCSP repeater in the path.]

Robust revocation processes

Credentials issuers are required to maintain FiXs enrollment, control, administrative, REVOCATION, & audit information.

Maintenance & updating of the revocation information is the joint responsibility of the sponsoring organization & the Credential issuer.

Card & Certificate Revocation Lists issued immediately upon revocation.

“A revocation process must exist such that an expired or invalidated credential is swiftly revoked.”
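The slides state that revocation lists are issued immediately and that an invalidated credential must be swiftly revoked, but say nothing about how an authentication station consumes them. This added example (not FiXs, DMDC or DoD code) models a relying party that checks both a card revocation list and a certificate CRL and fails closed when a list is stale, future-dated or from the wrong issuer. The list structure, issuer name, identifiers, timestamps and the "both must pass" rule are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RevocationList:
    """Minimal model of a revocation list (card list or certificate CRL): the issuer
    that signed it, when it was produced, when a fresh copy is due, and the revoked
    identifiers with the time each revocation took effect. Signature verification is
    assumed to have happened before an instance is built."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: dict[str, datetime] = field(default_factory=dict)


def check_revocation(rl: RevocationList, identifier: str, issuer: str,
                     now: datetime) -> tuple[bool, str]:
    """Return (ok, reason). Anything that prevents a trustworthy answer is a failure,
    so a stale or mismatched list never results in an 'allow'."""
    if rl.issuer != issuer:
        return False, "revocation list is not from the credential's issuer"
    if now < rl.this_update:
        return False, "revocation list is dated in the future"
    if now > rl.next_update:
        return False, "revocation list is stale; refresh it before accepting"
    revoked_at = rl.revoked.get(identifier)
    if revoked_at is not None:
        return False, f"revoked at {revoked_at.isoformat()}"
    return True, "not revoked on a current list"


def validate_credential(card_id: str, cert_serial: str, issuer: str,
                        card_rl: RevocationList, cert_crl: RevocationList,
                        now: datetime) -> tuple[bool, str]:
    """Both the card and its certificate must pass: a revoked card with a certificate
    that is still valid (or vice versa) is denied."""
    checks = [
        ("card", check_revocation(card_rl, card_id, issuer, now)),
        ("certificate", check_revocation(cert_crl, cert_serial, issuer, now)),
    ]
    failures = [f"{what}: {why}" for what, (ok, why) in checks if not ok]
    if failures:
        return False, "; ".join(failures)
    return True, "card and certificate pass revocation checks"


# Constructed sample data: one issuer, one revoked card, one revoked certificate.
NOW = datetime(2008, 6, 1, 12, 0, tzinfo=timezone.utc)
ISSUER = "Example Credential Issuer"
CARD_RL = RevocationList(ISSUER, NOW - timedelta(hours=1), NOW + timedelta(hours=23),
                         {"CARD-0002": NOW - timedelta(minutes=30)})
CERT_CRL = RevocationList(ISSUER, NOW - timedelta(hours=1), NOW + timedelta(hours=23),
                          {"0x1f": NOW - timedelta(minutes=30)})


if __name__ == "__main__":
    print(validate_credential("CARD-0001", "0x1e", ISSUER, CARD_RL, CERT_CRL, NOW))
    print(validate_credential("CARD-0002", "0x1e", ISSUER, CARD_RL, CERT_CRL, NOW))
    print(validate_credential("CARD-0001", "0x1f", ISSUER, CARD_RL, CERT_CRL, NOW))
    # Two days later the lists are past next_update: deny until refreshed.
    print(validate_credential("CARD-0001", "0x1e", ISSUER, CARD_RL, CERT_CRL,
                              NOW + timedelta(days=2)))
```

The freshness check is what gives the "swiftly revoked" requirement teeth at the relying party: a station that keeps accepting credentials against an expired list silently extends the window in which a revoked credential still works.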

Uniqueness Enforced Across the FiXs Network

X.500 DNs & Card Holder Unique Identifier (CHUID) Data Elements as stipulated in the FiXs implementation requirements.

FiXs Credential Issuers shall enforce credential uniqueness by ensuring:

- The applicant does not hold another active FiXs credential;
- The name contains the applicant's identity & organization affiliation that is meaningful to humans; and,
- The naming convention is as described in the corresponding CP.

"FiXs is designated by DoD to assign organizational codes to commercial entities."

Uniqueness Enforced Across the FiXs Network (cont.)

FiXs Credential Issuer will support special procedures that ensure that each individual holds only one active FiXs credential:

- Management personnel authorized to approve the issuance of a credential to an applicant (e.g., contracting officer or contracting officer's technical representative)
- Collect a signed approval for the issuance of a credential to an applicant via digitally signed email from agency management personnel authorized to approve the issuance of a certificate to an applicant
- Verify that a request for credential issuance to an applicant was submitted by management authorized to do so, by comparing the approval letter or email to the list of approved agency management personnel authorized to approve the issuance of a certificate to an applicant
- Verify applicant's employment through use of official records
- Establish applicant's identity by in-person proofing, based on the processes defined in the FiXs Operating Rules

Interoperability Can be Achieved

Mandate common authentication scheme across DoD

- Multi-level physical access via DCCIS/ FiXs operating rules.
- All email in & out of DoD to be digitally signed by CAC equivalent.
- All sensitive information to be protected at Medium/ Medium H/W Assurance.

Mandate DoD PKI/ ECA & DCCIS/ FiXs in DITSCAP/ DIACAP evaluation

- Mechanism to enforce current objectives.
- Ensures compliance as technologies mature.
- Maintains common security infrastructure.

Re-allocate funds anticipated to issue CAC to "outside the fence" contractors to relying applications & DNVC/ DBIDS authentication station deployment.

Base Access - Today's Problem

No uniform compliance

Vulnerability

Lack of vision

- Who's on - Who's off

No threat flexibility

- DHS NIMS code deployment plan
- PX & commissary services
- Suppliers to docks
- Maintenance and repair access to grounds

Issues with base security

How do we protect our bases, balanced with ease of use?

- Easy, secure access for those who belong.
- Simple identification verification of visitors.

Identity assurance for contractors & suppliers must:

- Incorporate strong vetting for those that require base access.
- Follow DoD & Federal guidelines.

Access decisions must be automated & reliable.

The Base Commander is ultimately responsible, so how do we help?

- Improve decisions.
- Make it more secure, smarter & cost efficient.

Do we re-invent the wheel?

Identity assurance policy & standards have been developed.

Vetting & security is in place.

FiXs, DoD/ECA CAC, & HSPD-12:

- All are secure identities.
- All can be used for gate access.
- All provide two-factor authentication.

It's been done and decided; now let's use it.

Value Proposition & ROI

- Easy business decision for CFO & CIO.

- Enterprise-wide capability & best practices.

- Security & Privacy of staff, systems, & facilities.

- Method for data security in compliance with latest identity authentication processes.

- Complies with FAR contract requirements.

- HSPD-12 and DoD PIP compliant.

- Leadership in a large and developing market on a matter that is of major national importance.

FiXs Members 2008

Commercial Entities

- AFCEA
- American Logistics Association
- AMERICAN SYSTEMS CORP.
- Booz Allen Hamilton
- ChoicePoint Government Services
- Covisint
- DSA, Inc.
- EDS
- Eid Passport, Inc.
- Imadgen, LLC
- Little River Management Group, LLC
- Mobilisa
- SAIC
- SRA International, Inc
- SRP Consulting Group, LLC
- Telos Identity Management Systems, LLC
- Unlimited New Dimensions, LLC
- Vuance, Inc.
- Wave Systems Corporation
- WidePoint Corporation [ORC]
- 3Factor, LLC

Government Advisors

Defense Manpower Data Center, DoD Office of Government-wide Policy, GSA CIO Office, State of Colorado


Contact Information

Dr. Michael Mestrovich, President - FiXs; [email protected]; 703 928 3157

Robert Martin, Corporate Secretary - FiXs; [email protected]; 703 321 6951

Dan Turissini, Board Member - FiXs; [email protected]; 703 246 8550
