www.FiXs.org
DoD & FiXs
Identity Superiority
Implementing common authentication now & into the future.
UNCLASSIFIED
FiXs - The Federation for Identity & Cross-Credentialing Systems
A 501(c)6 not-for-profit trade association initially formed in 2004 in collaboration with the Department of Defense to provide secure & inter-operable use of identity credentials between & among government entities & industry.
A coalition of diverse companies/organizations supporting development & implementation of inter-operable identity cross-credentialing standards & systems.
Members include: government contractors, technology companies, major financial firms, not-for-profit organizations, Department of Defense, General Services Administration, State Governments, etc.
FiXs is a Standards Organization
✓ Complete Governance structure for member firms.
✓ Certification standards for creating identity credentials & securing personal identifying information.
✓ A secure network switch through which transactions can be passed.
✓ Standards for interfacing with the network switch.
✓ Network access to certified service providers & sponsors of individuals holding certified credentials.
✓ Clearinghouse for objective consideration of technologies, business processes, rules & requirements.
Federal Acquisition Regulations (FAR) 4.1301 Contract clause: The contracting officer shall insert the clause at 52.204-9, Personal Identity Verification of Contractor Personnel, in solicitations and contracts when contract performance requires contractors to have physical access to a federally controlled facility or access to a Federal information system.
52.204-9 Personal Identity Verification of Contractor Personnel
(a) The Contractor shall comply with agency personnel identity verification procedures identified in the contract that implement Homeland Security Presidential Directive-12 (HSPD-12), Office of Management and Budget (OMB) guidance M-05-24, and Federal Information Processing Standards Publication (FIPS PUB) Number 201.
(b) The Contractor shall insert this clause in all subcontracts when the subcontractor is required to have physical access to a federally-controlled facility or access to a Federal information system.
The Foundation
In January 2006 FiXs entered into a formal Memorandum of Understanding (MOU) with the Department of Defense which established terms & conditions under which FiXs & DoD will use their respective systems as part of an identity suite of systems.
The terms & conditions include: an operational framework for inter-operability between DoD & FiXs; specific operational responsibilities; and, governance structure.
IATO (Interim Authority to Operate) granted by DMDC in July 2007.
Governance Structure
✓ Defined Trust Model
✓ Operating Rules
✓ Security Guidelines
✓ Policy Standards, including Privacy Act compliance
✓ Technical Architecture Specifications & Standards
✓ Implementation Guidelines
The Basic Principles
Individual personal identifying information, such as biometrics, SSN, & other unique personal identifying information is captured once & accessed as required for authentication of identity.
This information is maintained in a federated manner, whereby there is no single database of every person’s identifying information. It is maintained in a distributed manner under the authority & control of the organization who “sponsors” the individual holding the credential.
Queries of this information can be “logged” to support privacy (like knowing when someone accesses your credit report).
Structured to emulate the ATM model of the banking industry.
Identity Federation between DCCIS & FiXs
[Federation diagram; recoverable labels only]
DoD/DMDC side: DCCIS Network; users are DoD employees with CAC cards; DoD/DMDC Issuers / Relying Parties; DoD Member System Networks.
FiXs side: FiXs Network (Member Companies / Association); users are member company employees w/ company (FiXs) badges; Member Issuance Facilities & Subscribers.
Meeting DoD Objectives
Credentials that can be trusted with confidence
“FiXs network fully operational for worldwide use in support of identity authentication purposes & applications” -- DMDC 16JUL07
“The DoD shall establish & maintain the ECA program to support the issuance of DoD-approved certificates to industry partners & other external entities & organizations.” -- DoDI 8520
Short term return on investment (ROI)
Existing highly available architectures for identity deployment & revocation information -- immediate cost avoidance of CAC issuance “outside of the fence”.
Meeting DoD Objectives (continued)
Fulfills need for personal security in a high-tech world
“Med H/W Assurance intended for applications operating in environments appropriate for med assurance but require higher degree of assurance & technical non-repudiation.” -- DoD CP
“ECA Policy Management Authority (EPMA) recognizes the need for non-DoD entities & personnel to interoperate w/ DoD PKI applications for the purpose of conducting business electronically w/ DoD.” -- DoD/ ECA MOA
Consistent with DoD Investments
Assurance of interoperability & convergence:
- DoD PKI Medium Hardware Assurance (CAC)
- ECA Medium Hardware Assurance
- Defense Cross Credentialing Identification System (DCCIS)
- FiXs Initial Operating Capability (IOC)
Distributed trust model DoD-wide:
- DoD PKI/ECA Root distribution
- Global Directory System (GDS)/Credential Validation
- FiXs Operating Rules - HSPD-12 compliant
- Defense National Visitor Center (DNVC) System
- Defense Biometric Identification System (DBIDS)
“The Medium Hardware Assurance tokens and associated certificates issued by the ECA Providers have the same assurance level as the certificates on a Common Access Card (CAC).” -- EPMA
FiXs Chain of Trust
Trust Anchors - Multiple Levels of Assurance
                     |                    PKI (Logical)
FiXs (Physical)      | DoD/ECA          | Federal                     | Private (FBCA)
Level 4 - High       | Medium Hardware  | FPCPF Common Hardware       | N/A
Level 3 - Med-High   | Medium Hardware  | FPCPF Common Hardware       | N/A
Level 2 - Medium     | Medium           | FPCPF Common & FBCA Medium  | FBCA High or Medium
Level 1 - Low        | N/A              | FPCPF Common                | FBCA Medium or Basic
Identity Authentication Architecture
[Architecture diagram; recoverable labels only]
Authentication Services: Authentication Station; Logical Access Control Systems [LACS]; Physical Access Control Systems [PACS]; Mobile Authentication.
Customers: Participant; Sponsor; Authenticator; Adjudicator.
Enrollment Services: Pre-Enrollment; Card Capture (10 Print Scanner, Camera, Fingerprint Sensor, Card Reader, Signature); Card Finalization Services; Enrollment Data.
FiXs Infrastructure Domain: Enrollment Server [FDS]; FiXs Trust Broker [FTB]; Trust Gateway Brokers (TGB); Helpdesk; E-Authentication Services; Verification Transactions.
FiXs Domain of Governance & Mgmt.: Identity Mgmt. System [IDMS]; Card Mgmt. System [CMS].
Participating domains: Dept. of Defense; Civilian Agencies; First Responder; Health Care; Gov & Industries.
Card production & support: Inventory & Distribution; CRL/OCSP; Key Mgmt.; Card Mfgr.; Card Printing; Government/Commercial PKI Certificates; Card Production; Investigation Services.
Certified & Accredited Subsystems
FiXs Network - DMDC has successfully completed the final testing of the Government to Business interface between DMDC & the FiXs network. With the completion of this testing, the Defense Cross Credentialing Identification System (DCCIS) infrastructure & its interface to the FiXs network are now fully operational for worldwide use in support of identity authentication purposes and applications.
Credential Issuers (CI) - Each CI undergoes an extensive & complete review in accordance with the highest industry standards that covers all requirements of the proposed solution. This is documented in detailed Certification & Accreditation (C&A) reports.
Authentication Station - FiXs certified authentication stations enable FiXs & Department of Defense (DoD) CAC credentials to be verified & accepted for physical access authentication purposes by implementing the cross-credentialing services supported by this combined network. Final decisions on physical access privileges, whether at a government or vendor site, are local decisions.
Multi-Level Vetting & Access Control
All certificates on a FiXs credential include an Organizational Unit that identifies the FiXs assurance level as follows:
ou=FiXs4, for FiXs credentials asserting FiXs equivalent “High”
ou=FiXs3, for FiXs credentials asserting FiXs equivalent “Medium High”
ou=FiXs2, for FiXs credentials asserting FiXs equivalent “Medium”
ou=FiXs1, for FiXs credentials asserting FiXs equivalent “Low” (not recommended)
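The OU convention above lets a relying party read the asserted assurance level straight out of the certificate subject and compare it with its own local minimum, which is where the "final decisions are local" point from the previous slide becomes concrete. The following is an added example, not FiXs or DoD code: it parses an RFC 4514 style subject DN, maps the FiXs OU to its level, refuses the "not recommended" FiXs1 level outright, and treats a subject with no FiXs OU, or with two conflicting ones, as asserting nothing. The sample DNs are constructed for illustration; the example assumes the certificate chain has already been validated to the appropriate trust anchor and its revocation status checked, since a name-based check alone proves nothing.

```python
import re
from typing import List, Optional, Tuple

# Mapping from the OU value (compared case-insensitively) to the FiXs level,
# as stated on the slide: FiXs4=High ... FiXs1=Low (not recommended).
FIXS_OU_LEVELS = {"fixs4": 4, "fixs3": 3, "fixs2": 2, "fixs1": 1}
LEVEL_LABELS = {4: "High", 3: "Medium High", 2: "Medium", 1: "Low"}

# Split on ',' (between RDNs) and '+' (inside a multi-valued RDN) only when
# the separator is not backslash-escaped.
_RDN_SEP = re.compile(r"(?<!\\),")
_AVA_SEP = re.compile(r"(?<!\\)\+")


def parse_dn(subject_dn: str) -> List[Tuple[str, str]]:
    """Parse a string DN such as 'CN=Jane Doe,OU=FiXs3,O=FiXs,C=US' into
    (attribute, value) pairs. Handles escaped ',' and '+' in values; hex-encoded
    values are not needed for the OU values discussed here and are not handled."""
    pairs = []
    for rdn in _RDN_SEP.split(subject_dn):
        for ava in _AVA_SEP.split(rdn):
            if "=" not in ava:
                raise ValueError(f"malformed RDN component: {ava!r}")
            attr, value = ava.split("=", 1)
            value = value.strip().replace("\\,", ",").replace("\\+", "+")
            pairs.append((attr.strip().upper(), value))
    return pairs


def fixs_assurance_level(subject_dn: str) -> Optional[int]:
    """Return the FiXs level asserted by the subject, or None when no FiXs OU is
    present or when more than one distinct FiXs level is asserted (an ambiguous
    assertion is deliberately treated as no assertion at all)."""
    levels = set()
    for attr, value in parse_dn(subject_dn):
        if attr == "OU" and value.lower() in FIXS_OU_LEVELS:
            levels.add(FIXS_OU_LEVELS[value.lower()])
    if len(levels) != 1:
        return None
    return levels.pop()


def relying_party_decision(subject_dn: str, minimum_level: int) -> Tuple[bool, str]:
    """Local access policy for an already chain-validated, unrevoked certificate
    (assumed done elsewhere). FiXs1 is refused regardless of the configured
    minimum because the slide marks it 'not recommended'. Returns (allowed, reason)."""
    level = fixs_assurance_level(subject_dn)
    if level is None:
        return False, "no unambiguous FiXs assurance OU in certificate subject"
    label = LEVEL_LABELS[level]
    if level == 1:
        return False, f"FiXs level 1 ({label}) is not recommended; refused by local policy"
    if level < minimum_level:
        return False, f"FiXs level {level} ({label}) is below required level {minimum_level}"
    return True, f"FiXs level {level} ({label}) meets required level {minimum_level}"


if __name__ == "__main__":
    # Constructed sample subjects (hypothetical names and organisations).
    samples = [
        "CN=Jane Doe,OU=FiXs3,OU=Example Contractor Inc,O=FiXs,C=US",
        "CN=Doe\\, Jane,OU=fixs2,O=FiXs,C=US",           # escaped comma, odd case
        "CN=John Smith,OU=FiXs1,O=FiXs,C=US",             # Low: always refused
        "CN=Nobody,OU=Example,O=Example,C=US",             # no FiXs OU at all
        "CN=Ambiguous,OU=FiXs4,OU=FiXs2,O=FiXs,C=US",     # conflicting OUs
    ]
    REQUIRED = 3  # e.g. a site that demands Medium High or better
    for dn in samples:
        allowed, reason = relying_party_decision(dn, REQUIRED)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {dn}\n      {reason}")
```

The minimum level is a per-site setting, which matches the slide deck's statement that physical access privileges remain local decisions; the only hard-coded refusal is FiXs1, because the page itself marks that level as not recommended.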
HSPD-12 Compliant Credential Management
FIPS 201 compliant lifecycle management of users, their identity devices, & associated credentials…
… with the strength of DoD Medium Hardware Assurance
Identity Superiority
Trusted Physical Access
[Card images] 2D barcode, 1D barcode & mag-stripe on back; RFID antenna.
Trusted Logical Access
“Hardware tokens [FiXs] & associated certificates issued by the ECA providers have the same assurance level as a Common Access Card (CAC).” -- EPMA
Verify Authenticate Validate
Robust Validation Infrastructure
[Validation infrastructure diagram; recoverable labels only]
FiXs Validation Service (Site 1 through Site N) with CRL update paths over ldap/ldaps and http/https; 20 plus FiXs compliant CRLs; 50 plus FiXs compliant PKI directories; alternative validation paths (OCSP); OCSP repeater; application servers reached over https; clients/workstations inside and/or outside the local area network.
Robust revocation processes
Credential issuers are required to maintain FiXs enrollment, control, administrative, REVOCATION, & audit information.
Maintenance & updating of the revocation information is the joint responsibility of the sponsoring organization & the Credential issuer.
Card & Certificate Revocation Lists issued immediately upon revocation.
“A revocation process must exist such that an expired or invalidated credential is swiftly revoked.”
Uniqueness Enforced Across the FiXs Network
X.500 DNs & Card Holder Unique Identifier (CHUID) Data Elements as stipulated in the FiXs implementation requirements.
FiXs Credential Issuers shall enforce credential uniqueness by ensuring: The applicant does not hold another active FiXs credential; The name contains the applicant’s identity & organization affiliation that is meaningful to humans; and, The naming convention is as described in the corresponding CP.
“FiXs is designated by DoD to assign organizational codes to commercial entities.”
Uniqueness Enforced Across the FiXs Network (cont.)
FiXs Credential Issuers will support special procedures that ensure that each individual holds only one active FiXs credential:
- Management personnel authorized to approve the issuance of a credential to an applicant (e.g., contracting officer or contracting officer’s technical representative).
- Collect a signed approval for the issuance of a credential to an applicant via digitally signed email from agency management personnel authorized to approve the issuance of a certificate to an applicant.
- Verify that a request for credential issuance to an applicant was submitted by management authorized to do so, by comparing the approval letter or email to the list of approved agency management personnel authorized to approve the issuance of a certificate to an applicant.
- Verify applicant’s employment through use of official records.
- Establish applicant’s identity by in-person proofing, based on the processes defined in the FiXs Operating Rules.
Interoperability Can be Achieved
Mandate common authentication scheme across DoD:
- Multi-level physical access via DCCIS/FiXs operating rules.
- All email in & out of DoD to be digitally signed by CAC equivalent.
- All sensitive information to be protected at Medium/Medium H/W Assurance.
Mandate DoD PKI/ECA & DCCIS/FiXs in DITSCAP/DIACAP evaluation:
- Mechanism to enforce current objectives.
- Ensures compliance as technologies mature.
- Maintains common security infrastructure.
Re-allocate funds anticipated to issue CAC to “outside the fence” contractors to relying applications & DNVC/ DBIDS authentication station deployment
Base Access – Today’s Problem
No uniform compliance
Vulnerability
Lack of vision: Who’s on - Who’s off
No threat flexibility
- DHS NIMS code deployment plan
- PX & commissary services
- Suppliers to docks
- Maintenance and repair access to grounds
Issues with base security
How do we protect our bases, balanced with ease of use? Easy, secure access for those who belong. Simple identification verification of visitors.
Identity assurance for contractors & suppliers must: Incorporate strong vetting for those that require base access. Follow DoD & Federal guidelines.
Access decisions must be automated & reliable.
The Base Commander is ultimately responsible, so how do we help: Improve decisions. Make it more secure, smarter & cost efficient.
Do we re-invent the wheel?
Identity assurance policy & standards have been developed.
Vetting & security is in place.
FiXs, DoD/ECA CAC, & HSPD-12: All are secure identities. All can be used for gate access. All provide 2 factor authentication.
It’s been done and decided; now let’s use it.
Value Proposition & ROI
✓ Easy business decision for CFO & CIO.
✓ Enterprise-wide capability & best practices.
✓ Security & Privacy of staff, systems, & facilities.
✓ Method for data security in compliance with latest identity authentication processes.
✓ Complies with FAR contract requirements.
✓ HSPD-12 and DoD PIP compliant.
✓ Leadership in a large and developing market on a matter that is of major national importance.
FiXs Members 2008
Commercial Entities
- AFCEA
- American Logistics Association
- AMERICAN SYSTEMS CORP.
- Booz Allen Hamilton
- ChoicePoint Government Services
- Covisint
- DSA, Inc.
- EDS
- Eid Passport, Inc.
- Imadgen, LLC
- Little River Management Group, LLC
- Lockheed Martin Corporation
- Mobilisa
- Northrop Grumman
- SAIC
- SRA International, Inc
- SRP Consulting Group, LLC
- Telos Identity Management Systems, LLC
- Unlimited New Dimensions, LLC
- Vuance, Inc.
- Wave Systems Corporation
- WidePoint Corporation [ORC]
- 3Factor, LLC
Government Advisors
Defense Manpower Data Center, DoD Office of Government-wide Policy, GSA CIO Office, State of Colorado
Contact Information
Dr. Michael Mestrovich, President - FiXs [email protected] 703 928 3157
Robert Martin, Corporate Secretary - FiXs [email protected] 703 321 6951
Dan Turissini, Board Member - FiXs [email protected] 703 246 8550