IDENTITY SUPERIORITY

Serving Commissaries, Exchanges, & Morale, Welfare, and Recreation

Presented at the: American Logistics Association National Convention

Presented By: Daniel E. Turissini CEO, Operational Research Consultants

October 20, 2008

What is FiXs?

Federation for Identity & Cross-Credentialing Systems

• 501(c)6 not-for-profit trade association
  – Founded in 2004 in collaboration with the Department of Defense
  – Collaborated with General Services Administration HSPD-12 effort
  – Provides inter-operable use of identity credentials among governments & industry partners
• A coalition of diverse companies/organizations creating inter-operable identity cross-credentialing standards & systems
  – Government contractors, companies, & financial firms
  – Not-for-profit & non-profit organizations
  – DoD, GSA, & State governments
• Trusted authority of standards, operating guidelines, & oversight of secure identity authentication network

FiXs Members/Advisors 2008

Commercial Entities
• AFCEA
• American Logistics Association
• American Systems
• Booz-Allen Hamilton
• ChoicePoint Government Services
• Covisint
• DSA, Inc.
• Daon
• EDS
• Eid Passport, Inc.
• Imadgen LLC
• Little River Management Group, LLC
• Corporation
• Mobilisa
• SAIC
• Secure Data Corporation
• SRA International, Inc
• SRP Consulting Group, LLC
• Telos Identity Management Solutions
• Unlimited New Dimensions, LLC
• Vuance, Inc.
• Wave Systems Corp.
• WidePoint Corporation
• 3Factor LLC

Government Advisors
• Defense Manpower Data Center, DoD
• Office of Government-wide Policy, GSA
• CIO Office, State of Colorado

And a growing number of subscribing members!

FiXs User Benefits & Responsibilities

• Benefits
  – Federated Solution
  – Trusted authentication at FiXs recognized locations & systems
  – Syndicated Investment
  – Syndicated Risk
  – Branded Transaction
  – Certified & Accredited Products/Services
• Responsibilities
  – Warrant Trustworthiness of Employees
  – Comply with Operating Rules

The Foundation

• January 2006 - Memorandum of Understanding (MOU) with DoD that established terms & conditions under which FiXs & DoD will use their respective systems as part of an identity suite of systems:
  – Operational framework for inter-operability between DoD & FiXs
  – Specific operational responsibilities
  – Governance structure
• Interim Authority To Operate (IATO) granted by DMDC in July 2007

A Common Access Infrastructure

Currently over 7 million people have CAC-compliant credentials.
As this number grows, opportunities for efficiencies skyrocket.

• Federal Government
• Trading Partners & Allies
• First Responders

Governance Structure

• Defined Trust Model
• Operating Rules
• Security Guidelines
• Policy Standards, including Privacy Act compliance
• Technical Architecture Specifications & Standards
• Implementation Guidelines

The Basic Principles

• Personally identifiable information (PII)
  – Capture of biometric, SSN, & other unique information
  – Write once/access many times = ID authentication & reduced sign-on

Structured to emulate the ATM model

• PII maintained in a federated manner
  – No single targeted database of personal information
  – Distributed under the authority & control of the sponsoring organization
  – Queries of this information can be “logged” to support privacy

Meeting DoD Objectives

• Credentials can be trusted with confidence
  – “… fully operational for worldwide use in support of identity authentication purposes & applications” -- DMDC ltr, 16JUL07
  – “establish & maintain the ECA program … to support the issuance of DoD-approved certificates to industry partners & other external entities & organizations.” -- DoDI 8520
• Short term return on investment (ROI)
  – Existing highly available architectures for identity deployment & revocation information accessibility
  – Most efficient ingress & egress to government facilities & systems
• Fulfills need for personal security in a high-tech world
  – “… intended for all applications operating in environments appropriate for medium assurance but which require a higher degree of assurance & technical non-repudiation.” -- DoD CP
  – Addresses “… the need for non-DoD entities & personnel to interoperate with DoD applications for the purpose of conducting business electronically with the DoD.” -- DoD/ECA MOA

Consistent with DoD Investments

• Assurance of interoperability & convergence
  – DoD PKI Medium Hardware Assurance (CAC)
  – ECA Medium Hardware Assurance
  – Defense Cross Credentialing Identification System (DCCIS)
  – FiXs Initial Operating Capability (IOC)
• Distributed trust model DoD-wide
  – DoD PKI/ECA Root distribution
  – Global Directory System (GDS)/Credential Validation
  – FiXs Operating Rules - HSPD-12 compliant
  – Defense National Visitor Center (DNVC) System
  – Defense Biometric Identification System (DBIDS)

Supports a safe, secure shopping environment overseas and stateside

4.1301 Contract clause. The contracting officer shall insert the clause at 52.204-9, Personal Identity Verification of Contractor Personnel, in solicitations and contracts when contract performance requires contractors to have physical access to a federally controlled facility or access to a Federal information system.

52.204-9 Personal Identity Verification of Contractor Personnel.

(a) The Contractor shall comply with agency personnel identity verification procedures identified in the contract that implement Homeland Security Presidential Directive-12 (HSPD-12), Office of Management and Budget (OMB) guidance M-05-24, and Federal Information Processing Standards Publication (FIPS PUB) Number 201.

(b) The Contractor shall insert this clause in all subcontracts when the subcontractor is required to have physical access to a federally-controlled facility or access to a Federal information system.

FiXs Provides ALA Members

• A seat at the table
  – Interface with DoD & GSA for identity assurance matters
  – Governance Structure between member organizations
  – Certification Standards for creating identity credentials consistent with Federal regulations
• A shared trusted network
  – Secure network switch
  – Standard interface with DoD & FiXs members
  – Access to certified providers, sponsors, & credential holders
• Clearinghouse for objective consideration of , business processes, rules & requirements

FiXs - Certified Credentials

[Figure: credential cards. Labels: Clear Contractor CAC Markings; FiXs; 2D, 1D barcode & mag-stripe on back; 2 RFID antenna]

“The Medium Hardware Assurance tokens and associated certificates issued by the ECA Providers have the same assurance level as the certificates on a Common Access Card (CAC).” -- EPMA

Value Proposition & ROI

• Easy business decision for CFO & CIO
• Enterprise-wide capability & best practices
• Security & Privacy of staff, systems, & facilities
• Method for data security in compliance with latest identity authentication processes
• Complies with FAR contract requirements
• HSPD-12 and DoD PIP compliant
• Leadership in a large & developing market on a matter that is of major national importance

ALA - FiXs Credential Use Case Assessment

• Company Profile
• People
• Use Case Interest
• Process
• IT Infrastructure
• Tools
• Key Organizations
• Priorities
• Current State
• Goals
• Requirements
• Future State

Value-added Services to ALA Membership

• Web-based Diagnostic for Identity Assurance
  – Available to each ALA member organization
  – Provided by FiXs member – AMERICAN SYSTEMS
• Confidential On-site Workshop
  – Focused current/desired future state requirements gathering gap analysis
  – Led by Senior Identity Assurance Consultants
• Roadmap
  – Focused snapshot of current and future state
  – Gap analysis, Quick Wins and increased ROI identified
  – Identify increased ROI opportunities, priorities & Quick Wins
• Non-intrusive & targeted towards a use case

Web-based Diagnostic

Identity Assurance Survey:
  – Web-based survey
  – Can be shared intra-organizationally for business requirements gathering, prioritization & pain identification
  – Detailed report summarizing initial findings
  – Can be fine-tuned for future phase use

On-site Workshop

Half-day workshop:
  – Led by Senior Identity Assurance consultant
  – Detailed requirements gathering, issue identification, and future state discussion
  – Initial requirements, achievable quick wins and ROI assessed
  – Preliminary Roadmap presented to clearly identify realistic next steps

How does ALA take advantage of this?

• Facility access
• Credit
• Employee ID
• Medical information
• Passport
• ID card
• Purchasing authority
• Rewards
• Insurance
• Debit
• Marketing
• Age verification
• Memberships
• Clearance
• Medical & drug benefits
• School ID
• Account access
• Computer security
• Digital signature
• Data encryption

As we continue to deploy common, strong personal digital identities, levels of permission can be granted to any online application with a high degree of confidence. This opens up endless possibilities for ALA to add value for their membership.

Summary

• Single card for access bases & Facilities

• No long lines/ reduced waiting times

• Physical & logical privileges

Questions?

We greatly appreciate your time & consideration, thank you.

Contact Information

Dan Turissini - President, ORC/FiXs Board Member, 703 246 8550

Robert Martin, American Systems/FiXs Corp Secretary, 703 321 6951

Dr. Michael Mestrovich, President, FiXs, 703 928 3157