HSPD-12 Plugs Into Transformation Goals

ID CARD MANDATE DOVETAILS WITH EFFORTS TO REFORM HOW BUSINESS APPLICATIONS ARE BOUGHT AND USED.
The Department of Defense and its transformation management office have embraced the fact that business applications often require upgrades much faster than warfighter applications, which are the systems that DoD has traditionally acquired through its procurement offices. As transformation leaders have sought to leverage commercial business expertise for DoD back office activities, defense officials have been striving to change the way they procure business applications and how those applications are used.
Those efforts are effectively dovetailing, meanwhile, with a presidential directive that requires them to toughen standards on how authorized personnel gain access to sensitive information stored in those applications.
That directive, Homeland Security Presidential Directive-12 (HSPD-12), requires government agencies to develop a secure personal identification verification (PIV) system for their personnel and contractors. So DoD personnel, for example, would use a PIV card that meets the requirements of HSPD-12 to gain access to authorized facilities and computer systems.
DoD has been a leader in the area of PIV cards with its Common Access Card, but the department has been in the process of revising its credential in line with standards developed by the National Institute of Standards and Technology (NIST) in support of HSPD-12. NIST issued those standards, embodied in Federal Information Processing Standard (FIPS) 201, in February 2005.
FIPS 201 actually contains three publications that spell out the technical requirements of implementing the HSPD-12 order: NIST Special Publication 800-73, “Interfaces for Personal Identity Verification”; NIST Special Publication 800-76, “Biometric Data Specification for Personal Identity Verification”; and NIST Special Publication 800-78, “Cryptographic Algorithms and Key Sizes for Personal Identity Verification.”
Implementing the NIST specifications for access cards in DoD requires a lot of focus from across the department, said Paul Brinkley, deputy undersecretary of defense for business transformation.
“It has a big impact on our systems infrastructure,” Brinkley said. “We are working with DISA [Defense Information Systems Agency] to identify how those initiatives and those efforts are going to play into business systems infrastructure, authentication, and validation of authority, especially as the department in its umbrella of engaged entities for business operations gets broader and broader and outsourcing increases.
“There is a lot of effort underway for a unified vision that is still in process,” he added.
Brinkley’s office, charged with the administration of transformation across DoD business applications, has seized upon the insight that the cycle for upgrading business applications in private industry generally moves faster than for the warfighter applications unique to the military.
The White House has told federal agencies that they must start issuing new security access cards by October 27 of this year to kick off a governmentwide effort to meet the requirements of HSPD-12, which requires tightening of both building and computer security. It has become very important, then, for industry to provide expertise on how to implement HSPD-12 specifications, particularly given that the White House offered no additional funding to install new systems to comply with the directive.
UNFUNDED MANDATE
Federal agencies will protect the investments that they have made in their physical security systems to date, knowing that they will not receive additional funding for an entire upgrade of their physical security system in their facilities, predicted Jim St. Pierre, president and chief executive officer of MDI Federal Security Systems Division.
The agencies are looking for a migration path to implement the PIV mandate without replacing major components within their installed systems, and within their current budgets.
“Part of this October 27 deadline is to determine how they are going to fund this directive,” St. Pierre said. “MDI is making sure that our customers have a technical solution that allows the agency not to have to replace all of their field hardware and not to have to rewire their facility.
“They have to replace the access-control readers, issue the new PIV cards, take a picture of a person and enroll the PIV card into the database,” he explained. “There’s a cost associated with that, but it’s not nearly as costly as reinstalling a major system.”
MDI Security Systems has been in the business of supplying and upgrading government computer systems for about 25 years. Based upon its experience with installing many access systems over those years, including physical control systems at many governmental agencies, the company knows that it must provide HSPD-12 migration strategies that preserve as much of an agency’s existing infrastructure as possible.
HSPD-12 requires upgrades to both logical access control for accessing databases and the like, and physical access control for entering buildings. MDI Security Systems, a physical access control company, offers its SAFEnet technology to meet the HSPD-12 directive. The configurable IP-based appliance works with the company’s Open Architecture Command and Control Operating System.
“It’s using electronics and a database to validate people. Inside the card would be fingerprints. If you have a high security area, you would validate yourself with what you know, which could be a PIN number in your head, and with what you have, which would be a biometric from your finger, and it could be what you have in the card, to validate those kind of things into a database to unlock a door,” he said.
Prototypes for FIPS 201-compliant credentials are only now being issued, St. Pierre noted, providing MDI and other companies with examples to test the ability of their systems to meet the HSPD-12 mandate.
“Part of the program is like currency,” St. Pierre said. “You don’t go out and hire some commercial company like us to print the government’s currency. It’s the same thing with the government-owned PIV credential. There will be tight controls on who is going to issue the credential. That has not been totally done yet. We are waiting for the final government-issued PIV card, and who is going to issue and manage the credentials within the agencies. Then we will finalize the PIV deployment we started in early 2005.” MDI is involved with several early adopter test sites.
SYSTEMS INTEGRATION
Federal agencies that have previously deployed part of a total HSPD-12 solution may feel that converting to an entirely new package is not desirable, even if they did have the money to do so. So the use of open standards is an imperative in developing HSPD-12 solutions, said Tony Damalas, chief technology officer of Actcom Security Solutions.
“We know that not every potential client could use the end-to-end solution if they already have an established enrollment package with some equipment that they may be used to using,” Damalas said. “We want to make sure that the registration software that we use is open to the traditional standard products that are available in industry. So we are trying to capture that in open-standards fashion.”
Actcom also takes care to see that its solutions can transmit registration information from any identity management system (IDMS) to federal agencies like the Office of Personnel Management or the FBI for the appropriate background checks using open standards. Actcom acts as an integrator, bringing together the products of various technology partners to meet the HSPD-12 requirements for either physical access control or logical access control.
Such a system could start off by reading a driver’s license or a passport to obtain information on a potential enrollee, Damalas explained. The system would then capture 10 fingerprints, using a device from Identix for example, from the enrollee. The prints are then transmitted to the FBI for background checks.
Working with widely implemented vendors such as Identix enables Actcom to ensure interoperability with other fielded systems, Damalas stated.
“Obviously, when dealing with legacy equipment and infrastructure that cannot necessarily be funded for replacement, you have to somehow find a way for them to be interoperable. Whether it can or can’t depends on what you have and how much it can be upgraded. To do all of that and make use of whatever is there, if it’s possible, is certainly a financial advantage,” Damalas said.
Companies such as Suretec provide the reader document and card verification system in an Actcom solution, while an IDMS from Daon would process that information. An Activ Identity card management system (CMS) would feed the information into a card production system, such as one made by Oberthur. Oberthur, in fact, was the first company to produce a FIPS 201 certified smart card, Damalas noted.
“FIPS 201 is a dynamically evolving process,” Damalas said. “Data models are being finalized. Specifications and standards are being finalized.
“We have NIST and also the various interagency advisory board members—AFCEA [the Armed Forces Communications and Electronics Association], the Security Industry Association, the Smart Card Alliance—all of these organizations are working together with government in a cooperative effort to bring together what the standards bodies and the policymaking bodies have identified with the industry that is supposed to be responding to these standards and producing these products,” he said.
CLOSING THE GAPS
Lars Suneborn, director of government programs for Hirsch Electronics, pointed out that many military installations might want to keep their registration and enrollment processes as secure as possible. That could mean an installation would not have any interest in receiving verification of an enrollee’s identity from outside databases.
“As a manufacturer, we have to make our products flexible enough to accommodate various implementation goals and strategies,” Suneborn said. “Some people would like to have everything come from a CMS or IDMS, where they populate the data fields and a guy shows up on the doorstep and a door opens.
“At the other end, some agencies say, ‘No, we will have an air gap, so no connections to the outside world at all. We will do all of the physical access registration of this credential right locally on site.’ So then they scan the driver’s license or passport. Then it verifies the PKI certificate before the person is allowed to proceed inside with the credential.”
Hirsch Electronics manufactures physical access control systems, field hardware, server software, readers and scrambling keypads. The company also employs readers from other manufacturers through its open interface.
Hirsch server software can receive input from a variety of sources, Suneborn said. “Information can be entered into our system from either an XML link or a CMS or an IDMS or an operator can type it in manually in the old-fashioned way or by scanning documents or scanning the PIV card or scanning driver’s licenses and so on.”
In a demonstration of the Hirsch Visitor Management system, Suneborn took a driver’s license and scanned it into a mock-up of a fixed HSPD-12 system. The system scanned the data and populated data fields in an enrollment manager with the enrollee’s information.
The enrollment manager reproduced the driver’s license picture of the enrollee, but the system also had the ability to take a new picture and add it to the system.
Suneborn then took a PIV card and scanned it into the system. The system matched the PIV card to the data on the driver’s license. The system also populated PIV data fields with an agency code, a system code and a credential number.
“Those three fields are compacted into one 14-digit data stream. That is downloaded to the control station. System operators will have previously set up various areas of campus so that this person can be added to the proper doors for access. It’s a role-based model. So when this card is now presented to the reader, access is granted, and the door opens,” Suneborn said.
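The 14-digit credential stream and the role-based door decision Suneborn describes, as an added illustration that is not Hirsch’s code: the 4/4/6 field split is an assumption (it follows the FASC-N layout; the article gives only the 14-digit total), and the enrollment and role tables are constructed sample data.

```python
from dataclasses import dataclass

# Assumed field widths: agency code 4, system code 4, credential number 6 (FASC-N style).
# The article states only that the three fields compact into a 14-digit stream.
AGENCY_LEN, SYSTEM_LEN, CRED_LEN = 4, 4, 6


@dataclass(frozen=True)
class CredentialId:
    agency_code: str
    system_code: str
    credential_number: str


def parse_credential_stream(stream: str) -> CredentialId:
    """Split the 14-digit stream read from the card back into its three fields."""
    if len(stream) != AGENCY_LEN + SYSTEM_LEN + CRED_LEN or not stream.isdigit():
        raise ValueError("credential stream must be exactly 14 decimal digits")
    agency = stream[:AGENCY_LEN]
    system = stream[AGENCY_LEN:AGENCY_LEN + SYSTEM_LEN]
    credential = stream[AGENCY_LEN + SYSTEM_LEN:]
    return CredentialId(agency, system, credential)


# Constructed sample enrollment: which credential holds which role, and which
# doors (areas of the campus) each role has been set up for by the operators.
ENROLLED = {
    CredentialId("3200", "0001", "000042"): "maintenance",
    CredentialId("3200", "0001", "000077"): "network-ops",
}
ROLE_DOORS = {
    "maintenance": {"lobby", "boiler-room"},
    "network-ops": {"lobby", "server-room"},
}


def door_decision(stream: str, door: str) -> tuple[bool, str]:
    """Role-based check the control station makes when a card is presented at a reader.

    Returns (granted, reason) so every denial is explainable in the audit log:
    malformed stream, unenrolled credential, or role not assigned to this door.
    """
    try:
        cred = parse_credential_stream(stream)
    except ValueError as exc:
        return False, f"deny: malformed stream ({exc})"
    role = ENROLLED.get(cred)
    if role is None:
        return False, f"deny: credential {cred.credential_number} not enrolled"
    if door not in ROLE_DOORS.get(role, set()):
        return False, f"deny: role {role} not assigned to {door}"
    return True, f"grant: {role} -> {door}"
```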
Although the system is largely intended to run as a permanently installed workstation, Hirsch also produces a mobile version that military units could field very quickly if required.
CAPTURE AND ARCHIVE
A key requirement of HSPD-12 is the capture and storage of enrollee data, said Carter Marantette, vice president of sales for Comnetix.
“In the case of the solution for the enrollment, we capture the fingerprints, photos and demographic information,” Marantette said of his company’s access system. “We scan in any documents associated with the individual. We then transmit the record for a background check to the FBI, and information comes back to our database and updates the record. We can work with multiple databases as far as pulling down demographic information to populate the Live Scan record.”
Comnetix’s Live Scan System comes in workstation and mobile configurations. The system uses its image quality assurance and finger-sequence verification applications to ensure a high acceptance rate of fingerprint captures. Fingerprints are then used to create biometric identifiers for secure ID badges.
“We have that part of it, then we work with third-party companies that are in the access control world, whether physical access or logical access, for the requirements for HSPD-12 for the badges,” Marantette said.
As such, the Comnetix system basically transfers data to the PIV cards. The company works with systems integrators that can provide the smart card components to complete a total HSPD-12 solution.
“With a lot of systems, you enroll to do background checks on people and then you enroll a second time into access control, but ours is a single enrollment. We don’t do the backend, but we do everything up to that. We offer a good solution for upfront capture and storage capabilities,” Marantette said.
Comnetix also offers server applications with its IntelliServ centralized server product. The IntelliServ database can queue records and archive them in compliance with federal standards. IntelliServ operates as a go-between, linking the enrollee management and the capture of fingerprints and photos to the identification and verification systems at a federal agency site, according to Comnetix.
IntelliServ can exchange information and images across multiple databases, but it could also simply act as independent storage for images.
BUSINESS TRANSFORMATION
Across the federal government, individual agencies employ thousands of security personnel charged with policing logical access to their systems. The HSPD-12 requirements could impact their jobs in ways that many people haven’t fully considered, reflected Bill Wright, chief technology officer at Troux Technologies.
“On the outset, it’s a logistical issue on the surface,” Wright noted. “How do we get everyone issued these cards and how do we do that in a secure way and how does the process cut across the whole government? But you have to look further than that. How is this card going to be used? What do you need it for today and where are they really going with the use of it?”
Troux Technologies helps DoD agencies understand how to manage transformation and develop strategies for how efforts like HSPD-12 implementation will impact processes. Wright foresees the standardization of not just technical specifications across government from HSPD-12, but also the standardization of how access control is implemented.
“Every agency in the government is doing the same thing a different way. Even in their same organizations, they may have multiple ways that they do that with their computer systems,” Wright stated. “Ultimately, if they can get HSPD-12 and the mechanisms that they are trying to put into place, that will provide common means and mechanisms for people not just to get into buildings but also to access the computing facilities, to access information, and to track what is happening and who is doing what.”
Troux software enables agencies to architect and design change across business applications, including security considerations. Such change occurs slowly, however, Wright cautioned. After witnessing similar implementations in private industry, he can testify that the conversion to new computing applications or systems does not occur overnight.
And that’s even presuming that expert personnel who completely understand the requirements are available.
“The whole issue of security and how do you architect security is still in the process of discovery. Not a lot of people understand it,” Wright said. “We have FISMA rules and direction and guidance, which a lot of people frankly struggle with. It’s pretty complex. One of the things that we have to do is continue to bring into our product line ways that make it easier for people to understand how to architect security in what they are doing. HSPD-12 is only one small piece, but an important piece because it cuts across everything.” ♦