Volume 16, Issue 1
February 2012

Access Card Shuffle

LEGACY PROGRAM GIVES MILITARY A LEG UP IN TRANSITION TO GOVERNMENTWIDE IDENTITY VERIFICATION STANDARD.


As the Department of Defense transitions to a new access standard to be employed by the entire federal government, the existing Common Access Card (CAC) program is putting it in a unique position. But while the experience of implementing an identity verification program has provided the department with perspective in carrying out the mandate for the new cards, the existence of the now-outdated cards could also generate some headaches.

Homeland Security Presidential Directive (HSPD)-12 requires all federal agencies to adopt personal identity verification cards for logical and physical access to the resources of those agencies. The technical standard for meeting that requirement is promulgated as Federal Information Processing Standard (FIPS) 201, devised by the National Institute of Standards and Technology. FIPS 201 exempts national security systems from its requirements, but DoD has charged forward with enforcing the policy anyway.

The Defense Manpower Data Center (DMDC) serves as the primary agent for ensuring DoD compliance with FIPS 201 standards. DMDC developed the department's HSPD-12 transition plan and manages the implementation and reporting on the transition to the Office of Management and Budget. The DoD Identity Protection and Management Senior Coordinating Group works with DMDC in its FIPS 201 compliance efforts to provide senior-management oversight with regard to biometrics, cryptology and smart cards.

DMDC currently manages the CAC program, which maintains more than 3.2 million cards distributed around the world. DMDC also maintains the Real-time Automated Personnel Identification System (RAPIDS), which encompasses 1,200 sites for issuing CAC cards.

To support the transition of these legacy access cards to the new FIPS 201 standards, DMDC has run marketing campaigns to inform its customers of the changes, according to Michael Butler, director of the DoD Access Card Office at DMDC.

“DMDC also has undertaken an aggressive marketing campaign to help advertise the changes brought about by HSPD-12,” Butler noted. “The marketing campaign included circulation of numerous television, radio and print stories; distribution of promotional materials to issuance sites and other high profile events such as the Marine Corps Marathon; deployment of an informational Website [www.cac.mil]; transmission of an Immigration and Customs Enforcement alert to law enforcement entities around the world; and a variety of other outreach mechanisms.”

Because DoD has maintained an access card program for several years, the department already has invested heavily in the infrastructure to support them—unlike many other federal agencies. The upshot of that is that the department has a number of pre-existing relationships with vendors for cards, readers and other identity management products.

“DoD has always taken a proactive approach with its vendors by developing specifications for the products they intend to procure,” Butler elaborated. “For example, DoD has developed a card specification, a reader specification and a middleware specification. The specifications ensure that the products DoD buys meet their exacting standards. Now, as a result of a common standard [FIPS-201], DoD has many of the same requirements as other agencies. However, since DoD is also a legacy program, any new products introduced into the DoD infrastructure must ensure backwards compatibility with legacy products.”

To fully integrate with all DoD and other federal products, the department is encouraging all vendors to obtain certification from the General Services Administration (GSA), he added.

But the department’s large legacy access card program does introduce some complications with the transition to FIPS 201 standards, particularly since so many of the old cards are in circulation.

“Making changes of any magnitude to this infrastructure is by nature challenging. Meanwhile, FIPS-201 cannot be considered a minor change by any stretch, and it is further exacerbated by the aggressive compliance deadline,” Butler remarked. “Also, with a legacy program, there are other considerations that a new program would not face, such as backwards compatibility and current development paths.”

So DoD will make the transition to FIPS 201 compliance over the course of several years, partly due to the scope of the project and partly to spend carefully and preserve infrastructure and funds where possible. Butler pointed out that the legacy program also brings some advantages to the department as it strives to meet HSPD-12 requirements. Thanks to the legacy CAC program, many of the pieces of HSPD-12 are already in place and in service, and the department now has to adjust those pieces to FIPS 201 standards. Making those adjustments would take less time than starting from scratch, Butler said.

“The primary advantage to being a legacy program is that the CAC has soaked through much of the department,” he said. “Our service members use the CAC to access their bases, log in to their computers and prove their identity. Also, DoD leadership is familiar with the program and its benefits. If the most difficult part of implementing a new technology is changing the culture to accept it, then DoD had a distinct advantage in that area.”

MERGING COMPETENCIES

The pressing need for all federal agencies to implement HSPD-12 plans to provide their employees with access cards compliant with FIPS 201 has created a market for companies large and small to assist agencies with meeting the requirements. Some of the large companies have teamed up to better assist DoD and other agencies by bringing specific expertise together into a joint operation.

General Dynamics, for example, has teamed up with Lockheed Martin to introduce a system called ChoiceID. General Dynamics brought deep familiarity with HSPD-12 and experience in fielding access systems, said Scott Price, vice president of homeland security solutions for General Dynamics Information Technology. Lockheed Martin brought cutting-edge technology with its BioUnique Identity Framework.

“We have very much been doing work on the field deployment side of HSPD-12, again for programs like the DoD Common Access Card, first responder and government IDs,” Price explained. “Part of what we built was a very comprehensive end-to-end solution in a mobile platform, particularly applicable for first responders who tend to be smaller volumes of people in geographically diverse areas, but it also applied to federal employees as well in the HSPD-12 space.

“After looking at that space, we ended up doing some work with Lockheed Martin, which had a very strong competency in the development side,” he continued. “They had their own identity management system hooked to a card management system. It was very price competitive and frankly a very good system.”

The partnership makes sense because conversion or migration to FIPS 201 standards is challenging and complex, Price remarked.

“The technology is still new. A lot of it consists of niche companies with very strong intellectual property. The standards are complex and changing. There is a fairly significant investment that you have to make to do this stuff. There is a lot of market space to cover in terms of having feet on the street and trying to find the money. At the end of the day, the two companies just have a lot of synergies in working together in the market,” Price said.

Although the companies have yet to deploy ChoiceID in support of DoD, Price sees the department as a potential customer. General Dynamics deployed about 25 percent to 30 percent of the DoD CAC cards during the initial mass enrollment phase for the cards. DoD has since internalized management of CAC cards, although General Dynamics has provided occasional transition and background support when called upon to do so.

But Price believes that DoD will quickly outgrow the localized printing solutions it currently employs as it moves into FIPS 201 compliance, prompting the need for contractor support.

“The small printers in a security office are really not that robust,” he observed. “These little tabletop printers lack the security measures that you would like to see in production. DoD is reconsidering decentralized production and really considering the use of the large service bureaus for centralized production. We are actively working with DoD on a better long-term solution for them.”

MIDDLEWARE AND BEYOND

As DoD, the Army and Air Force rushed to comply with HSPD-12’s October 27, 2006, deadline to demonstrate initial activity for the new smart cards, each organization turned to a company called ActivIdentity. The military used the company’s smart card desktop client software, ActivClient, through a contract with EDS.

ActivIdentity had been assisting DoD with its CAC program long before HSPD-12, explained Ed MacBeth, vice president of marketing and business development. The company began its federal government work more than six years ago by supporting the rollout of the first CAC cards with DMDC.

“I would say that, during that time, there has been an evolution of standards,” MacBeth stated. “There was the common access card version one, then common access version two. There was another standard that was sort of an evolution of the CAC standard called the Government Smart Card Interoperability Standard. And then HSPD-12 resulted in yet another evolution of the standard, the FIPS 201 standard.

“We have been involved in supporting the evolution of those standards as well as interoperability of the systems to ensure our customers could continue to maintain and operate their existing standards as well as accommodate new standards as they come out,” he added.

ActivIdentity helped with implementing the access card standards and software for issuing cards, as well as applications that run on the card for storing information to authenticate individuals. The company also provided client middleware. DMDC has worked very closely with the Department of Commerce and other agencies to create interoperable standards across government that are fiscally responsible while expanding capability, MacBeth noted. Successful systems not only fulfill the basic requirements, but also anticipate the need for expansion of functionality in the future, he said.

“One of the things that we have worked on very diligently with all of our customers is to give them a system that will accommodate these evolving standards without disrupting their business,” MacBeth elaborated. “Anytime you get a huge install base, whether it’s hundreds of thousands or millions of devices and credentials out in the hands of people who are using them on a daily basis, they really have to look beyond the cost of just replacing the devices. There is also a tremendous amount of cost in terms of business process.

“The systems that we have put in place really go above and beyond the basic set of requirements for HSPD-12. They really look at utilizing the card as a renewable secure computing platform, where we can add capabilities and we can add new applications and allow that card to fulfill its useful life of three to five years,” he added.

HSPD-12 represents a true leap forward in smart card standards, MacBeth contended, because it is the first standard to truly focus on the process of vetting an individual and issuing a smart card securely. Previous standards focused much more on the content of smart cards and how they would contain biometrics, digital certificates and other authentication information, he said.

MOBILE SOLUTIONS

Due to the nature of their jobs, war fighters cannot always depend on having the support of a great deal of computer infrastructure when establishing a secure perimeter and verifying the identities of those moving into and out of a secure area. So a company called CoreStreet has developed a handheld solution that enables military service members to meet HSPD-12 standards and verify FIPS 201 access cards.

CoreStreet, which develops technology to support large-scale smart credentialing programs with both hardware and software, offers the PIVMAN system for the validation of government-issued credentials without outside communication. “For instance, in a disaster area, perimeter security can be established without necessarily having a network present to operate, which is somewhat unique if you think of the ways these solutions are typically deployed,” said CoreStreet’s chief executive officer, Chris Broderick.

“The PIVMAN device itself is a ruggedized handheld device,” Broderick added. “It is durable to withstand being dropped, banged against, being exposed to water, fire and so on. It is deployed in the hands of security officials, and has a smart card reader on it that can validate the credentials or smart cards of people in a spot check.”

Individuals present their smart cards to security officials, who can use the PIVMAN device to verify their identities. The procedure follows the multi-form-factor authentication required by FIPS 201 by answering three questions: Who are you? Do you possess knowledge that verifies your identity? Are you matched to the biometrics on your access card?

The Pentagon Force Protection Agency recently purchased the PIVMAN system to help provide perimeter security around properties leased by the Pentagon in northern Virginia. The agency, established in the wake of the September 11, 2001, attacks to provide security and police services for the Pentagon properties, uses the PIVMAN system to conduct spot-checks of CAC cards on the Pentagon property as well as the various leased facilities.

To carry out these tasks, PIVMAN reads the FIPS 201 information on any valid access card just as larger stationary systems would.

“The FIPS 201 standard has resilience to fraud. It has all types of encryption technology on it so that it can’t be forged. It has a biometric on it. It has an image embedded in the card. All of the different form factors that one would use to validate the identity of somebody presenting the card are captured in the FIPS 201 standard,” Broderick commented. “The PIVMAN system was built to read the FIPS 201 standard so that the person holding the handheld can make a good decision as to whether or not the person presenting the credential is who they say they are.”

As part of this, the system verifies the privileges of the card bearer. A privilege, in this case, is something associated with the qualifications of the individual presenting the credential. For example, if that person possesses firefighting or medical skills, the ability to read his or her access card verifies that person’s training and qualifications.
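The spot check described above, from the three FIPS 201 questions through the release of privileges, can be modelled end to end. The following Go program is an added example, not code from the article or from CoreStreet's product. It models a disconnected verifier that carries the issuer's public key and a cached revocation list into the field: it confirms the card's signed identity object is genuine, unexpired and unrevoked (who are you), lets the card check the PIN on-card with a retry counter (knowledge), compares a live biometric sample against the template the issuer signed (biometrics) and only then releases the issuer-asserted privileges such as medical or firefighting qualifications. Every name in it is an assumption of the example: the `Payload` fields, the Ed25519 signature, the hash-based PIN stand-in and the Hamming-distance matcher are simplifications, and the real FIPS 201 data model (CHUID, X.509 certificates, fingerprint templates) is considerably richer.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"math/bits"
	"time"
)

// Payload is the identity object the issuer signs and the handheld reads from the card.
// Field names are invented for this example; the real FIPS 201 data model is richer.
type Payload struct {
	CardID     string   `json:"card_id"`
	Holder     string   `json:"holder"`
	Expires    int64    `json:"expires"` // Unix seconds
	Biometric  []byte   `json:"bio"`     // constructed fixed-size template
	Privileges []string `json:"priv"`    // qualifications asserted by the issuer
}

// Card stands in for the physical smart card: the signed payload plus a PIN the card checks itself.
type Card struct {
	Payload, Signature []byte
	pinHash            [32]byte
	triesLeft          int
}

// VerifyPIN models the on-card PIN check; the card blocks after three consecutive failures.
func (c *Card) VerifyPIN(pin string) bool {
	h := sha256.Sum256([]byte(pin))
	if c.triesLeft <= 0 || subtle.ConstantTimeCompare(h[:], c.pinHash[:]) != 1 {
		c.triesLeft-- // counts down through zero; a blocked card stays blocked
		return false
	}
	c.triesLeft = 3
	return true
}

// Issue signs the payload under the issuer's key and personalises a card with the PIN.
func Issue(issuer ed25519.PrivateKey, p Payload, pin string) (*Card, error) {
	raw, err := json.Marshal(p)
	if err != nil {
		return nil, err
	}
	return &Card{Payload: raw, Signature: ed25519.Sign(issuer, raw), pinHash: sha256.Sum256([]byte(pin)), triesLeft: 3}, nil
}

// Verifier is what a disconnected handheld carries into the field: the trusted issuer key,
// a cached revocation list and the fraction of differing biometric bits it tolerates.
type Verifier struct {
	Issuer     ed25519.PublicKey
	Revoked    map[string]bool
	MaxBioDiff float64
}

// Decision answers the three questions separately so the officer sees which factor failed.
type Decision struct {
	Genuine    bool // signature valid, not expired, not revoked (who are you)
	Holder     string
	PINOK      bool // something you know
	BioOK      bool // something you are
	Privileges []string // released only when all three factors pass
}

// hammingFraction stands in for a real matcher: the share of template bits that differ.
func hammingFraction(a, b []byte) float64 {
	if len(a) == 0 || len(a) != len(b) {
		return 1
	}
	diff := 0
	for i := range a {
		diff += bits.OnesCount8(a[i] ^ b[i])
	}
	return float64(diff) / float64(len(a)*8)
}

// Check performs the spot check. The signature is verified before the payload is parsed,
// so nothing read from an untrusted card influences the decision.
func (v Verifier) Check(c *Card, pin string, liveBio []byte, now time.Time) Decision {
	var p Payload
	if !ed25519.Verify(v.Issuer, c.Payload, c.Signature) || json.Unmarshal(c.Payload, &p) != nil ||
		now.Unix() > p.Expires || v.Revoked[p.CardID] {
		return Decision{} // not genuine: nothing from the card is trusted
	}
	d := Decision{Genuine: true, Holder: p.Holder, PINOK: c.VerifyPIN(pin)}
	d.BioOK = hammingFraction(p.Biometric, liveBio) <= v.MaxBioDiff
	if d.PINOK && d.BioOK {
		d.Privileges = p.Privileges
	}
	return d
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := []byte("constructed-bio-template-0001") // constructed sample template
	card, _ := Issue(priv, Payload{CardID: "X-0001", Holder: "Example Holder", Expires: time.Now().Add(time.Hour).Unix(), Biometric: tmpl, Privileges: []string{"EMT"}}, "123456")
	v := Verifier{Issuer: pub, Revoked: map[string]bool{}, MaxBioDiff: 0.1}
	live := append([]byte(nil), tmpl...)
	live[0] ^= 0x01 // one bit of sensor noise on the live sample still matches
	fmt.Printf("%+v\n", v.Check(card, "123456", live, time.Now()))
}
```

The ordering in `Check` is the point a practitioner should take from the example: the verifier trusts nothing on the card until the issuer's signature has been checked, then applies expiry and the cached revocation list, and only a card that passes all three factors yields the privileges the officer acts on. A wrong PIN or a biometric mismatch still reports the card as genuine, so the officer can tell a failed factor from a forged credential.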

FORCE PROTECTION

Specialized security integrators also are finding a role in FIPS 201 implementation. ADT Security Systems provides access security services to about 40 military bases throughout the United States, according to Mike Flannery, an operations/sales manager with ADT Federal Systems Division.

“As an integrator, ADT has been certified and qualified by GSA as an approved HSPD-12 service provider,” Flannery said. “There are a number of categories that they evaluate and certify so that a government agency can be sure that we have passed a vetting process, we are familiar with the standards and requirements and that we have some quality assurance measures in place.”

ADT provides physical access control systems (PACS) to its military base clients. Those systems will require upgrades to meet HSPD-12 requirements and read the new FIPS 201-compliant CAC cards.

ADT anticipates large-scale use of the new cards within 12 to 18 months. The company is currently carrying out an HSPD-12 upgrade to the system of a civilian government agency.

“The card technology between CAC and the civilian government is so similar because they are converging on the FIPS 201 standard,” Flannery observed. “That physical access system by definition will need to be HSPD-12 compliant to understand the credentials being presented to it.”

In many cases, defense agencies and installations could salvage prior investments by re-using some pieces of their legacy personal identity verification systems, even if those systems require firmware upgrades. However, in some cases, organizations will have no choice but to make the investment in new infrastructure, Flannery predicted.

“On the back end, much of that hardware can be saved. It depends on the age of the system. We are seeing that many of the computer platforms can be reused. Most manufacturers require updating of the software on those platforms. In most cases, the access control field panels can be saved. They may need firmware updates. But all of the readers have to be replaced, unfortunately,” Flannery said.

The ADT Sure Pass Identity-Access Management Platform consists of a package that uses a card management system produced by SETECS. ADT integrates that product with other components, such as CrossMatch identity vetting software and Aware biometrics software.

The company’s goal is to provide an HSPD-12 system that works seamlessly along a client’s IT backbone and that meets the FIPS 201 standard.

“Interoperability is the reason for any standard in the first place, and certainly the reason for this standard,” Flannery stated. “The FIPS model ensures interoperability of the technology that creates the credential but also it assures that the credential that adheres to the standard can be used across multiple government agencies and across multiple enterprises.” ♦
