May 13 2007

Multiple Identities

Looking for a few good locksmiths.

Over the next five months, agencies will be doing just that as they set up identity management systems to meet the new governmentwide mandate for smart IDs to secure access to both systems and facilities.

In its latest guidance, issued as a draft in April and expected for final release at press time, the Office of Management and Budget laid out a timeline for agencies to have smart-card identification and back-end identity management systems ready by Oct. 27.

The guide sets up more than a dozen deadlines that agencies—in some cases the project drivers, like the National Institute of Standards and Technology or the General Services Administration, and in others, all organizations governmentwide—will have to heed.

These deadlines range from the requirement that NIST release conformance-testing information by Aug. 5 to the Oct. 27 mandate for GSA to issue an amendment to the Federal Acquisition Regulation on the card standard. And in between, all agencies must provide lists to OMB on Aug. 27 of possible other uses for the new IDs beyond facility and systems access.

But before any of that, all agencies face a June deadline to tell OMB how they will go about checking IDs and backgrounds. By the Oct. 27 deadline, they must have negotiated with OMB how they will make the transition from existing badges to token-based physical and logical access systems that resist tampering and work rapidly and securely.

The trigger for these mandates came from the White House in August, when President Bush signed off on Homeland Security Presidential Directive 12.

In its new guidance this spring, the administration made it clear that—despite some government and industry officials calling the rollout rushed—it expects agencies to act swiftly to set up a common government ID program.

In crafting a specifications standard for the directive, NIST has tried to detail "what can be used for access without telling agencies what the circumstances might be," says W. Curtis Barker, project manager of NIST's Personal Identity Verification Project. "Think of it as a key ring with three keys for three locks of different strengths, where each agency designs its own locks."

Agencies are on their own to formulate their "lock" policies for authenticating employees, contractors and visitors, Barker says. The NIST specifications issued in February's Federal Information Processing Standard 201 just establish the framework. For example, small agencies might continue using photos for local admittance and not bother collecting and comparing biometric fingerprints, although the prints could still be required when their workers visit other federal sites.

The Defense Department has taken the early lead among agencies beginning to standardize the verification of the identities of employees and contractors. Several million DOD workers already use personal software certificates to authenticate and encrypt documents and e-mail. Defense's 4.5 million Common Access smart cards can store these certificates as well as photos, seals, logos and other data.

[Photo: Bob Gilson, program analyst in Defense's CAC office. Photo credit: Randall Scott]

DOD has been working on smart identification for decades, says Bob Gilson, a management and program analyst in the Common Access Card office. "It evolved from a mandate to overhaul how we issued cards" back in the 1970s, Gilson says. "There were cards for commissary and other benefits, and there were Geneva Convention cards for service members" in case they became prisoners of war.

But widespread counterfeiting of its cards led the department to try to establish a chain of trust with an unforgeable credential that could be issued at trouble spots around the world, he says.

DOD built a huge central database for the Defense Enrollment Eligibility Reporting System that still underlies its ID management. The centralized approach, however, has lost favor in the intervening decades. Now Defense and other agencies must take a federated, or cross-credentialing, approach based on trusted relationships.

Layer Upon Layer

Any agency that has begun a smart-card and identity management project now faces a degree of retrofitting or initial investment to comply with FIPS 201. The standard calls for a secure, common federal token with several levels of personal identity verification, including biometrics in the form of digital fingerprints.

The timeline for compliance will be short even though funds are lacking for what will likely be a slow changeover from current badging systems. Moreover, agencies face the broader challenge of "federating" their identity management policies so that the common credential, once it exists, can reliably open many different federal gateways and turnstiles.

GSA is even juggling two different federated ID authenticating efforts. One, E-Authentication, is outward-facing, to verify identities of citizens and businesses that want to conduct online transactions with agencies. The inward-facing program deals with identity-proofing for intragovernment transactions.

Both programs have the common element of "not issuing a single unique identifier" such as a national ID or referring back to central, governmentwide files, says David Temoshok, GSA's director of ID policy management. The reason is to protect individual privacy as well as to eliminate a single point of vulnerability.

"All agencies have badging programs that generate a slew of different passwords," Temoshok says. The funding for those programs must now be directed to the new ID systems, although some agencies might have to reprioritize their spending.

"Nothing in the FIPS directs vendors to change their badges," Temoshok adds, "but contractors, researchers and other users will need access. Some agencies have been badging contractors and can continue to do so. But it's reasonable for vendors to look at the standard" and move toward making their own IDs compliant.

To start the ball rolling, the CIO Council's Federal Identity Credentialing Committee has posted a handbook on identity management and a template for implementation. Temoshok calls it a first step that will help not only federal agencies but also state and local organizations that issue IDs.

The handbook says tokens are to be issued only by certified and accredited authorities in a chain of trust involving sponsors, registrars and signatories. It calls for user education and training of agency workers who perform such tasks as maintaining, revoking, destroying and reissuing tokens. It allows two general types of ID: role-based and system-based. The security requirements for ensuring individual privacy are complex, and overall responsibility falls on each agency's designated senior official for privacy.

A December OMB memorandum also cautions agencies that their commercial providers' security controls must be up to the mark for digital certificates, electronic signatures and other authentication services. The memo mandates use of shared-services providers that meet GSA and OMB requirements.

The CIO Council handbook acknowledges that, although enrollment of fingerprint biometrics is mandatory, subsequent use of the prints may be unnecessary unless a large number of employees work with confidential information or there is serious risk of system attack or compromise.

Authentication policies also must deal with such factors as single sign-on and eventual harmonization with each agency's enterprise architecture as well as the Federal Enterprise Architecture.

Although NIST's Barker could not estimate the overall cost of the changeover from current procedures, he says the investment in new hardware for credential issuance and access control will be substantial. In addition to the hardware, existing software will need modification and, in the case of agencies with no current ID management systems, software must be developed from scratch.

"If you have nothing, the infrastructure will be the biggest hit," he says. "If you already have a badging program, the modifications will be the big hurdle."

Vendors of existing smart-card systems late last year objected to the first-draft version of the FIPS, arguing it ignored their years of development work and would be impossible to comply with within a reasonable time. The rewritten final version of the standard, however, appears to have overcome most of those objections.

"Several vendors have shown a keen interest" in stepping up to the new requirements for a common credential, Barker says. "I believe there is a significant number that want to do the whole thing, end to end," from data capture to back-end processing.

The Frontrunners

Besides DOD, Barker says, NASA and the Bureau of Land Management have a head start in refining the elements of a common credential. The space agency's One NASA smart card is now being issued to about 100,000 workers under a $94 million program. Previously, each NASA center had multiple stovepiped badges and identity management systems for employees, contractors, maintenance staff and visitors.

By the end of last year, BLM had scheduled replacement of all its employees' and contractors' badges with smart IDs modeled on the DOD Common Access Card.

But, Barker adds, those are merely the leading agencies. Don't expect to see similar programs tomorrow in most or even many agencies. Strong ID management is unlikely to spring up rapidly and homogeneously across the government. Barker expects "incremental implementation and incremental advances."

GSA's Temoshok agrees: "The timeline includes a transition to a higher level of security. Commercial services will need to undergo conformance testing. We can't specify a time; we'll have to see what agencies determine with OMB."