New Cards for Enhanced Security


MIT 2008 Volume: 12 Issue: 3 (April)




DoD is upgrading the workstations that issue the identity credentials of its personnel worldwide to comply with the requirements of Homeland Security Presidential Directive-12 by the end of the year.

The Department of Defense is on track to upgrade the workstations that issue the identity credentials of its personnel worldwide to comply with the requirements of Homeland Security Presidential Directive (HSPD) 12 by the end of the year, according to a top official in the Defense Manpower Data Center (DMDC).

To meet the mandate of HSPD-12, DoD must issue personal identity verification (PIV) cards that provide military and civilian employees with physical access to its facilities and logical access to its computer systems. In addition, the new cards must work in a contactless mode, so that warfighters and civilians can enter buildings by holding their cards near a reader that reads the chip without swiping a magnetic stripe.

As of press time, DoD had upgraded more than 450 workstations out of 2,300 worldwide for the Real-Time Automated Personnel Identification System (RAPIDS) from its old Common Access Card (CAC) infrastructure to support the new HSPD-12 cards, said Frank Jones, DMDC director of the Personnel Identity Protection Solutions Division.

“When we presented our implementation plan to the Office of Management and Budget [OMB], we told them we would be taking a phased approach,” Jones elaborated. “DoD has about 3.5 million active Common Access Cards in play at any one point in time across the department. With that amount of infrastructure issuing cards and that number of cards currently in use, it didn’t make sense to try to do some ‘big bang’ where we replace all cards in one fell swoop.

“It made more sense to let these cards reach their normal expiration and then replace them with compliant cards as they are reissued. OMB agreed and that is the strategy that is in play right now,” he added.

As DoD personnel upgrade the RAPIDS workstations, they are replacing a legacy client/server system with a Web-based one. IT workers convert the individual RAPIDS workstations to the Web-based HSPD-12 system, so those workstations will keep operating when the old RAPIDS servers go offline.

Contactless Cards

As the year progresses, more and more DoD personnel will carry the new HSPD-12 compliant CAC card, which looks markedly different from the old card. It has a wavy background instead of a plain white one, and is light blue in color. The new cards also are contactless, so they lack the magnetic stripe found on older cards.

What isn’t visible is more important, Jones stressed: HSPD-12 brings significant security enhancements to the DoD workplace.

“It brings interoperability so that for the first time we have an identity credential that can be recognized and used across and all over the department and the agencies of the federal government,” he said.

“This card is a bit different than any others because possession of this card implies a reliable train of trust, a reliable standardized level of vetting the cardholder so that you have a greater level of trust that the person holding the card is who they say they are. It has a strong tie to biometrics,” he continued. “It has the potential for the concept of federation, which is new to federal space. Federation is the ability to recognize and trust a credential that has been issued by an organization other than your own, based on confirmation that the proofing and vetting of the cardholder has been completed, the process is auditable so it can be trusted, and the credential can be rapidly electronically authenticated.”

This will end the risk that potential intruders could use a card as a “flash pass,” where they hold up a card to enter a facility while guards have no real assurance as to whether the card is counterfeit or the cardholder is still an authorized employee of the agency.

Still, Jones estimated that the last of the 3.5 million CAC cards would not be replaced until late 2011 or early 2012, since the RAPIDS stations replace old cards only as they expire over the next several years.

Oberthur Card Systems is one of the major contractors supplying DMDC with the HSPD-12 cards, as a contractor to EDS. The new cards represent a major leap in security technology, according to Patrick Hearn, director of sales for government ID markets for the Americas.

“We have a very simple job. We are the ones providing the common access card to them. It’s a dual-interface card. That means it has a single chip on it that works in contact, which means you put it into a reader, as well as contactless mode, which means you put it close to a reader. Then you transmit information between the reader and the card,” Hearn explained.

“We were the first ones to put this out to DMDC. We have been putting it out in large volumes over the course of the past couple of months to enable their transition to a PIV-enabled program,” he added.

Hearn estimated the company had manufactured 750,000 cards for DoD to date, slowly providing the new HSPD-12 cards as old CAC cards expire. DMDC has been issuing the new cards to RAPIDS stations that have been converted, including recently converted sites such as the DMDC center in Arlington, Va., and at Fort Belvoir, Va.

“The big difference between the old one and the new one is that the old ones were never able to communicate in a contactless mode. That’s useful for physical access control,” Hearn described. “Instead of having to slide your card through a magnetic stripe reader or inserting your card or using it as a flash pass, you can actually take the card and put it to a reader and authenticate. That’s one element of a throughput process. The cards also will be interoperable as part of HSPD-12, which is the broad effort on the part of the federal government to put together a standardized, recognized credential across the federal government.”

DoD has been ahead of the game on meeting HSPD-12 requirements because the CAC program, which dates from around 2000, has been in place for access control for some time.

Multiple Identities

Once military and civilian DoD employees have their new access cards, however, managers are faced with the challenge of actually providing the employees with the access to multiple systems promised by HSPD-12. Identity management software can help meet that challenge, seamlessly linking systems together for access through the HSPD-12 PIV credential, said Jeff Stratyner, manager of alliance solutions at the Public Sector Group of Quest Software.

“HSPD-12 is all about identity. How can I verify who is at the door when they want to come into a facility?” Stratyner asked. “My view of HSPD-12 is that it was a trigger to get people to understand how to accept someone’s identity and then use that identity to traverse a network, get in and out of physical facilities, and to access data and things like that. There should be one piece of identification that can get me access to multiple places, whether digital or physical.”

Quest manufactures software that helps agencies to store the identities presented by HSPD-12 cardholders for use in accessing multiple systems. To date, many federal agencies have been focused on obtaining valid HSPD-12 cards and the hardware to support them. But Quest’s customers are beginning to realize that they now need to figure out how to use the cards to access data.

So for example, an Army user may require access to a Marine Corps application, Stratyner said. Quest identity management software would enable the authentication of the Army user’s identity for use in the Marine Corps system.

“Say I’m in the Army as a new employee and I get an HSPD-12 card,” Stratyner mused. “I come into an Army facility and I can log into the desktop. I can log in using a Microsoft account. But what if I’m also responsible for managing data that sits on a Unix box? Right now I have to have a different card to get to the data on that box.

“One thing we do is provide software that would allow that Unix box to natively integrate with Active Directory, which is what most agencies have to coordinate their operating systems. I would then be able to use that HSPD-12 card—that same one I used to get into the door and that same one I used to get on my desktop—to login to that Unix box,” he added. “We are letting people realize one of the ultimate goals of HSPD-12 with one secure identity that gets access to multiple secure sources of information or locations.”

Users must find HSPD-12 to be portable and interoperable with different data systems and agencies to be truly effective, Stratyner said. Quest is helping both the Army and Marine Corps to deal with those issues, providing assistance to streamline processes around identity management.

“HSPD-12 was a little pebble dropped in the pond, and now they are starting to be touched by the logical access ripple and they are not quite sure what to do about it. I’m not seeing a lot of holistic plans at these agencies. In phase one, we figured out how to look at the proper papers and verify who you are. In phase two, we can put all of that data on a card and issue that card. In phase three, what do I do with that now? How do I tie the logical systems together with the physical systems and get it all to work?” Stratyner commented.

Very few agencies have a long-term plan to deal with those questions at present, he observed, but they are going to need them to figure out what their system will look like and be capable of doing over the next several years.

Cross Credentialing

Federated identity management also offers the potential for DoD and other agencies to maximize the potential of HSPD-12 credentials, according to Charles Scruggs, vice president and director of identity management and information assurance at American Systems.

To that end, American Systems is one of many companies and organizations supporting the Federation for Identity and Cross-Credentialing Systems (FiXs), which is dedicated to creating policies and procedures to enable various identity management systems to recognize and trust credentials from each other.

“So say I have a credential issued by the General Services Administration [GSA] and it has a federated certificate loaded onto it,” Scruggs said. “Now I could take that credential from GSA and go to the Department of Housing and Urban Development [HUD]. As long as they recognize and trust the FiXs root, they could trust that credential without issuing their own credential at HUD.”

The FiXs certificate is cross-certified with the DoD public key infrastructure, Scruggs noted, so DoD networks could verify someone carrying a FiXs credential. To his knowledge, FiXs is the only federated identity management entity that has a cross-credentialing memorandum of understanding with DMDC.
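The federation and "flash pass" points made by Jones above, and Scruggs's description of trusting the FiXs root, come down to three checks a door or network makes against the card itself: the card's certificate chains to a root the relying party trusts, the certificate has not been revoked, and the card proves it holds the certified private key. The following Go program is an added example, not code from the article or from any of the vendors it quotes; it uses Ed25519 keys and an in-memory map as stand-ins for the RSA/ECDSA certificates and CRL/OCSP services of a real PIV deployment, and the names "FiXs Root" and "Agency CA" are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue generates a key pair and certifies it under parent/parentKey; a nil parent yields a self-signed root.
func issue(cn string, isCA bool, serial int64, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed: the root signs itself
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Card is what a PIV-style card presents: its certificate, its issuer's certificate, and a key that never leaves the card.
type Card struct { Cert, Issuer *x509.Certificate; Key ed25519.PrivateKey }
// authenticate is the relying party's check; root is its single trust anchor (the FiXs root in the article's example) and revoked stands in for a CRL/OCSP lookup keyed by issuer and serial.
func authenticate(c Card, root *x509.Certificate, revoked map[string]bool) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(c.Issuer)
	// 1. Federation: the card's certificate must chain to the trusted root through its issuer.
	if _, err := c.Cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err
	}
	// 2. A well-formed card of a departed employee is caught only by checking revocation.
	if revoked[c.Cert.Issuer.String()+"/"+c.Cert.SerialNumber.String()] {
		return errors.New("certificate revoked")
	}
	// 3. Proof of possession: the card signs a fresh challenge with the certified key.
	nonce := make([]byte, 32)
	rand.Read(nonce)
	if !ed25519.Verify(c.Cert.PublicKey.(ed25519.PublicKey), nonce, ed25519.Sign(c.Key, nonce)) {
		return errors.New("challenge signature invalid")
	}
	return nil
}
```

A card held up as a flash pass satisfies none of these checks, while a card from another agency chained under the same root passes the first without that agency issuing a second credential.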

The concept of “one badge, one government” represents a dream that Scruggs first encountered when he started work at the National Security Agency 30 years ago.

“I can remember times in my life when I had as many as 12 or 13 badges hanging around my neck. The aspect of one badge to get me in and out of different government agencies or even just taking a couple of those badges off my neck seemed to me like it was a really great idea. That was 30 years ago, and now it seems like it might get close to happening before I retire,” he quipped.

American Systems is assisting two large federal departments with their HSPD-12 conversions. One of those is the Department of Veterans Affairs, which sometimes shares facilities and information systems with DoD.

“The VA is probably one of the leading agencies in terms of real HSPD-12 deployment. They awarded a contract to EDS to actually deploy their whole infrastructure and to train their employees. As a subcontractor to EDS, we are the guys doing the deployment of all the enrollment workstations at 240 VA locations across the country,” Scruggs said.

American Systems also has been assisting the Department of State, which had established a smart card infrastructure before 9/11 and the HSPD-12 mandate.

“So when the HSPD-12 requirement came out, the Department of State was in a very enviable position where they already had a lot of what HSPD-12 was looking for right off the bat,” Scruggs recalled. “Now across the infrastructure, as deployments have started to happen and as we see people trying to implement some of these things, we have found that since the Department of State rolled their infrastructure out so long ago, some of the equipment they have does not meet the requirements of HSPD-12, and some of the equipment may but it needs to be upgraded.

“We are upgrading the card readers that will be used with the new Department of State identity cards. We rolled out an infrastructure of new readers, in some cases upgrading firmware and in some cases pulling out old readers in favor of new ones, so we have backwards capability with all the old Department of State badges but forward compatibility with the new HSPD-12 Department of State badges,” he added.

Another part of the genius of HSPD-12 standards is that the loss of a PIV card would not compromise government employees at any of these agencies, Scruggs said.

“There is no private information on any of these cards. Even the fingerprint data collected on these HSPD-12 cards is not a fingerprint. It is something called minutiae. They take your fingerprint and run it through an algorithm. That produces a number. That number is unique to your fingerprint but there is no way to reverse-engineer the number to find out what your fingerprint is,” he said. “Your fingerprint is not on your card so there’s nothing to worry about.” ♦