Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 HSPD-12 Compliance: The Role of Federal PKI Judith Spencer Chair, Federal Identity Credentialing Office of Governmentwide Policy General Services Administration.

Published byReuben Rhoads Modified over 9 years ago

Similar presentations

Presentation on theme: "1 HSPD-12 Compliance: The Role of Federal PKI Judith Spencer Chair, Federal Identity Credentialing Office of Governmentwide Policy General Services Administration."— Presentation transcript:

1 1 HSPD-12 Compliance: The Role of Federal PKI Judith Spencer Chair, Federal Identity Credentialing Office of Governmentwide Policy General Services Administration judith.spencer@gsa.gov

2 2 Genesis July 2001 – Presidential commitment to moving E-Government forward February 2002 – E-Authentication Initiative launched April 2003 – CIO Council charters Federal Identity Credentialing Committee December 2003 – E-Authentication Guidance to Federal Agencies issued August 2004 – HSPD-12 Issued

3 3 1. Federal Asset Sales 2. Online Rulemaking Management 3. Simplified and Unified Tax and Wage Reporting 4. Consolidated Health Informatics 5. Business Compliance 1 Stop 6. Int’l Trade Process Streamlining Government to Govt. Internal Effectiveness and Efficiency 1. e-Vital (business case) 2. e-Grants 3. Disaster Assistance and Crisis Response 4. Geospatial Information One Stop 5. Wireless Networks 1. e-Training 2. Recruitment One Stop 3. Enterprise HR Integration 4. e-Travel 5. e-Clearance 6. e-Payroll 7. Integrated Acquisition 8. e-Records Management PMC E-Government Agenda Government to BusinessGovernment to Citizen 1. USA Service 2. EZ Tax Filing 3. Online Access for Loans 4. Recreation One Stop 5. Eligibility Assistance Online

4 4 The Mandate Home Security Presidential Directive 12 (HSPD-12): “Policy for a Common Identification Standard for Federal Employees and Contractors” Dated: August 27, 2004

5 5 The Control Objectives Secure and reliable forms of personal identification that are: Based on sound criteria to verify an individual employee’s identity Strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation Rapidly verified electronically Issued only by providers whose reliability has been established by an official accreditation process

6 6 Applicability & Use Applicable to all government organizations and contractors (except identification associated with National Security Systems) Used for access to Federally-controlled facilities and logical access to Federally-controlled information systems Flexible in selecting appropriate security level – includes graduated criteria from least secure to most secure Implemented in a manner that protects citizens’ privacy

7 7 Sound Criteria to Verify an Individual Employee’s Identity Organization shall use an approved identity proofing and registration process including: ― Require two identity source documents in original form from the list associated with Form I-9, Employment Eligibility Verification. At least one document shall be a valid State or Federal government-issued picture identification ― National Agency Check with Written Inquiries (NACI) or equivalent. ― FBI National Criminal History Fingerprint Check completion before credential issuance. ― In-person appearance at least once before credential issuance Controls must ensure that no single individual can authorize issuance of a PIV credential Standardize the Identity Credential Issuance Process as follows:

8 8 Strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation Mandatory Electronic Data All data from Topology PIN Cardholder Unique Identifier (CHUID) PIV Authentication Data (asymmetric key pair and corresponding PKI certificate) Two biometric fingerprints Optional Electronic Data: Asymmetric key pair and corresponding certificate for digital signatures Asymmetric key pair and corresponding certificate for key management Asymmetric or symmetric card authentication keys for supporting confidentiality (encryption) Additional biometrics Minimum Cryptographic mechanisms specified in SP800-78.

9 9 FIPS-201 Requirements (Section 4.3) The PIV Card has a single mandatory key and four types of optional keys: + The PIV authentication key shall be an asymmetric private key supporting card authentication for an interoperable environment, and it is mandatory for each PIV Card. + The card authentication key may be either a symmetric (secret) key or an asymmetric private key for physical access, and it is optional. + The digital signature key is an asymmetric private key supporting document signing, and it is optional. + The key management key is an asymmetric private key supporting key establishment and transport, and it is optional. This can also be used as an encryption key. + The card management key is a symmetric key used for personalization and post- issuance activities, and it is optional. All PIV cryptographic keys shall be generated within a FIPS 140-2 validated cryptomodule with overall validation at Level 2 or above. In addition to an overall validation of Level 2, the PIV Card shall provide Level 3 physical security to protect the PIV private keys in storage.

10 10 Determining Assurance Levels E-Authentication Guidance for Federal Agencies, issued by the Office of Management & Budget, Dec. 16, 2003 — http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf — About identity authentication, not authorization or access control — Incorporates Standards for Security Categorization of Federal Information and Information Systems (FIPS-199) NIST SP800-63: Recommendation for Electronic Authentication — Companion to OMB e-Authentication guidance — http://csrc.nist.gov/eauth — Covers conventional token based remote authentication

11 11 M-04-04:E-Authentication Guidance for Federal Agencies OMB Guidance establishes 4 authentication assurance levels Level 4Level 3Level 2Level 1 Little or no confidence in asserted identity Some confidence in asserted identity High confidence in asserted identity Very high confidence in the asserted identity Assurance Levels Self-assertion minimum records On-line, instant qualification – out-of- band follow-up On-line with out-of- band verification for qualification Cryptographic solution In person proofing Record a biometric Cryptographic Solution Hardware Token

12 12 Assurance Level Impact Profiles Potential Impact Categories for Authentication Errors 1234 Inconvenience, distress or damage to standing or reputation LowMod High Financial loss or agency liabilityLowMod High Harm to agency programs or public interestsN/ALowModHigh Unauthorized release of sensitive informationN/ALowModHigh Personal SafetyN/A LowMod High Civil or criminal violationsN/ALowModHigh Maximum Potential Impacts

13 13 Implementing PKI in accordance with FIPS-201 X.509 Certificate Policy for the Federal Common Policy Framework –Provides minimum requirements for Federal agency implementation of PKI –Operates at FBCA Medium Assurance/E-Authentication Levels 3 and 4 –Cross-certified with the FBCA –Governing policy for the Shared PKI Service Provider program Certified PKI Shared Service Provider Program –Evaluates services against the Common Policy Framework –Conducts Operational Capabilities Demonstrations –Populates Certified Provider List with service providers who meet published criteria –Agencies not operating an Enterprise PKI must buy PKI services from certified providers

14 14 Approved Shared Service Providers Verisign, Inc Cybertrust Operational Research Consultants USDA/National Finance Center Agencies operating an Enterprise PKI cross-certified with the FBCA at Medium Assurance or higher are considered compliant with FIPS-201. In January 2008, these Enterprise PKIs will start including the Common Policy OIDs in their certificates.

15 15 Acquisition Policy Strategy Two new FAR Rules FAR Case 2005-015 –Addresses HSPD-12 requirements –Interim rule issued end of CY-05 FAR Case 2005-017 –Directs agencies to acquire only approved products –Interim Rule in Committee awaiting final approval OMB Guidance designates GSA as the “executive agent for Government-wide acquisitions of information technology" for the products and services required by HSPD-12 Acquisition services will be offered via GSA Schedule Contracts

16 16 For More Information Supporting Publications — FIPS-201 – Personal Identity Verification for Federal Employees and Contractors — SP 800-73 – Interfaces for Personal Identity Verification — SP 800-76 – Biometric Data Specification for Personal Identity Verification — SP 800-78 – Recommendation for Cryptographic Algorithms and Key Sizes — SP 800-79 – Issuing Organization Accreditation Guideline — SP 800-85 – PIV Middleware and PIV Card Application Conformance Test Guidelines NIST PIV Website (http://csrc.nist.gov/piv-project/) Federal Identity Credentialing Website (http://www.cio.gov/ficc)

Download ppt "1 HSPD-12 Compliance: The Role of Federal PKI Judith Spencer Chair, Federal Identity Credentialing Office of Governmentwide Policy General Services Administration."

Similar presentations

June 27, 2005 Preparing your Implementation Plan.

June 27, 2005 Preparing your Implementation Plan.
JCAHO –A HIPAA Business Associate National HIPAA Summit

JCAHO –A HIPAA Business Associate National HIPAA Summit
Cerner Presentation to S&I esMD Workgroup – Industry Scan

Cerner Presentation to S&I esMD Workgroup – Industry Scan
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
1 U.S. General Services Administration E-Government Procurement: Standard Transactions and Interoperability David Temoshok Director, Federal Identity Management.

1 U.S. General Services Administration E-Government Procurement: Standard Transactions and Interoperability David Temoshok Director, Federal Identity Management.
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
The Legal Foundation TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.

The Legal Foundation TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.
FIPS 201 Framework: Special Pubs 800-73,76,78 Jim Dray HSPD-12 Workshop May 4/5, 2005.

FIPS 201 Framework: Special Pubs ,76,78 Jim Dray HSPD-12 Workshop May 4/5, 2005.
Status of U.S. Smart Card Deployment Jim Dray Porvoo 7/ World eID Meeting May 2005.

Status of U.S. Smart Card Deployment Jim Dray Porvoo 7/ World eID Meeting May 2005.
Single Sign-On and Federated Authentication at NIH and Beyond

Single Sign-On and Federated Authentication at NIH and Beyond
Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.

Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.
Overview of US Federal Identity Management Initiatives Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority and Asst. CIO E-Authentication, NIH.

Overview of US Federal Identity Management Initiatives Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority and Asst. CIO E-Authentication, NIH.
Brian Epley, VA PIV Program Manager

Brian Epley, VA PIV Program Manager
Institutional Transformation of Government in the Network Society Jane E. Fountain Director, National Center for Digital Government Harvard University.

Institutional Transformation of Government in the Network Society Jane E. Fountain Director, National Center for Digital Government Harvard University.
EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
The Federation for Identity and Cross-Credentialing Systems (FiXs) www.FiXs.org FiXs ® - Federated and Secure Identity Management in Operation Implementing.

The Federation for Identity and Cross-Credentialing Systems (FiXs) FiXs ® - Federated and Secure Identity Management in Operation Implementing.
15June’061 NASA PKI and the Federal Environment 13th Fed-Ed PKI Meeting 15 June ‘06 Presenter: Tice DeYoung.

15June’061 NASA PKI and the Federal Environment 13th Fed-Ed PKI Meeting 15 June ‘06 Presenter: Tice DeYoung.
1 1 A Synopsis of Federal Information Processing Standard (FIPS) 201 for Personal Identity Verification (PIV) of Federal Employees and Contractors Presentation.

1 1 A Synopsis of Federal Information Processing Standard (FIPS) 201 for Personal Identity Verification (PIV) of Federal Employees and Contractors Presentation.
Public Key Infrastructure (PKI) Hosting Services.

Public Key Infrastructure (PKI) Hosting Services.
Department of Health and Human Services Personal Identity Verification Training APPLICANT.

Department of Health and Human Services Personal Identity Verification Training APPLICANT.

Similar presentations

Ads by Google