NASA PKI and the Federal Environment. 13th Fed-Ed PKI Meeting, 15 June '06. Presenter: Tice DeYoung.

1 NASA PKI and the Federal Environment
13th Fed-Ed PKI Meeting, 15 June '06
Presenter: Tice DeYoung

2 Background
- eGov Act of 2002 established 24 applications in 4 areas
  - Government to Citizen
  - Government to Business
  - Government to Government
  - Internal Efficiency & Effectiveness
  - 25th, eAuthentication Initiative, cut across all four areas
    - Provides a consistent means to authenticate identity of users
- December 2003 - OMB 04-04 established 4 identity authentication assurance levels for eGov transactions
  - 1: Little or no assurance
  - 2: Some assurance
  - 3: High assurance
  - 4: Very high assurance
- April-May 2004 - NASA updated our PKI requirements
  - Extant requirements developed in 1997
  - Need to update for changing NASA environment
- June 2004 - NIST 800-63 provided technical requirements for each authentication level
  - 1: PINs
  - 2: Passwords
  - 3: PKI software
  - 4: PKI hardware

3 Background, cont.
- August 2004 - Homeland Security Presidential Directive #12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors
  - Mandated that NIST develop a Government-wide standard for secure and reliable forms of identification to be issued by the Federal Government to its employees and contractors
- September 2004 - NASA decides to continue using Entrust as its PKI and outsource operations to the Department of the Treasury
- December 2004 - OMB 05-05 required agencies to use a Shared Service Provider (SSP)
- February 2005 - NIST Federal Information Processing Standard (FIPS) 201: Personal Identity Verification for Federal Employees and Contractors (update draft March 2006)
  - Required a myriad of NIST Special Publications with guidance on different aspects of FIPS-201: 800-73, 800-76, 800-78, 800-79, 800-85A, 800-85B, 800-87, 800-96
- August 2005 - OMB 05-24 required agencies to develop and submit an HSPD-12 implementation plan

4 FIPS-201 PKI Implications
- Mandates a PKI authentication certificate be on the PIV 2 compliant smart card
- Mandates two-factor authentication for logical access to all agencies' computer and network resources
- Mandates PKI key sizes and digital signature algorithms
- Requires changes to the FPKI Common Policy Framework Certificate Policy

5 So What Does This Mean for the NASA PKI?
- NASA must provide PKI credentials to all employees and on-site (behind the firewall) contractors
  - NASA purchased 100,000 Entrust licences in March 2005
- Treasury must become an SSP if NASA wants to outsource our PKI operations to them
  - Treasury agrees and submits their application in April 2005
  - Treasury completes the process June 2006
- NASA must begin to provide background checks for all new employees and contractors by October 27, 2006
- NASA must begin to issue FIPS-201 PIV 2 compliant badges to all new employees and contractors by October 27, 2006
  - These badges must include a PKI authentication certificate
- NASA must have an approved HSPD-12 implementation plan
  - Submitted December 2005
  - OMB is asking agencies to update their plan by August 2006
- NASA must begin using two-factor authentication for all logical access to NASA resources

6 So What Does This Mean for the Federal PKI?
- FPKI Common Policy Changes
  - Need to include OIDs for new authentication certificate
  - Need to include requirements for availability of CAs
  - Need to include requirements for availability of CRLs
  - Need to change publication frequency for CRLs
  - Need to change encryption and digital signature key sizes
    - Increase from current 1024 bit RSA to 2048 bit by 1 January 2009
  - Need to change digital signature algorithm
    - Move from current SHA-1 to SHA-224 or SHA-256 by 1 January 2011
- Common Policy and FBCA Harmonization Required
  - One change will be agencies cross-certified with FBCA must assert the common policy OID beginning in 2008
- Forces agencies to make changes to their PKIs to comply
- Unclear whether or not an agency must be subordinate to Common Policy CP starting in 2008

7 Backup Slides

8 NIST 800 Series Related to FIPS 201
- 800-73 Interfaces for Personal Identity Verification, March 2006 (updated April 20, 2006)
- 800-76 Biometric Data Specification for Personal Identity Verification, February 2006
- 800-78 Cryptographic Algorithms and Key Sizes for Personal Identity Verification, April 2005
- 800-79 Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations, July 2005
- 800-85A PIV Card Application and Middleware Interface Test Guidelines (SP800-73 compliance), April 2006
- Draft 800-85B, PIV Data Model Conformance Test Guidelines, May 25, 2006
- 800-87 Codes for the Identification of Federal and Federally-Assisted Organizations, October 2005 (document updated January 17, 2006)
- Draft SP800-96 PIV Card/Reader Interoperability Guidelines

9 NASA's Relationship to the FBCA & Common Policy CA
[Diagram. Nodes: Common Policy CA, Federal Bridge CA, Treasury Root CA (TRCA), NASA Operational CA (NOCA). Link labels: Sub Authorized [subordinate reference] (twice), Cross Certification [mutual or two-way reference] (twice).]

10 NASA's Original PKI Architecture
[Diagram. Labels as extracted: RA Operation, CA Operation, PKI Directory, FBCA Cross Certification Policy, Tech Support, User & RA Software Testing & Distribution, Training, Documentation, SuperRA Service, PK Enabled Services. Organization shown: NASA.]

11 NASA's SSP PKI Architecture
[Diagram. Labels as extracted: RA Operation, CA Operation, PKI Directory, FBCA Cross Certification Policy, Tech Support, User & RA Software Testing & Distribution, Training, Documentation, SuperRA Service, PK Enabled Services. Organizations shown: Treasury, NASA.]
