Presentation is loading. Please wait.

Presentation is loading. Please wait.

Federal CIO Council Information Security and Identity Management Committee IDManagement.gov Enterprise PACS Best Practices June 18, 2013 J’son Tyson &

Similar presentations


Presentation on theme: "Federal CIO Council Information Security and Identity Management Committee IDManagement.gov Enterprise PACS Best Practices June 18, 2013 J’son Tyson &"— Presentation transcript:

1 Federal CIO Council Information Security and Identity Management Committee IDManagement.gov Enterprise PACS Best Practices June 18, 2013 J’son Tyson & Will Morrison Co-Chair, ICAMSC Modernized Physical Access Working Group (MPAWG)

2 2  Review Evolution of PIV and PACS  Discuss PACS-enabled Authentication Mechanisms  Identify the PACS in EPACS Requirements  Review the MPAWG and get involved! Agenda

3 3 Homeland Security Presidential Directive 12 was issued August 27, 2004 to create a common identification standard for federal employees and contractors for accessing federally- controlled facilities and federal information systems. HSPD- 12 aimed to:  Enhance security  Increase Federal Government efficiency  Reduce identity fraud  Create government-wide standard for secure and reliable forms of identification Evolution of PIV and for PACS

4 4 200020022003 2011 M-11-11 February 2011 20042005 FIPS 201 February 2005 2006 FIPS 201-1 March 2006 2008 20092010 2007 2013 FICAM Roadmap & Implementation Guidance v1.0 November 2009 SP 800-116 November 2008 HSPD-12 August 2004 *FICAM Roadmap & Implementation Guidance v2.0 Dec. 2011 M-05-24 August 2005 2012 *Including Chapter 10: Modernized PACS ICAMSC PIV in EPACS Guidance (update to federated PACS Guidance) Anticipated 2013 FIPS 201-2 Anticipated 2013

5 5 What is next for the PACS world? Federal Information Processing Standards Publication 201-2 (FIPS 201-2) Anticipated:  Nexus for updating NIST SP 800-116  Deprecates use of CHUID as an authentication mechanism (low)  CAK becomes mandatory  Impose use of PKI-AUTH (PAK) or CAK for token authentication Evolution of PIV and for PACS

6 6 PACS-enabled Authentication Mechanisms An agency PACS cannot be considered PIV-enabled if it is not leveraging the authentication mechanisms in accordance with the guidance in SP 800-116.  Federal Agency Smart Credential Number (FASC-N): A fixed length (75 Bit) data object; the primary identified on the PIV Card for physical access control.  FASC-N Identifier: A subset of the FASC-N, it is a unique identifier. For full interoperability of a PACS it must at a minimum be able to distinguish fourteen digits (i.e., a combination of an Agency Code, System Code, and Credential Number) when matching FASC-N based credentials to enrolled card holders.  Cardholder Unique Identifier (CHUID): An authentication mechanism that is implemented by transmission of the data object from the PIV Card to the PACS. Source: NIST SP 800-116

7 7  Card Authentication Key (CAK) [‘keyk’]: Defined in NIST SP 800-73; An authentication mechanism that is implemented by a key challenge/response protocol  Public Key Infrastructure (PKI): Defined in X.509 Certification Policy for the Federal Bridge Certification Authority (FBCA); A set of policies, processes, server platforms, software, and workstations used for administering certificates and public/private key pairs, including the ability to issue, maintain, and revoke public key certificates.  PKI-PIV Authentication Key (PKI-AUTH) or (PAK): Defined in FIPS 201-2; A PIV authentication mechanism that is implemented by an asymmetric key challenge/response protocol using the PIV authentication key of the PIV card and a contact reader. PACS-enabled Authentication Mechanisms

8 8 ∆ How is your agency planning to accommodate potential PACS-related changes (i.e., FIPS 201-2, NIST SP 800-116-1, etc.)? ∆ Is your agency facing challenges around use of PKI-Auth or CAK for token authentication and if so, what types of challenges? Discussion Items

9 9 PACS-enabled Authentication Mechanisms What are the Challenge Factors? Something you H AVE e.g., PIV or PIV-I Card (Challenge/Response) Something you K NOW e.g., PIN (to unlock card) Something you A RE e.g., Biometrics (fingerprint, iris)

10 10 PACS-enabled Authentication Mechanisms Source: NIST SP 800-116 Security AreasItem Description Controlled1 Limited2 Exclusion3

11 11 PACS-enabled Authentication Mechanisms CL? = Authentication Mode is available on the contactless interface INT? = Authentication Mode is interoperable across cards from other PIV issuers FactorsPACS-enabled Authentication MechanismMax ConfidenceCL?INT?Factors No Factor PIN to PIV/PIV-I (without cryptography)No confidenceCL CHUID (FASC-N, UUID)No confidenceCL One Factor CHUID + VIS Little or No Confidence CLHave BIOSome Confidence-Are CAKSome ConfidenceCLHave CHUID + PIN to PACSSome ConfidenceCLKnow CHUID + BIO to PACSSome ConfidenceCLAre      

12 12 PACS-enabled Authentication Mechanisms FactorsPACS-enabled Authentication MechanismMax ConfidenceCL?INT?Factors Two Factor CAK + PIN to PACSHigh ConfidenceCLHave + Know CAK + BIO to PACSHigh ConfidenceCLAre + Have PKI-Auth (PAK)High Confidence-Know + Have Three Factor PKI-Auth (PAK) + BIOVery High Confidence-Know + Are + Have PKI-Auth (PAK) + BIO to PACSVery High Confidence-Know + Are + Have CAK + BIOVery High Confidence-Know + Are + Have CAK + BIO to PACS + PIN to PACSVery High ConfidenceCLKnow + Are + Have BIO-AVery High ConfidenceKnow + Are + Have     CL? = Authentication Mode is available on the contactless interface INT? = Authentication Mode is interoperable across cards from other PIV issuers

13 13 PACS will need to:  Provision or register the PIV Authentication Key (PKI- AUTH / PAK) or Card Authentication Cert (CAK) OR  Provision or register a PKI credential derived from PAK/CAK AND  Electronically validate PKI certificate  Validate/Challenge the private key of registered PIV/PKI certificate PIV in EPACS

14 14 What steps is your agency taking to implement an enterprise PACS? Discussion Items

15 15 MPAWG Overview Working Group Description: Facilitates the implementation and use of the technology and processes related to a modernized PACS. Functions:Coordinate with the Interagency Security Committee (ISC) to harmonize policy and guidance related to PACS Create guidance on enabling and configuring PACS to accept PIV and PIV-I credentials Coordinate with industry and PACS product vendors on behalf of the ICAMSC to ensure alignment with ICAM guidance and requirements Membership Profile:Minimum of one standing member who is a member of the ISC Representatives designated by their agency for physical security implementation/development Experience writing/reviewing technical physical access guidance Understanding of PIV-enablement for PACS (or a desire to understand) Federal Employee or Contractor sponsored by agency

16 16 MPAWG Docket Item NameItem DescriptionStatus Enterprise PACS Guidance (PIV in EPACS) Guidance on establishing Enterprise PACSFrom AWG's 2011 docket Selecting PIV Authentication Mechanisms for PACS Guidance to bridge the ISC facility risk assessment process and ICAM guidance for using PIV in PACS Recommended from ICAMSC Governance Review PACS Implementation MetricsA set of metrics to track and capture PACS implementations across agencies to be submitted as part of annual FISMA metric reporting. Recommended from ICAMSC PACS Policy and Guidance Gap Analysis An analysis of the gaps between PACS policy and guidance. Recommended from ICAMSC Governance Review GSA Schedule AnalysisAn analysis of where there are inconsistencies across the PACS products on the schedules and contradictions with the APL Recommended from ICAMSC Governance Review Mandatory PIV Usage GuidanceTechnical guidance on how to implement a mandatory PIV “usage” Recommended from ICAMSC Governance Review

17 17 o In what areas does your agency need more guidance to support implementation of an enterprise PACS? o What approaches or “best practices” to implementing an enterprise PACS have successfully worked for your agency? o What advice or “lessons learned” would you give to other agencies in the initial stages of implementing an enterprise PACS? Discussion Items

18 18  Will Morrison, FAA  William.Morrison@faa.gov  J’son Tyson, FEMA  J'son.Tyson@fema.dhs.gov Get Involved in the MPAWG

19 19 Align Collaborate Enable

20 20 Challenge Factors  Grayed areas do not appear in NIST SP 800-116 Low assurance factors indicate no cryptographic verification The CAK may be a symmetric or asymmetric key


Download ppt "Federal CIO Council Information Security and Identity Management Committee IDManagement.gov Enterprise PACS Best Practices June 18, 2013 J’son Tyson &"

Similar presentations


Ads by Google