Presentation on theme: "Enterprise PACS Best Practices"— Presentation transcript:
1Enterprise PACS Best Practices J’son Tyson & Will MorrisonCo-Chair,ICAMSC Modernized Physical AccessWorking Group (MPAWG)June 18, 2013
2Agenda Review Evolution of PIV and PACS Discuss PACS-enabled Authentication MechanismsIdentify the PACS in EPACS RequirementsReview the MPAWG and get involved!
3Evolution of PIV and for PACS Homeland Security Presidential Directive 12 was issued August 27, 2004 to create a common identification standard for federal employees and contractors for accessing federally- controlled facilities and federal information systems. HSPD- 12 aimed to:Enhance securityIncrease Federal Government efficiencyReduce identity fraudCreate government-wide standard for secure and reliable forms of identification
4Evolution of PIV and for PACS SPNovember 2008FIPS 201February 2005HSPD-12August 2004FIPS 201-1March 2006M-05-24August 20052000200220032004200520062007200820092010201120122013M-11-11February 2011ICAMSC PIV in EPACS Guidance (update to federated PACS Guidance)Anticipated 2013FIPS 201-2Anticipated 2013FICAM Roadmap & ImplementationGuidance v1.0November 2009*FICAM Roadmap & ImplementationGuidance v2.0Dec. 20112011*Including Chapter 10: Modernized PACS
5Evolution of PIV and for PACS What is next for the PACS world?Federal Information Processing Standards Publication (FIPS 201-2)Anticipated:Nexus for updating NIST SPDeprecates use of CHUID as an authentication mechanism (low)CAK becomes mandatoryImpose use of PKI-AUTH (PAK) or CAK for token authentication
6PACS-enabled Authentication Mechanisms An agency PACS cannot be considered PIV-enabled if it is not leveraging the authentication mechanisms in accordance with the guidance in SPFederal Agency Smart Credential Number (FASC-N):A fixed length (75 Bit) data object; the primary identified on the PIV Card for physical access control.FASC-N Identifier: A subset of the FASC-N, it is a unique identifier.For full interoperability of a PACS it must at a minimum be able to distinguish fourteen digits (i.e., a combination of an Agency Code,System Code, and Credential Number) when matching FASC-Nbased credentials to enrolled card holders.Cardholder Unique Identifier (CHUID):An authentication mechanism that is implemented by transmission of the data object from the PIV Card to the PACS.Source: NIST SP
7PACS-enabled Authentication Mechanisms Card Authentication Key (CAK) [‘keyk’]:Defined in NIST SP ; An authentication mechanism that is implemented by a key challenge/response protocolPublic Key Infrastructure (PKI): Defined in X.509 Certification Policy for the Federal Bridge Certification Authority (FBCA); A set of policies, processes, server platforms, software, and workstations used for administering certificates and public/private key pairs, including the ability to issue, maintain, and revoke public key certificates.PKI-PIV Authentication Key (PKI-AUTH) or (PAK): Defined in FIPS 201-2; A PIV authentication mechanism that is implemented by an asymmetric key challenge/response protocol using the PIV authentication key of the PIV card and a contact reader.
8Discussion ItemsHow is your agency planning to accommodate potential PACS-related changes (i.e., FIPS 201-2, NIST SP , etc.)?Is your agency facing challenges around use of PKI-Auth or CAK for token authentication and if so, what types of challenges?
9PACS-enabled Authentication Mechanisms What are the Challenge Factors?Something you Havee.g., PIV or PIV-I Card (Challenge/Response)Something you Knowe.g., PIN (to unlock card)Something you Aree.g., Biometrics (fingerprint, iris)
11PACS-enabled Authentication Mechanisms FactorsPACS-enabled Authentication MechanismMax ConfidenceCL?INT?NoFactorPIN to PIV/PIV-I (without cryptography)No confidenceCLCHUID (FASC-N, UUID)OneCHUID + VISLittle or No ConfidenceHaveBIOSome Confidence-AreCAKCHUID + PIN to PACSKnowCHUID + BIO to PACSCL? = Authentication Mode is available on the contactless interfaceINT? = Authentication Mode is interoperable across cards from other PIV issuers
12PACS-enabled Authentication Mechanisms FactorsPACS-enabled Authentication MechanismMax ConfidenceCL?INT?Two FactorCAK + PIN to PACSHigh ConfidenceCLHave + KnowCAK + BIO to PACSAre + HavePKI-Auth (PAK)-Know + HaveThree FactorPKI-Auth (PAK) + BIOVery High ConfidenceKnow + Are + HavePKI-Auth (PAK) + BIO to PACSCAK + BIOCAK + BIO to PACS + PIN to PACSBIO-ACL? = Authentication Mode is available on the contactless interfaceINT? = Authentication Mode is interoperable across cards from other PIV issuers
13PIV in EPACS PACS will need to: Provision or register the PIV Authentication Key (PKI- AUTH / PAK) or Card Authentication Cert (CAK)ORProvision or register a PKI credential derived from PAK/CAKANDElectronically validate PKI certificateValidate/Challenge the private key of registered PIV/PKI certificate
14Discussion ItemsWhat steps is your agency taking to implement an enterprise PACS?
15MPAWG Overview Working Group Description: Facilitates the implementation and use of the technology and processes related to a modernized PACS.Functions:Coordinate with the Interagency Security Committee (ISC) to harmonize policy and guidance related to PACSCreate guidance on enabling and configuring PACS to accept PIV and PIV-I credentialsCoordinate with industry and PACS product vendors on behalf of the ICAMSC to ensure alignment with ICAM guidance and requirementsMembership Profile:Minimum of one standing member who is a member of the ISCRepresentatives designated by their agency for physical security implementation/developmentExperience writing/reviewing technical physical access guidanceUnderstanding of PIV-enablement for PACS (or a desire to understand)Federal Employee or Contractor sponsored by agency
16MPAWG Docket Item Name Item Description Status Enterprise PACS Guidance (PIV in EPACS)Guidance on establishing Enterprise PACSFrom AWG's 2011 docketSelecting PIV Authentication Mechanisms for PACSGuidance to bridge the ISC facility risk assessment process and ICAM guidance for using PIV in PACSRecommended from ICAMSC Governance ReviewPACS Implementation MetricsA set of metrics to track and capture PACS implementations across agencies to be submitted as part of annual FISMA metric reporting.Recommended from ICAMSCPACS Policy and Guidance Gap AnalysisAn analysis of the gaps between PACS policy and guidance.GSA Schedule AnalysisAn analysis of where there are inconsistencies across the PACS products on the schedules and contradictions with the APLMandatory PIV Usage GuidanceTechnical guidance on how to implement a mandatory PIV “usage”
17Discussion ItemsIn what areas does your agency need more guidance to support implementation of an enterprise PACS?What approaches or “best practices” to implementing an enterprise PACS have successfully worked for your agency?What advice or “lessons learned” would you give to other agencies in the initial stages of implementing an enterprise PACS?
18Get Involved in the MPAWG Will Morrison, FAAJ’son Tyson, FEMA
19Align Collaborate Enable ICAM Mission Align federal agencies around common practices by fostering effective government-wide identity, credential and access management Collaborate with federal government and external identity management activities (non-federal, commercial and more) to leverage best practices and enhance interoperabilityEnable trust and interoperability in online transactions, through the application of common policies and approaches, in activities that cross organizational boundaries
20Challenge Factors Grayed areas do not appear in NIST SP 800-116 Low assurance factors indicate no cryptographic verificationThe CAK may be a symmetric or asymmetric key