Presentation on theme: "“Personal Identity Verification (PIV) of Federal Employees and Contractors” October 27, 2005 Homeland Security Presidential Directive 12 (HSPD-12)"— Presentation transcript:
“Personal Identity Verification (PIV) of Federal Employees and Contractors” October 27, 2005 Homeland Security Presidential Directive 12 (HSPD-12)
2 HSPD-12 Briefing Outline Executive Summary Implementation Highlights Where We Are Now Issues
3 Executive Summary HSPD-12 Homeland Security Presidential Directive 12 was signed by President Bush Aug. 27, 2004 “…It is the policy of the United States to enhance security, increase government efficiency, reduce identity fraud, and protect personal privacy…” Improved personal identity verification (PIV) of all federal employees and contractors. Interoperable ID badges/ “ smart cards. ”
4 Executive Summary HSPD-12 Control Objectives “Secure and reliable forms of identification” must be: Issued based on sound criteria for verifying an individual employee ’ s identity. Strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation. Able to be rapidly authenticated electronically. Issued only by providers whose reliability has been established by an official accreditation process.
5 Executive Summary To implement, we must… Strengthen and standardize identity verification process. Operate a comprehensive PIV card authentication and personal identity verification system. Procure standard ID badges/ smartcards, readers, and PKI services per FIPS 201. Capture index fingerprints on PIV card, and store fingerprints in database.
6 Executive Summary Guidance and Standards Federal Information Processing Standards 201 (FIPS) for HSPD-12 developed by NIST. FIPS 201 breaks down requirements into “ PIV I ” and “ PIV II. ” Includes NIST Special Publications SP – Smart card requirements. SP – Biometric requirements (fingerprints). SP – Cryptographic requirements (PKI). SP – Certification and accreditation (C&A). SP – Testing procedures for PIV products.
7 Executive Summary FIPS 201 (Part 1 & II) PIV I – the process Strengthens “identity-proofing” and background investigations. Defines credential issuance process. Mandates privacy protections. PIV II - components of the PIV system Interoperable PIV Card. Card Management Subsystem. Access Control Subsystem. Identity Management System (IDMS). PKI credential.
8 Implementation Highlights Due Dates By Oct. 27, 2005: PIV-I: Identity proofing and credential issuance process complies with FIPS 201, part 1. Completed. By Oct. 27, 2006: PIV-II: New employees/ contractors: Issue only PIV-II compliant cards and require use for both physical and logical access. Existing employees/ contractors: Begin replacing cards. FBI National Criminal History (fingerprint) Check portion of background investigation before PIV Card issuance. Full National Agency Check with Inquiries (NACI) must follow. By Oct. 27, 2007: Finish replacing cards for current employees/ contractors and require use for both physical and logical access. All federal employees with less than 15 years of service and all contractors must be identity proofed with a minimum of a NACI.
9 Where We Are Now Currently compliant with all FIPS 201 requirements for PIV I. PIV I Guidance issued. New PIV I form being utilized. New HR hiring practices are in place. Conducted training for all OSEP employees associated in PIV I process. CPO conducted Contracting Officers training. New HUDAR clause is written. OSEP has started Certification and Accreditation process. GSA currently working on hiring contractor support for future DSX upgrades and additional hardware.
10 Government Wide HUD Involvement Federal Identity Credentialing Committee (FICC) Interagency Partnership Working Group meetings Smart Card Interagency Advisory Board (IAB) Interagency Privacy Committee
11 Next Steps Future Issues: High project implementation costs. Integration of DSX to HUD infrastructure. HUD computer network access will require use of PIV card (including PKI credential). PKI credential has never been used in HUD environment. Procurement risks: Currently there are no products or services that are certified to be FIPS 201 compliant. GSA will require purchases of products using Schedule 70 (HITS?). GSA will not have new Schedule 70 in place until May 2006.