1 HSPD-12 Compliance: The Role of Federal PKI Judith Spencer Chair, Federal Identity Credentialing Office of Governmentwide Policy General Services Administration.

2 Genesis
- July 2001 – Presidential commitment to moving E-Government forward
- February 2002 – E-Authentication Initiative launched
- April 2003 – CIO Council charters Federal Identity Credentialing Committee
- December 2003 – E-Authentication Guidance to Federal Agencies issued
- August 2004 – HSPD-12 issued

3 PMC E-Government Agenda
Government to Citizen
1. USA Service
2. EZ Tax Filing
3. Online Access for Loans
4. Recreation One Stop
5. Eligibility Assistance Online
Government to Business
1. Federal Asset Sales
2. Online Rulemaking Management
3. Simplified and Unified Tax and Wage Reporting
4. Consolidated Health Informatics
5. Business Compliance 1 Stop
6. Int'l Trade Process Streamlining
Government to Government
1. e-Vital (business case)
2. e-Grants
3. Disaster Assistance and Crisis Response
4. Geospatial Information One Stop
5. Wireless Networks
Internal Effectiveness and Efficiency
1. e-Training
2. Recruitment One Stop
3. Enterprise HR Integration
4. e-Travel
5. e-Clearance
6. e-Payroll
7. Integrated Acquisition
8. e-Records Management

4 The Mandate
Homeland Security Presidential Directive 12 (HSPD-12): "Policy for a Common Identification Standard for Federal Employees and Contractors"
Dated: August 27, 2004

5 The Control Objectives
Secure and reliable forms of personal identification that are:
- Based on sound criteria to verify an individual employee's identity
- Strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation
- Rapidly verified electronically
- Issued only by providers whose reliability has been established by an official accreditation process

6 Applicability & Use
- Applicable to all government organizations and contractors (except identification associated with National Security Systems)
- Used for physical access to Federally-controlled facilities and logical access to Federally-controlled information systems
- Flexible in selecting the appropriate security level – includes graduated criteria from least secure to most secure
- Implemented in a manner that protects citizens' privacy

7 Sound Criteria to Verify an Individual Employee's Identity
Standardize the Identity Credential Issuance Process as follows:
The organization shall use an approved identity proofing and registration process including:
― Two identity source documents in original form from the list associated with Form I-9, Employment Eligibility Verification. At least one document shall be a valid State or Federal government-issued picture identification
― National Agency Check with Written Inquiries (NACI) or equivalent
― FBI National Criminal History Fingerprint Check completed before credential issuance
― In-person appearance at least once before credential issuance
Controls must ensure that no single individual can authorize issuance of a PIV credential (separation of duties between sponsor, registrar and issuer).

8 Strongly Resistant to Fraud, Tampering, Counterfeiting, and Terrorist Exploitation
Mandatory Electronic Data:
- All data from the card topology (the printed card surface)
- PIN
- Cardholder Unique Identifier (CHUID)
- PIV Authentication Data (asymmetric key pair and corresponding PKI certificate)
- Two biometric fingerprints
Optional Electronic Data:
- Asymmetric key pair and corresponding certificate for digital signatures
- Asymmetric key pair and corresponding certificate for key management (this is the key used for encryption / confidentiality)
- Asymmetric or symmetric card authentication keys for supporting additional physical access applications
- Additional biometrics
Minimum cryptographic mechanisms are specified in the companion NIST SP on cryptographic algorithms and key sizes (see "For More Information").

9 FIPS-201 Requirements (Section 4.3)
The PIV Card has a single mandatory key and four types of optional keys:
+ The PIV authentication key shall be an asymmetric private key supporting card authentication for an interoperable environment; it is mandatory for each PIV Card.
+ The card authentication key may be either a symmetric (secret) key or an asymmetric private key for physical access; it is optional.
+ The digital signature key is an asymmetric private key supporting document signing; it is optional.
+ The key management key is an asymmetric private key supporting key establishment and transport; it is optional. This can also be used as an encryption key.
+ The card management key is a symmetric key used for personalization and post-issuance activities; it is optional.
All PIV cryptographic keys shall be generated within a FIPS 140-2 validated cryptographic module with overall validation at Level 2 or above. In addition to the overall Level 2 validation, the PIV Card shall provide Level 3 physical security to protect the PIV private keys in storage.

10 Determining Assurance Levels
E-Authentication Guidance for Federal Agencies (OMB M-04-04), issued by the Office of Management & Budget, Dec. 16, 2003
— About identity authentication, not authorization or access control
— Incorporates Standards for Security Categorization of Federal Information and Information Systems (FIPS-199)
NIST SP 800-63: Recommendation for Electronic Authentication
— Companion to the OMB e-Authentication guidance
— Covers conventional token-based remote authentication

11 M-04-04: E-Authentication Guidance for Federal Agencies
OMB Guidance establishes 4 authentication assurance levels:
Level 1 – Little or no confidence in the asserted identity. Identity proofing: self-assertion, minimum records.
Level 2 – Some confidence in the asserted identity. Identity proofing: on-line, instant qualification with out-of-band follow-up.
Level 3 – High confidence in the asserted identity. Identity proofing: on-line with out-of-band verification for qualification. Token: cryptographic solution.
Level 4 – Very high confidence in the asserted identity. Identity proofing: in-person proofing, record a biometric. Token: cryptographic solution on a hardware token.

12 Assurance Level Impact Profiles
Maximum potential impact of an authentication error tolerated at each assurance level (columns: Level 1 / Level 2 / Level 3 / Level 4):
- Inconvenience, distress or damage to standing or reputation: Low / Mod / Mod / High
- Financial loss or agency liability: Low / Mod / Mod / High
- Harm to agency programs or public interests: N/A / Low / Mod / High
- Unauthorized release of sensitive information: N/A / Low / Mod / High
- Personal safety: N/A / N/A / Low / Mod–High
- Civil or criminal violations: N/A / Low / Mod / High
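The impact table above is applied per M-04-04 by assessing each category, finding the lowest level whose ceiling covers that impact, and taking the highest level any category demands. The following is an added worked example of that procedure (it is not code from the presentation or from OMB); the category names and the sample profile are constructed for illustration.

```python
"""Derive the required OMB M-04-04 assurance level from an impact profile.

Added example, not from the slide deck. Encodes the "Maximum Potential
Impacts" table: for each category, the worst impact an authentication error
may cause at assurance levels 1..4. The rule applied is M-04-04's: assess
each category, then take the highest level that any single category requires.
"""
from enum import IntEnum


class Impact(IntEnum):
    NA = 0      # not applicable / no impact
    LOW = 1
    MOD = 2
    HIGH = 3


# Maximum tolerated impact at assurance levels 1, 2, 3, 4 (in that order).
# Category names are this example's own labels for the slide's rows.
MAX_IMPACT = {
    "inconvenience, distress, reputation": (Impact.LOW, Impact.MOD, Impact.MOD, Impact.HIGH),
    "financial loss or agency liability": (Impact.LOW, Impact.MOD, Impact.MOD, Impact.HIGH),
    "harm to agency programs or public interests": (Impact.NA, Impact.LOW, Impact.MOD, Impact.HIGH),
    "unauthorized release of sensitive information": (Impact.NA, Impact.LOW, Impact.MOD, Impact.HIGH),
    # Personal safety: level 4 covers both moderate and high impact.
    "personal safety": (Impact.NA, Impact.NA, Impact.LOW, Impact.HIGH),
    "civil or criminal violations": (Impact.NA, Impact.LOW, Impact.MOD, Impact.HIGH),
}


def level_for_category(category: str, impact: Impact) -> int:
    """Lowest assurance level whose ceiling for this category covers `impact`."""
    for level, ceiling in enumerate(MAX_IMPACT[category], start=1):
        if impact <= ceiling:
            return level
    # Every row ends in HIGH, so this is unreachable for valid Impact values.
    raise ValueError(f"no assurance level tolerates {impact!r} for {category!r}")


def required_assurance_level(profile: dict) -> int:
    """`profile` maps category name -> assessed Impact; omitted categories count as NA.

    Returns the assurance level (1-4) the transaction needs: the maximum over
    all categories, because one severe category is enough to raise the level.
    """
    unknown = set(profile) - set(MAX_IMPACT)
    if unknown:
        raise KeyError(f"unknown impact categories: {sorted(unknown)}")
    return max(level_for_category(c, profile.get(c, Impact.NA)) for c in MAX_IMPACT)


def binding_categories(profile: dict) -> list:
    """Categories that alone demand the final level (useful when justifying the choice)."""
    target = required_assurance_level(profile)
    return sorted(c for c in MAX_IMPACT
                  if level_for_category(c, profile.get(c, Impact.NA)) == target)


if __name__ == "__main__":
    # Constructed profile: a benefits-eligibility lookup that exposes PII.
    sample = {
        "inconvenience, distress, reputation": Impact.MOD,
        "unauthorized release of sensitive information": Impact.MOD,
        "financial loss or agency liability": Impact.LOW,
    }
    print(required_assurance_level(sample), binding_categories(sample))
```

Note the asymmetry the table encodes: a moderate reputational impact only requires Level 2, but a moderate release of sensitive information pushes the same transaction to Level 3, and any moderate personal-safety impact goes straight to Level 4 (hardware token, in-person proofing).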

13 Implementing PKI in accordance with FIPS-201
X.509 Certificate Policy for the Federal Common Policy Framework
– Provides minimum requirements for Federal agency implementation of PKI
– Operates at FBCA Medium Assurance / E-Authentication Levels 3 and 4
– Cross-certified with the FBCA
– Governing policy for the Shared PKI Service Provider program
Certified PKI Shared Service Provider Program
– Evaluates services against the Common Policy Framework
– Conducts Operational Capabilities Demonstrations
– Populates the Certified Provider List with service providers who meet the published criteria
– Agencies not operating an Enterprise PKI must buy PKI services from certified providers

14 Approved Shared Service Providers
- Verisign, Inc.
- Cybertrust
- Operational Research Consultants
- USDA/National Finance Center
Agencies operating an Enterprise PKI cross-certified with the FBCA at Medium Assurance or higher are considered compliant with FIPS-201. In January 2008, these Enterprise PKIs will start including the Common Policy OIDs in their certificates.
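A relying party checks "includes the Common Policy OIDs" by reading the certificatePolicies extension of the PIV certificate and comparing the asserted policy OIDs against the Common Policy set. The following added example (not code from the presentation, GSA or NIST) does exactly that on the DER-encoded extension value, with a minimal hand-written parser for this one ASN.1 structure. The three OID values in COMMON_POLICY_OIDS are cited from memory of the Federal Common Policy CP rather than from the slides and should be verified against the current CP; the sample extension is constructed inline.

```python
"""Read the policy OIDs from an X.509 certificatePolicies extension value
and report which Federal Common Policy OIDs it asserts.

Added example, not from the slide deck. Structure handled:
  certificatePolicies ::= SEQUENCE OF PolicyInformation
  PolicyInformation   ::= SEQUENCE { policyIdentifier OBJECT IDENTIFIER,
                                     policyQualifiers ... OPTIONAL }
"""

# Assumed values (recalled from the Federal Common Policy CP; verify before use).
COMMON_POLICY_OIDS = {
    "2.16.840.1.101.3.2.1.3.7": "id-fpki-common-hardware",
    "2.16.840.1.101.3.2.1.3.13": "id-fpki-common-authentication",
    "2.16.840.1.101.3.2.1.3.17": "id-fpki-common-cardAuth",
}


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV (base-128 sub-identifiers)."""
    arcs = [int(a) for a in dotted.split(".")]
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    body = bytearray()
    for v in subids:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + _der_len(len(body)) + bytes(body)


def encode_certificate_policies(oids) -> bytes:
    """Build a certificatePolicies value with no qualifiers (used to construct test input)."""
    infos = b"".join(b"\x30" + _der_len(len(o)) + o for o in map(encode_oid, oids))
    return b"\x30" + _der_len(len(infos)) + infos


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos; rejects truncation."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    subids, v = [], 0
    for b in body:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(v)
            v = 0
    if v or not subids:
        raise ValueError("malformed OID")
    first = subids[0]
    lead = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, lead + subids[1:]))


def decode_certificate_policies(der: bytes) -> list:
    """Return the policyIdentifier OIDs in order; policy qualifiers are skipped."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single outer SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_body, _ = _read_tlv(info, 0)
        if tag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_body))
    return oids


def asserted_common_policies(der: bytes) -> set:
    """Names of the Common Policy OIDs present in the extension value."""
    return {COMMON_POLICY_OIDS[o] for o in decode_certificate_policies(der) if o in COMMON_POLICY_OIDS}


if __name__ == "__main__":
    # Constructed input: a PIV authentication certificate asserting
    # id-fpki-common-authentication plus an unrelated, made-up private OID.
    sample = encode_certificate_policies(["2.16.840.1.101.3.2.1.3.13", "1.3.6.1.4.1.99999.1"])
    print(sample.hex())
    print(asserted_common_policies(sample))
```

In practice the extension value comes out of a real certificate (for example via `openssl asn1parse` or an X.509 library); the point of the check is that an OID merely being present is not enough on its own, since the CA's own certificate chain must also be validated to the Common Policy root or to the FBCA with the policy mapped, otherwise any issuer could assert the OID.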

15 Acquisition Policy Strategy
Two new FAR Rules:
FAR Case
– Addresses HSPD-12 requirements
– Interim rule issued end of CY-05
FAR Case
– Directs agencies to acquire only approved products
– Interim Rule in Committee awaiting final approval
OMB Guidance designates GSA as the "executive agent for Government-wide acquisitions of information technology" for the products and services required by HSPD-12.
Acquisition services will be offered via GSA Schedule Contracts.

16 For More Information
Supporting Publications
— FIPS-201 – Personal Identity Verification for Federal Employees and Contractors
— SP – Interfaces for Personal Identity Verification
— SP – Biometric Data Specification for Personal Identity Verification
— SP – Recommendation for Cryptographic Algorithms and Key Sizes
— SP – Issuing Organization Accreditation Guideline
— SP – PIV Middleware and PIV Card Application Conformance Test Guidelines
NIST PIV Website
Federal Identity Credentialing Website