Credentialing the First Responder community using the FIPS 201 model
10 October, 2006
A massive effort but one that could bring equally massive returns
By Chris Corum, Executive Editor
The nation saw first-hand the need to identify critical personnel in disaster situations in the days and weeks following 9-11 and Hurricane Katrina. “After Katrina we had 6000 doctors driving boats while people went without care simply because we couldn’t validate their credentials,” says Tony Cieri, Senior Advisor to the Department of Homeland Security. And following 9-11 the challenge of getting the right people inside the perimeter while keeping others out was well publicized.
In response, steps are being taken to address this challenge and provide a secure credential to identify these key first responders in future times of need. That credential, called a First Responder Access Card (FRAC), is being built upon the work of the federal government’s identity initiative created in response to HSPD-12.
Recognizing the need for a credentialing solution, leaders in the first response community saw parallels in the work going on in the federal government to build the interoperable ID for agency employees and contractors. This program, codified in FIPS 201, seemed an ideal fit. “It was interoperable, secure, and sculpted through years of work by some of the best minds in government and industry,” says Mr. Cieri.
What is a First Responder?
HSPD-8 defines First Responders as “individuals who in the early stages of an incident are responsible for the protection and preservation of life, property, evidence, and the environment.” It goes on to cite the Homeland Security Act’s included groups: “Federal, state, and local emergency public safety, law enforcement, emergency response, (and) emergency medical.” Then HSPD-8 adds some additional groups of its own … “emergency management, public health, clinical care, public works, and other skilled support personnel (such as equipment operators) that provide immediate support services during prevention, response, and recovery operations.”
Obviously this is a huge body of people. But many experts point out that the community is really much larger, citing the massive private sector first responder community. Utilities, telecom, aid organizations and numerous other functions are critical to immediate relief in crises and should be considered part of the first response.
“The potential number of first responders is massive,” says Mr. Cieri, “larger than the projected HSPD-12 and TWIC (Transportation Worker Identification Credential) groups combined.” Much like peeling an onion, it seems there are many layers of people or roles and as you get further from the core, the layers grow larger and larger.
An initiative without a mandate, for now …
Most agree that by mandating that all federal agencies adopt the new credential by a specified date, HSPD-12 forced a mass migration that would not have happened – or would not have happened rapidly. But does the FRAC have a similar mandate? Not at this point, though there are strong suggestions in at least one key government plan, the Federal Emergency Management Agency’s (FEMA) National Incident Management System.
But it may be premature to expect a mandate at this stage. “The HSPD-12 (mandate) didn’t happen overnight,” says Mr. Cieri. “The DoD had issued millions of Common Access Cards, Interior and others had worked for years laying the groundwork before the mandate came along. The FRAC will get to this stage soon enough, but huge progress is already occurring.”
Winter Fox and other trials demonstrate feasibility
Just what progress has occurred? The most publicized effort to date took place in February 2006 during a trial called Winter Fox. It was a live test of an interoperable FIPS 201 credential in a multi-site, multi-jurisdiction environment. “It was really the first interoperability test of FIPS 201,” says Mr. Cieri.
The test was sponsored by DHS’ National Capital Region to determine the feasibility of the FRAC. Specifically, it sought to find out whether one entity could read and authenticate a credential issued by another entity, and do so in a real-world setting.
Winter Fox took place at four locations: the Pentagon’s Navy Annex, Frederick County, Maryland’s Emergency operations center, the Port of Baltimore, and the Virginia Transportation Department. Each of the four entities issued FIPS 201 credentials to a test group of personnel and those credentials were used at facilities controlled by the other groups.
“We proved that it works,” says Mr. Cieri, “identity could be asserted.”
Post Winter Fox, other trials have met with similar success. A trial with George Washington University demonstrated private sector involvement; a trial at the Jacksonville, Baltimore, and Hampton Roads seaports explored transportation-related application; and a medical facility trial is rumored to be in the works.
“In the Navy we had a saying … you fight the way you train,” adds Mr. Cieri when asked about the nature of future trials. “We don’t need desktop exercises, we need to put the chaos into the event so we can learn to live with it.”
Still far from a sure thing
But not everyone is convinced that an issuance of this magnitude is warranted or possible. An executive from a vendor of instant issuance systems for emergency management told SecureIDNews that many of the field level personnel from FEMA and DHS think the FRAC is a long-shot at best. “Most groups I speak with just don’t buy it,” said the source. “The cost is unreasonable and it simply isn’t necessary. With better coordination and planning we can issue credentials at the site and achieve equal or better coverage.”
A business process revolution rather than a technology revolution
“We know the technology works,” says Mr. Cieri with regard to FIPS 201. “What we are undergoing is a cultural revolution … a technology disruption to the status quo on the business side of the equation.” When asked to describe this cultural shift, he stresses, “We no longer have to issue it to trust it.”
Truly, that is a monumental change in the way our world thinks about identification and authentication. The real impact of this shift, if it is successful, will likely not be realized until the rollout of the federal infrastructure is well underway. As various entities see the evidence of the interoperable, secure, functional ID in use, the interest seems certain to follow. This requires a total paradigm shift for trust of other credentials. And according to Mr. Cieri, “it is what FIPS does.”
Tony Cieri is one of the leaders of a move that is bringing FIPS 201 solutions to the First Responder community. In this role, Tony serves as Senior Advisor to the Department of Homeland Security’s Tom Lockwood, the head of the National Capital Region. Previously, Mr. Cieri led the Navy’s smart card efforts and later held a key role in the DoD’s Common Access Card program. In addition to his advisory role with DHS, he serves as Senior Advisor to the IAB and GSA.