At the March 9 meeting of the U.S. Federal Government’s Smart Card Project Managers group, presentations centered around the recently approved SP 800-73 spec for government-wide secure credentials. SecureIDNews was approved to record the presentations and make the audio available to our readers. Links to the audio files and to the presentations are provided at the close of this piece.
We have selected a key snippet from each presentation to give an overview of the meeting and the points made by the panelists.
John Moore – GSA Chair of Federal Smart Card Project Managers
Mr. Moore provided an overview of the suite of speakers and the recent achievement of an approved SP 800-73 document.
“For approximately two years we had submitted a request to the Office of Management and Budget to get high level support for the interoperable standards we’ve been working on, and then rather preemptively, shortly after the publication of the 9-11 report came the recognition there would be a presidential directive directing us to do what we had been saying. It was like pushing on a door and having someone jerk it wide open…The presidential directive had four key points. It was a very condensed one-page document, non-technological, but providing for a credential strongly resistant to identity fraud, rapidly authenticated electronically, issued only by authenticated providers and providing physical access to federal buildings and computer information systems.
“One of the things to be addressed here is the tying together of the various identity management components. One of the more difficult ones is…tying together information security, physical access, human resources, electronic authentication and PKI, and privacy for smart card credential interoperability.”
Jim Dray – Chief Smart Card Scientist for NIST
Mr. Dray provided an overview of the process and implications of SP 800-73, the newly defined “single card edge,” and the process from this point to the end goal of “PIV2” cards.
“(SP 800-73) essentially defines the interfaces, the card interface, the client application interface, and some data structures that need to be imposed on the cards we’re going to be deploying in order to achieve the interoperability mandated by HSPD 12 and FIPS 201. We’re trying to achieve a technology neutral unified card edge interface definition. Agencies without an existing card deployment are free to jump all the way …. to PIV2; there is no reason for them to do a detour during the transition phase. The final PIV2 specification is the mandatory end point.”
Bob Gilson – DOD Contact Card Office and IAB Technical Team Leader
Mr. Gilson reviewed the DOD and Technical Team impressions of FIPS 201 and SP 800-73.
“What (SP 800-73) means to the DOD…With the large deployed system that we have, one of our key concerns was backwards compatibility, the migration strategy and a straight line path to PIV2. From the get go our goal was to try to push that process forward. With the joint effort of NIST and IAB…we all learned a lot more about each other’s work. What we did learn as a result of 201 was we are going to have to tap government databases more than ever before…We’re all going to have to get a little smarter about how we get online… Although we were doing contactless, now we have to be careful about how we’re doing contactless, at least for the PIV application. Outside of that, we can do contactless our own way if we want, and the rest of you can too.”
Judy Spencer – GSA Chair of Federal Identity Credentialing Committee
Ms. Spencer addressed the coordination with OMB & Fed ID Management.
“We now have a FIPS and an 800-73…The fact that we have them is a huge accomplishment. In the last six months, NIST did two years’ worth of work. But (our) work is just beginning. The rest of us have to really get busy. By June we must have our agency plans to OMB. What does this mean? We are putting together a template…we’re hoping within the next couple of weeks it will be released by OMB as a form-fillable (document that can be) emailed to OMB. It is a road map of where you are and where you want to go. You’re going to provide these milestones and time lines for meeting full compliance of FIPS 201. There is guidance coming out from OMB to explain what their expectations are for Oct. 25 and beyond.”
Kevin Crouch – DHS Chief, Security Training & Technical Support
Mr. Crouch provided a DHS view of FIPS 201 and SP 800-73 activities.
“We want to send a message to our DHS employees and that message is that their security, specifically the security of their identity, is what HSPD 12 is all about. We’ve labeled it secureware … simply because the PIV that we’re using is based on the secure identity of our employees that we do not want to compromise. We saw the significance of using cryptographic smart card technologies not only in its traditional cyber access but also for physical access. We’ve tried something which most of you would attest to as being a clash of the titans … a blending of physical security and cyber technology … With our migration to the PIV world, we’ll provide the means by which the DHS PIV card holders control their identity by wearing their security.”
Steve Parsons – DHS TSA Deputy Program Manager of TWIC Program
Mr. Parsons described TSA’s perspective on FIPS 201 and gave an update on the TSA Transportation Worker Identity Credential (TWIC) program.
“What TWIC is about is a trusted high assurance credential that we can use for physical or logical access…Our program priority has been on the identity assertion, that is getting it right up front, that everything that happens subsequent to that can be trusted. We want to minimize the information that we put on the card and bind the cardholder with the credential and with their biometric. That is part of this chain of trust. I’m here to tell you we’re adopting those standards that “don’t exist.” We’re anxious to share with you those lessons learned. There are a few things on our plate, (such as a) decision about what the federal government’s role should be. Dockworkers, (etc.) are anxious to see what the disqualifying crimes might be to see where that bar may be set. Florida is concerned it set its bar so high that it might impede commerce, all the business would go to a different port of call.”
Tony Cieri – Representing IAB, Former Senior Leader of DOD Navy Smart Card Program
Mr. Cieri presented a review of IAB activities and the timetable.
“My message is we’re not done. We still have some issues; one of them is the biometric issue that we’re working through. The contactless piece…we’re going to get to … all the additional things we need to take on board to make this implementation successful. When it comes to 800-73 … I applaud both NIST and the rest of the agencies for having done this. It has been a major move forward, not only with smart cards but how they interact with PKI, (such as) identity proofing, binding of this credential to this person. Now we’re down to how do we implement this? What it gets down to is what is the expectation for Oct. 27, the day after Oct. 26? All agencies have gone through identity proofing, the issuance part…(but) issuing what? And what does registration really mean? We’re looking at this as a daunting challenge … We strongly suggest as an IAB … that come Oct. 27, that you take us up on education, the way to do it correctly and all the lessons learned and what not to do.”
To access the audio presentations, click here.
To access electronic copies of the presentations, click here.