160 likes | 338 Views
HSPD-12 Compliance: The Role of Federal PKI . Judith Spencer Chair, Federal Identity Credentialing Office of Governmentwide Policy General Services Administration judith.spencer@gsa.gov. Genesis. July 2001 – Presidential commitment to moving E-Government forward
E N D
HSPD-12 Compliance:The Role of Federal PKI Judith Spencer Chair, Federal Identity Credentialing Office of Governmentwide Policy General Services Administration judith.spencer@gsa.gov
Genesis • July 2001 – Presidential commitment to moving E-Government forward • February 2002 – E-Authentication Initiative launched • April 2003 – CIO Council charters Federal Identity Credentialing Committee • December 2003 – E-Authentication Guidance to Federal Agencies issued • August 2004 – HSPD-12 Issued
PMC E-Government Agenda Government to Citizen Government to Business 1.Federal Asset Sales 2. Online Rulemaking Management 3. Simplified and Unified Tax and Wage Reporting 4. Consolidated Health Informatics 5. Business Compliance 1 Stop 6. Int’l Trade Process Streamlining 1. USA Service 2. EZ Tax Filing 3. Online Access for Loans 4. Recreation One Stop 5. Eligibility Assistance Online Government to Govt. Internal Effectiveness and Efficiency 1. e-Training 2. Recruitment One Stop 3. Enterprise HR Integration 4. e-Travel 5. e-Clearance 6. e-Payroll 7. Integrated Acquisition 8. e-Records Management 1. e-Vital (business case) 2. e-Grants 3. Disaster Assistance and Crisis Response 4. Geospatial Information One Stop 5. Wireless Networks
The Mandate Home Security Presidential Directive 12 (HSPD-12): “Policy for a Common Identification Standard for Federal Employees and Contractors” Dated: August 27, 2004
The Control Objectives Secure and reliable forms of personal identification that are: • Based on sound criteria to verify an individual employee’s identity • Strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation • Rapidly verified electronically • Issued only by providers whose reliability has been established by an official accreditation process
Applicability & Use • Applicable to all government organizations and contractors (except identification associated with National Security Systems) • Used for access to Federally-controlled facilities and logical access to Federally-controlled information systems • Flexible in selecting appropriate security level – includes graduated criteria from least secure to most secure • Implemented in a manner that protects citizens’ privacy
Sound Criteria to Verify an Individual Employee’s Identity Standardize the Identity Credential Issuance Process as follows: • Organization shall use an approved identity proofing and registration process including: • Require two identity source documents in original form from the list associated with Form I-9,Employment Eligibility Verification. At least one document shall be a valid State or Federal government-issued picture identification • National Agency Check with Written Inquiries (NACI) or equivalent. • FBI National Criminal History Fingerprint Check completion before credential issuance. • In-person appearance at least once before credential issuance • Controls must ensure that no single individual can authorize issuance of a PIV credential
Strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation Mandatory Electronic Data • All data from Topology • PIN • Cardholder Unique Identifier (CHUID) • PIV Authentication Data (asymmetric key pair and corresponding PKI certificate) • Two biometric fingerprints • Optional Electronic Data: • Asymmetric key pair and corresponding certificate for digital signatures • Asymmetric key pair and corresponding certificate for key management • Asymmetric or symmetric card authentication keys for supporting confidentiality (encryption) • Additional biometrics • Minimum Cryptographic mechanisms specified in SP800-78.
FIPS-201 Requirements (Section 4.3) • The PIV Card has a single mandatory key and four types of optional keys: • + The PIV authentication keyshall be an asymmetric private key supporting card authentication for an interoperable environment, and it is mandatory for each PIV Card. • + The card authentication keymay be either a symmetric (secret) key or an asymmetric private key for physical access, and it is optional. • + The digital signature keyis an asymmetric private key supporting document signing, and it is optional. • + The key management keyis an asymmetric private key supporting key establishment and transport, and it is optional. This can also be used as an encryption key. • + The card management keyis a symmetric key used for personalization and post-issuance activities, and it is optional. • All PIV cryptographic keys shall be generated within a FIPS 140-2 validated cryptomodule with overall validation at Level 2 or above. In addition to an overall validation of Level 2, the PIV Card shall provide Level 3 physical security to protect the PIV private keys in storage.
Determining Assurance Levels • E-Authentication Guidance for Federal Agencies, issued by the Office of Management & Budget, Dec. 16, 2003 • http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf • About identity authentication, not authorization or access control • Incorporates Standards for Security Categorization of Federal Information and Information Systems (FIPS-199) • NIST SP800-63: Recommendation for Electronic Authentication • Companion to OMB e-Authentication guidance • http://csrc.nist.gov/eauth • Covers conventional token based remote authentication
Level 1 Level 2 Level 3 Level 4 Little or no confidence in asserted identity Some confidence in asserted identity High confidence in asserted identity Very high confidence in the asserted identity Assurance Levels M-04-04:E-Authentication Guidance for Federal Agencies OMB Guidance establishes 4 authentication assurance levels On-line with out-of-band verification for qualification Cryptographic solution Self-assertion minimum records In person proofing Record a biometric Cryptographic Solution Hardware Token On-line, instant qualification – out-of-band follow-up
Implementing PKI in accordance with FIPS-201 • X.509 Certificate Policy for the Federal Common Policy Framework • Provides minimum requirements for Federal agency implementation of PKI • Operates at FBCA Medium Assurance/E-Authentication Levels 3 and 4 • Cross-certified with the FBCA • Governing policy for the Shared PKI Service Provider program • Certified PKI Shared Service Provider Program • Evaluates services against the Common Policy Framework • Conducts Operational Capabilities Demonstrations • Populates Certified Provider List with service providers who meet published criteria • Agencies not operating an Enterprise PKI must buy PKI services from certified providers
Approved Shared Service Providers • Verisign, Inc • Cybertrust • Operational Research Consultants • USDA/National Finance Center • Agencies operating an Enterprise PKI cross-certified with the FBCA at Medium Assurance or higher are considered compliant with FIPS-201. • In January 2008, these Enterprise PKIs will start including the Common Policy OIDs in their certificates.
Acquisition Policy Strategy • Two new FAR Rules • FAR Case 2005-015 • Addresses HSPD-12 requirements • Interim rule issued end of CY-05 • FAR Case 2005-017 • Directs agencies to acquire only approved products • Interim Rule in Committee awaiting final approval • OMB Guidance designates GSA as the “executive agent for Government-wide acquisitions of information technology" for the products and services required by HSPD-12 • Acquisition services will be offered via GSA Schedule Contracts
For More Information • Supporting Publications • FIPS-201 – Personal Identity Verification for Federal Employees and Contractors • SP 800-73 – Interfaces for Personal Identity Verification • SP 800-76 – Biometric Data Specification for Personal Identity Verification • SP 800-78 – Recommendation for Cryptographic Algorithms and Key Sizes • SP 800-79 – Issuing Organization Accreditation Guideline • SP 800-85 – PIV Middleware and PIV Card Application Conformance Test Guidelines • NIST PIV Website (http://csrc.nist.gov/piv-project/) • Federal Identity Credentialing Website (http://www.cio.gov/ficc)