1

HSPD-12 Compliance:The Role of Federal PKI

Judith SpencerChair, Federal Identity Credentialing

Office of Governmentwide PolicyGeneral Services Administration

judith.spencer@gsa.gov

2

Genesis

• July 2001 – Presidential commitment to moving E-Government forward

• February 2002 – E-Authentication Initiative launched

• April 2003 – CIO Council charters Federal Identity Credentialing Committee

• December 2003 – E-Authentication Guidance to Federal Agencies issued

• August 2004 – HSPD-12 Issued

3

1. Federal Asset Sales2. Online Rulemaking Management3. Simplified and Unified Tax and Wage Reporting4. Consolidated Health Informatics 5. Business Compliance 1 Stop6. Int’l Trade Process Streamlining

Government to Govt. Internal Effectiveness and Efficiency

1. e-Vital (business case) 2. e-Grants3. Disaster Assistance and Crisis Response4. Geospatial Information One Stop 5. Wireless Networks

1. e-Training 2. Recruitment One Stop3. Enterprise HR Integration 4. e-Travel 5. e-Clearance6. e-Payroll7. Integrated Acquisition8. e-Records Management

PMC E-Government Agenda

Government to BusinessGovernment to Citizen

1. USA Service 2. EZ Tax Filing 3. Online Access for Loans 4. Recreation One Stop5. Eligibility Assistance Online

4

The Mandate

Home Security Presidential Directive 12 (HSPD-12):

“Policy for a Common Identification Standard for Federal Employees and Contractors”

Dated: August 27, 2004

5

The Control Objectives

Secure and reliable forms of personal identification that are:

• Based on sound criteria to verify an individual employee’s identity

• Strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation

• Rapidly verified electronically

• Issued only by providers whose reliability has been established by an official accreditation process

6

Applicability & Use

• Applicable to all government organizations and contractors (except identification associated with National Security Systems)

• Used for access to Federally-controlled facilities and logical access to Federally-controlled information systems

• Flexible in selecting appropriate security level – includes graduated criteria from least secure to most secure

• Implemented in a manner that protects citizens’ privacy

7

Sound Criteria to Verify an Individual Employee’s Identity

• Organization shall use an approved identity proofing and registration process including: ― Require two identity source documents in original form from the list

associated with Form I-9, Employment Eligibility Verification. At least one document shall be a valid State or Federal government-issued picture identification

― National Agency Check with Written Inquiries (NACI) or equivalent.

― FBI National Criminal History Fingerprint Check completion before credential issuance.

― In-person appearance at least once before credential issuance

• Controls must ensure that no single individual can authorize issuance of a PIV credential

Standardize the Identity Credential Issuance Process as follows:

8

Strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation

Mandatory Electronic Data• All data from Topology

• PIN

• Cardholder Unique Identifier (CHUID)

• PIV Authentication Data (asymmetric key pair and corresponding PKI certificate)

• Two biometric fingerprints

Optional Electronic Data:

• Asymmetric key pair and corresponding certificate for digital signatures

• Asymmetric key pair and corresponding certificate for key management

• Asymmetric or symmetric card authentication keys for supporting confidentiality (encryption)

• Additional biometrics

• Minimum Cryptographic mechanisms specified in SP800-78.

9

FIPS-201 Requirements (Section 4.3)

• The PIV Card has a single mandatory key and four types of optional keys: • + The PIV authentication key shall be an asymmetric private key supporting card

authentication for an interoperable environment, and it is mandatory for each PIV Card.

• + The card authentication key may be either a symmetric (secret) key or an asymmetric private key for physical access, and it is optional.

• + The digital signature key is an asymmetric private key supporting document signing, and it is optional.

• + The key management key is an asymmetric private key supporting key establishment and transport, and it is optional. This can also be used as an encryption key.

• + The card management key is a symmetric key used for personalization and post-issuance activities, and it is optional.

• All PIV cryptographic keys shall be generated within a FIPS 140-2 validated cryptomodule with overall validation at Level 2 or above. In addition to an overall validation of Level 2, the PIV Card shall provide Level 3 physical security to protect the PIV private keys in storage.

10

Determining Assurance Levels

• E-Authentication Guidance for Federal Agencies, issued by the Office of Management & Budget, Dec. 16, 2003—http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf —About identity authentication, not authorization or access

control— Incorporates Standards for Security Categorization of Federal

Information and Information Systems (FIPS-199)

• NIST SP800-63: Recommendation for Electronic Authentication—Companion to OMB e-Authentication guidance—http://csrc.nist.gov/eauth—Covers conventional token based remote authentication

11

M-04-04:E-Authentication Guidance for Federal Agencies

OMB Guidance establishes 4 authentication assurance levels

Level 4Level 3Level 2Level 1Little or no confidence

in asserted identity Some confidence in

asserted identityHigh confidence in asserted identity

Very high confidence in the asserted

identity

Assurance Levels

Self-assertionminimum records

On-line, instant qualification – out-of-

band follow-up

On-line with out-of-band verification for

qualificationCryptographic

solution

In person proofingRecord a biometric

Cryptographic SolutionHardware Token

12

Assurance Level Impact Profiles

Potential Impact Categories for Authentication Errors

1 2 3 4

Inconvenience, distress or damage to standing or reputation

Low Mod Mod High

Financial loss or agency liability Low Mod Mod High

Harm to agency programs or public interests N/A Low Mod High

Unauthorized release of sensitive information N/A Low Mod High

Personal Safety N/A N/A Low ModHigh

Civil or criminal violations N/A Low Mod High

Maximum Potential Impacts

13

Implementing PKI in accordance with FIPS-201

• X.509 Certificate Policy for the Federal Common Policy Framework– Provides minimum requirements for Federal agency implementation of

PKI

– Operates at FBCA Medium Assurance/E-Authentication Levels 3 and 4

– Cross-certified with the FBCA

– Governing policy for the Shared PKI Service Provider program

• Certified PKI Shared Service Provider Program– Evaluates services against the Common Policy Framework

– Conducts Operational Capabilities Demonstrations

– Populates Certified Provider List with service providers who meet published criteria

– Agencies not operating an Enterprise PKI must buy PKI services from certified providers

14

Approved Shared Service Providers

• Verisign, Inc

• Cybertrust

• Operational Research Consultants

• USDA/National Finance Center

• Agencies operating an Enterprise PKI cross-certified with the FBCA at Medium Assurance or higher are considered compliant with FIPS-201.

• In January 2008, these Enterprise PKIs will start including the Common Policy OIDs in their certificates.

15

Acquisition Policy Strategy

• Two new FAR Rules

• FAR Case 2005-015 – Addresses HSPD-12 requirements – Interim rule issued end of CY-05

• FAR Case 2005-017 – Directs agencies to acquire only approved products– Interim Rule in Committee awaiting final approval

• OMB Guidance designates GSA as the “executive agent for Government-wide acquisitions of information technology" for the products and services required by HSPD-12

• Acquisition services will be offered via GSA Schedule Contracts

16

For More Information

• Supporting Publications— FIPS-201 – Personal Identity Verification for Federal Employees and Contractors— SP 800-73 – Interfaces for Personal Identity Verification— SP 800-76 – Biometric Data Specification for Personal Identity Verification— SP 800-78 – Recommendation for Cryptographic Algorithms and Key Sizes— SP 800-79 – Issuing Organization Accreditation Guideline — SP 800-85 – PIV Middleware and PIV Card Application Conformance Test

Guidelines

• NIST PIV Website (http://csrc.nist.gov/piv-project/)

• Federal Identity Credentialing Website (http://www.cio.gov/ficc)