HSPD-12 Compliance: The Role of Federal PKI
Judith Spencer, Chair, Federal Identity Credentialing
Office of Governmentwide Policy, General Services Administration
Genesis
• July 2001 – Presidential commitment to moving E-Government forward
• February 2002 – E-Authentication Initiative launched
• April 2003 – CIO Council charters Federal Identity Credentialing Committee
• December 2003 – E-Authentication Guidance to Federal Agencies issued
• August 2004 – HSPD-12 Issued
PMC E-Government Agenda
Government to Business
1. Federal Asset Sales
2. Online Rulemaking Management
3. Simplified and Unified Tax and Wage Reporting
4. Consolidated Health Informatics
5. Business Compliance 1 Stop
6. Int’l Trade Process Streamlining
Government to Govt.
1. e-Vital (business case)
2. e-Grants
3. Disaster Assistance and Crisis Response
4. Geospatial Information One Stop
5. Wireless Networks
Internal Effectiveness and Efficiency
1. e-Training
2. Recruitment One Stop
3. Enterprise HR Integration
4. e-Travel
5. e-Clearance
6. e-Payroll
7. Integrated Acquisition
8. e-Records Management
Government to Citizen
1. USA Service
2. EZ Tax Filing
3. Online Access for Loans
4. Recreation One Stop
5. Eligibility Assistance Online
The Mandate
Homeland Security Presidential Directive 12 (HSPD-12):
“Policy for a Common Identification Standard for Federal Employees and Contractors”
Dated: August 27, 2004
The Control Objectives
Secure and reliable forms of personal identification that are:
• Based on sound criteria to verify an individual employee’s identity
• Strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation
• Rapidly verified electronically
• Issued only by providers whose reliability has been established by an official accreditation process
Applicability & Use
• Applicable to all government organizations and contractors (except identification associated with National Security Systems)
• Used for access to Federally-controlled facilities and logical access to Federally-controlled information systems
• Flexible in selecting appropriate security level – includes graduated criteria from least secure to most secure
• Implemented in a manner that protects citizens’ privacy
Sound Criteria to Verify an Individual Employee’s Identity
Standardize the Identity Credential Issuance Process as follows:
• Organization shall use an approved identity proofing and registration process including:
  ― Require two identity source documents in original form from the list associated with Form I-9, Employment Eligibility Verification. At least one document shall be a valid State or Federal government-issued picture identification
  ― National Agency Check with Written Inquiries (NACI) or equivalent
  ― FBI National Criminal History Fingerprint Check completion before credential issuance
  ― In-person appearance at least once before credential issuance
• Controls must ensure that no single individual can authorize issuance of a PIV credential
Strongly Resistant to Fraud, Tampering, Counterfeiting, and Terrorist Exploitation
Mandatory Electronic Data:
• All data from the card topology
• PIN
• Cardholder Unique Identifier (CHUID)
• PIV Authentication Data (asymmetric key pair and corresponding PKI certificate)
• Two biometric fingerprints
Optional Electronic Data:
• Asymmetric key pair and corresponding certificate for digital signatures
• Asymmetric key pair and corresponding certificate for key management
• Asymmetric or symmetric card authentication keys for supporting confidentiality (encryption)
• Additional biometrics
Minimum cryptographic mechanisms are specified in SP 800-78.
FIPS-201 Requirements (Section 4.3)
• The PIV Card has a single mandatory key and four types of optional keys:
  – The PIV authentication key shall be an asymmetric private key supporting card authentication for an interoperable environment, and it is mandatory for each PIV Card.
  – The card authentication key may be either a symmetric (secret) key or an asymmetric private key for physical access, and it is optional.
  – The digital signature key is an asymmetric private key supporting document signing, and it is optional.
  – The key management key is an asymmetric private key supporting key establishment and transport, and it is optional. This can also be used as an encryption key.
  – The card management key is a symmetric key used for personalization and post-issuance activities, and it is optional.
• All PIV cryptographic keys shall be generated within a FIPS 140-2 validated cryptomodule with overall validation at Level 2 or above. In addition to an overall validation of Level 2, the PIV Card shall provide Level 3 physical security to protect the PIV private keys in storage.
Determining Assurance Levels
• E-Authentication Guidance for Federal Agencies, issued by the Office of Management & Budget, Dec. 16, 2003 (http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf)
  – About identity authentication, not authorization or access control
  – Incorporates Standards for Security Categorization of Federal Information and Information Systems (FIPS-199)
• NIST SP 800-63: Recommendation for Electronic Authentication (http://csrc.nist.gov/eauth)
  – Companion to OMB e-Authentication guidance
  – Covers conventional token-based remote authentication
M-04-04: E-Authentication Guidance for Federal Agencies
OMB Guidance establishes 4 authentication assurance levels:
Level 1 – Little or no confidence in asserted identity
  Identity proofing: self-assertion, minimum records
Level 2 – Some confidence in asserted identity
  Identity proofing: on-line, instant qualification with out-of-band follow-up
Level 3 – High confidence in asserted identity
  Identity proofing: on-line with out-of-band verification for qualification
  Token: cryptographic solution
Level 4 – Very high confidence in the asserted identity
  Identity proofing: in-person proofing, record a biometric
  Token: cryptographic solution, hardware token
Assurance Level Impact Profiles
Maximum potential impact permitted at each assurance level:

Potential Impact Categories for Authentication Errors           Level 1  Level 2  Level 3  Level 4
Inconvenience, distress or damage to standing or reputation     Low      Mod      Mod      High
Financial loss or agency liability                              Low      Mod      Mod      High
Harm to agency programs or public interests                     N/A      Low      Mod      High
Unauthorized release of sensitive information                   N/A      Low      Mod      High
Personal Safety                                                 N/A      N/A      Low      Mod/High
Civil or criminal violations                                    N/A      Low      Mod      High
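The impact table above is used by comparing a system's own risk assessment against the ceilings for each level. As an added example (not part of the original slides), the following Python encodes that comparison the way M-04-04 describes it: for every category, find the lowest level whose ceiling meets or exceeds the assessed impact, then take the highest of those levels. The category strings and the sample profile are constructed here, not taken from the slides.

```python
# Added example: M-04-04 assurance-level selection from an impact profile.
# Ratings are ordered; "N/A" means no impact in that category.
IMPACT_RANK = {"N/A": 0, "Low": 1, "Mod": 2, "High": 3}

# Ceiling per assurance level (index 0 = Level 1) for each impact category,
# transcribed from the slide's table. Personal Safety at Level 4 is listed
# as "Mod/High", so its ceiling is High.
LEVEL_CEILINGS = {
    "Inconvenience, distress or damage to standing or reputation": ["Low", "Mod", "Mod", "High"],
    "Financial loss or agency liability":                          ["Low", "Mod", "Mod", "High"],
    "Harm to agency programs or public interests":                 ["N/A", "Low", "Mod", "High"],
    "Unauthorized release of sensitive information":               ["N/A", "Low", "Mod", "High"],
    "Personal Safety":                                             ["N/A", "N/A", "Low", "High"],
    "Civil or criminal violations":                                ["N/A", "Low", "Mod", "High"],
}


def minimum_level_for(category: str, assessed: str) -> int:
    """Lowest assurance level whose ceiling for `category` covers `assessed`."""
    if assessed not in IMPACT_RANK:
        raise ValueError(f"unknown impact rating: {assessed!r}")
    if category not in LEVEL_CEILINGS:
        raise ValueError(f"unknown impact category: {category!r}")
    need = IMPACT_RANK[assessed]
    for level, ceiling in enumerate(LEVEL_CEILINGS[category], start=1):
        if IMPACT_RANK[ceiling] >= need:
            return level
    raise ValueError(f"no assurance level covers {assessed!r} for {category!r}")


def required_assurance_level(profile: dict) -> int:
    """Required level is the highest per-category minimum; unassessed categories count as N/A."""
    for category in profile:
        if category not in LEVEL_CEILINGS:
            raise ValueError(f"unknown impact category: {category!r}")
    return max(
        minimum_level_for(category, profile.get(category, "N/A"))
        for category in LEVEL_CEILINGS
    )


# Constructed sample: a benefits-eligibility service where a wrong decision
# could put someone at low physical risk. That single category forces Level 3,
# even though every other category would be satisfied by Level 2.
SAMPLE_PROFILE = {
    "Inconvenience, distress or damage to standing or reputation": "Mod",
    "Financial loss or agency liability": "Low",
    "Unauthorized release of sensitive information": "Low",
    "Personal Safety": "Low",
}

if __name__ == "__main__":
    print("Required assurance level:", required_assurance_level(SAMPLE_PROFILE))
```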
Implementing PKI in Accordance with FIPS-201
• X.509 Certificate Policy for the Federal Common Policy Framework
  – Provides minimum requirements for Federal agency implementation of PKI
  – Operates at FBCA Medium Assurance / E-Authentication Levels 3 and 4
  – Cross-certified with the FBCA
  – Governing policy for the Shared PKI Service Provider program
• Certified PKI Shared Service Provider Program
  – Evaluates services against the Common Policy Framework
  – Conducts Operational Capabilities Demonstrations
  – Populates the Certified Provider List with service providers who meet published criteria
  – Agencies not operating an Enterprise PKI must buy PKI services from certified providers
Approved Shared Service Providers
• Verisign, Inc
• Cybertrust
• Operational Research Consultants
• USDA/National Finance Center
• Agencies operating an Enterprise PKI cross-certified with the FBCA at Medium Assurance or higher are considered compliant with FIPS-201.
• In January 2008, these Enterprise PKIs will start including the Common Policy OIDs in their certificates.
Acquisition Policy Strategy
• Two new FAR Rules:
  – FAR Case 2005-015 – Addresses HSPD-12 requirements; interim rule issued end of CY-05
  – FAR Case 2005-017 – Directs agencies to acquire only approved products; interim rule in Committee awaiting final approval
• OMB Guidance designates GSA as the “executive agent for Government-wide acquisitions of information technology" for the products and services required by HSPD-12
• Acquisition services will be offered via GSA Schedule Contracts
For More Information
• Supporting Publications:
  – FIPS-201 – Personal Identity Verification for Federal Employees and Contractors
  – SP 800-73 – Interfaces for Personal Identity Verification
  – SP 800-76 – Biometric Data Specification for Personal Identity Verification
  – SP 800-78 – Recommendation for Cryptographic Algorithms and Key Sizes
  – SP 800-79 – Issuing Organization Accreditation Guideline
  – SP 800-85 – PIV Middleware and PIV Card Application Conformance Test Guidelines
• NIST PIV Website (http://csrc.nist.gov/piv-project/)
• Federal Identity Credentialing Website (http://www.cio.gov/ficc)