Serving Commissaries, Exchanges, & Morale, Welfare, and Recreation

Presented at the:

American Logistics Association

National Convention

Presented By:

Daniel E. Turissini

CEO, Operational Research Consultants

October 20, 2008

IDENTITY SUPERIORITY

What is FiXs? Federation for Identity & Cross-Credentialing Systems

•  501(c)6 not-for-profit trade association –  Founded in 2004 in collaboration with the Department of Defense

–  Collaborated with General Services Administration HSPD-12 effort

–  Provides inter-operable use of identity credentials among governments & industry partners

•  A coalition of diverse companies/ organizations creating inter-operable identity cross-credentialing standards & systems

–  Government contractors, technology companies, & financial firms

–  Not-for-profit & non-profit organizations

–  DoD, GSA, & State governments

•  Trusted authority of standards, operating guidelines, & oversight of secure identity authentication network

FiXs Members/Advisors 2008

Commercial Entities •  AFCEA •  American Logistics Association •  American Systems •  Booz-Allen Hamilton •  ChoicePoint Government Services •  Covisint •  DSA, Inc. •  Daon •  EDS •  Eid Passport, Inc. •  Imadgen LLC •  Little River Management Group, LLC •  Lockheed Martin Corporation •  Mobilisa •  Northrop Grumman

Government Advisors •  Defense Manpower Data Center, DoD •  Office of Government-wide Policy, GSA •  CIO Office, State of Colorado

•  SAIC •  Secure Data Corporation •  SRA International, Inc •  SRP Consulting Group, LLC •  Telos Identity Management Solutions •  Unlimited New Dimensions, LLC •  Vuance, Inc. •  Wave Systems Corp. •  WidePoint Corporation •  3Factor LLC

And a growing number of subscribing members!

FiXs User Benefits & Responsibilities

•  Benefits –  Federated Solution –  Trusted authentication at FiXs recognized locations

& systems –  Syndicated Investment –  Syndicated Risk –  Branded Transaction –  Certified & Accredited Products/ Services

•  Responsibilities –  Warrant Trustworthiness of Employees –  Comply with Operating Rules

The Foundation

•  January 2006 - Memorandum of Understanding (MOU) with DoD that established terms & conditions under which FiXs & DoD will use their respective systems as part of an identity suite of systems: –  Operational framework for inter-operability between

DoD & FiXs –  Specific operational responsibilities –  Governance structure

•  Interim Authority To Operate (IATO) Granted by DMDC in July 2007

A Common Access Infrastructure

Currently over 7 million people have CAC-compliant credentials As this number grows - opportunities for efficiencies skyrocket

Federal Government Trading Partners & Allies First Responders

Governance Structure

•  Defined Trust Model •  Operating Rules •  Security Guidelines •  Policy Standards, including Privacy Act

compliance •  Technical Architecture Specifications &

Standards •  Implementation Guidelines

The Basic Principles

Personally identifiable information (PII)   Capture of biometric, SSN, & other unique information  Write once/ access many times = ID authentication & reduced sign-on

Structured to emulate the ATM model

PII maintained in a federated manner   No single targeted database of personal information   Distributed under the authority & control of the sponsoring organization  Queries of this information can be “logged” to support privacy

Meeting DoD Objectives

•  Credentials can be trusted with confidence –  “… fully operational for worldwide use in support of identity authentication purposes

& applications” -- DMDC ltr, 16JUL07 –  “establish & maintain the ECA program … to support the issuance of DoD-approved

certificates to industry partners & other external entities & organizations.” -- DoDI 8520

•  Short term return on investment (ROI) –  Existing highly available architectures for identity deployment & revocation

information accessibility –  Most efficient ingress & egress to government facilities & systems

•  Fulfills need for personal security in a high-tech world –  “… intended for all applications operating in environments appropriate for medium

assurance but which require a higher degree of assurance & technical non-repudiation.” -- DoD CP

–  Addresses “… the need for non-DoD entities & personnel to interoperate with DoD applications for the purpose of conducting business electronically with the DoD.” -- DoD/ ECA MOA

Consistent with DoD Investments

•  Assurance of interoperability & convergence –  DoD PKI Medium Hardware Assurance (CAC) –  ECA Medium Hardware Assurance –  Defense Cross Credentialing Identification System

(DCCIS) –  FiXs Initial Operating Capability (IOC)

•  Distributed trust model DoD-wide –  DoD PKI/ ECA Root distribution –  Global Directory System (GDS)/ Credential Validation –  FiXs Operating Rules - HSPD-12 compliant –  Defense National Visitor Center (DNVC) System –  Defense Biometric Identification System (DBIDS)

Supports a safe, secure shopping environment overseas and stateside

4.1301 Contract clause. The contracting officer shall insert the clause at 52.204-9, Personal Identity Verification of Contractor Personnel, in solicitations and contracts when contract performance requires contractors to have physical access to a federally controlled facility or access to a Federal information system.

52.204-9 Personal Identity Verification of Contractor Personnel.

(a) The Contractor shall comply with agency personnel identity verification procedures identified in the contract that implement Homeland Security Presidential Directive-12 (HSPD-12), Office of Management and Budget (OMB) guidance M-05-24, and Federal Information Processing Standards Publication (FIPS PUB) Number 201.

(b) The Contractor shall insert this clause in all subcontracts when the subcontractor is required to have physical access to a federally-controlled facility or access to a Federal information system.

FiXs Provides ALA Members

•  A seat at the table –  Interface with DoD & GSA for identity assurance matters –  Governance Structure between member organizations –  Certification Standards for creating identity credentials

consistent with Federal regulations •  A shared trusted network –  Secure network switch –  Standard interface with DoD & FiXs members –  Access to certified providers, sponsors, &credential

holders •  Clearinghouse for objective

consideration of technologies, business processes, rules & requirements

FiXs - Certified Credentials

“The Medium Hardware Assurance tokens and associated certificates issued by the ECA Providers have the same assurance level as the certificates on a Common Access Card (CAC).” -- EPMA

CAC FiXs

2D barcode, 1D barcode & mag-stripe

on back

2 RFID antenna

Clear Contractor Markings

Value Proposition & ROI

  Easy business decision for CFO & CIO

  Enterprise-wide capability & best practices

  Security & Privacy of staff, systems, & facilities

  Method for data security in compliance with latest identity authentication processes

  Complies with FAR contract requirements

  HSPD – 12 and DoD PIP compliant

  Leadership in a large &developing market on an matter that is of major national importance

ALA - FiXs Credential Use Case Assessment

•  People •  Process •  Tools •  Priorities

•  Current State •  Goals •  Requirements •  Future State

•  Company Profile •  Use Case Interest •  IT Infrastructure •  Key Organizations

Value-added Services to ALA Membership

• Web-based Diagnostic for Identity Assurance –  Available to each ALA member organization –  Provided by FiXs member – AMERICAN SYSTEMS

• Confidential On-site Workshop –  Focused current/ desired future state requirements

gathering gap analysis –  Lead by Senior Identity Assurance Consultants

• Roadmap –  Focused snapshot of current and future state –  Gap analysis, Quick Wins and increased ROI identified –  Identify increased ROI opportunities, priorities & Quick

Wins

• Non-intrusive & targeted towards a use case

Web-based Diagnostic

Identity Assurance Survey: – Web-based survey – Can be shared intra-organizationally for

business requirements gathering, prioritization & pain identification

– Detailed report summarizing initial findings – Can be fine-tuned for future phase use

On-site Workshop

Half-day workshop: – Lead by Senior Identity Assurance

consultant – Detailed requirements gathering, issue

identification, and future state discussion –  Initial requirements, achievable quick wins

and ROI assessed – Preliminary Roadmap presented to clearly

identify realistic next steps

How does ALA take advantage of this?

•  Facility access • Credit • Employee ID Medical information • Passport • ID card •

Purchasing authority • Rewards • Insurance • Debit •

Marketing • Age verification Memberships

Clearance Medical &

drug benefits School ID

Account access

Computer security

As we continue to deploy common, strong personal digital identities, levels of permission can be granted to any online application with a high degree of confidence.

This opens up endless possibilities for ALA to add value for their membership.

Digital signature

Data encryption

Summary

•  Single card for access bases & Facilities

•  No long lines/ reduced waiting times

•  Physical & logical privileges

Questions?

We greatly appreciate your time & consideration, thank you.

Contact Information

Dan Turissini - President, ORC/ FiXs Board Member turissd@orc.com 703 246 8550

Robert Martin, American Systems/ FiXs Corp Secretary Bob.Martin@fixs.org 703 321 6951

Dr. Michael Mestrovich, President, FiXs Michael.Mestrovich@fixs.org 703 928 3157