Transcript of USDA HSPD-12 Implementing PIV cards @ USDA (15 pages)

Page 1: USDA HSPD-12 Implementing PIV cards @ USDA

U.S. Department of Agriculture HSPD 12 Program

April 2009

Page 2: USDA and the GSA HSPD-12 Shared Solution

USDA has been at the forefront of driving a shared solution for HSPD-12 across the Federal Government:

• Co-chairing the HSPD-12 Executive Steering Committee
• Contributed to the development of the General Services Administration (GSA) Statement of Work for HSPD-12
• Serving on the vendor evaluation committee

To that end, USDA is prepared to adopt the GSA HSPD-12 Shared Solution as its USDA Enterprise-wide solution.

Page 3: HSPD-12 PIV card - LincPass cards

LincPass Process

Getting a Card: HR sponsors, the person enrolls, the BI is completed, the card is issued, and the person activates it.

Using a Card: Logical Access (for access to computers) and Physical Access (for access to buildings).

Page 4: Identity and Access Management

[Diagram: identity and access management architecture drawn in three panels. The first two panels carry the same labels; the third replaces several of them. Labels recovered from the figure, listed by layer.]

Layers: Identity, Credentials, Accounts, Access Control, Application Integration, Authorization.

Panels 1 and 2:
• Identity: Employees, Customers, Contractors, Identity Stores
• Credentials: Username, Password, eAuth, HSPD-12 CHUID, PKI Certificates, Non-Repudiable eGov Services
• Accounts: AD Domains, eAuth, Mainframe
• Access Control: LACS, VPN (IPSec/SSL VPN), E PACS, PACS, 802.1X, Security Profile Mgmt, Network Admission Control (Quarantine, Device Auth, User Auth), Disk Encryption Authentication
• Application Integration: Application RBAC, Win 2K3 AzMan, Entitlement Mgmt, Role Based Access Control, Role Attribute Mgmt (Org, Position, Location)
• Authorization: InCommon Federation (Authentication, Authorization)
• Cross-cutting: Persistent Connectivity, Mobile Computing, Collaboration, Auditing

Panel 3 (labels that differ from the first two):
• RBAC Attributes, Rules Engine, Identity Mgmt, Enterprise Entitlement Management System (EEMS), Entitlement Mgmt, Workflow Engine
• E PACS; Remote/Wired/Wireless Network Access Control and Endpoint Security: Device PKI, PIV User Auth, Health State Validation, File Integrity, HB IPS/FW, Remediation, DLP
• Federation (Authentication, Authorization)
• Enhanced Services: Encryption, Dig/Sig, Non-Repudiation

Page 5: HSPD-12 Business Process

General HSPD-12 Concept

Process:
• Sponsorship: capture applicant information and authorize PIV card
• Enrollment: identity proof and capture biometrics
• Adjudication: complete BI and record results
• Issuance: produce card and issue to applicant
• Activation: authenticate applicant and activate card
• Credential Usage: manage card lifecycle

Components: IDMS GUI and IDMS DB (sponsorship and enrollment), Certificate Authority (CA), CMS, Finalization Workstation with Card Reader, Enrollment and Finalization stations, CPS, CMS & IDMS.

Page 6: LACS, PACS, and HR

[Diagram: HR, card issuance, PKI, LACS and PACS components and the interactions between them; labels recovered from the figure.]

• Identities: Employees and Contractors, fed from the Personnel Management System
• Registration Workstation: Document Scanner, Card Reader, Camera, Finger Print Scanner
• OPM / FBI (interaction for the background investigation)
• CHMS: App Servers, CHMS DB, Reporting, Registration AD
• Card production: Card Printing, Card Distribution, CMS, CPS, CMS DB Shared Service
• PKI: Certificate authority, CRL, OCSP Responder, Key Mgt
• Agency LACS (Agency 1 LACS, Agency 2 LACS): ADMIIS, RDBMS, Data Store, Workstations
• Enterprise PACS: Servers, Agency PACS, Agency Controller, PACS Master DB, PACS Mobile Unit, Facility
• USDA Responsibilities (marked on the figure)

Page 7: Overall Architecture

[Diagram: EIMS, the HR source systems, the HSPD-12 Service Provider, the Logical Access Control Systems and ePACS, with the connectors and their status as labelled below.]

• Payroll/Personnel (PP): Done
• EmpowHR: Done
• Non Employee Identity System (NEIS): Done
• EIDS V3.1 / EIDS Connector: Done
• Sponsorship & Adjudication Data Feed: Done
• Query SIP Data Feed: Done
• AD Connector & Card Info Feed: In Progress, 7 agencies done
• Laptop User LincPass Domain Login: All Agencies in Progress
• ePACS Connector: 3/13/09
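Added example, not code from the USDA deck or from the GSA shared solution: the checks a Logical Access Control System should make on the card's PIV Authentication certificate when a LincPass is used for domain login, written in Go against the standard library so it runs offline. The agency CA, the rogue CA, the card certificates, the clock and the CRL (modelled as a set of revoked serial numbers in place of the CRL / OCSP responder on the previous slide) are all constructed for the example, and the id-fpki-common-authentication policy OID comes from the Federal PKI Common Policy, not from the slides. A real PIV Authentication certificate identifies the holder by FASC-N and UPN in its subject alternative name; this example matches on the subject CN to stay short.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"slices"
	"time"
)

var (
	// id-fpki-common-authentication (Federal PKI Common Policy); assumption, the slides only say "PKI Certificates".
	oidCommonAuth = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 2, 1, 3, 13}
	// certificatePolicies (2.5.29.32) extension carrying only that OID, built by hand so the fixture
	// does not depend on which Go field (PolicyIdentifiers or Policies) the toolchain marshals.
	policyExt = pkix.Extension{Id: asn1.ObjectIdentifier{2, 5, 29, 32},
		Value: must(asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{oidCommonAuth}}))}
	ErrRevoked    = errors.New("piv: certificate serial is on the agency CRL")
	ErrNotPIVAuth = errors.New("piv: certificate does not assert the PIV authentication policy")
	FixtureNow    = time.Date(2009, time.April, 1, 12, 0, 0, 0, time.UTC) // the deck's date
)

// ValidatePIVAuth runs the checks a LACS must make on a card's PIV Authentication certificate
// before mapping it to a directory account: chain to a trusted agency CA, validity at now, client-auth
// EKU, the PIV policy OID, and a revocation lookup (revoked stands in for the CRL / OCSP responder).
func ValidatePIVAuth(der []byte, roots *x509.CertPool, revoked map[string]bool, now time.Time) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return "", err // untrusted issuer, expired, or wrong EKU
	}
	if !slices.ContainsFunc(cert.PolicyIdentifiers, oidCommonAuth.Equal) {
		return "", ErrNotPIVAuth // e.g. a signing or TLS client certificate from the same CA
	}
	if revoked[cert.SerialNumber.String()] { // a lost card is revoked long before it expires
		return "", ErrRevoked
	}
	return cert.Subject.CommonName, nil // the name used to find the directory account
}

func must[T any](v T, err error) T { // fixture construction only; the validator returns errors
	if err != nil {
		panic(err)
	}
	return v
}

func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: FixtureNow.AddDate(-1, 0, 0), NotAfter: FixtureNow.AddDate(10, 0, 0), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issueCard signs a three-year card certificate; withPolicy=false models a non-PIV certificate.
func issueCard(issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, serial int64, cn string, withPolicy bool) []byte {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: FixtureNow.AddDate(0, -6, 0), NotAfter: FixtureNow.AddDate(3, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if withPolicy {
		tmpl.ExtraExtensions = []pkix.Extension{policyExt}
	}
	return must(x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey))
}

// BuildFixture returns a constructed agency trust store, a CRL (as a serial set) and one card per scenario.
func BuildFixture() (roots *x509.CertPool, revoked map[string]bool, certs map[string][]byte) {
	agency, agencyKey := newCA("USDA Agency CA (constructed)")
	rogue, rogueKey := newCA("Not a Federal CA (constructed)")
	roots = x509.NewCertPool()
	roots.AddCert(agency)
	cn := "Bloggs, Joseph G" // sample card face from the deck's last diagram
	certs = map[string][]byte{
		"valid":     issueCard(agency, agencyKey, 1001, cn, true),
		"no-policy": issueCard(agency, agencyKey, 1002, cn, false),
		"revoked":   issueCard(agency, agencyKey, 1003, cn, true), // serial 1003 is on the CRL
		"untrusted": issueCard(rogue, rogueKey, 1004, cn, true),
	}
	return roots, map[string]bool{"1003": true}, certs
}

func main() {
	roots, revoked, certs := BuildFixture()
	for name, der := range certs {
		cn, err := ValidatePIVAuth(der, roots, revoked, FixtureNow)
		fmt.Printf("%-9s cn=%q err=%v\n", name, cn, err)
	}
	cn, err := ValidatePIVAuth(certs["valid"], roots, revoked, FixtureNow.AddDate(4, 0, 0))
	fmt.Printf("%-9s cn=%q err=%v\n", "stale", cn, err) // the valid card after its certificate expires
}
```

go run prints one line per scenario; only the certificate that chains to the agency CA, is inside its validity period, carries the PIV policy and is not on the CRL yields a name to match against the directory. Revocation is checked only after the chain verifies, so an untrusted certificate never reaches the CRL / OCSP lookup, and the time-shifted call shows that validity is evaluated at login time, not at enrollment.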

Page 8: Three Phases with NCE and GSA shared solution

• June 9 – Sept 30, 2008 – Summer Mobile enrollments
• October 1, 2008 – April 30, 2009 – Winter Mobile enrollments
• May 1 – Sept 30, 2009 – Sustainment and Operations

Participating agencies:
• General Services Administration
• Office of Personnel Management
• United States Department of Agriculture
• United States Department of Energy
• United States Department of Interior
• US Department of Justice
• United States Department of Treasury

Page 9: An Example: Enrollment Answer from Mobile enrollment. Phase 1 and 2

[Map: Example of Enrollment Locations, with numbered markers for each site; locations and sponsoring agencies recovered from the figure.]

• Sioux Falls (DOI)
• Minneapolis (USDA/APHIS)
• Fargo (USDA/ARS)
• Falcon Heights (GSA)
• Park Falls (USDA/FS)
• Stevens Point (USDA/RD)
• Grand Forks (USDA/ARS)
• Pocahontas (USDA/RD)
• Waverly (USDA/RD)
• Duluth (USDA/FS)
• Mankato (USDA/FSA)
• Rochester (USDA/FSA)
• Grand Rapids (USDA/FS)
• Baxter (USDA/FSA)
• Morris (USDA/ARS)
• Marshall (USDA/NRCS)
• Madison (USDA/FS)
• Huron (GSA)
• Aberdeen (USDA)

Page 10: Phase 3 Permanent Locations Example

* Klamath Falls

* LaGrande

* Pendleton

* Roseburg

* Tangent

* Yakima

Page 11: Phase 3 Light Activation

Participants Identified:
• Permanent Enrollment \ Activation centers: Shared, Agency Only
• Light Activation Stations: Shared, Agency Only

GSA’s Light Activation Station:
• Fingerprint Reader
• Read/Write Smart Card Reader
• Special Software

Page 12: USDA Report Card

• Over 160 Mobile Enrollment stations during Summer
• 225 Mobile Enrollment Stations during Winter
• Enrolled 74,000+ Employees across the Entire Country
• Enabled Two-Factor Authentication for almost 55,000 Laptops
• Implemented a National PACS Infrastructure & Began Connecting 100 MCFs

Page 13: USDA Next Steps

PIV cards:
• Continue issuing cards to Federal and contract staff
• Complete remaining investigations

Two-Factor Authentication:
• eAuthentication Two-Factor Integration
• VPN Two-Factor Integration
• Digital Signature Integration for Office, Outlook and Adobe
• Encryption Integration for Outlook

ePACS:
• Identify remaining MCFs
• Implement solution at all MCFs

Other:
• Continue to share information with NCE participants
• End Point Security \ VPN

Page 14: Conceptual Strategy: Network & Endpoint Security

[Diagram: wired hosts behind a Distribution Layer Switch, wireless hosts behind a Wireless Access Point, and remote hosts over VPN, all admitted through a Network Access Controller that consults the USDA Enterprise Directory and an IDS; labels recovered from the figure.]

Every endpoint runs: Host-Based Firewall, 802.1x Supplicant, Host-Based IPS, SSL VPN, Health Check, Endpoint Security Agent.

Network Access Controller: NAC Agent, Health Check: Pass / Health Check: Fail, Remediate, User Roles, Remote Access, Local Access, ISOC Auditing and Reporting.

Endpoint Security Agent components: BigFix, Anti-X, Patch Management, Disk Encryption, FDCC, File Integrity Checking, Host-Based FW, Host-Based IPS, Data Loss Prevention.

Sample LincPass shown on the figure: United States Government; USDA; Bloggs, Joseph G; Expires 2012OCT22; Affiliation: Contractor; Agency/Department: Department of Agriculture.

Page 15: USDA Contacts \ Questions

Owen [email protected] (970) 295-5538

Meria A. [email protected] (970) 295-5198