- IDManagement.gov

Interagency Advisory Board
Meeting Agenda, March 23, 2011
1.
Open Remarks (Mr. Tim Baldridge, IAB Chair)
2.
Impact of M-11-11 on PACS (Ron Martin, HHS)
3.
FIPS 201-2 Update (Bill MacGregor, NIST)
4.
Status Brief on ICAM Roadmap (Shelly Hartsook, Deloitte)
5.
Status of FPKI Management Authority (MA Team, GSA)
6.
Closing Remarks (Mr. Tony Cieri)
Office of Management and Budget
(OMB)
OMB Memorandum 11-11 2/3/2011
Continuation of HSPD-12 Implementation
A Physical Access Control (PACS)
Perspective
PACS Reality Check
“…The Physical Access Control System is a significant security component of
any enterprise. These systems are an inherent and essential part of the overall
security protection environment and must be interfaced to the enterprise
Identification Management System (IDMS) and a Card Management System
(CMS) to provide full HSPD-12 interoperability and FIPS 201-1 compliance. ..”
Ron Martin, CPP April 2007
The PACS is an Application that resides on the organization’s enterprise. It
therefore must adhere to all of the Logical Access Control protocols.
HSPD – 12
MARCH
2006
Resistance is Futile!
PACS
HSPD-12 Managed
Service Physical
Architecture
LACS
Internet or
WAN
Customer
Defined
Customer
Defined
Managed Services Central Site
Enrollment Sites
Security Infrastructure
Cisco
501 VPN
UPEK TouchChip
Smartcard Reader
Backup
Server
Nokia 350
Firewall
WelchAllyn
Barcode
Reader
Startek
FP Scanner
Cisco VPN
Concentrator
Credential Mgmt Server
Infrastructure
(2) 750MHz
4GB RAM
Web Server
HP
A Class
MagStripe
Reader
Dell
GX280
HP DL385
SL500
Tape Library
DNS
Servers
Help Desk
LexMark
Printer
Olympus C7070
Camera
Epson 4990
Scanner
AssureTec
Document Reader
HP DL145
Procurve
5372
Central
Switch
h p p rocurve
switch 5372XL
J4848A
3TB
Storage
Managment
J4820A 24 port 10/100TX
System Console
HP Workstations
1000BT
1000BT
Card Activation Sites
1000BT
Cisco
501 VPN
Data Center
J4820A 24 po rt 10/100TX
J4820A 24 po rt 10/100T X
BECATM Enrollment Workstation
(2) 2.4GHz
4GB RAM
(2) LTO3
30 Slots
Qlogic Switch
Cluster
SAN
StorageTek
Flex210
Mass Card Production
1000BT
Smart Card
Printer
Startek
FP Scanner
Dell
GX280
Epson 4990
Scanner
Smart Card
Printer
AFIS
Certificate Authority
AssureTec
Document Reader
Credential Issuance Station
PKI Certificate
Server
Card Management Server
Card
Management Server
PMI Certificate
Server
AFIS
Server
IDMS
Biometric Transaction
Controller
(6) 1GHz
Cluster
12GB RAM
IDMS
Cluster
(4) 3GHz
4GB RAM
HP DL145
(16) 1GHz
64GB RAM
HP DL145
HP 4440
HP 4440
HP 4440
HP RP 7420
LOGICAL & PHYSICAL ACCESS WILL BE
ASSIMILATED INTO THE SMART CARD!
R. Martin, CPP
M-11-11:
Normatively referenced SP 800-116 and The FICAM Roadmap
FIPS 201:
FIPS 201-2 “the Standard” is about to be revised
FICAM PART “B” Phase 2 and FIPS 201-2 will be finished CY-2011
A PACS Model from SP 800-116
Unrestricted, Controlled, Limited, Exclusion
Unrestricted
area
Controlled
Limited
Limited
area
area
area
Exclusion
Important stuff
Lab
Access
area
Access
Space
TradeImportant
Very
Secret stuff
Point
C
Point
B
Facility services
HQ
Access
Point
A
Admin
Buildings
PIV Implementation Maturity Model (PIMM)
•
Maturity Level 1—Ad Hoc PIV Verification: A site has the ability to authenticate PIV Cards by
performing required authentication mechanisms on an ad hoc, on-demand basis. For example, card
and cardholder authentication is achieved with a handheld terminal or a specific PC, for special or
occasional uses.
•
Maturity Level 2—Systematic PIV Verification to Controlled Area: At the outer perimeter of the
site (Controlled area), PIV Cards are accepted as proof of identity, possibly in addition to legacy
PACS credentials. A visitor registration procedure exists to accept PIV Cards and if necessary convert
PIV authentication to a temporary legacy PACS credential.
•
Maturity Level 3—Access to Exclusion Areas by PIV : Access to Exclusion areas (the most
sensitive areas) is permitted by PIV authentication or "exception" only. Here, exceptions are the
exceptions to PIV issuance (e.g., less than six months association). However, all access to exclusion
areas is also subject to authorization, and authorization would typically only be granted to PIV
cardholders. The exception case might be applied to exclusion areas for VIP visitors, for example. At
Level 3, legacy PACS or badges are not acceptable for authentication to exclusion areas.
•
Maturity Level 4—Access to Limited Areas by PIV: Access to Limited areas (generally, those
permitting clearance level- or role-based authorization) is permitted by PIV authentication or exception
only. At level 4, legacy PACS or badges are not acceptable for authentication to Limited areas.
•
Maturity Level 5—Access to Controlled Areas by PIV: Access to Controlled areas (showing
evidence of organizational affiliation, or registration for a visitor, with or without escort) is permitted by
PIV authentication or exception only. At level 5, legacy PACS or badges are not acceptable for
authentication to controlled areas.
NOTE: Maturity levels are progressive: for example, Maturity Level 1 must be achieved before Maturity
Level 2 can be achieved. Maturity levels can be applied to individual facilities, or by extension to
multiple facilities within an organization. When applied to multiple facilities, a maturity level is achieved
when each of the facilities in the group has achieved the maturity level individually.
FICAM Chapter 10 Solution
Architecture
FICAM Recognition
The enterprise PACS is depicted as a piece of the larger Security
Management System (SMS), which has interconnections with other
physical security elements.
•Fire Alarm Systems
•Video Surveillance
(Closed Circuit Television)
•Short-term visitor MGT
•Intercoms and
Emergency Management
Notification
•Security Officer touring
•Intrusion and explosive
detection systems
R. Martin, CPP
Budget and
Conformance
M-11-11 FIVE Tenets
1. Effective immediately, all new systems under development must be
enabled to use PIV credentials
2. Effective the beginning of FY2012, existing physical and logical
access control systems must be upgraded to use PIV credentials
3. Procurements for services and products involving facility or system
access control must be in accordance with HSPD-12 policy and the
Federal Acquisition Regulation.
4. Agency processes must accept and electronically verify PIV
credentials issued by other federal agencies.
5. The government-wide architecture and completion of agency
transition plans must align as described in the Federal CIO Council’s
“FICAM”
R. Martin, CPP
A Physical Access Control System is Information
Technology
BUDGET
OMB Memorandum May 23, 2008 titled Guidance for Homeland Security
Presidential Directive (HSPD) 12 Implementation :
“… agencies should continue to follow the requirements of Office of
Management and Budget (OMB) policy, such as A-130, “Management of
Federal Information Resources” and A-11, “Preparation, Submission and
Execution of the Budget,” when developing plans…”
Tenet 1 and 2
•Effective immediately, all new systems under development must be
enabled to use PIV credentials
• Effective the beginning of FY2012, existing physical and logical access
control systems must be upgraded to use PIV credentials
PIV enablement is more than door card readers.
PIV cards are to be used to access PACS
CONFORMANCE
Part 1
Tenet 3:
Procurements for services and products involving facility or system
access control must be in accordance with HSPD-12 policy and the
Federal Acquisition Regulation.
OMB M-06-18: Two Federal Acquisition Regulation requirements
Subpart 4.13--Personal Identity Verification
4.1301 Contractual implementation of personal identity
verification requirement.
4.1302 Acquisition of approved products and services for
personal identity verification.
Subpart 52.204-9 -- Personal Identity Verification of Contractor
Personnel.
CONFORMANCE
Part 2
ID Store
4. Agency
processes must
accept and
electronically verify
PIV credentials
issued by other
federal agencies.
Sponsor Request
Visitor
PIV, CAC, Card
Holder Driver Lic,
Passport
Visitor Kiosk
Visitor
Groups
Visitor Check-in
Certificate Check,
Biometric & Picture
(optional)
Per
Policy
Server
Cert Issuer
to CRL
Mapping
CRL 1
(DOD)
Card
Unescorted Access
Provision
ed in
PACS
OCS
P
Chec
k
CRL 2
(Feder
al
Bridge
)
CRL n
(Other
)
Visitor
Badge
Issued
Escorted Access
OMB
Requirement
CONFORMANCE
FICAM
Tenet 5:
The government-wide architecture and completion of agency transition plans must
align as described in the Federal CIO Council’s “FICAM”
FICAM Implementation Roadmap – November 2009
FICAM Implementation Roadmap – PART “B” Phase 1 – February 2011
FICAM Implementation Roadmap – PART “B” Phase 2 – TBD CY 2011
FICAM Implementation Roadmap – PART “B” Phase 2 – TBD CY 2011
Part “B” Phase two will have these chapters:
Chapter 7. Initiative 5: Streamline Collection and Sharing of Digital
Identity Data.
Chapter 8. Initiative 6: Fully Leverage PIV and PIV-interoperable
Credentials.
Chapter 12. Initiative 9: Implement Federated Identity Capability.
•REQUIREMENTS
•INTEGRATORS
•SOLUTIONS
•MANUFACTURERS
•PRODUCTS
•ROLE RESULT
The implementation of M-11-11 is applicable to end-users,
integrators/solution providers and manufacturers/developers
•TO MEET OR SATISFY
•TO SPECIFY
•END‐USERS