Synopsis: Many visions, definitions, strategies and concepts on how “federation” should or would work currently abound when discussing Identity Management scenarios. The Federation for Identity and Cross-Credentialing Systems (FiXs), a not-for-profit industry organization of more than 50 members/subscribers, has actually built and operationalized, with the Department of Defense, one of the very first, if not the first, such environment in existence today.
This presentation and discussion will focus on the journey travelled over the last four years of collaborative work between the DoD and FiXs on establishing this Federation between Industry and Government.
Participants will learn about the development of trust models, operating rules, policies on privacy and security, mandatory guidelines and standards, open technology solutions and the politics of making a Federation between Industry and Government actually operational.
The discussion leader is Dr. Michael J. Mestrovich, President of FiXs, who spent nearly thirty years within the Department of Defense and Federal Government developing, implementing and operating enterprise-wide systems and infrastructures for personnel, health, business and command and control systems. Over the past few years, since he retired from DoD, he has focused on innovative ways to allow Industry and Government to work together in collaborative forums in solving National infrastructure issues.
Federated and Secure Identity Management in Operation
1. FiXs® - Federated & Secure Identity Management in Operation
The Federation for Identity and Cross-Credentialing Systems (FiXs)
www.FiXs.org
2. UNCLASSIFIED
FiXs - The Federation for Identity & Cross-Credentialing Systems --- What is it?
A 501(c)6 not-for-profit trade association initially formed in 2004 while working with the Department of Defense to provide secure and inter-operable use of identity credentials between and among government entities and industry
A coalition of diverse companies/organizations supporting development and implementation of inter-operable identity cross-credentialing standards, systems and end-to-end solutions for various applications
Members/Subscribers include: government contractors, technology companies, major firms, small businesses, sole-proprietors, not-for-profit organizations, Department of Defense, state governments, etc.
3. FiXs is a Standards, C & A and Network Access Organization
Complete Legal Governance structure for member firms
Certification and Accreditation program for issuing identity credentials and securing personal identifying information
A secure network switch through which transactions can be passed for PACS and LACS applications
Standards for interfacing with the network switch and interoperability of applications
Secure Network access to certified service providers and sponsors of individuals holding certified credentials
Clearinghouse for objective consideration of technologies, business processes, rules and requirements
4. 4.1301 Contract clause
The contracting officer shall insert the clause at 52.204-9, Personal Identity Verification of Contractor Personnel, in solicitations and contracts when contract performance requires contractors to have physical access to a federally controlled facility or access to a Federal information system.
52.204-9 Personal Identity Verification of Contractor Personnel
(a) The Contractor shall comply with agency personnel identity verification procedures identified in the contract that implement Homeland Security Presidential Directive-12 (HSPD-12), Office of Management and Budget (OMB) guidance M-05-24, and Federal Information Processing Standards Publication (FIPS PUB) Number 201.
(b) The Contractor shall insert this clause in all subcontracts when the subcontractor is required to have physical access to a federally-controlled facility or access to a Federal information system.
5. The Foundation
In January 2006 FiXs entered into a formal Memorandum of Understanding (MOU) with the Department of Defense which established terms and conditions under which FiXs & DoD will use their respective systems as part of an identity suite of systems. The MOU was updated & renewed in February 2009.
The terms and conditions include:
an operational framework for inter-operability between DoD & FiXs
specific operational responsibilities
legal governance structure
ATO Granted by DMDC in July 2007
6. Governance Structure
Defined Trust Model
Operating Rules
Security Guidelines
Policy Standards, including Privacy Act compliance
Technical Architecture Specifications & Standards
Implementation Guidelines
Formal, legal flow down agreements for members/subscribers
7. The Basic Principles
Individual personal identifying information, such as biometrics, SSN, & other unique personal identifying information, is captured once & accessed as required for authentication of one’s identity
This information is maintained in a federated manner, whereby there is no single database of every individual’s identifying information. The data is maintained in a distributed manner under the authority and control of the organization that “sponsors” the individual holding the certified identity credential
Queries of this information are “logged” to support privacy (akin to the processes followed when someone accesses your credit report)
Structured to emulate the ATM & credit card network model of the banking industry
9. Meeting Policy Objectives
Certified Credentials that can be trusted with confidence
“FiXs network fully operational for worldwide use in support of identity authentication purposes & applications” – DMDC, July 16, 2007
“The DoD shall establish & maintain the ECA program to support the issuance of DoD-approved certificates to industry partners & other external entities & organizations.” -- DoDI 8520
“FiXs credentials that include PKI certificates issued from DoD ECA vendors are acceptable for use by DoD web based systems” --- ASD/NII, July 11, 2008
Short term return on investment (ROI)
Existing highly available architectures for identity deployment & revocation information -- immediate cost avoidance of CAC issuance “outside of the fence”
11. Certified & Accredited Subsystems
FiXs Network - The Defense Cross Credentialing Identification System (DCCIS) infrastructure and its interface to the FiXs Network are now fully operational for worldwide use in support of identity authentication purposes and applications. The architecture is in place today to inter-operate similarly with non-DoD organizations in a secure manner.
Credential Issuers (CI) - Each CI undergoes an extensive and complete review in accordance with the highest industry standards, covering all requirements of the proposed solution. This is documented in detailed Certification and Accreditation (C&A) reports.
Authentication Stations - FiXs certified authentication stations enable FiXs and Department of Defense (DoD) CAC credentials to be verified and accepted for physical access authentication purposes by implementing the cross-credentialing services supported by this combined network. Final decisions on physical access privileges, whether at a government or vendor site, are local decisions.
12. Fixing the Identity Credentialing Problem
“Hardware tokens [FiXs] & associated certificates issued by the ECA providers have the same assurance level as a Common Access Card (CAC).” – EPMA
Note: Access privileges are granted under the purview of the Facility/Application owner.
13. HSPD-12 Compliant & PIV Inter-operable Credential Management
FIPS 201 compliant lifecycle management of users, their identity devices, & associated credentials…
… with the strength of DoD Medium Hardware Assurance
14. Multi-Levels of Vetting for Certified Credentials allow for multiple levels of granting or denying physical & logical access control
All certificates on a FiXs credential include an Organizational Unit ID that identifies the FiXs vetting assurance level as follows:
FiXs4, for FiXs credentials asserting FiXs equivalent “High”
FiXs3, for FiXs credentials asserting FiXs equivalent “Medium High”
FiXs2, for FiXs credentials asserting FiXs equivalent “Medium”
FiXs1, for FiXs credentials asserting FiXs equivalent “Low”
Application/perimeter owner chooses appropriate verification & authentication levels.
15. Robust revocation processes
Certified Credentials issuers are required to maintain FiXs enrollment, privacy, administrative control, revocation, and audit information
Maintenance & updating of the revocation information is the joint responsibility of the sponsoring organization & the Certified Credential issuer
Card & Certificate Revocation Lists are issued immediately upon revocation
“A revocation process must exist such that an expired or invalidated credential is swiftly revoked.”
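The relying-party side of slides 14 and 15, as an added example that is not FiXs, DoD or DCCIS code: an authentication-station style decision that reads the FiXs vetting level from the certificate subject's OU, fails closed on a missing or unrecognised level, consults a revocation list and applies the perimeter owner's minimum level. The exact OU format, the revocation-list contents, the DNs and the timestamps are assumptions and constructed sample input.

```python
"""Relying-party access check for a FiXs-style credential certificate.

Added example, not FiXs, DoD or DCCIS code. It assumes the vetting level is carried
in a subject OU attribute exactly as the slide lists it (FiXs1..FiXs4); the revocation
list, DNs and timestamps below are constructed sample input.
"""
import re
from datetime import datetime, timezone

# Vetting assurance levels as listed on the slide; higher number = stronger vetting.
FIXS_LEVELS = {"FiXs1": 1, "FiXs2": 2, "FiXs3": 3, "FiXs4": 4}

# Constructed revocation list (stand-in for the issuer's CRL): revoked serial numbers.
REVOKED_SERIALS = {"0A1B2C", "DEADBEEF"}

def parse_dn(dn):
    """Split an RFC 4514-style DN into (type, value) pairs; handles '\\,' escapes."""
    attrs = []
    for part in re.split(r"(?<!\\),", dn):
        typ, _, val = part.strip().partition("=")
        attrs.append((typ.strip().upper(), val.replace("\\,", ",").strip()))
    return attrs

def assurance_level(subject_dn):
    """Return the numeric FiXs level asserted in an OU, or None if absent or unknown."""
    ous = [v for t, v in parse_dn(subject_dn) if t == "OU"]
    levels = [FIXS_LEVELS[v] for v in ous if v in FIXS_LEVELS]
    # Exactly one recognised level is expected; anything else fails closed.
    return levels[0] if len(levels) == 1 else None

def access_decision(subject_dn, serial, not_after, required_level, now=None):
    """Perimeter owner's policy: not revoked, not expired, level at least required_level.
    Timestamps are ISO 8601 strings with a UTC offset, e.g. '2030-01-01T00:00:00+00:00'."""
    now_dt = datetime.fromisoformat(now) if now else datetime.now(timezone.utc)
    if serial.upper() in REVOKED_SERIALS:
        return (False, "revoked")
    if now_dt > datetime.fromisoformat(not_after):
        return (False, "expired")
    level = assurance_level(subject_dn)
    if level is None:
        return (False, "no recognised FiXs assurance level in certificate OU")
    if level < required_level:
        return (False, f"FiXs{level} below required FiXs{required_level}")
    return (True, f"FiXs{level} accepted")

if __name__ == "__main__":
    # Constructed sample: a FiXs3 credential presented where FiXs2 is required.
    dn = "CN=Jane Doe,OU=FiXs3,O=Example Contractor\\, Inc.,C=US"
    print(access_decision(dn, "1234", "2030-01-01T00:00:00+00:00", 2))
```

The final access decision remains the facility or application owner's, as the slides state; this only encodes the checks that decision depends on.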
16. Facility, Installation and Network Access – Today’s Problem
No uniform compliance
Vulnerability
Lack of vision
Who’s on - Who’s off
No threat flexibility
DHS NIMS code deployment plan
PX & commissary services
Suppliers to docks
Maintenance & repair access to grounds
Network applications
Occasional Visitors
17. Common Issues with Physical and Logical Security
How do we protect our facilities and systems, balanced with ease of use?
Easy, secure access for those who belong
Simple identification verification of visitors & users
Identity assurance for contractors & suppliers must:
Incorporate strong vetting for those that require access
Follow DoD and all Federal guidelines
Access decisions must be automated & reliable
The facility or system owner is ultimately responsible -- so how do we help?
Improve decisions through interoperable electronic authentication
Make it more secure, smarter & cost efficient per system
Develop applications that work with multiple level credentials
18. Do we re-invent the wheel?
Federated identity assurance policy & standards have been developed
Vetting & security is in place for FiXs, DoD/ECA CAC, & HSPD-12
All are secure identities
All can be used for access decisions
All provide 2-factor authentication
It’s been done and decided; now let’s use it.
19. FiXs & Certified Credentials Value Proposition & ROI
Inter-operable with DoD systems — can be used by other Federal organizations
Under review to be accepted as PIV inter-operable per Federal CIO Council guidance
Achieved enterprise-wide capability & best practices
Provides security & privacy of staff, systems, data & facilities in compliance with latest identity assurance & identity management processes
Comply with FAR contract requirements
Supports HSPD-12 & NIST PIV
Proven uniform approach is possible & realistic across government and industry
20. Contact Information
Dr. Michael Mestrovich, President - FiXs
Michael.Mestrovich@fixs.org
703 928 3157
Robert Martin, Corporate Secretary - FiXs
Bob.Martin@fixs.org
703 321 6951
Dan Turissini, Operations Committee Chair - FiXs
turissd@orc.com
703 401 1706