PM-ISE shepherds secure data sharing tool from validation to expansion

Friday - 11/29/2013, 5:00am EST

Mike Kennedy, executive for assured interoperability, PM-ISE, Part 1

Mike Kennedy, executive for assured interoperability, PM-ISE, Part 2

In a pilot nearly two years in the making, the Justice Department proved that governing the online access of federal, state and local law enforcement officials to specific data is both possible and beneficial.

Through the back-end attribute exchange, agencies can have a standard way for different organizations to safely and securely share data.

And now DoJ's successful demonstration of identity management and access control is creating a thirst among other agencies. Other federal, state and local agencies are eyeing how they could use the concepts behind the back-end attribute exchange (BAE).

"We want to practice responsible information sharing by ensuring the correct attributes and ease of doing it. If it's not easy, it's not useful," said Mike Kennedy, the executive for assured interoperability for the Program Manager of the Information Sharing Environment (PM-ISE), in an exclusive interview with Federal News Radio. "With the ease of this, it makes providing attributes for the officers or for the agents or for the analysts or whomever is using it, it's transparent for them that the attributes are being provided and it's not difficult for them so they are more inclined to use it. Once it's in, then it's automated and required, and it protects your information from being disclosed to people who don't have the attributes that are required in order to get it. So in that case, it's perfect for safeguarding."

The BAE is a standard or specification that provides a way for agencies to share information securely through the use of identity management and access control procedures.

Real-world validation

Under the DoJ pilot, federal law enforcement officials shared data in the gang tattoo database with state and local police officers in Texas through the Regional Information Sharing System (RISSNet) program.

Kennedy said dozens of agencies took part in the pilot that lasted a few days with a goal of validating whether the BAE could work in real-world circumstances.

"It's more of the fact it was a proof of what was being piloted all along was ready to go operational," he said. "We proved BAE is ready to go operational at this point in time. We proved we could retrieve, were able to pass along information and were able to rely on the information they got."

During the pilot, Texas Department of Public Safety users took an online course in order to qualify for the attribute to access the secured data.

"RISSNet hosted the protected information and relied on the attribute that Institute for Intergovernmental Research provisioned to the Texas DPS users in order to allow or deny access to the resource," Kennedy said. "In other words, that attribute would let the folks know automatically whether or not the user who was requesting the information had the privileges and the rights to do it. In addition to protecting and doing responsible information sharing, it has a key for privacy and civil liberties protections because it only provides the information that's required and not a conglomerate of information."

The communication between the officer and RISSNet was automatic and invisible to users. If a police officer stops a suspect who has a tattoo that the officer thinks is gang related, the officer can query RISSNet to see if the suspect is wanted for a crime and, if so, make an arrest on the spot.

Previously, Kennedy said, officers had to push paper, make phone calls and fax requests to get the same data, which was a cumbersome and time-consuming process.

"With the BAE, all attributes don't have to reside on all computers in all networks. The attributes can be maintained by a third party somewhere else," he said. "When the request for information goes in, the owner of the information can send out a query to ask if this person has the required attributes to have access to this information. The query will go out to whomever holds the attribute, then the holder of the attribute will return it to the person who holds the information. At that point, the information is returned or not returned to the requestor."

Kennedy said the other key piece of the BAE is that the information is updated as fast as the agency revises it with the holder of the attributes. So if someone leaves their job, the agency can cancel their access to information immediately instead of depending on a fax or email and hoping the relying parties update their lists in a timely manner.
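
The query flow and immediate revocation described above can be sketched in a few lines. This is an added illustration, not code from the BAE specification or from the DoJ pilot; the class names, the `training-complete` attribute, the user name and the sample record are all assumptions, and the real exchange runs between separate organizations over a network.

```python
from dataclasses import dataclass, field

class AttributeAuthority:
    """Hypothetical third party that holds attributes for users."""
    def __init__(self):
        self._attrs = {}          # user -> set of attribute names
        self.reachable = True     # toggled to simulate an outage

    def provision(self, user, attr):
        self._attrs.setdefault(user, set()).add(attr)

    def revoke(self, user, attr):
        self._attrs.get(user, set()).discard(attr)

    def has_attribute(self, user, attr):
        if not self.reachable:
            raise ConnectionError("attribute authority unreachable")
        # Answers one yes/no question; no other attributes are disclosed.
        return attr in self._attrs.get(user, set())

@dataclass
class RelyingParty:
    """Hypothetical data owner that hosts the protected records."""
    authority: AttributeAuthority
    required_attr: str
    records: dict
    audit: list = field(default_factory=list)

    def request(self, user, key):
        try:
            allowed = self.authority.has_attribute(user, self.required_attr)
        except ConnectionError:
            allowed = False       # fail closed when the holder cannot answer
        self.audit.append((user, key, "ALLOW" if allowed else "DENY"))
        return self.records.get(key) if allowed else None

def run_demo():
    aa = AttributeAuthority()
    rp = RelyingParty(aa, "training-complete", {"rec-1": "constructed sample record"})
    outcomes = [rp.request("officer-a", "rec-1")]      # no attribute yet
    aa.provision("officer-a", "training-complete")
    local_copy = {"officer-a"}                         # list copied to a relying party
    outcomes.append(rp.request("officer-a", "rec-1"))  # attribute present
    aa.revoke("officer-a", "training-complete")        # user leaves the job
    outcomes.append(rp.request("officer-a", "rec-1"))  # denied on the next query
    return outcomes, "officer-a" in local_copy, [d for _, _, d in rp.audit]
```

The second value returned by `run_demo()` shows the contrast the paragraph draws: a locally copied list still contains the departed user, while the per-request query denies access as soon as the attribute holder records the revocation.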

Interest in the tool increasing

Kennedy said the ISE, which acts as a hub to bring interested parties together, is signing up more federal, state and local partners as relying parties, which means they trust each other because each organization promised to abide by the identity management and access control standards.