Agencies finally figuring out how HSPD-12 cards can improve security

Thursday - 10/11/2012, 6:01am EDT

Jason Miller, executive editor, Federal News Radio

Download mp3

It's been more than eight years since the White House issued Homeland Security Presidential Directive-12 requiring the issuance of secure identity cards.

While civilian agencies have been slow to put them into use, new governmentwide initiatives and a few large agencies are providing hope that the secure identity cards finally will be more than "glorified ID cards," as the Government Accountability Office said last year.

The Homeland Security Department and the IRS are among those who are finally are figuring out how to use HSPD-12 to make their agency more secure.

"The biggest practical driver is that we have issued these smart cards and HSPD-12 has been around since 2004, so that's a long time to get to where we need to be," said Tom McCarty, director of DHS' identity credential and access management program office, during a panel discussion Wednesday sponsored by the AFCEA-Bethesda, Md. chapter. "We are like all the other agencies and we have a big curve to climb. We want to be compliant, but also a leader in that. The challenge on the budget side is the time for new money to do these initiatives is either gone or going quickly. The expectation is we need to be more aggressive and innovative in becoming compliant with what we have."

Cloud identity exchange

The National Institute of Standards and Technology, the General Services Administration and the Information Sharing Environment are providing that innovative spark so agencies can use these smart cards more widely.

NIST and GSA are leading an effort to create a process to do identity exchange in the cloud.

Naomi Lefkovitz, a senior privacy policy advisor at NIST, said the goal of the exchange is to get the government to be an earlier adopter of the National Strategy for Trusted Identities in Cyberspace (NSTIC) standards, which call for open and interoperable standards and systems where users can trust each other to complete online transactions. The idea is to get rid of passwords and move to secure online identity exchanges.

"The primary focus is on lowering barriers to agency acceptance of externally issued credentials, and really improving the customer experience for citizens," she said. "They shouldn't have to get, for example, five credentials to interact with five agencies."

The cloud exchange would let agencies plug into a back-end federated service and avoid the need for different credential providers and protocols.

"We are giving very serious attention to privacy issues around this," she said. "We are cautiously optimistic we will break new ground."

Sources say NIST is close to announcing a pilot using this cloud exchange for this fall or winter. Sources say the test could be with a large agency whose main focus is to interact with the public.

NIST is taking a two step approach with NSTIC. Along with the push inside government, it just awarded five pilots a total of $10 million to test out the concepts of NSTIC in the private sector.

Verifying roles and responsibilities

A second governmentwide initiative is the creation of back-end attribute exchange. GSA and ISE are leading this effort and the idea behind it is to show how agencies can attach roles and responsibilities to information to promote more secure sharing.

Kshemendra Paul, the program manager for the ISE, said the goal is for a governmentwide service to be used by everyone from financial managers to acquisition to law enforcement.

Kshemendra Paul, program manager, ISE

"If you want to be able to do responsible information sharing, you have to build a federated trust so you securely exchange attributes about a person, their identity, their privileges that are entitled to them and also the information they are trying to access," he said. "What are those attributes? How do manage them? The back-end attribute exchange is all about who do you share them in a trusted, authoritative way."

Paul said the ISE is working with the law enforcement community to do a use case in sharing criminal intelligence information.

Both the cloud exchange and the back end attribute exchange are related. Lefkovitz said the need to convey those attributes and roles is important piece to making the cloud exchange work well.

While these governmentwide efforts could be viable in the medium or long-term, DHS and IRS are trying to get the cards their employees already possess in use sooner.

McCarty said more than 250,000 DHS employees now have the cards and his office is charged with ensuring employees can use them to get into the building and to log on to the computer network.

Getting control of different efforts

DHS used OMB's PortfolioStat to help understand where the money is going for identity management across the agency.

"What we really need to do is understand what are the requirements we are talking about, where are the investments being made and where does it make sense for some investments, not all, to be lifted up to an enterprise level, and where does it make sense for a lot of this identity management to be managed local?" he said. "I don't think the end result will be consolidation into one thing, but better management of what we have and leveraging from there."

McCarty said the PortfolioStat added to the path they were on, especially around IT governance.

DHS also is testing two other uses of the secure ID cards.

One is to use the concepts of NSTIC to let state and local law enforcement and emergency management officials use the Homeland Security Information Network (HSIN) more easily and to let federal employees use HSPD-12 cards to log into HSIN.

DHS also wants to test the use for a system that requires level-2 assurance credentials, which requires the agency to have good confidence the person who is performing the transaction is who they say they are.

The IRS is a bit ahead of DHS, but still isn't using its secure ID cards widely.

Sharon James, the director of cyber architecture and implementation at the IRS, said the bureau is moving to logical access using the secure ID cards in several hundred applications. The IRS also is using the cards in about 60 percent of their buildings for physical access.

James said the IRS also is looking externally to improve its identity management.

"We've just stood up our first Level-2 authentication service with a pilot application for transcripts where banks are allowed to have customers come in and authenticate and request a transcript," she said. "We've stood that up with Level-2 using our own internal data. Right now, we have a big data source at the IRS for taxpayers and in the coming year we will be looking for Level-3 authentication and going to cloud-based authentication through a service."

James said there still are a lot of policy and union questions that need to be answered for internal and external identity management.

Help needed in buying hardware, software

Many of these efforts rely on industry providing open and interoperable hardware and software. Many agencies have spent the last eight years preparing for HSPD-12, buying or at least looking to buy card readers and middleware to allow for single sign-on or to connect disparate systems.

Now, agencies need to buy the software that is interoperable across the different platforms.

ISE's Paul said that means there's a need for a standards based acquisition approach.

To that end, ACT-IAC, GSA and the ISE are putting out a draft white paper at the end of October detailing how a standards based acquisition approach could work.

Paul said the impact of standards based acquisition is real and offered an example based on the Justice Department's National law enforcement data exchange (NDEX) system.

Paul said the Integrated Justice Information Systems (IJIS) Institute estimated it would cost $250,000 to interconnect police records management systems (RMS) with NDEX.

"Through the standards based approach using National Information Exchange Model, the cost today to interconnect on a modern RMS implementation is less than $10,000," he said. "Why is that? Because of industry adoption of the standards. That's just the up-front cost. Imagine the operations and maintenance costs on that tail going out. It's really a different business model."

The draft white paper will seek recommendations about how contracting officers and vendors are using the current tools and techniques, whether more or different training is needed and a host of other issues around developing a standards based acquisition model.

"We chose to do this work not within the four walls of government but outside with industry because it doesn't work, you can't clap with one hand," Paul said. "We need to be able to do this as a partnership. We are pretty excited."

RELATED STORIES:

Agencies using HSPD-12 as 'glorified ID cards'

White House team tackles identity management in the cloud

GSA office working on data-sharing tool

Agencies getting tools to 'innovate with less'