Justice moves closer to secure sharing

Wednesday - 4/21/2010, 7:14am EDT

WFED's Jason Miller


By Jason Miller
Executive Editor
Federal News Radio

Soon user names and passwords will no longer be necessary for law enforcement officials across the country to access federal information.

The Justice Department is expanding a pilot program nationwide to implement federated identity management capabilities for popular databases such as the Law Enforcement Online (LEO), the Homeland Security Information Network (HSIN) and Regional Information Sharing Systems (RISS).

"Federated identity management is about leveraging identity management work being done by individual organizations so they can be used elsewhere," says Jeremy Warren, Justice's chief technology officer. "If you are a detective and you are trying to access some system at the Immigration and Customs Enforcement or DoJ or the Chicago Police, then those organizations are going to need to look you up, verify your identity and decide if you are trustworthy. They will have to give you a user name and password and it's very wasteful. It takes a lot of time and wastes a lot of money."

Warren, who spoke Tuesday on a panel discussion about information sharing during a breakfast sponsored by the AFCEA chapter in Bethesda, Md., says federated identity management standards and processes can end all that wasted time, effort and money.

The federation, which is similar to the federal public key infrastructure bridge run by the General Services Administration, would let different agencies go to a single portal where they can access law enforcement databases based on their roles and responsibilities.

"It's based on trust and whether or not you trust the other organization to do their work and do it effectively," he says. "There is good basis for it because it's very difficult to do this work from afar. The key part is coming up with standards and policy, [that says] you have to do this or that, if you fire someone, they are out of the system immediately. Once people agree to that, and once there is some scheme to verify that people are following these processes, audits and certification, then there should be solid foundation for trust."

Warren says Justice began working on this federation a few years ago with a pilot program that grew from a few hundred to a few thousand users.

The real-world test let law enforcement officials at all levels of government access specific databases using their agency's credentials.

"We were trying to get actual users solving actual problems and dealing with actual hurdles you may never see in a lab," he says. "It's providing value because we understand the cost and the challenges about doing it on a national scale."

Warren says the pilot was a success and the department's Criminal Justice Information Services (CJIS) is taking the lead to expand it nationwide by the end of this year.

"It will enable any law enforcement organization across the country that meets the policy standards to join up and start participating either by accepting users to come to access their resources or by enabling their users to access other people's resources," Warren says. "In the future, the user can use whatever credentials they have today and go to a broker, and there is a portal on the broker where all of the different systems that are out there are being advertised. If you meet these requirements, you can access this system."

Warren says the benefits of the portal are obvious, including better data access and better cybersecurity because the single sign-on requires at least two-factor authentication. He adds that many agencies are spending a lot of money managing user names and passwords, and the federation will put an end to that effort.

"On the application side, it's not just saving money with password resets, there is much greater security," he says. "When you talk about a CJIS system like LEO providing access to a user with the Los Angeles police department, LEO has no way of knowing on a timely basis when a user is no longer at LAPD or no longer should have access. Also they have to manage another password for them, and they have no way of knowing how secure someone's being with that password, and it's way too expensive for CJIS to be giving out multi-factor credentials to everyone."

For federal, state or local agencies to join the federation, they will have to sign a memorandum of understanding saying they will abide by the standards and policies, and must certify or have their compliance audited.
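The model Warren describes (each agency vouches for its own users, a broker portal advertises resources and enforces their policies, membership gated by an MOU and audit, and a user leaving an agency losing access everywhere at once) can be sketched in a few dozen lines. The following is an added illustration written for this page, not Justice Department or CJIS code; the agency names, user ids, roles and the "LEO"/"RISS" policies are constructed for the example, and the assertion format is a plain dictionary standing in for whatever standard the federation actually uses.

```python
"""Toy federation broker (constructed example, not DOJ/CJIS code).

Member identity providers (agencies) vouch for their own users; the broker
checks each identity assertion against the policy of the requested resource.
The broker never stores a password for any user."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class IdentityProvider:
    """A member agency that manages and vouches for its own users."""
    name: str
    mou_signed: bool      # signed the federation memorandum of understanding
    audit_passed: bool    # compliance certified or audited
    users: Dict[str, dict] = field(default_factory=dict)

    def enroll(self, user_id: str, role: str) -> None:
        self.users[user_id] = {"role": role, "active": True}

    def deprovision(self, user_id: str) -> None:
        # The home agency disables the account; no relying system is notified.
        self.users[user_id]["active"] = False

    def assert_identity(self, user_id: str, mfa_used: bool) -> Optional[dict]:
        """Issue an assertion for an active user, or None if unknown/disabled."""
        user = self.users.get(user_id)
        if user is None or not user["active"]:
            return None
        return {"issuer": self.name, "subject": user_id,
                "role": user["role"], "mfa": mfa_used}


@dataclass
class Resource:
    """A shared system advertised through the broker, with its access policy."""
    name: str
    allowed_roles: Set[str]
    require_mfa: bool = True


class Broker:
    """Single portal: admits member agencies, authorizes assertions per resource."""

    def __init__(self) -> None:
        self.members: Dict[str, IdentityProvider] = {}
        self.resources: Dict[str, Resource] = {}
        self.audit_log: List[str] = []

    def admit(self, idp: IdentityProvider) -> bool:
        # Membership requires the signed MOU and a passed audit.
        if not (idp.mou_signed and idp.audit_passed):
            self.audit_log.append(f"REJECT member {idp.name}: MOU/audit missing")
            return False
        self.members[idp.name] = idp
        return True

    def advertise(self, resource: Resource) -> None:
        self.resources[resource.name] = resource

    def _evaluate(self, assertion: Optional[dict], resource_name: str) -> Tuple[bool, str]:
        resource = self.resources.get(resource_name)
        if assertion is None:
            return False, "no valid assertion (user unknown or deprovisioned at home agency)"
        if resource is None:
            return False, f"unknown resource {resource_name}"
        if assertion["issuer"] not in self.members:
            return False, f"issuer {assertion['issuer']} is not a federation member"
        if resource.require_mfa and not assertion["mfa"]:
            return False, f"{resource_name} requires multi-factor authentication"
        if assertion["role"] not in resource.allowed_roles:
            return False, f"role {assertion['role']} not permitted on {resource_name}"
        return True, "ok"

    def authorize(self, assertion: Optional[dict], resource_name: str) -> Tuple[bool, str]:
        """Decide access from the assertion alone and record the decision."""
        ok, reason = self._evaluate(assertion, resource_name)
        who = f"{assertion['issuer']}/{assertion['subject']}" if assertion else "<none>"
        self.audit_log.append(f"{'ALLOW' if ok else 'DENY'} {who} -> {resource_name}: {reason}")
        return ok, reason

    def catalog(self, assertion: Optional[dict]) -> List[str]:
        """Resources the portal would advertise to this user (no log entries)."""
        return [n for n in self.resources if self._evaluate(assertion, n)[0]]


def run_demo() -> Dict[str, object]:
    """Walk through the scenarios the article describes; returns the outcomes."""
    broker = Broker()
    broker.advertise(Resource("LEO", allowed_roles={"detective", "analyst"}))
    broker.advertise(Resource("RISS", allowed_roles={"detective"}))
    lapd = IdentityProvider("LAPD", mou_signed=True, audit_passed=True)
    lapd.enroll("det.smith", "detective")
    outsider = IdentityProvider("NoMOU-Agency", mou_signed=False, audit_passed=False)
    outsider.enroll("someone", "detective")

    r: Dict[str, object] = {}
    r["lapd_admitted"] = broker.admit(lapd)
    r["outsider_admitted"] = broker.admit(outsider)
    # 1. Detective with the home agency's multi-factor credential reaches LEO.
    a = lapd.assert_identity("det.smith", mfa_used=True)
    r["detective_leo"] = broker.authorize(a, "LEO")[0]
    r["detective_catalog"] = broker.catalog(a)
    # 2. Same user with a password-only login is refused by LEO's policy.
    r["password_only"] = broker.authorize(lapd.assert_identity("det.smith", False), "LEO")[0]
    # 3. An agency that never signed the MOU cannot vouch for anyone.
    r["outsider_leo"] = broker.authorize(outsider.assert_identity("someone", True), "LEO")[0]
    # 4. LAPD deprovisions the detective; LEO is never told, yet access stops at once.
    lapd.deprovision("det.smith")
    r["after_deprovision"] = broker.authorize(lapd.assert_identity("det.smith", True), "LEO")[0]
    r["log_entries"] = len(broker.audit_log)
    return r


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point worth noticing is in scenario 4: the only state that changed was at LAPD, and the broker and LEO learned of it the moment the next assertion was refused, which is exactly the timeliness problem Warren says a separately managed LEO password cannot solve. The audit log is the hook for the "scheme to verify that people are following these processes" he mentions: every admission decision and access decision is recorded with its reason.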