Interagency Advisory Board (IAB) Meeting
August 09, 2005
Source: femto-second.com/Documents/IAB/IABmeetingAugust2005.pdf

Agenda
• National Institute of Standards and Technology (NIST) Discussion on Reference Implementation and Conformance Testing
• IAB Working Group Updates
• Training Partnership Discussion
• Common Handheld Requirements Status
• National Aeronautics and Space Administration (NASA) Status Update
• How to Check Authenticity of Personal Identity Verification (PIV)
• Other IAB Initiatives
• Credential Card Migration Strategy

NIST Discussion on Reference Implementation and Conformance Testing

SP800-73 Reference Implementation
Jim Dray, IAB Meeting, August 2005

Components
• SP800-73/Part 3 PIV card simulator
  o Written in C++ for Wintel platforms
  o Runs TLP224 protocol on a local port
  o Native code simulation of a PIV card
  o Can load JavaCard(tm) applets via Sun’s kit
• PIV middleware
  o Implements the Part 3 client API

Purpose
• Provides a worked example for developers
• NOT a deployable commercial product
• No code that can be loaded onto a real card
  o JavaCard loader would allow this but NIST is not providing reference JavaCard applets
  o PIV functionality expressed in C++/Windows
• Supports conformance test development

Conformance

• It is not possible to ‘conform’ to the reference implementation

• The reference implementation provides an example that conforms to the PIV specs

• Conformance testing proves that an implementation conforms to specifications

• Reference implementations are developed for clarity, not performance

Availability
• Publicly available at http://csrc.nist.gov/piv-project
• Will be updated on an as-needed basis
  o New versions will be posted along with change notices
  o Old versions will be archived, available on request
• Basis for a possible PIV software toolkit

PIV Middleware and PIV Card Application Conformance Testing Toolkit
Ramaswamy Chandramouli (Mouli), IAB Meeting, August 2005

[Diagram: PIV middleware architecture, shown for Agency A, B and C applications. On the host PC, each agency application (with CSP/Bio API, etc.) calls the PIV Client Application Programming Interface of the PIV middleware; the middleware uses the PIV Card Command Interface through the card reader driver and the smart card reader to reach the PIV card application and PIV data model on the PIV card.]

Scope – Tests & Specs
• Test suite has two broad categories of tests
  o PIV Middleware (End-Point) Tests
  o PIV Card Application (End-Point) Tests
• SP 800-73 specifications covered
  o End-Point Client API – Chapter 6 of SP 800-73
  o End-Point PIV Card Application Card Command Interface – Chapter 7 of SP 800-73
  o PIV Data Objects & Representations (Chapters 4 & 5 of SP 800-73)
  o PIV Authentication Use Cases (C.1.2 and C.1.4 of Appendix C of SP 800-73)

PIV Middleware Tests Configuration
• The Test Toolkit
• The vendor-provided PIV middleware which is the subject of this test
• The contact and contactless smart card readers or a dual interface reader
• A dual interface FIPS 201-compliant test PIV card or a PIV card emulator

PIV Middleware Tests Summary
• Tests all the 9 functions in the PIV Client API (Chapter 6 of SP 800-73)
• Tested for response to all valid and error return codes

PIV Card Application Tests Configuration
• The test toolkit
• Contact and contactless smart card readers or a dual interface reader
• A PIN input device
• A biometric fingerprint reader
• A PIV card that supports contact and contactless interfaces, which is the subject of this test

PIV Card Application Tests – Card Command Interface Tests
• Tests all 8 commands in the card command interface (Chapter 7 of SP 800-73)
• Card interface type (contact vs. contactless)
• Precondition for use (PIN verified, Currently Selected Application value)
• Expected response status codes
• Right content and encoding for returned data
• Appropriate state variables set in the card
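The checks listed on this slide (interface type, preconditions, expected status words, encoding of the returned data, state variables left in the card) map naturally onto a table-driven harness. The following is an added example, not code from the NIST toolkit: a constructed Python card simulator with a few simplified access rules, and a test table that sets up each precondition, issues one command, and compares the status word, the encoding of the returned data and the card's state variables against expectations. The AID, object tags, PIN, access rules and status-word choices are assumptions made for this example, not values taken from SP 800-73.

```python
"""Table-driven conformance checks for a card command interface (added example).
SimCard is a constructed, deliberately small stand-in for a PIV card application;
its access rules, object tags, AID, PIN and status words are simplified
assumptions for the harness, not a transcription of SP 800-73 Chapter 7."""
from collections import namedtuple

SW_OK = 0x9000                             # ISO 7816-4 style status words
SW_SECURITY_STATUS_NOT_SATISFIED = 0x6982  # PIN not verified / wrong interface
SW_CONDITIONS_NOT_SATISFIED = 0x6985       # no application selected
SW_DATA_NOT_FOUND = 0x6A82
SW_WRONG_PIN_BASE = 0x63C0                 # low nibble carries remaining tries
PIV_AID = bytes.fromhex("A000000308")      # assumed (truncated) AID for the demo
TAG_CHUID, TAG_FINGERPRINTS = 0x5FC102, 0x5FC103   # assumed object tags for the demo


class SimCard:
    """Constructed card: holds the state variables a conformance test inspects."""

    def __init__(self, interface="contact"):
        self.interface = interface        # "contact" or "contactless"
        self.selected_aid = None          # Currently Selected Application
        self.pin_verified = False
        self.pin_tries = 3
        self._pin = b"123456"             # constructed test PIN
        # tag -> (requires PIN, readable over contactless, TLV-encoded value)
        self._objects = {TAG_CHUID: (False, True, b"\x30\x05CHUID"),
                         TAG_FINGERPRINTS: (True, False, b"\xBC\x04FP01")}

    def select(self, aid):
        if aid != PIV_AID:
            return SW_DATA_NOT_FOUND, b""
        self.selected_aid, self.pin_verified = aid, False   # re-select clears security status
        return SW_OK, aid

    def verify(self, pin):
        if self.selected_aid != PIV_AID:
            return SW_CONDITIONS_NOT_SATISFIED, b""
        if pin != self._pin:
            self.pin_tries -= 1
            return SW_WRONG_PIN_BASE | self.pin_tries, b""
        self.pin_tries, self.pin_verified = 3, True
        return SW_OK, b""

    def get_data(self, tag):
        if self.selected_aid != PIV_AID:
            return SW_CONDITIONS_NOT_SATISFIED, b""
        if tag not in self._objects:
            return SW_DATA_NOT_FOUND, b""
        needs_pin, contactless_ok, value = self._objects[tag]
        if (self.interface == "contactless" and not contactless_ok) or (needs_pin and not self.pin_verified):
            return SW_SECURITY_STATUS_NOT_SATISFIED, b""
        return SW_OK, value


def well_formed_tlv(data):
    """Encoding check on returned data: one-byte tag, one-byte length matching the value size."""
    return len(data) >= 2 and data[1] == len(data) - 2


# name, interface under test, precondition: app selected, precondition: PIN presented,
# the command to run, expected status word, data check, expected card state afterwards
CommandTest = namedtuple("CommandTest", "name interface select_first verify_pin command "
                         "expected_sw check_data expected_state", defaults=(lambda d: True, {}))


def run_test(tc):
    """Set up the preconditions, run one command, compare status, data and card state."""
    card = SimCard(tc.interface)
    if tc.select_first:
        card.select(PIV_AID)
    if tc.verify_pin is not None:
        card.verify(tc.verify_pin)
    sw, data = tc.command(card)
    problems = []
    if sw != tc.expected_sw:
        problems.append(f"status {sw:04X}, expected {tc.expected_sw:04X}")
    if sw == SW_OK and not tc.check_data(data):
        problems.append("returned data has wrong content or encoding")
    for attr, want in tc.expected_state.items():
        if getattr(card, attr) != want:
            problems.append(f"state {attr}={getattr(card, attr)!r}, expected {want!r}")
    return not problems, f"{tc.name}: " + ("PASS" if not problems else "FAIL (" + "; ".join(problems) + ")")


SUITE = [
    CommandTest("GET DATA before SELECT", "contact", False, None,
                lambda c: c.get_data(TAG_CHUID), SW_CONDITIONS_NOT_SATISFIED),
    CommandTest("CHUID readable over contactless without PIN", "contactless", True, None,
                lambda c: c.get_data(TAG_CHUID), SW_OK, well_formed_tlv),
    CommandTest("fingerprints refused over contactless", "contactless", True, None,
                lambda c: c.get_data(TAG_FINGERPRINTS), SW_SECURITY_STATUS_NOT_SATISFIED),
    CommandTest("fingerprints refused without PIN", "contact", True, None,
                lambda c: c.get_data(TAG_FINGERPRINTS), SW_SECURITY_STATUS_NOT_SATISFIED),
    CommandTest("fingerprints returned after PIN", "contact", True, b"123456",
                lambda c: c.get_data(TAG_FINGERPRINTS), SW_OK, well_formed_tlv, {"pin_verified": True}),
    CommandTest("wrong PIN decrements retry counter", "contact", True, None,
                lambda c: c.verify(b"000000"), 0x63C2, expected_state={"pin_tries": 2, "pin_verified": False}),
    CommandTest("re-SELECT clears PIN status", "contact", True, b"123456",
                lambda c: c.select(PIV_AID), SW_OK, expected_state={"pin_verified": False}),
]


def run_suite():
    return [run_test(tc) for tc in SUITE]   # (passed, report line) per case


def suite_passed():
    return all(ok for ok, _ in run_suite())
```

Each entry in SUITE is one row of the test table; run_suite() returns a PASS/FAIL line per row. A real toolkit would send APDUs through the reader driver rather than calling Python methods, but the comparison logic (status word, data encoding, post-command state) is the part the slide describes.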

PIV Card Application Tests – Data Objects Representation & Authentication Use Cases Tests
• Tests all 6 mandatory data objects and any published of the 5 optional data objects for
  - Correct tag codes & lengths
  - Overall size limits for the buffer
• Authentication use case tests consist of
  - Parsing data and checking for values of key fields such as Expiration Date in CHUID, FASC-N, etc.
  - Verifying signatures are valid
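As an added example of the data object and authentication use case checks described above (tag codes and lengths, buffer size limit, key field values such as the CHUID expiration date), and not the toolkit's own code: a Python BER-TLV parser and a CHUID checker that returns a list of findings. The CHUID tag numbers are taken from the CHUID layout in SP 800-73 rather than from this page, the size limit and the sample CHUID bytes are constructed for the example, and the signature element is only checked for presence; verifying the issuer's CMS signature against the issuer certificate is out of scope here.

```python
"""Structural and value checks on a CHUID data object (added example, not the
NIST toolkit's code). Tag numbers follow the CHUID layout in SP 800-73; the
buffer limit and the sample CHUID are constructed for this example. Signature
validation (a CMS SignedData over the other fields) is not implemented: only the
presence of a non-empty signature element is checked."""
from datetime import date, datetime

TAG_FASC_N, TAG_GUID, TAG_EXPIRATION = 0x30, 0x34, 0x35
TAG_SIGNATURE, TAG_EDC = 0x3E, 0xFE
MANDATORY_TAGS = (TAG_FASC_N, TAG_GUID, TAG_EXPIRATION, TAG_SIGNATURE, TAG_EDC)
EXPECTED_LENGTHS = {TAG_FASC_N: 25, TAG_GUID: 16, TAG_EXPIRATION: 8, TAG_EDC: 0}
MAX_CHUID_LEN = 3395                  # assumed overall buffer limit for this example
REFERENCE_DATE = date(2005, 8, 9)     # constructed "today" for the checks (the meeting date)


def tlv(tag, value):
    """Encode one element with a single-byte tag and a BER length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + value


def parse_tlv(buf):
    """Decode a flat sequence of single-byte-tag BER-TLV elements; raise on truncation."""
    items, i = [], 0
    while i < len(buf):
        tag, i = buf[i], i + 1
        if i >= len(buf):
            raise ValueError(f"tag {tag:02X} has no length byte")
        length, i = buf[i], i + 1
        if length & 0x80:                 # long form: next (length & 0x7F) bytes hold the size
            n = length & 0x7F
            if n == 0 or n > 2 or i + n > len(buf):
                raise ValueError(f"tag {tag:02X} has a bad length encoding")
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        if i + length > len(buf):
            raise ValueError(f"tag {tag:02X} value truncated")
        items.append((tag, buf[i:i + length]))
        i += length
    return items


def check_chuid(blob, today=REFERENCE_DATE):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if len(blob) > MAX_CHUID_LEN:
        findings.append(f"CHUID is {len(blob)} bytes, over the {MAX_CHUID_LEN} byte limit")
    try:
        items = parse_tlv(blob)
    except ValueError as err:
        return findings + [f"malformed TLV: {err}"]
    seen = {}
    for tag, value in items:
        if tag in seen:
            findings.append(f"tag {tag:02X} repeated")
        seen[tag] = value
    for tag in MANDATORY_TAGS:
        if tag not in seen:
            findings.append(f"mandatory tag {tag:02X} missing")
    for tag, want in EXPECTED_LENGTHS.items():
        if tag in seen and len(seen[tag]) != want:
            findings.append(f"tag {tag:02X} has length {len(seen[tag])}, expected {want}")
    exp_raw = seen.get(TAG_EXPIRATION, b"")
    if len(exp_raw) == 8:                 # expiration date is YYYYMMDD in ASCII
        try:
            expires = datetime.strptime(exp_raw.decode("ascii"), "%Y%m%d").date()
            if expires < today:
                findings.append(f"CHUID expired on {expires.isoformat()}")
        except (UnicodeDecodeError, ValueError):
            findings.append("expiration date is not YYYYMMDD ASCII")
    if TAG_SIGNATURE in seen and not seen[TAG_SIGNATURE]:
        findings.append("issuer asymmetric signature is empty")
    if items and items[-1][0] != TAG_EDC:
        findings.append("error detection code is not the final element")
    return findings


def build_sample_chuid(expiration=b"20081231"):
    """Constructed CHUID: placeholder FASC-N, all-zero GUID, placeholder signature bytes."""
    return (tlv(TAG_FASC_N, b"\x11" * 25) + tlv(TAG_GUID, bytes(16))
            + tlv(TAG_EXPIRATION, expiration)
            + tlv(TAG_SIGNATURE, b"\x30\x82\x00\x00")   # stands in for a CMS SignedData blob
            + tlv(TAG_EDC, b""))


if __name__ == "__main__":
    for label, blob in [("valid", build_sample_chuid()), ("expired", build_sample_chuid(b"20040101"))]:
        print(label, check_chuid(blob) or "OK")
```

check_chuid() keeps collecting findings rather than stopping at the first one, which is what a conformance report needs; a truncated or badly encoded buffer is the one case where it returns early, since the element list cannot be trusted after a parse failure.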

Toolkit Features Summary
• The toolkit has a Graphical User Interface
• Provides a configuration file to enter valid parameter values for validation of data returned in responses to function calls
• Each of the two broad categories of tests (PIV Middleware Tests & PIV Card Application Tests) can be loaded separately

IAB Working Group Updates

Foreign National Working Group
Initial meeting held on Thursday, July 14th
Included representatives from:
− Department of State
− Department of Energy
− Department of Commerce
− Department of Interior
− Department of Defense
Shared information on current processes for vetting foreign nationals within respective organizations
Discussed potential challenges accommodating Personal Identity Verification (PIV)
Shared compiled list of challenges with Office of Management and Budget (OMB) policy working group

Aggregate Buy Working Group
Initial meeting held on Monday, July 25th
Outlined lessons learned from the DoD to help other agencies avoid known pitfalls within the issuance process
Reviewed initial draft specifications for contact and contactless technologies as they pertained to mandatory and optional contract line item numbers (CLIN)
Aggregate buy will provide for:
− Cards
− Printers
− Printing consumables
− Smart card middleware
− Contact and contact-less readers

Physical Access and Integration Working Group
The PAIWG is updating the Physical Access Control System (PACS) 2.2 guidance to conform with FIPS 201 and SP 800-73
Tiger Team created a gap analysis that outlines the discrepancies between the documents

Training Partnership Discussion

HSPD-12 Training Modules Update

Introduction
► Developing a series of web-based training modules and assessment tools to assist management, administrators and users in complying with FIPS 201
► The series will assist in the consistent implementation of FIPS 201 across the Federal Government

Background
► Training will be focused on: increasing awareness, ensuring compliance, promoting the utility and benefits, and clarifying misunderstandings relating to HSPD-12 implementation.
► The depth of the training content will vary from high-level overviews to details concerning roles and responsibilities; including certifications, where necessary.

Timelines and Modules
► Delivery on 10/03/2005 includes:
  Module 1: PIV Roles and Responsibilities
► Delivery on 12/31/2005 includes:
  Module 2: PIV Overview
  Module 3: Privacy Awareness
  Module 4: Administrator
  Module 5: Appropriate Uses

Module 1 – 10/3/2005
► Module 1 includes:
  An overview of the issuance process
  The specific roles and responsibilities associated with PIV-1 compliance
  Certification of employees in the specified roles at the conclusion of the training

Modules 2-5 – 12/31/2005
► Module 2: PIV Overview - overview of HSPD-12 for all government employees, the impact on agencies, and card issuance
► Module 3: Privacy Awareness – explains the uses of personal identity information collected and will dispel concerns about misuse of personal data within the system

Modules 2-5, cont.
► Module 4: Administrator – provides a basic overview of the technologies and approaches (i.e. Smartcards, Biometrics, Card Management)
► Module 5: Appropriate Uses – discusses how the PIV card can be used for building access (physical) and logical access (i.e. to Federally controlled information systems)

Common Handheld Requirements Status

Information and Technology for Better Decision Making
Interagency Advisory Board
Joint Program Handheld/Mobile Device Status for Government Smart Card
Presented by Mike Butler, Director, Smart Card Programs and Operations, Defense Manpower Data Center
August 2005

Plan of Action
Gather Requirements from User Community
Consider DBIDS Lessons Learned
Contract for Handheld Expertise Support
Finalize Consolidated Requirements
Market Survey of Products Capable of Customization and Modularity
* Industry Capabilities Briefings
* Statement of Work (SOW) for Development
* Request for Proposal (RFP) for Development of Custom and Modular Handheld/Mobile Device(s)
* Only if COTS does not exist to meet our needs.

Handheld/Mobile Device Market Place

Questions?
Mike Butler, (703) 696-7396, [email protected]

National Aeronautics and Space Administration (NASA) Status Update

GSC-IAB 8/10/2005, IS05: Tim Baldridge
Explore. Discover. Understand. People, Technology, & Information Working Together For NASA
Common Badging and Access Control System (CBACS)
Marshall Space Flight Center
August 9, 2005, Government Smart Card Inter-Agency Advisory Board

CBACS – Initial Scope – Smart Cards
MISSION (2002/2003): The implementation of a multi-application, multi-technology smart card program with an Agencywide user base
VISION: To issue a common credential token (physical and logical identifier) that is used by NASA employees, contractors, and other people approved by NASA who require routine access to NASA physical and information resources; an inter-agency Federal Identity Credential conforming with emerging federal policy and technical interoperability
During site surveys, issues were determined on several fronts: diversity of existing PACS, need for common processes, difficulties in logical roll-out, and flexibility/ease of use of system

CBACS – Project Re-Direction
Goals (2004):
• Achieve High Business Value Through a Common Badging and Access Control System That Integrates with Smart Cards
• Provide Physical (versus Logical) Deployment of Smart Cards Initially
  – Provides a Common, Consistent and Reliable Environment Into Which to Release the Smart Card
  – Gives Opportunity to Develop Agencywide Consistent Processes, Practices and Policies
  – Enables Enterprise Data Capture and Management
  – Promotes Data Validation Prior to SC Issuance
  – Avoids Further Investment in Current PACS Systems

CBACS - Description
An Integrated Services and IT Security Environment That Fulfills NASA and Homeland Security Presidential Directive (HSPD-12) Requirements for:
NASA Identity Management System – IDMS
• Central Authoritative Source for Personnel Identification
• Warehouse for Personnel Security Investigation Determinations
• Warehouse for Clearance Issuance & Uniform Universal Person Identification Code (UUPIC)
Enterprise Physical Access Control System – E-PACS
• Software for Common Badging Application
• Area Access Management
• Visitor Management System (Optional)
• Alarm Monitoring Application
• Integrated Digital Video Recording and Archiving System
Smart Card Physical Access – SC
• Hybrid Smart Card
• Utilized with E-PACS for Physical Access
• Provide Logical Access to NASA Computerized Systems During Final Phase of Implementation
Central Card Management System – CCMS
• Contact and Contact-less Smart Card Encoding
• Provides Logical Certificates to the Smart Card from the NASA CA
• Smart Card Life Cycle Management

CBACS - Conceptual Drawing

CBACS - System Life Cycle (NIST 800-18 Phasing Model View)
[Table: rows Initiation, Development and Acquisition, Implementation, Operations and Maintenance, Disposal; columns IDMS, E-PACS, Smart Card, CCMS. The extraction gives the Operations and Maintenance row as None, None, None, None; the remaining cells appear, in extraction order, as Complete, Complete, Ongoing, Complete, Ongoing, Ongoing, Complete, Ongoing, Complete, Ongoing, None, None, Lab, None, Lab, None, and cannot be reliably assigned to rows.]

CBACS - Planning Approach
New Work Planning Documents / Compliance / Reason for not complying or N/A
• OMB Circular A-11 – Business Plan: Complies
• NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems: Complies
• NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems: Complies
• NPR 7120.5C, Sections 3.2, 3.4, 3.5.2, and 3.5.3: Will Comply (Evaluation underway to ensure compliance)
• NPD 8710.1, Emergency Preparedness Programs: Complies
• NPR 1620.1, Security Procedures and Guidelines: Complies
• NPR 2810.1, Security of Information Technologies: Complies
• NPR 7150.2, NASA Software Engineering Requirements, and NASA Standard 8739.8, Software Assurance Standard: Will Comply (Evaluation underway to ensure compliance)

How to Check Authenticity of PIV

Other Federal Agency Visitors: Checking the Authenticity of PIV
Challenge: An individual from Housing and Urban Development (HUD) visits a Department of Homeland Security (DHS) facility and presents a HUD PIV. How will the DHS facility know that this PIV is authentic, held by the right person, and still valid?
Requirement: FIPS 201 (section 6.2) requires card issuers to provide the capability for credentials to be authenticated by other Federal Agencies

What Is Currently Done Within DoD?
DoD components utilize the Defense National Visitors System (DNVS)
− XML
− Simple Object Access Protocol (SOAP)
− Java

Proposal
Propose establishing a focus group to:
− Scope out the different ways in which credential cross recognition could be accomplished
− Examine and recommend a common approach and process for all Federal Agencies
− Examine and recommend ways to maximize/leverage current investments

Current Environment
• Issuing smart cards for over 5 years
• Issued over 8.5 million cards to DOD personnel/contractors (3.2 mil. are active)
• Submitted on June 27, 2005, OMB-mandated plan to become PIV compliant (plan approved)
  − Deploying a dual-interface card utilizing V2 applets and new PIV applet at issuance or post issuance
  − Any new cards introduced must be backward compatible with cards previously fielded

Architecture
[Diagram: card architecture. A JavaCard Runtime hosting the GC Applet, Other Applets, PKI Applet, CCC, BioAction Applet and PIV Applet, each behind an Access Control / Access Controller Applet with a MOC Lib Access API; a Security Domain / OP Domain providing PIN, Secure Channel and External Authority; Secure Transport. Callouts: "Controls which applets are placed on card" and "Controls who is granted access to the applets".]

Other IAB Initiatives

DoD Key Ceremony and System Tour
Who: Government and Primary Contractor Support Personnel ONLY
What: DoD Key Management 101 and System Tour
When: Session 1: Thu, Aug 11th (1-4pm); Session 2: TBD
Where: EDS DMDC Account office (1600 N Beauregard Street, Suite 100, Alexandria, VA 22311)
Why: To assist government personnel in determining individual key management policies and procedures
Please send your RSVP to Winn Whaley at [email protected] by Tuesday, August 9th

Located 5 min off of I-395, the DMDCB/EDS office is south of the Pentagon and north of the Springfield “Mixing Bowl”.
Location is NOT metro accessible (15 min+ taxi from Eisenhower stop).
Electronic Data Systems, 1600 North Beauregard Street, Alexandria, VA 22311. Front Desk: 703-820-0200
From DC:
1. Take I-395 S to Exit 4 - Seminary Road West (veers to the right). Once on Seminary Road, immediately begin moving towards the left-hand lane.
2. At 2nd light turn left onto N Beauregard Street.
3. At 2nd light turn right (Clyde's entrance). Sign will read 1600 EDS.
4. Continue straight and at 2nd left, turn left until you see Bldg 1600.
5. Please do not park in the spaces marked "Clyde's" or you may be towed.

HSPD-12 Reminders
Implementation plans were due to OMB on June 27, 2005
Other dates:
− August 19, 2005: Public comment on Special Publication (SP) 800-85
− August 27, 2005: Additional programs identified to OMB that must be Personal Identity Verification (PIV) compliant
− October 27, 2005: PIV I Notional
− October 27, 2006: PIV II Notional
SP 800-79 - Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations
− Published in July 2005
− Establishes the attributes required of organizations in order to reliably perform appropriate identity “proofing” and issuing of cards
− Describes methods for determining if a PIV issuer exhibits the required attributes
− Provides guidance to Federal agencies in establishing or obtaining the services of an issuer whose reliability is accredited

IAB Status Report
IAB status report and dashboard
Provides a monthly update of IAB:
− Working group activities
− Educational opportunities
− Announcements
− Upcoming meetings

IAB Website
www.smart.gov/iab
Initial presence
Next iteration scheduled for September

Credential Card Migration Strategy
IAB, 9 August 2005

Card Migration Strategy
Migration to attain PIV II compliance by 10/06 but start now

Card purchases starting now (64K chip, existing GSC-IS applets):
• Dual-Interface (DI) 64k Java Card 2.2
• Current GSC applets
• Printed in accordance with FIPS-201 guidelines

Movement to 10/06 (64K chip, existing GSC-IS applets plus new PIV II applet; PIV-II compliant):
• DI 64k Java Card 2.2
• Current GSC applets
• Printed in accordance with FIPS-201 guidelines
• PIV-II End State Applet: available and FIPS certified

Card Migration Strategy
Migration to attain PIV II compliance by 10/06 but start now

DI cards issued pre 10/06 (64K chip, existing GSC-IS applets, new PIV II applet): PIV-II compliant
Issued DI cards will be post-managed through a post management portal
DI cards come back to the portal, which loads the PIV II cert onto the PIV II applet (contains CHUID, bio container, cert and security object)
Post-Issuance Update: all pre-2/06 DI cards (64K chip, existing GSC-IS applets, new PIV II applet)
Previously Issued Dual Interface Cards: PIV-II compliant, October 2006

Technical Notes
• PIV-II applet will be loaded alongside the existing GSC applet set
  – The PIV-II certificate, CHUID, biometric containers, and security object will be loaded into the new PIV II applet (Note: bio container only populated when SP 800-76 issued)
• Middleware will be upgraded to support the additional PIV-II applet and data
• Physical Access (PA) systems will be upgraded to support use cases for PA authentication over the contactless interface
• All other data and credentials not mandatory in FIPS-201 and SP800-73 will remain in the GSC applet set

Conclusions
• This approach allows agencies to start issuing the currently available dual interface smart card platform now
• Enables agencies to upgrade once PIV-II certified products are available
• Disagreement with this approach technically?
Recommended