Tuesday, May 13, Track A
Identification Applications & Policy
Session: Federal Government ID Use Cases
Time: 3:30 PM – 5:00 PM
Room: W202 B&C
Moderator: John Bys, VP Global Alliances, CoreStreet
Speakers:
Reynold Schweickhardt, CTO, Government Printing Office
Paul Hunter, Customs and Border Protection, Office of Information Technology, WHTI Project, Passenger Systems Program Office, Department of Homeland Security
Carter Morris, Sr. VP, American Association of Airport Executives
John Schwartz, Asst Director TWIC, Transportation Security Administration
David Temoshok, Director, Identity Policy & Management, GSA Office of Governmentwide Policy
CTST 2008
Passcard and Enhanced Driver’s License
Panel Discussion
Track A14 Federal Government ID Use Cases
Paul Hunter
May 13, 2008
CTST May 13, 2008
Topics
Why do we need the Western Hemisphere Travel Initiative (WHTI)?
What are the current vulnerabilities?
What are the challenges at land borders?
Why vicinity and not proximity?
What is an Enhanced Driver’s License?
What will the US Passport Card look like?
What information does a WHTI tag contain?
What about privacy?
How will RFID work at the border?
Panel discussion
Why Do We Need the Western Hemisphere Travel Initiative (WHTI)?
Implements Section 7209 of the Intelligence Reform and Terrorism Prevention Act of 2004.
Identifies the security vulnerability posed by document exemption and the myriad of travel documents presented at U.S. ports of entry.
The 9/11 Commission Report states: “Americans should not be exempt from carrying biometric passports or otherwise enabling their identities to be securely verified when they enter the United States; nor should Canadians or Mexicans.”
What are the Current Vulnerabilities?
WHTI addresses the vulnerabilities of multiple documents, which result in the challenge of verifying identity and citizenship. Standardization will address that vulnerability and improve efficiencies.
What are the Challenges at Land Borders?
On a typical day CBP processes 900K people*
Over 308K privately owned vehicles a day*
Extreme weather; northern and southern borders
Security versus facilitation – U.S. citizens deserve both
Border wait times are a significant and sensitive issue for border communities
* Land border FY07 data
Approximately 7.1 million U.S. citizens on the southern border and 4.6 million U.S. citizens on the northern border lack WHTI-acceptable travel documents.
Why Vicinity and Not Proximity?
Vicinity RFID requires little or no action from the traveling public
Simply make the document available (on seat, dashboard, etc.)
Enables CBP Officers to view pre-queued information on individuals seeking to enter the US and to automate primary processing queries before the vehicle pulls up to the primary inspection booth
Vicinity RFID offers the opportunity to eliminate ‘physical steps’ of the inspection process:
Document collection and review
Scan and/or manual input of data
Return of documents to the vehicle driver
Why Vicinity and Not Proximity?
[Chart: vehicle queue (0 to 250 cars) and vehicle wait time (0 to 60 minutes) by hour of day at one congested port, comparing 41.0 seconds and 39.9 seconds of processing time per vehicle: a 250-car peak with a 60+ minute peak wait versus a 170-car peak with a 45 minute peak wait.]
Small decreases in processing time can lead to large traffic benefits.
Impact from a 1 second decrease in processing time at one congested port.
Why Vicinity and Not Proximity?
Vicinity RFID time savings can cut wait times significantly
An average of 6-8 seconds per inspection is eliminated, up to 14 seconds per vehicle in time saved
At peak traffic there would be a 40% reduction in wait time, with a cumulative effect of eliminating wait times during the day
DHS plans to upgrade the port of entry (POE) infrastructure with RFID technology at 39 land border POEs (62 crossings) in 2008, starting with Blaine (WA) and Nogales (AZ)
39 POEs represent 95% of all land border crossings
Data derived from Time and Motion Studies conducted at 19 POEs; the example provided is the Bridge of the Americas in Laredo, TX
What is an Enhanced Driver’s License?
EDL = Identity and Citizenship
Meet minimum security standards
Facilitative technology (OCR/MRZ & RFID)
Uniform processing & method of validation for CBP Officers
[Card diagram callouts: MRZ/OCR (new to a driver’s license); US flag; “Enhanced” designation; minimum 23mm white space]
What will the US Passport Card look like?
Presentation purposes only – product may not appear as depicted
What information does a WHTI tag contain?
Header (8 bits): static binary value 0010 1100.
Filter Value (3 bits): high-level filter option.
Partition Value (3 bits): determines Company Prefix length.
Company Prefix (27 bits): equates to eight digits to uniquely identify an organization such as DHS/CBP, DoS, WA state, etc. EPCglobal/GS1 allocated and managed.
Document Type (14 bits): equates to four digits, allowing up to 10,000 document types. An organization could define and filter for up to 10,000 document types (example: 1 = motorcycle, 2 = auto, etc.). Defined by Card/Tag Issuer.
Serial Number (41 bits): allows for over 2 trillion unique values; used for the unique serial number (example: 00101101011011101). Defined by Card/Tag Issuer.
DHS has requested ‘001’ be reserved to represent ‘travel document’
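The tag layout above is a fixed-width bit field, so it is worth seeing how a reader back end would pack and unpack it and what the later privacy slide means by relying on the TID. The following is an added example, not code from the slides or from DHS/CBP. The bit widths and the static header value are the ones the slide gives; placing the filter and partition values directly after the header follows the EPCglobal 96-bit tag layouts and is an assumption, as are the sample company prefix, serial, chip TID and issuer database record, which are constructed for illustration.

```python
"""Pack, unpack and sanity-check the 96-bit WHTI tag number.

Added example, not code from the CTST 2008 slides or from DHS/CBP. The bit
widths and the static header value are the ones the slide gives (8-bit
header 0010 1100, 3-bit filter, 3-bit partition, 27-bit company prefix,
14-bit document type, 41-bit serial). Placing filter and partition directly
after the header follows the EPCglobal 96-bit tag layouts and is an
assumption; every sample prefix, serial, TID and database record below is
constructed for illustration.
"""
from dataclasses import asdict, dataclass

HEADER = 0b00101100        # static header value shown on the slide
TRAVEL_DOC_FILTER = 0b001  # filter value DHS asked to reserve for 'travel document'

# Field layout, most significant field first: (name, width in bits).
FIELDS = (
    ("header", 8),
    ("filter", 3),
    ("partition", 3),
    ("company_prefix", 27),   # eight decimal digits fit in 27 bits
    ("document_type", 14),    # four decimal digits fit in 14 bits
    ("serial", 41),           # 2^41 is over 2 trillion unique values
)
assert sum(width for _, width in FIELDS) == 96


@dataclass(frozen=True)
class WhtiTag:
    filter: int
    partition: int
    company_prefix: int
    document_type: int
    serial: int

    def encode(self) -> int:
        """Return the 96-bit tag number, rejecting any field that overflows its width."""
        values = {"header": HEADER, **asdict(self)}
        number = 0
        for name, width in FIELDS:
            value = values[name]
            if not 0 <= value < (1 << width):
                raise ValueError(f"{name}={value} does not fit in {width} bits")
            number = (number << width) | value
        return number


def decode(number: int) -> WhtiTag:
    """Split a 96-bit tag number back into its fields and check the header."""
    if not 0 <= number < (1 << 96):
        raise ValueError("tag number must be a 96-bit unsigned value")
    values = {}
    for name, width in reversed(FIELDS):     # peel fields off the low end
        values[name] = number & ((1 << width) - 1)
        number >>= width
    if values.pop("header") != HEADER:
        raise ValueError("header mismatch: not a WHTI tag number")
    return WhtiTag(**values)


def to_hex(number: int) -> str:
    """96 bits as 24 upper-case hex digits, the usual form in reader output."""
    return f"{number:024X}"


# Constructed sample: a hypothetical issuer prefix, document type 2 ('auto'
# in the slide's example scheme) and the serial bit string the slide shows.
SAMPLE_TAG = WhtiTag(
    filter=TRAVEL_DOC_FILTER,
    partition=6,
    company_prefix=12345678,
    document_type=2,
    serial=int("00101101011011101", 2),
).encode()
SAMPLE_TID = bytes.fromhex("E2003412000000000000AB01")   # constructed chip TID

# Constructed issuer records: tag number -> chip TID recorded at personalisation.
# The number itself carries no PII; the TID binding is what lets the back end
# notice a valid number that has been copied onto a different chip.
ISSUER_DB = {SAMPLE_TAG: SAMPLE_TID}


def verify_read(tag_number: int, observed_tid: bytes) -> str:
    """Classify a reader observation: ok, unknown, clone-suspect or not-travel-document."""
    tag = decode(tag_number)
    if tag.filter != TRAVEL_DOC_FILTER:
        return "not-travel-document"
    expected_tid = ISSUER_DB.get(tag_number)
    if expected_tid is None:
        return "unknown"
    if expected_tid != observed_tid:
        return "clone-suspect"
    return "ok"


if __name__ == "__main__":
    print(to_hex(SAMPLE_TAG), decode(SAMPLE_TAG))
    print(verify_read(SAMPLE_TAG, SAMPLE_TID))
```

The range check in `encode` is the important line for an issuer: a serial or prefix that silently overflows its width would corrupt the neighbouring field and produce a number that decodes to a different organization. The `verify_read` classification mirrors the privacy slide's argument: the number on the chip is only a lookup key, and a "clone-suspect" result (right number, wrong chip) is a signal for the officer to fall back on the photo and the document itself.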
What About Privacy?
Only a number on the chip; no personally identifiable information (PII) is stored in the tag
PII is stored in secure databases and transmitted over secure networks
Attenuation sleeve issued with all RFID-enabled travel documents
Presentation of the photo reduces the risk of cloned tags being used successfully at the border
Implementation of TID will virtually eliminate successful use of cloned tags
How will RFID Work at the Border?
Panel Discussion
Paul Hunter, 703-440-3176
Our Mission
We are the guardians of our Nation’s borders. We are America’s frontline. We safeguard the American homeland at and beyond our borders. We protect the American public against terrorists and the instruments of terror. We steadfastly enforce the laws of the United States while fostering our nation’s economic security through lawful international trade and travel. We serve the American public with vigilance, integrity and professionalism.
Copyright 2008 Lockheed Martin Corporation. All rights reserved.
Transportation Worker Identification Credential (TWIC)
CTST 2008, May 13, 2008
John Schwartz, May 13, 2008
Program Overview
Purpose: Ensure that only workers who satisfactorily complete a security threat assessment (STA) gain unescorted access to Secure Areas of the maritime transportation system.
TSA responsible for: enrollment; completing the STA; issuing credentials; operating the TWIC system
Coast Guard responsible for: establishing and enforcing access requirements
All U.S. merchant mariners are also required to obtain a TWIC
TWIC Fee: Workers pay for the credential
$132.50 for a five year card
$27.25 discount for a current, comparable security threat assessment
Two-Phase Program Implementation
Phase I
Rule now requires workers to obtain TWIC
Rule will require facility and vessel operators to visually inspect TWIC once initial enrollment is complete in each port, as determined and ordered by the Coast Guard Sector Commander
Phase II
Second TWIC rule will require facility and vessel operators to biometrically verify identity and check that the card has not been revoked
Operators will be responsible for the purchase and operation of readers and access control systems
To implement, will require contactless card readers that function in the maritime environment
TWIC Enrollment Metrics
[Chart: enrollment volume (0 to 350,000) by date, weekly from 2/12/08 through 4/22/08]
Total Pre-enrollments: 318,739
Total Enrollments: 244,470
Total Activations: 72,056
• 100+ Enrollment Centers open nationwide
• Estimated population: 1.2 Million +
Data as of April 24, 2008
Lessons Learned
Modified Capture Process to Allow for Large Hands: Decreased FBI Reject Rates
Fingerprint Matching Algorithm Must be Optimized: Made significant improvements in quality; continuing to work with NIST and FBI
Need to Rapidly Adjust Resources to Handle Fluctuating Demand: Regional demand differences; Requirements for flexible hours
Self-Service Options: Checking Card Status; General Information; Scheduling Appointments
Program Successes
Pre-enrollment Capability: Reduces Overall Enrollment Time
Extensive use of Metrics and Dashboard: Allows objective identification of trends to take corrective actions
Use of 1:1 Biometric Match and Quality Algorithm at Enrollment: Minimizes FBI Rejects
Biometric Uniqueness Check for all Applicants: Ensures Each Holder has Only One TWIC
o Possible Hits Include…
− Duplicate Applications, Lost/Stolen Cards, Renewals, False Matches
SAFE Port Act Pilot Test
Pilot Test Requirements:
Evaluate technical performance of TWIC card / biometric reader function
Evaluate operational and business process impact of conducting biometric verification of identity in various maritime facility and vessel operating scenarios
Participants
Ports of NY/NJ; Long Beach; Los Angeles; Brownsville; and Chicago
Vessel operations: inland river tug/towing operations, Vicksburg, MS; and small passenger vessel operation, Annapolis, MD
TWIC Information / Resources
• Website: www.tsa.gov/twic
o Link to Pre-enrollment website
− English and Spanish
o Schedule, press releases, FAQs, rulemaking documents
o Outreach/communication materials
− Flyers
− Quick Reference Guides
− English and Spanish
o Link to Coast Guard Homeport website
• TWIC Help Desk: 1-866-DHS-TWIC (1-866-347-8942)
o 8:00 AM ET - 12:00 AM ET
o English and Spanish
The Government-wide Interoperability of HSPD-12
David Temoshok, Director, Identity Policy and Management
GSA Office of Governmentwide Policy
CTST/Smart Card Alliance Conference, May 12, 2008
The HSPD-12 Mandate
Homeland Security Presidential Directive 12 (HSPD-12): “Policy for a Common Identification Standard for Federal Employees and Contractors”
-- Signed by President: August 27, 2004
HSPD-12 has Four Control Objectives:
Issue identification based on sound criteria to verify an individual’s identity.
Strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation.
Personal identity can be rapidly authenticated electronically.
Issued by providers whose reliability has been established by an official accreditation process.
Key Milestones
Timeline | Agency/Department Requirement/Milestone
August 27, 2004 | HSPD-12 signed and issued
Not later than 6 months (February 27, 2005) | NIST issues standard (FIPS-201)
Not later than 8 months following issuance of standard (October 27, 2005) | Compliance with FIPS-201 Part One: Identity Proofing and Enrollment (PIV-I)
Not later than 20 months following issuance of standard (October 27, 2006) | Commence deployment of FIPS-201 compliant Identity Credentials (FIPS-201 Part Two, PIV-II)
Convert all employees to PIV standard (October 27, 2008) | Compliance with FIPS-201 Part Two for all employees and contractors
Government-wide Implementation Strategy
• OMB provides policy and implementation guidance.
• NIST provides HSPD-12 process and technical requirements (FIPS 201 and associated Special Publications).
• Government-wide interoperability is required. Implementation is controlled through the acquisition process.
• GSA designated as “Executive Agent for Acquisition” for the implementation of HSPD-12.
• GSA designated as Government-wide Shared Service Provider to provide shared services and infrastructure for government-wide implementation (MSO).
• Extremely aggressive milestones are needed to maintain focus and momentum.
The Quest for Interoperability
Interoperability is defined as the ability of:
“…Diverse systems and organizations to work together (inter-operate).” Wikipedia
“…Two or more systems or components to exchange information and to use the information that has been exchanged.” IEEE
“…Any government facility or information system, regardless of PIV issuer, to verify a cardholder’s identity using the credentials on the PIV card.” FIPS 201-1
“…Two or more devices, components, or systems to exchange information in accordance with defined interface specifications and to use the information that has been exchanged in a meaningful way.” GSA
The Starting Gate for Government-wide Interoperability
• PIV standard data model - FIPS 201
• PIV interoperability and security standards - FIPS 201 and associated Special Publications
• PIV data interface specifications - FIPS 201 and associated Special Publications
• Standard Testing Programs - Products - GSA FIPS 201 Evaluation Program, NIST, FBI, NVLAP
• Reference Implementations - data interface specifications
• Standard Testing Program - data interface specifications
GSA – Executive Agent for Acquisition
• Establish FIPS 201 Evaluation Program to ensure that commercial products comply with all normative requirements of FIPS 201.
• Establish Approved Products List to publicly post all approved products/services requiring FIPS 201 compliance.
• Establish Special Item Number (SIN) 132-62 on GSA MAS IT 70 for FIPS 201 compliant products and qualified services.
• Provide full range of qualified products and services.
• Test agency-specific implementations for product compliance.
• Test agency-specific implementations for compliance to interface specifications.
• Certify labs for product testing.
• Provide for Configuration Management of Approved Products and agency implementations.
GSA FIPS 201 Evaluation Program Status
• GSA administers the FIPS-201 Evaluation Program to determine conformance to FIPS-201 normative requirements.
- Certified laboratories perform all FIPS 201 compliance evaluations
- Approved Product List posted at http://fips201ep.cio.gov/
• GSA/NIST identified 23 categories of products/services which must comply with specific normative requirements contained in FIPS 201
- e.g., PIV smart cards, smart card readers, fingerprint scanners, fingerprint capture stations, facial image capture stations, card printing stations, etc.
• Current product and services approvals:
- 350+ products on FIPS 201 Approved Product List
• Current certified labs:
- Require NVLAP accreditation, GSA FIPS 201 EP Certification
- Atlan Laboratories, InfoGard Laboratories
- Several more lab certifications in progress
APL Products for PIV Architecture Components
[Diagram: Approved Products List product categories mapped onto the PIV architecture components: PIV Enrollment; PIV IDMS (SIP); OPM/FBI National Criminal History Check (NACI); Card Production and Management System; Card Issuance/Activation; Authentication Use Cases.]
Enrollment and biometric capture: Fingerprint Capture Station; Facial Image Capture Camera/Station; Facial Image Capture (middleware); FP Template Generator; FP Template Matcher
Card production: PIV Card; PIV Middleware; PIV Card Printer Station; PIV Card Electronic Personalization (product, service); PIV Card Graph. Personalization; PIV Card Delivery
Issuance/activation: Single FP Capture Device; FP Template Generator; FP Template Matcher; Cryptographic modules; Card Sleeve
Authentication use cases: PIV Card Reader – Transparent; PIV Card Reader – CHUID; PIV Card Reader – Auth Key; PIV Card Reader – Biometric; PIV Middleware; Cryptographic modules
HSPD-12 Architecture Interface Specifications
[Diagram: numbered interface specifications between Agency HR/Sponsors, PIV Enrollment, PIV IDMS (SIP), OPM/FBI National Criminal History Check (NACI), Card Production and Management System, Card Issuance/Activation, PKI SSPs and Authentication Use Cases.]
Interface Specifications posted at HSPD-12 AWG website: http://www.smart.gov/awg/
HSPD-12 Systems – Shared and Stand-Alone
Stand-Alone: DOL, DHS, ED, EOP, EPA, FAA, FHFB, FTC, HHS, HUD, IBB, NASA, NCUA, SBA, SSA, VA
Shared: GSA, Dept. State, DoD
Total = 19 HSPD-12 systems government-wide
Status of HSPD-12 Interface Specifications
• Interface Specifications are needed for interoperability in order to successfully exchange data between HSPD-12 systems and system components
• OGP established the inter-agency HSPD-12 Architecture Working Group in FY 2006 to develop Interface Specifications for government-wide use.
• 10 Interface Specification Documents have been developed and issued in final. All Interface Specifications are posted at http://www.smart.gov/awg/
• MSO is developing and currently testing a Reference Implementation for the Agency – SIP (Systems Infrastructure Provider) Interface Specification. The MSO Reference Implementation will be the standard for all MSO agencies to interface to EDS.
• Two new Interface Specifications are currently under development for MSO and government-wide use:
- SIP – OPM (Office of Personnel Management) for all fingerprint data to OPM and FBI
- Back-end authentication for physical and logical access control (numerous use cases and Interface Specifications needed)
Where We are Today…
Extend PIV infrastructure to new communities (FRAC, Healthcare)
Stabilize issuance operations across 19 HSPD-12 systems
Complete conversion to PIV Credentials for all employees
Implement and test standard Interface Specifications across PIV systems
Complete conversion to PIV Credentials for all contractors
Build and test standard use case applications
Manage configurations across Govt for new technologies/requirements
We’re still climbing the first step…
For More Information
● Visit our Websites:
http://www.idmanagement.gov
http://www.cio.gov/ficc
http://www.cio.gov/fpkipa
http://www.csrc.nist.gov/piv-project
● Or contact:
David Temoshok, Director, Identity Policy and Management, [email protected]