Transcript of Interagency Advisory Board (IAB) Meeting
Interagency Advisory Board Meeting Agenda, Wednesday, July 27, 2011
1. Opening Remarks (Mr. Tim Baldridge, IAB Chair)
2. A TWIC Program Status and Update (John Schwartz, TSA)
3. CAC/PKI Logon to Warriorgateway.org (Devin Holmes, Warrior Gateway)
4. A Federal Security Professional PACS Perspective since the Signing of HSPD 12 (Ron Martin, HHS)
5. Closing Remarks (Mr. Tim Baldridge, IAB Chair)
A Federal PACS perspective since the signing of HSPD 12
From head-in-the-sand to the AWAKENING!
Ron Martin, CPP
Physical Security View of IT interference with system design
Initial Convergence Cooperation Between IT and Physical Security
Less Today than Yesterday
OVERVIEW
“…we must have a human to technological mix to perform the security mission of the future...”
Convergence is more than the joining of Physical Security and Information Technology
It will touch all of us
Ron Martin, CPP PSTN Interview 2002
Keeping up with the “state of the art” in terms of new technology, new concepts, new studies, changing laws, and industry trends is a very personal as well as a professional necessity, especially for those in leadership roles.
SIA Government Sales Summit - June 2005
What’s A Stovepipe System?
A Stovepipe System ties up the activity of the system from bottom to top:
– It prevents information exchange at intermediate levels
– It prevents component substitutions from other sources
– It limits innovation and defers product improvements
Standards Break Stovepipes Apart
• Many Existing Standards For Interconnection Of Field Devices But Some Work Still Needed
• Interfaces To Edge Devices Are A Current Focus
• Standard Middleware Application Interfaces and Infrastructure To Meet System Architecture Requirements
• Head-end Application Interfaces Where Needed for Provisioning, User Interfaces
Layers shown on the slide, top to bottom: User Interface; Shared IT Resources; Infrastructure & Middleware; Edge Devices; Field Devices
NT + OP = EOP
20% / 80%
Components of the Process
Technology:
• Hardware/Software Storage
• IDMS Services
• Application Integration
Policy, Planning, Politics and Management:
• Defining functional/business requirements
• Defining Business Architecture
• Creating new policies where needed
• Determining laws, regulations, mandates to be followed
• Reviewing policies
• Determining budget requirements
Identity Management is a broad capability and requires an integrated solution: Entity Management, Credentialing, Access Management, Facilities
The Three Sides of HSPD-12 (FIPS 201)
• CONTROL MEASURES: Accreditation, Compliance, Conformance
• POLICIES: Laws, Policies, Rules (HSPD-12, Federal Information Security Management Act, FIPS 201)
• Technology: Systems, Processes; Physical, Logical
• PIV-1
RESPONSIBILITIES
Physical Security & OCIO Responsibilities
• Ensuring the development of a baseline solution that meets FIPS 201 compliance
• Ensuring entry control points or general access to Agency facilities comply with HSPD-12
• Identifying and offering common solution options that leverage economies of scale
• Providing security training courses
• Assisting with the rollout of CMS & IDMS
• Centralized reporting to OMB
General Responsibilities
• Developing a Bureau implementation plan that meets OMB’s due dates and FIPS 201 requirements
• Processing investigations
• Establishing controlled access at Level 3, 4 & 5 facilities
• Purchasing and maintaining future PCIF equipment (fingerprint & card readers etc.)
• Participating in HSPD-12 Working Group meetings and reporting Bureau progress
Convergence must start within the Department
2006 Discussions
Copyright © 2011 Deloitte Development LLC. All rights reserved. Confidential and Proprietary
HSPD-12 Policy Retrospective “As promptly as possible... the heads of executive departments and agencies shall… require the use of identification by Federal employees and contractors that meets the Standard in gaining physical access to Federally controlled facilities and logical access to Federally controlled information systems.”
– Homeland Security Presidential Directive 12 (HSPD-12), August 27, 2004
“[For] Risk Based Facility Access – Use the appropriate card authentication mechanism… with minimal reliance on visual authentication.” “Compliance with the Standard requires the activation of at least one digital certificate on the identity credential for access control. Agencies must require the use of the identity credential for system access.”
– OMB M-05-24, August 5, 2005
“We want to ensure business processes are being followed in order to foster the trusted environment needed for the credentials to be accepted by Departments and agencies...”
– M-07-06, January 11, 2007
“If your agency has not already completed its plan for incorporating the use of PIV credentials with physical and logical access control systems, we ask you to ensure these plans are developed as soon as possible and in coordination with officials from your agency’s personnel, physical security, budget, and other appropriate offices.”
– OMB Guidance for HSPD-12 Implementation, May 23, 2008
“The target state … reflects full implementation of the PIV card for electronic physical access for employees and contractors ...” “In the target state... it is intended that agencies will leverage the various capabilities of the PIV card, particularly the PIV authentication digital credential, to grant access to applications at all levels of assurance.”
– FICAM Roadmap and Implementation Guidance, November 19, 2009
Timeline: 2004 through 2010
HSPD-12 Retrospective Part two
• NIST Workshop: first call for industry solutions
• OMB requires the use of the Approved Products and service provider lists – OMB Guidance for HSPD-12 M-06-18
• M-10-28 gives HSPD-12 authority for implementation to the Department of Homeland Security
• OMB issues Continuing Guidance for the Implementation of HSPD-12 – M-11-11
• NIST Cooperative Research and Development Agreement (CRADA): second call for industry solutions
• Compendium of Standards
Timeline: 2004 through 2011
CONVERGENCE SUBCOMMITTEE
Interagency Security Committee (ISC), E. O. 12977
CHARTER: The convergence subcommittee develops mechanisms to support Federal agencies' integration of information management controls with security programs.
Mission
• To provide agencies with mechanisms to support security programs while integrating controls.
Scope
• Develop specific strategies with accompanying templates that will enable the agency’s physical security specialist to assess, plan, procure, budget, evaluate and accredit programs and systems.
PACS Reality Check
“…The Physical Access Control System is a significant security component of any enterprise. These systems are an inherent and essential part of the overall security protection environment and must be interfaced to the enterprise Identification Management System (IDMS) and a Card Management System (CMS) to provide full HSPD-12 interoperability and FIPS 201-1 compliance. ..”
Ron Martin, CPP April 2007
The PACS is an Application that resides on the organization’s enterprise. It therefore must adhere to all of the Logical Access Control protocols.
A PACS Model from SP 800-116: Unrestricted, Controlled, Limited, Exclusion
The slide draws the four area types as nested zones, each inner zone entered through its own access point:
• Unrestricted Area: Stuff
• Access Point A leads to the Controlled area: Facility services, Admin Buildings (Important stuff)
• Access Point B leads to the Limited area: HQ, Lab Space (Very Important stuff)
• Access Point C leads to the Exclusion area: Trade Secret
Traditional Architecture Relationships
VIEWS: OPERATIONAL (“What we do”), TECHNICAL (“Specs we use”), SYSTEM (“How we do it”)
Relationships drawn between the views: Identifies User Functional Requirements; Provides Common Specs and Standards; IDs New Technologies; Relates System Elements And Capabilities To Operational Requirements
Operational activity tree used as the slide’s example:
A1 Command & Control IN BN Ops
  A1.1 Execute IN BN Missions
    A1.1.1 Command IN BN
    A1.1.2 Control Tactical Ops
    A1.1.3 Maintain Updated Enemy Situation
    A1.1.4 Coordinate Effects for Current Ops
    A1.1.5 Maintain SU/COP
    A1.1.6 Advise & Assist BN CDR
  A1.2 Plans & Coordinates Combat Ops
    A1.2.1 Plan Future Ops
    A1.2.2 Coordinate Current Ops
    A1.2.3 Maintain SU/COP
  A1.3 Coordinate CSS
    A1.3.1 Supervise Rear CP Ops
    A1.3.2 Coordinate Logistics Support
A2 Provide CS & CSS
  A2.1 C2/Sustain HHC Ops
    A2.1.1 Plans HHC Ops
    A2.1.2 Directs HHC Ops
    A2.1.3 Maintain SU/COP
    A2.1.4 Sustain HHC Ops
    A2.1.5 Support BN CP Ops
  A2.2 Provide Communications
    A2.2.1 Receive Direction
System Functions (ABCS):
• ABCS: Allow automated database updating
• ABCS: Disseminate tailored, initial and updated geo-spatial
• ABCS: Establish Common Database (Common
• ABCS: Implement bandwidth conservation measures
• ABCS: Provide Command and Control on the move
• ABCS: Provide Commander with a multi-level secure,
• ABCS: Provide Commander with accurate battlefield
• ABCS: Provide Commander with timely battlefield situational
• ABCS: Provide Commanders the capability to input CCIRs
• ABCS: Provide Common Look and Feel in HW/SW for every
• ABCS: Provide for continuity of operations due to planned
• ABCS: Provide VTC and Whiteboard capability for
M-11-11
Office of Management and Budget (OMB) Memorandum M-11-11, issued on February 3, 2011, provides additional guidance for agencies in the continued implementation of HSPD-12.
It requires that agencies designate a lead official for ensuring issuance of a policy requiring the use of the PIV credential as the common means of authentication. Additionally, an agency’s policy must include the following requirements:
• All new systems under development must be enabled to use PIV credentials prior to being made operational.
• All existing physical and logical access control systems must be upgraded to use PIV credentials prior to the agency using development and technology refresh funds to complete other activities.
• Procurements for services and products involving facility or system access control must be in accordance with HSPD-12 policy and the FAR.
• Agencies must accept and electronically verify PIV credentials issued by other federal agencies.
• Agencies’ implementations must align with the Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance.
INTEROPERABILITY VERSION 1 CONCEPT
2005 NIST Discussion
Credential Management Systems Architecture Design
• Card Holder: Visitor PIV, CAC, Driver Lic, Passport; Visitor Groups
• Visitor Check-in: Certificate Check, Biometric & Picture (optional); Visitor Kiosk (Future)
• Physical Convergence Management: Sponsor Request Portal; Convergence Server
• Certificate validation: OCSP Check; CRL 1 (DOD), CRL 2 (Federal Bridge), CRL n (Other); Cert Issuer to CRL Mapping
• Outcomes: Card Provisioned in PACS; Unescorted Access; Visitor Badge Issued; Escorted Access (Per Policy)
• Identity Store; LACS; OMB M-11-11 Requirement
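The certificate-validation branch of this design (OCSP check, CRL 1/2/n, cert issuer to CRL mapping) can be made concrete. The Go program below is an added example, not code from the presentation or from any HHS system: it models a door controller that holds a per-issuer CRL cache refreshed daily, maps a presented card certificate’s issuer DN to the cached CRL, verifies that both the card certificate and the CRL actually chain to that issuer, treats a stale or unverifiable CRL as a reason to fall back to OCSP rather than to grant access, and only then compares the serial number. The CA names, serial numbers and one-day freshness window are constructed for the example; the OCSP call itself is represented by the StatusNeedsOCSP result rather than performed. It assumes Go 1.19 or later for x509.ParseRevocationList and RevocationList.CheckSignatureFrom.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// RevocationStatus is the outcome of a door controller's local CRL check.
type RevocationStatus int
const (
	StatusGood      RevocationStatus = iota // not on the issuer's fresh CRL
	StatusRevoked                           // listed on the CRL: deny
	StatusNeedsOCSP                         // no fresh, verifiable CRL for this issuer: go online
	StatusInvalid                           // does not chain to the mapped issuer: deny
)

// crlEntry keeps a cached CRL with the issuer certificate that signed it; CRLCache
// is the slide's "Cert Issuer to CRL Mapping", keyed by issuer DN.
type crlEntry struct{ issuer *x509.Certificate; crl *x509.RevocationList }
type CRLCache map[string]crlEntry

// MaxCRLAge models "local certificates (updated daily)"; the one-day value is assumed.
const MaxCRLAge = 24 * time.Hour

// CheckLocalCRL decides revocation from cached CRLs only: a CRL counts as evidence
// only if it verifies against the mapped issuer, and only for cards that chain to it.
func CheckLocalCRL(cache CRLCache, card *x509.Certificate, now time.Time) RevocationStatus {
	entry, ok := cache[card.Issuer.String()]
	if !ok {
		return StatusNeedsOCSP // "CRL n (Other)": issuer not cached locally
	}
	if card.CheckSignatureFrom(entry.issuer) != nil {
		return StatusInvalid // issuer DN matches but the signature does not
	}
	if entry.crl.CheckSignatureFrom(entry.issuer) != nil {
		return StatusNeedsOCSP // corrupted or forged CRL: trust it in neither direction
	}
	if now.After(entry.crl.NextUpdate) || now.Sub(entry.crl.ThisUpdate) > MaxCRLAge {
		return StatusNeedsOCSP // stale: the daily refresh has not happened
	}
	for _, rc := range entry.crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(card.SerialNumber) == 0 {
			return StatusRevoked
		}
	}
	return StatusGood
}

// mkCert builds a constructed certificate; with ca == nil it is a self-signed CA.
func mkCert(name string, serial int64, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(48 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca == nil { // a CA must be allowed to sign both certificates and CRLs
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		ca, caKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// signCRL signs a constructed CRL listing the given serials, dated thisUpdate.
func signCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serials []int64, thisUpdate time.Time) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: thisUpdate, NextUpdate: thisUpdate.Add(MaxCRLAge)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: thisUpdate})
	}
	der, _ := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	crl, _ := x509.ParseRevocationList(der)
	return crl
}

// DemoDecisions returns, in order: a good card, a revoked card, a card whose issuer's CRL
// is three days stale, a card from an uncached issuer, and a card from a rogue CA that
// reuses the agency CA's DN under its own key. All certificates are constructed.
func DemoDecisions() []RevocationStatus {
	now := time.Now()
	agency, agencyKey := mkCert("Demo Agency PIV CA (constructed)", 1, nil, nil)
	bridge, bridgeKey := mkCert("Demo Bridge CA (constructed)", 1, nil, nil)
	other, otherKey := mkCert("Demo Other CA (constructed)", 1, nil, nil)
	rogue, rogueKey := mkCert("Demo Agency PIV CA (constructed)", 1, nil, nil)
	cache := CRLCache{
		agency.Subject.String(): {agency, signCRL(agency, agencyKey, []int64{1002}, now)},
		bridge.Subject.String(): {bridge, signCRL(bridge, bridgeKey, nil, now.Add(-72*time.Hour))},
	}
	type presented struct{ ca *x509.Certificate; key *ecdsa.PrivateKey; serial int64 }
	var out []RevocationStatus
	for _, p := range []presented{{agency, agencyKey, 1001}, {agency, agencyKey, 1002},
		{bridge, bridgeKey, 2001}, {other, otherKey, 3001}, {rogue, rogueKey, 1003}} {
		card, _ := mkCert("card", p.serial, p.ca, p.key)
		out = append(out, CheckLocalCRL(cache, card, now))
	}
	return out
}
```

Two ordering choices in CheckLocalCRL are deliberate. The card’s chain to the mapped issuer is checked before its serial is compared, because a certificate can carry any issuer DN it likes and the mapping alone proves nothing. And a CRL that fails signature verification or has aged past its refresh window is never read as “not revoked”: the safe interpretation of missing evidence is to ask the online responder, not to open the door.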
U.S. Department of Health and Human Services
Conceptual System Architecture – Department View (Waterfall)
• Identity Management Services: Identity Verification; Enrollment; Visitor Mgmt; Short-term Foreign National Visitors; Virtual Directory Services; Unique Person Identifier Service; Role Mgmt (Future)
• Credential Management Services: Issuance (PIV, HHS PIV-I); Post Issuance Support
• Sponsorship - Identity and Access Administration
• People Management – EHRP, OPDIV systems (NED, CDC Neighborhood, etc.)
• Access Management: Logical; Physical
• Identity Lifecycle Services; Directory Services; Role Management Services
• Provisioning Services: Account Provisioning; Credential Provisioning
Credential Provisioning and Gateway Service (Close up)
• Certificate Validation for non-HHS Smart Cards: OCSP; FBCA; Industry Bridges
• Credential Provisioning and Gateway Service: COTS Connectors; SCMS Services
• Enterprise PACS: HHS; PSC HQ; FDA; NIH; IHS; AHRQ; CMS
• Independent PACS: CDC
Current State PACS
• Client / Server with PACS Software/Database
• Multi Door Controller
• Reader Interface
• Contactless PIV Reader
End State PACS
• Option A: Multi Door Controller with local certificates (updated daily); Reader Interface; Contactless PIV Reader
• Option B: Multi Door Controller; Smart Reader Interface (to verify certificates); Contact PIV Reader
Enterprise End State
• Server with PACS Software/Database; Client
• Multi Door Controller
• Reader Interface
• Contactless PIV Reader (CAK)
Card Authentication Key (CAK)
• The asymmetric CAK is optional now; mandatory soon (FIPS 201-2)
• The CAK is read contactless
• It can be handled in the same manner as the PIV Authentication Certificate
• The symmetric CAK can be used locally
Card Authentication Key (CAK) Security Considerations
• The security of the device hosting the authentication
• The location where authentication is performed
• The data available to the authentication process
• Added processing power to execute the authentication
Card Authentication Key (CAK) Cost Savings
• Few to many: comparison of the cost to apply authentication to servers vs. many readers
• Hosting in servers conforms to cloud computing
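The three CAK slides describe the mechanism without showing the exchange. The Go program below is an added example, not the presenter’s or any vendor’s code, of the asymmetric CAK challenge-response as a PACS controller would perform it: the controller issues a single-use random nonce, the card signs it with the CAK private key over the contactless interface, and the controller verifies the signature with the public key recorded when the card was provisioned in the PACS. Card IDs, keys and the 16-byte nonce size are constructed for the example; validation of the CAK certificate itself (chain and revocation) and the symmetric-CAK variant are separate steps not shown here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Card models the contactless side of the exchange: the asymmetric CAK private
// key never leaves the card. Keys and IDs here are constructed test data.
type Card struct {
	ID      string
	cakPriv *ecdsa.PrivateKey
}

// SignChallenge is the card's response: a signature over the controller's nonce.
func (c *Card) SignChallenge(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, c.cakPriv, digest[:])
}

// Controller is wherever authentication is hosted: a door controller with key
// material on board, or a server that the readers forward the exchange to.
type Controller struct {
	cakPub  map[string]*ecdsa.PublicKey // card ID -> CAK public key recorded at PACS provisioning
	pending map[string]bool             // nonces issued and not yet answered
}

// NewChallenge issues a random nonce valid for exactly one response, so a
// captured signature cannot be replayed against a later challenge.
func (ctl *Controller) NewChallenge() ([]byte, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ctl.pending[string(nonce)] = true
	return nonce, nil
}

// VerifyAsymmetric accepts a response only for a nonce this controller issued
// and has not yet consumed, only for a card the PACS provisioned, and only if
// the signature verifies under that card's recorded CAK public key.
func (ctl *Controller) VerifyAsymmetric(cardID string, nonce, sig []byte) error {
	if !ctl.pending[string(nonce)] {
		return errors.New("challenge unknown or already used")
	}
	delete(ctl.pending, string(nonce)) // single use, even if verification fails
	pub, ok := ctl.cakPub[cardID]
	if !ok {
		return errors.New("card not provisioned in PACS")
	}
	digest := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("CAK signature does not verify")
	}
	return nil
}

// DemoExchanges provisions one card and runs the cases a controller meets: a
// valid exchange, a replay of that response, an unprovisioned card, and a card
// claiming a provisioned ID with the wrong key. It reports which were accepted.
func DemoExchanges() map[string]bool {
	k1, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	k2, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	card := &Card{ID: "card-1001", cakPriv: k1}
	other := &Card{ID: "card-9999", cakPriv: k2}
	ctl := &Controller{cakPub: map[string]*ecdsa.PublicKey{card.ID: &k1.PublicKey}, pending: map[string]bool{}}
	exchange := func(c *Card, claimedID string) (nonce, sig []byte, accepted bool) {
		nonce, _ = ctl.NewChallenge()
		sig, _ = c.SignChallenge(nonce)
		return nonce, sig, ctl.VerifyAsymmetric(claimedID, nonce, sig) == nil
	}
	out := map[string]bool{}
	n, s, ok := exchange(card, card.ID)
	out["valid exchange"] = ok
	out["replayed response"] = ctl.VerifyAsymmetric(card.ID, n, s) == nil
	_, _, out["unprovisioned card"] = exchange(other, other.ID)
	_, _, out["wrong key for claimed ID"] = exchange(other, card.ID)
	return out
}

func main() {
	for name, accepted := range DemoExchanges() {
		fmt.Printf("%-26s accepted=%v\n", name, accepted)
	}
}
```

The slide’s security considerations map onto this code directly: the cakPub table is “the data available to the authentication process”, and whatever runs Controller (a smart reader, a door controller, or a central server) is “the device hosting the authentication”; a compromise of that device would let someone edit the table, which is why the few-to-many cost argument also has a security side. ECDSA P-256 is used because it is in the Go standard library; a deployment verifies with whichever algorithm the card’s CAK certificate specifies.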
ICAM Target Vision
As part of complying with OMB M-11-11, agencies will need to bring their implementations into alignment with the architecture and direction found in the FICAM Roadmap and Implementation Guidance. Key features of the anticipated target state include:
• Increased automation and streamlining of business processes
• Establishment of authoritative sources for identity data and the capability to exchange that data between systems
• Full implementation of PIV credentials for employees, contractors, and affiliates accessing physical and logical resources
• Creation of enterprise-wide ICAM services to eliminate redundancy
• Adoption of standards and commercially-available products
• Increased emphasis on high levels of identity assurance
• Improved trust and interoperability across agencies and with external communities
• Enhanced capabilities for handling external users
• Protecting privacy in all process and system improvements
FICAM Recognition
The enterprise PACS is depicted as a piece of the larger Security Management System (SMS), which has interconnections with other physical security elements:
• Fire Alarm Systems
• Video Surveillance (Closed Circuit Television)
• Short-term visitor MGT
• Intercoms and Emergency Management Notification
• Security Officer touring
• Intrusion and explosive detection systems
ROLE and RESULT
• END-USERS: REQUIREMENTS (to specify)
• INTEGRATORS: SOLUTIONS (to meet or satisfy)
• MANUFACTURERS: PRODUCTS
The implementation of M-11-11 is applicable to end-users, integrators/solution providers and manufacturers/developers
I AM EXCITED NOW!!!!
HSPD – 12
Resistance is Futile!
LOGICAL & PHYSICAL ACCESS WILL BE ASSIMILATED INTO THE SMART CARD!
MARCH 2006
R. Martin, CPP
M-11-11: normatively references SP 800-116 and the FICAM Roadmap
FIPS 201: FIPS 201-2 (“the Standard”) will be revised to include Physical Access Requirements
FICAM Part “B” Phase 2 and FIPS 201-2 will be finished CY-2011