Interagency Advisory Board (IAB) Meeting February 15, 2006.


First Responder Partnership Initiative Planning Approach for Trust & Verification of Identity and Role Across Multi-Jurisdictions Mr. Tom Lockwood/NCR FRPI

Transcript of Interagency Advisory Board (IAB) Meeting February 15, 2006.

Page 1: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Interagency Advisory Board (IAB) Meeting

February 15, 2006

Page 2: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Agenda

• First Responder Partnership in National Capital Region (NCR) – Tom Lockwood (DHS) and Regional Partners

• Handheld RFI Update - Frank Jones (DoD)

• FIPS-201 Evaluation Program Progress – Judy Spencer (GSA)

• Physical Access Synergy – Tony Cieri

• Status Training Modules – Andrew Goldsmith (DOI)

• Backend Authentication Scheme Working Group (BASWG) – TBD

• Document Revision Progress – Curt Barker (NIST)

• Cryptographic Migration Plan – Tim Polk (NIST)

• Press Wrap-up

Page 3: Interagency Advisory Board (IAB) Meeting February 15, 2006.

First Responder Partnership Initiative

Planning Approach for Trust & Verification of Identity and Role Across Multi-Jurisdictions

Mr. Tom Lockwood/NCR FRPI

Page 4: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Planning Approach Trust & Verification of identity & role across multi-jurisdictions

(Detailed Objectives)

[Diagram; labels recovered from the slide:]

• Levels: Federal, State, Local
• Federal plans: EPA Strategic Plan, HHS Strategic Plan, DOJ Strategic Plan, DHS Strategic Plan
• State Strategic Plan; Local Strategic Plan
• HSPD, NIMS/NRP, NIPP, Guidance, Template
• WashCOG REG-ECP (2002), 8 Commitments to Action (2002), UASI Strategy, CAO-SPG Priorities
• Regional NCR Strategic Plan
• Model COOP Plan Development; Faron Smith, Ed Hilliard, Christina Higgins, Bill DelGrosso
• Regional Emergency Support Functions: #1 Trans, #2 Comm, #3 PW/Engin, #4 Fire, #5 Emerg Mgmt, #6 Mass Care, #7 Res Supp, #8 Health, #9 Urban S&R, #10 Hazmat, #11 Agric, #12 Energy, #13 Public Safety, #14 Recov & Mitig, #15 Ext Affairs
• Private Sector: Profit, Critical Infrastructure, Associations, Chambers; Not-For-Profit, Community Round Table, Organizations
• Regional Orgs & Hosted International

Page 5: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Planning Approach Trust & Verification of identity & role across multi-jurisdictions

Incident Management:

To get the right people with the right attributes to the right places at the right times thus reducing response/recovery times and promoting restoration to pre-incident quality of life conditions

“What are we doing?”

Page 6: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Planning Approach Trust & Verification of identity & role across multi-jurisdictions

Strategic Objectives

1. Establishment of a multi-jurisdictional identity trust model in accordance with existing standards and technology that enables interoperability for dynamic identity and emergency attribute management

2. Categorize all emergency response or critical infrastructure support personnel in accordance with the National Response Plan (NRP) or National Infrastructure Protection Plan (NIPP)

3. Integrate identity and NRP/NIPP category information into existing authoritative human resources databases/directories for use with current technology tool sets that support the electronic proliferation of trusted and secure information for access decisions

4. Standardize NRP/NIPP occupation sub-categories and qualifications in accordance with national and international personnel qualification standards as appropriate

5. Conduct exercises to integrate use with response requirements and applications development for trusted and secure electronic incident management with accountability

Page 7: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Planning Approach Trust & Verification of identity & role across multi-jurisdictions

Goal: Multi-jurisdictional Identity Interoperability

To demonstrate multi-jurisdictional identity interoperability by electronically binding personalized First Responder Authentication Cards (FRACs), that were issued from different back-end infrastructures, to authorized responder in a communication-in or out environment

[Diagram labels: Police, First Responder, DOD, Amtrak, Metro, “within”, Disaster recovery area]

Page 8: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Planning Approach Trust & Verification of identity & role across multi-jurisdictions

Common Process

1) Applicant - Existing, or new enrollee

2) Sponsor - Practitioner/stakeholder community authoritative official

3) Enrollment Official - PIV data and documents collection/verification

4) Registrar - PIV data and documents validation/confirmation

5) Issuance Official - PKI certificate download and card distribution

6) Validation & Revocation Authority – Sponsor’s authoritative database/directories trigger for OCSP distribution

Page 9: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Planning Approach Trust & Verification of identity & role across multi-jurisdictions

[Diagram labels: Logical access; Physical access; Preparedness Identity Management; “HSPD – 12”; “FRAC”]

Page 10: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Planning Approach Trust & Verification of identity & role across multi-jurisdictions

[Diagram; labels recovered from the slide:]

• Levels: Federal, Regional, County & Local
• Federal plans: EPA Strategic Plan, HHS Strategic Plan, DOJ Strategic Plan, DHS Strategic Plan
• Virginia Strategic Plan, D.C. Strategic Plan, Maryland Strategic Plan
• County Strategic Plan (shown three times)
• PM, NCRC, PC
• Private Sector: Profit, Critical Infrastructure, Associations, Chambers; Not-For-Profit, Community Round Table, Organizations
• Regional Orgs & Hosted International
• FIPS-201, HSPD…, H.R. 418, UASI Funded, NIPP, NRP

Provide a continual process improvement loop to incorporate best practices across jurisdictions and ensure continued architectural alignment and interoperability.

Page 11: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Planning Approach Trust & Verification of identity & role across multi-jurisdictions

Partnership Members

Federal
– Lemar Jones, Director, Antiterrorism/Force Protection Directorate, Pentagon Force Protection Agency
– Gordon Woodrow, Regional Director, Region 3 U.S. Department of Health and Human Services

NCR - Robert LeGrande, Deputy Director, Office of the Chief Technology Officer, District of Columbia

Virginia - Mike McAllister, Deputy State Director, Security and Emergency Management, Virginia Department of Transportation

Maryland - Brad Jewitt, Director, Office of the Fleet, Facilities and Administrative Services, Maryland Department of Transportation

Private – John N. Petrie, Assistant Vice President for Public Safety & Emergency Management, The George Washington University

Page 12: Interagency Advisory Board (IAB) Meeting February 15, 2006.
Page 13: Interagency Advisory Board (IAB) Meeting February 15, 2006.

NCR Data Interoperability Communications Architecture

[Map and diagram; labels recovered from the slide:]

• Jurisdictions: Fairfax County, Montgomery County, Prince George’s County, Washington, D.C., Loudoun County, Prince William County, Bowie, Gaithersburg, Greenbelt, Rockville, Fairfax, Falls Church, Manassas Park, Manassas, College Park, Takoma Park, Arlington, Alexandria
• Information: Public Safety, Health, Transportation, Emergency Preparedness (shown four times)
• Legend: Existing Fiber Connected I-Net Site or Hub; Candidate I-Net Site; Existing I-Net Fiber; Candidate I-Net Fiber; Broadband Wireless Phase 1; Broadband Wireless Phase 2; Broadband Wireless Future Phases
• Field Mobile Operations; Data & Applications; Offices, EOCs, Government Centers, Operational Centers
• “Tracks”, “Trains”, “Users”
• Core Elements, Shared Services, Standards, Governance, Outreach

Page 14: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Data Exchange Hub Concept of Operations

[Diagram; labels recovered from the slide:]

• Jurisdiction - 1, Jurisdiction - 2, Jurisdiction - 3, Jurisdiction - N; ESF-1 and ESF-2 (shown four times)
• DATA EXCHANGE HUB: Data Exchange, Data Search, Application Access
• CREDENTIALING
• ADMIN UI; EXECUTIVE ADMIN; ARCHITECTURE REVIEW BOARD
• FEDERAL INFORMATION; FEDERAL SOURCES
• ESF-1..N USERS, FEDERAL USERS, PUBLIC USERS, EXECUTIVE USERS

Page 15: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Goal: Standardized Incident Identity Management

PKI identity smart card will provide the relying party with machine-read information to determine access privileges for granting access into, out of, and within various areas as required

[Diagram labels: Police, First Responder, DOD, Amtrak, Metro, “within”, Disaster Recovery Area]

Page 16: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Multi-Jurisdictional Recognition (mobile identity management)

INFORMATION FEED:
• FEDERAL
• STATE
• LOCAL
• PRIVATE

PDA INFORMATION FORMAT:
• DATA
• TEXT
• IMAGE

First Responder Validation Authority (Produced and Synchronized Nightly)

Page 17: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Proposed Implementation Timeline

Phase I:
• Regional “as-is” and “to be” analysis: 01/03/06 - 02/28/06
• Limited implementation for interface analysis: 01/03/06 - 02/28/06
• Mobile device and interoperability analysis: 01/03/06 - 02/28/06

Phase II:
• NCR sponsored pilot exercises: 03/15/06 - 03/30/06
• Commence regional implementation: 04/01/06 - 07/30/06
• NCR sponsored exercises: 04/03/06 - 04/27/06
• FEMA sponsored Forward Challenge 06: 06/19/06 - 06/22/06

Phase III:
• Complete implementation: 07/30/06 - 09/30/08
• NCR sponsored exercises: 09/04/06 - 09/30/08

Page 18: Interagency Advisory Board (IAB) Meeting February 15, 2006.

NCR Program Deliverables

Pilot Objectives: Leverage existing technologies to better define long term solutions.

I-Net Project
• High level Pilot plans: Light up at least 4 regional fiber connections (Locations TBD)

BB Project
• High level Pilot plans: External to District Pilots, but interoperable to DC
  – 1x EVDO – RE-A
  – WI MAX
  – 4.9 GHz
  – WI FI
  – Flarion
  – Mesh

EOC Int Project
• High level Pilot plans
  – Web EOC to Web EOC Pilot
  – Web EOC to/from other CIMS
  – (DC-Montgomery)
  – Federal (TBD)
  – Web EOC to/from DEH

DEH Project
• High level Tech assessments: Tech Assessment of Existing Solutions
  – CAPWIN
  – CAP STAT
  – HSIN
  – SHIELD
  – Research Other Options

[Timeline rows “NCR Requirements Efforts” and “NCR Design Effort”; cell text recovered from the slide:]
• May ‘05
• Design SOW TBD. Depends on completion of requirements work (shown twice)
• Requirements and design SOW Awarded (shown twice)
• Req. RFP Due out 9-10

Page 19: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Interoperability Program Summary

Each entry below gives the Interoperability Imperative, the Task Description, and the Project Benefit to the National Capital Region.

Offices Operational Centers
– Task Description: Connect Emergency Operations Centers (EOCs). Leverage existing off-the-shelf solutions to seamlessly integrate the Emergency Operations Centers. Select a jurisdiction to develop a pilot application and serve as an NCR model. This will facilitate testing and validation of the EOC interoperability solution.
– Project Benefit to the National Capital Region: This integration will allow for increased coordination, faster regional response times, and backup in case of system failure or center outages.

Field Mobile Operations
– Task Description: Design and procure the physical pathways (I-Net) necessary for interconnection among regional public network. Engineer and procure an integrated solution for interoperable interconnection. Develop pilot application for incident command and control management and sharing of public safety resources related to E9-1-1, and protocols for interoperating in a regional crisis.
– Project Benefit to the National Capital Region: Specific benefits of private network interconnections (I-Nets) include the ability to interconnect the region’s 9-1-1 Centers, and to create an interoperable regional communications fabric supporting public safety broadband wireless systems.

Field Mobile Operations
– Task Description: Design a regional interoperable/interconnected broadband wireless network providing outdoor coverage for the NCR. Collect NCR first responder broadband application security, functional and performance requirements.
– Project Benefit to the National Capital Region: A regional wireless broadband network will significantly enhance first responder communication capabilities, and will provide the infrastructure to enable true voice/data interoperability via voice over IP technology.

Data & Applications
– Task Description: Deploy a high performance search capability (neutral host) to allow authorized users access to data housed in individual jurisdictions’ locations. This functionality will be available to any browser-based user whether connected through the Internet (VPN), or through a browser-compatible wireless service. A centralized security model will ensure authorized access. All data will remain under the administrative and technical control of the owner jurisdiction.
– Project Benefit to the National Capital Region: By allowing real-time electronic exchange of data for public safety, emergency preparedness officials at all levels should realize immediate improvements and cost reductions in Homeland Security data communication activities.

Page 20: Interagency Advisory Board (IAB) Meeting February 15, 2006.

FRAC Implementation & Strategic Objectives

Presenter: W. Duane Stafford
Agency: Virginia Department of Transportation
Office: Security & Emergency Management Division
Date: February 15, 2006

Page 21: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Virginia & DHS Partnership

● The Commonwealth of Virginia is currently issuing First Responder Authentication Cards (FRACs) to Federal, State and local governments.

● Virginia is working with DHS to implement FIPS 201 as a part of its FRAC Initiative.

● VDOT’s Security and Emergency Management Division (SEMD) Transportation Protective Security Section (TPS) is currently responsible for:

- FRAC development
- Testing
- Implementation
- Maintenance of the FRAC credentials and policies.

VDOT has adopted a standard FRAC for use in:

● Identifying a person’s status within the Agency (Employee or Contractor)

● Gaining physical access

● Site access to identified critical incident areas as an Emergency Responder.

[Image: FRAC Credential]

Page 22: Interagency Advisory Board (IAB) Meeting February 15, 2006.

VDOT FRAC Design

Page 23: Interagency Advisory Board (IAB) Meeting February 15, 2006.

FRAC Policy & Procedures

● VDOT has developed a FRAC policy which establishes:

– Procedures regarding the issuance and use of VDOT FRAC.
– Clarification regarding FRAC eligibility

● The policy embraces and supports both HSPD-12 and FIPS PUB 201.

● VDOT has developed a FRAC Usage Policy which establishes expectations for FRAC Holders.

● The policy explains:

– Uses of the FRAC
– Care and display of the FRAC
– Fraudulent use/abuse of the FRAC
– FRAC restrictions.

Page 24: Interagency Advisory Board (IAB) Meeting February 15, 2006.

FRAC Request Form

● VDOT, in conjunction with DHS, has developed a standard “First Responder Authentication Card (FRAC) Request” Form (SEMD 201-05).

● VDOT is currently anticipating converting the SEMD 201-05 paper form to an electronic form.

Note: The FRAC Request Form was derived originally from the Personal Identity Verification (PIV) Request for USDA ID Badge Form

Page 25: Interagency Advisory Board (IAB) Meeting February 15, 2006.

FRAC Marketing & Training

● VDOT has developed a FRAC “Frequently Asked Questions” brochure to hand out to all First Responders who are issued a FRAC through VDOT.

● The brochure explains to the FRAC holder what the FRAC is and how it is different from their regular Access Control and Identification Card.

Page 26: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Post Winter Fox

● Further develop PIV Roles and pre-register individuals.

● Develop, test and implement Logical and Physical Access Control System (Pegasys) enhancements to track FRAC credentials with reports and management.

● Develop and implement a structured way of identifying First Responders requiring FRACs throughout the Commonwealth of Virginia.

Page 27: Interagency Advisory Board (IAB) Meeting February 15, 2006.

FRAC Issues to Resolve

● The cardholder’s digital photo must be accessible prior to PIN input.

● Approved Products/Vendor Lists and Accreditation (GSA).

● NACI requirement solution for State governments.

● Cardholder Naming convention must be clarified.

● Color-Coding for Employee Affiliation must be clarified.


Page 30: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Status Brief: IAB Meeting 2/15/2006

Maryland First Responder Authentication Card

• Port of Baltimore ACS Upgrade
• Partnership with Baltimore Metro First Responders
• Alpha Testing Phase: 2000 FRAC Seats (Mobile Solution)
  – Winter Fox Demonstration 2/23/2006
  – Concept of Operations / Business Rules
• Beta Testing: Brick and Mortar Site
• Penetration:
  – MD National Guard
  – Coast Guard
  – 8 of 23 Counties and Baltimore City (After Alpha Testing)
• NCR / Baltimore
• Future:
  – Strategic implementation plan for State across all ESFs

Page 31: Interagency Advisory Board (IAB) Meeting February 15, 2006.

The George Washington University: Private Sector Credentialing

• Public sector may not be able to sustain needs of private entities such as GW with population of 20,000+ members and over 125 facilities.

• Allows for continuous provision of critical services and access to sensitive facilities or research centers.

• Promotes self-sufficiency and less reliance on first responders and public sector, thus allowing resources to be utilized elsewhere.

• Provides credibility to private sector responders/incident teams by using universally recognized credentials.

• Eases access for thousands of employees commuting from MD, VA, WV, and PA who are separated by layers of local, state, and federal law enforcement agencies, each with control points or perimeters.


Page 33: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Interagency Advisory Board (IAB)

Joint Program Handheld/Mobile Device Status for Government Smart Card

Presented by Frank Jones, DoD Access Card Office

February 15, 2006

Information and Technology for Better Decision Making

Page 34: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Plan of Action

• Gather Requirements from User Community
• Consider DBIDS Lessons Learned
• Contract for Handheld Expertise Support
• Finalize Consolidated Requirements
• Market Survey of Products Capable of Customization and Modularity
• Release Request for Information (RFI)
• RFI Vendor Responses Received
• RFI Summary Report

[Dates shown on the slide: 12/16/2005, 3/21/2006, 9/30/2005, 8/03/2005, 8/03/2005, 10/26/2005, 10/26/2005, 1/18/2006]

Page 35: Interagency Advisory Board (IAB) Meeting February 15, 2006.


Questions?

Frank Jones(703) 696-0179

[email protected]


Page 37: Interagency Advisory Board (IAB) Meeting February 15, 2006.

FIPS 201 Evaluation Program

Office of Governmentwide Policy
Office of Technology Strategy

Judith Spencer
15 February 2006

Page 38: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Presentation Agenda

• Card/Reader Interoperability Task
• Lab Development Task
• Call for Industry Support

Page 39: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Card/Reader Interoperability Task

• Update
  – 66% complete
  – FIPS 201 Category List revised
    • 19 remaining categories
    • Categories Mapped to Requirements Traceability Matrix
    • Reader categories by use case
  – Test fixture prototype developed
  – Card/reader requirements nearing completion
• Next major milestone
  – Card/reader interoperability requirement validation

Page 40: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Lab Development Task

• Update
  – 20% complete
  – CONOPS completed
  – Configuration Management Plan completed
  – Approval Procedure Template completed
• Next major milestone
  – Web enabled information source review

Page 41: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Looking for Assistance from Industry

• Evaluation Program Technical Working Group (EPTWG)
  – More technical input from reader & card manufacturers desired
  – Starting Subgroup for reader & card technical representatives
    • Weekly, in person, whiteboard meetings
    • March thru end of April
    • Review/comment/revise reader & card test procedures
    • Engineers preferred

Page 42: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Questions ?

April Giles

Contact information:

Email: [email protected]

Website: http://www.smart.gov/fips201apl

Phone: 1.202.501.1123

Page 43: Interagency Advisory Board (IAB) Meeting February 15, 2006.

RFI Results

• 71 Unique Responses
• ~13 Indicated Turnkey Service Capability
• General consistency in the cost data
  – Some questions concerning what is included
• Conclusion – Industry is prepared to provide the services required by FIPS-201 for Enrollment and Card Management.

Page 44: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Next Steps

• Develop High Level Architectural Concept

• Start tightening up the technical specifications and requirements definitions (including business requirements) for a managed solution

• Recognize differences between the ‘ramp up’ and the ‘normalized’ activities

• Awaiting results from two agency data calls – due Feb 24, 2006.

• Update Performance Metrics based on RFI feedback


Page 46: Interagency Advisory Board (IAB) Meeting February 15, 2006.


Physical Access Synergy

Page 47: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Synergy in Federal Requirements & Industry Standards

[Diagram labels: Physical Access Control System (PACS), PAIIWG, SCA, SIA]

Page 48: Interagency Advisory Board (IAB) Meeting February 15, 2006.

PACS

Objective

• No conflict or ambiguity in FIPS-201 or related documentation as they apply to PACS

• Ensure that Industry Standards are developed by SIA that are in synergy to Federal Requirements

Page 49: Interagency Advisory Board (IAB) Meeting February 15, 2006.

PACS
• M. Butler, IAB Chair
• A. Cieri, Coordinator

PAIIWG
• M. Sulak
• T. Baldridge
• S. Howard
• K. Kozlowski
• L.J. Neve
• L. Kull
• D. Vanderweele
• J. Zok
• K. Stewart
• R. Martin
• B. Gilson

SCA
• C. Medich
• D. Pfeiffer
• R. Vanderhoof
• M. Regelski
• R. Merkert
• E. Widlitz
• T. Damalos

SIA
• R. Zivney
• S. D’Agostino


Page 51: Interagency Advisory Board (IAB) Meeting February 15, 2006.

HSPD-12/FIPS 201 TRAINING MODULES UPDATE

Page 52: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Introduction

• Continuing development of a series of web-based training modules and assessment tools to assist management, administrators and users in complying with FIPS 201

• The series will assist in the consistent implementation of HSPD-12/FIPS 201 across the Federal Government

Page 53: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Timelines and Modules

• Delivery on 10/03/2005 included:
  – Module 1: PIV Overview
  – Module 2: PIV Roles and Responsibilities
• Delivery in Spring 2006 includes:
  – Module 3: Privacy Awareness
  – Module 4: Administrator (technical explanation)
  – Module 5: Appropriate Uses

Page 54: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Hosting of Modules

• Working with USALearning to host all five modules
• There may be two versions of each module:
  1. Base module-meeting a baseline set of specifications from OPM so every department may access the training
  2. Secondary module-will utilize a multi-media approach, including streaming

Page 55: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Modules Format

• Modules include three windows:
  – Video streaming, including interviews with government officials
  – PowerPoint slides
  – Transcript with hyperlinks to important topics for more details

Page 57: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Modules 3-5

• In the process of finalizing Power Point slides and narration
• Video shoot week of March 6th
  – Scheduling Subject Matter Experts to interview on camera
  – Preparing for video shoots throughout Washington, DC

Page 58: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Module 3-Privacy Awareness

• Objectives for module:
  – Explanation of individual’s privacy and means taken to secure information
  – Explanation of information collected and how it is protected

Page 59: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Module 3-Privacy Awareness, cont.

• The training will answer the following questions:
  – What technology innovations on the PIV Card itself help protect both my identity and my privacy?
  – What information about me is on the PIV Card?
  – What information is collected – and why – in order to get a PIV Card?

Page 60: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Module 3-Privacy Awareness, cont.

  – How will my information be safeguarded, and what controls are in place?
  – Who can I talk to if I have questions or concerns?

Page 61: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Module 4 – Administrator

• Objectives for module:
  – Users will understand the components within the technical infrastructure and all of the dependencies at the 1000 foot level (not the 1 foot level)
  – Explains what is needed to issue a PIV Credential

Page 62: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Module 4 – Administrator, cont.

• The training will answer the following questions:
  – What are all of the components of a credential?
  – What personal data is needed and how will the data be saved or deleted?

Page 63: Interagency Advisory Board (IAB) Meeting February 15, 2006.

Module 4 – Administrator, cont.

  – How does issuance of the credential work?
  – How is data stored on a card?
  – How is the credential configured with PKI and biometrics to enable it to be used for physical and logical access?

Module 5 – Uses of the Credential

Objectives for module:

– Explains migration from flash pass and passwords to electronic verification

– Explains the physical and logical use of the credential across domains (across entire federal enterprise)

– Explains Public Key Enabling

Module 5 – Uses, cont.

The training will answer the following questions:

– What are the primary credential uses?

  • How will physical and logical access work?

  • What is OMB Memorandum 04-04 and 05-05?

– What are other uses for the credential?

Backend Authentication Work Group (BAS WG)

15 February 2006

Status

• Membership has met several times over the last month as government only

• Expanding membership to include other interested parties (Industry or government):

– Meeting Type: Conference Call

– Date: Tuesday, 28 February

– Time: 2-4pm EST

• All interested parties should provide contact information to [email protected]

HSPD #12 Document Revision Status

National Institute of Standards and Technology

February 15, 2006

Current Activities

• FIPS 201-1 accommodation of OMB Memorandum M-05-24

• Special Publication 800-73 adjustments to accommodate Special Publication 800-76

• Reformatting of Special Publication 800-85 to separate card command conformance testing from data model conformance testing

• Federal Register Notice request for recommendations for revision of FIPS 201-1 and associated guidelines

FIPS 201-1 Accommodation of OMB Memorandum M-05-24

• Provides for interim issuance of credentials based on National Criminal History Check and requires electronic indication of interim issuance on the PIV card.

• FIPS 201-1 signed by the NIST Director and forwarded to DoC for signature.

• Awaiting signature of the Secretary of Commerce.

Special Publication 800-73 Adjustments to Accommodate Special Publication 800-76

• Biometric storage format changes

• Incorporation of previously posted errata

• Elimination of requirement to provide user PIN before permitting access to public PKI certificate information

• Proposed changes posted for public comment (comments before March 2006)

Reformatting of Special Publication 800-85

• Separates card command conformance testing from data model conformance testing

• SP 800-85A to be posted February 16 at http://csrc.nist.gov/piv-program

• SP 800-76 data model conformance requirements being included in SP 800-85B

Revision of FIPS 201-1 and Associated Guidelines

• Federal Register Notice requesting change recommendations being staffed

• Anticipate posting shortly

• Plan workshops to discuss recommended changes

– Need for change

– Impact on standards stability

– Priority and schedule determination

HSPD #12 Cryptographic Migration Plan

Tim Polk

National Institute of Standards and Technology

February 15, 2006

Relevant Specifications

• FIPS 201 does not explicitly specify key sizes or cryptographic algorithms

• FIPS 201 incorporates NIST Special Publication 800-78 and the FPKI Common Policy by reference

– Both specifications stated requirements for algorithms and key sizes

– Requirements for public key algorithms were stated inconsistently

Rationale for Cryptographic Specifications, Part One

• Moore’s Law is not negotiable!

– 80 bit cryptography is mostly dead

• 1024 bit RSA and 160 bit ECC can not be relied upon for cryptographic services to achieve HSPD #12’s goals after 2010

• For authentication keys, 80 bit strength is fine through 2010

• For signatures and confidentiality, need to transition before 2010

Rationale for Cryptographic Specifications, Part Two

• Protect Legacy Implementations

– 80 bit strong RSA (1024 bit keys) is widely used, so it is permitted by the Common Policy and NIST SP 800-78

• Avoid Unnecessary Transitions

– 80 bit strong ECC (160 bit keys) is not widely used, so force ECC implementers to curves with 224+ bits

Common Policy

• Common Policy predates FIPS 201, and has a broader scope

– Version 1 recognized only RSA

  • 1024 bit RSA, SHA-1 acceptable

  • Established migration timelines for 2048 bit RSA and SHA-256 based on certificate issuance date

– ECC added in 3/05 to support FIPS 201

  • 163 bit through 283 bit keys

  • SHA-1 and SHA-224 may be used with 163 and 224 bit keys

  • Migration timelines consistent with RSA

NIST SP 800-78

• Supports FIPS 201 and only 201

– Developed after FIPS 201, published 4/05

• Established migration timelines based on certificate expiration date

– More forgiving, since agencies can issue short lifetime certs after dates in Common Policy

– More consistent with Moore’s Law since it focuses directly on usage period for the key
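
Added example (not part of the presentation): a Python sketch contrasting a timeline keyed to certificate issuance date, as the Common Policy slide describes, with one keyed to expiration date, as the SP 800-78 slide describes. The two cutoff dates, the sample certificates and all function names are assumptions for illustration; the actual dates in either document are not given on these slides, and only RSA is modelled.

```python
from dataclasses import dataclass
from datetime import date

# RSA modulus size -> approximate security strength in bits (NIST SP 800-57).
RSA_STRENGTH = {1024: 80, 2048: 112, 3072: 128}

# Hypothetical cutoffs for 80-bit keys: assumptions for illustration only.
ISSUANCE_CUTOFF = date(2008, 12, 31)    # last day an 80-bit cert may be issued
EXPIRATION_CUTOFF = date(2010, 12, 31)  # last day an 80-bit cert may be valid


@dataclass(frozen=True)
class Cert:
    name: str
    rsa_bits: int
    not_before: date  # issuance date
    not_after: date   # expiration date


def strength(cert: Cert) -> int:
    if cert.rsa_bits not in RSA_STRENGTH:
        raise ValueError(f"unsupported RSA modulus size: {cert.rsa_bits}")
    return RSA_STRENGTH[cert.rsa_bits]


def ok_by_issuance(cert: Cert) -> bool:
    """Issuance-date style: an 80-bit key passes only if issued by the cutoff."""
    return strength(cert) > 80 or cert.not_before <= ISSUANCE_CUTOFF


def ok_by_expiration(cert: Cert) -> bool:
    """Expiration-date style: an 80-bit key passes only if it expires by the cutoff."""
    return strength(cert) > 80 or cert.not_after <= EXPIRATION_CUTOFF


def compare(certs):
    """Map certificate name -> (passes issuance rule, passes expiration rule)."""
    return {c.name: (ok_by_issuance(c), ok_by_expiration(c)) for c in certs}


# Constructed sample certificates (not real data).
SAMPLE = [
    Cert("early-3yr", 1024, date(2007, 6, 1), date(2010, 6, 1)),
    Cert("late-short", 1024, date(2009, 6, 1), date(2010, 6, 1)),
    Cert("early-long", 1024, date(2008, 6, 1), date(2011, 6, 1)),
    Cert("rsa-2048", 2048, date(2009, 6, 1), date(2012, 6, 1)),
]

if __name__ == "__main__":
    for name, (by_issue, by_expiry) in compare(SAMPLE).items():
        print(f"{name:11} issuance-rule={by_issue!s:5} expiration-rule={by_expiry}")
```

The "late-short" certificate is the short-lifetime case the slide calls more forgiving: it fails the issuance-date rule but passes the expiration-date rule. "early-long" is the reverse, a 1024-bit key that was issued in time but remains in use past the expiration cutoff.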

Summary

• HSPD #12 Cryptographic Migration timeline is as pragmatic as possible, but our options are constrained by Moore’s Law

• The Common Policy and SP 800-78 state migration timelines differently

– Consistency is being pursued by NIST

Questions?

Press Wrap-up