NASA Personal Identity Verification (PIV) High Level System Overview
Tice F. DeYoung, PhD
14th Fed/Ed Workshop, December 14, 2006
NASA PIV System Constraints
The NASA PIV System will meet the following constraints:
• Utilize the existing and evolving NASA networks
• Utilize the NASA Operational Certificate Authority (NOCA)
• Integrate with NASA authentication services; specifically those provided by the Agency Public Key Infrastructure (PKI), the Agency Enterprise Directory, and the Agency Active Directory
• Integrate with existing and evolving identity data management products, tools and processes, specifically those provided by the NASA Integrated Services Environment (NISE)
• Meet HIGH IT Security information categorization for Personal Identity and Authentication and Security Management
• Reflect guidance, direction, and requirements provided by the NASA Office of the Chief Information Officer (OCIO), NASA Office of Security and Program Protection (OSPP), OMB and NIST
NASA PIV Status
• NASA Operational CA (NOCA) Key Generation Ceremony completed 22 September ‘06
• PIV-I process and PIV-II compliance demonstrated 27 October ‘06; cards issued to two people (Karen Petraska and Walter Hussey)
• Completed draft of PIV Design Document
• Completed Biometrics Requirements Document
• Completed test card procurement; production card award in process
• Conducted successful PIV Preliminary Design Review (PDR), 15 November ‘06
• Received PDR comments; currently dispositioning them
• Complete biometrics Proof of Concept by 22 December ‘06
NASA PIV High Level Requirements
The NASA PIV System shall:
• Comply with FIPS 201 requirements for applicant enrollment, card production, and card issuance for Federal employees
• Create and store new identities for new NASA employees, contractors and partners
• Track information related to identity proofing documents, fingerprints, and background checks
• Issue a PIV-II compliant Smart Card badge that contains a PKI identity certificate and capability for optional PIV certificates
• Manage the issuance lifecycle for PIV-II compliant Smart Cards
• Flow information appropriately through interconnected NASA systems (AD, CIMS, CBACS)
• Produce NASA PIV cards for which CBACS is able to enable physical access control
• Provide NASA data via automated interface to the Office of Personnel Management (OPM) and/or the Federal Bureau of Investigation (FBI) in an acceptable format
• Support commercial bulk printing of NASA PIV cards as well as Face-to-Face NASA PIV printing
• Within all subsystem components, meet NIST 800-53 HIGH controls
Issues
• Storage of fingerprints during the PIV process?
• Requirements for the number of certificates to be accommodated by the data model, and plan for implementation phasing?
• Interim versus final identity proofing and registration processes
  – OPM questions (type 4 vs type 14, MOU, electronic links, etc.)
  – Document verification
• Roles clarification (PIV process – FIPS 201, HR Desk Reference Guide, NASA OSPP processes and guidance, business architecture)
• Processes for badges that require physical/logical access for fewer than 180 days
• Training, change management and test strategy
Remaining Major Tasks
• Decision/input point for batch versus F2F printing
• Finalizing production badge templates
• Complete use cases and processes for life cycle management for card holders and cards
• Key management process between Oberthur and NASA
• Clarify CMS Card Identification Number (CIN)
• Complete Security Plan, Test Plan, Training Plan
• Complete biometric Proof-of-Concept & procurement
• Workflow development and interface
• NOCA production transition
• Production card profiles and batch process
NASA PIV Target Architecture

[Architecture diagram; only the box labels and flow labels survive in the transcript. Components shown: CMS DB; CMS / BMS; BIO DB; Biometric Server; IDMAX; NOCA (Certificate Authority, OCSP); PKI x.500; Enterprise LDAP; NDCAD; CIMS; PIV Services; PACS; LACS; Center DB; HR; and the Enrollment / Finalization station with a contactless smart card reader, biometric live scan, digital camera and Fargo printer (with magstripe). Labelled flows between them: Employee Data; Employee Data, UUPIC; Certificates & Requests; Verification Certificate; Enrollment & Encoding Data; Name, CHUID, Legacy Prox; ACL; Locator; Account Authorization; PIV Events. Which boxes each flow connects is not recoverable from the transcript.]

Legend: IDMAX – Identity Management and Account Exchange; CIMS – Cyber Identity Management System; PACS – Physical Access Control System; LACS – Logical Access Control System
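The target architecture names a certificate authority, an OCSP responder and a LACS relying party, but the deck does not spell out the checks a relying party performs before accepting a card's PKI identity certificate. The Go program below is an added example, not part of the deck and not NASA code: it stands up a throwaway CA in place of NOCA, issues a PIV authentication certificate to a card holder, and runs the relying-party checks (chain to the CA, validity window, client-authentication usage, revocation status, and a signed challenge proving the card holds the private key). The revocation check uses a local revoked-serial set standing in for an OCSP answer, because the deck does not describe the responder interface; the CA and holder names, the P-256 ECDSA key type and the validity periods are all assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PIVIssuer is a throwaway stand-in for the NOCA (assumption, not NASA's CA):
// it holds the CA certificate and key plus the serials it has revoked. The
// revoked set replaces an OCSP query, which the deck names but does not specify.
type PIVIssuer struct {
	Cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	revoked map[string]bool
	serial  int64
}

// NewPIVIssuer creates a self-signed CA (hypothetical name; 10-year validity assumed).
func NewPIVIssuer(name string) (*PIVIssuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &PIVIssuer{Cert: cert, key: key, revoked: map[string]bool{}, serial: 1}, nil
}

// IssuePIVAuthCert issues a client-authentication certificate for a card holder.
// The returned private key models the key on the card; on a real card it never leaves the chip.
func (ca *PIVIssuer) IssuePIVAuthCert(holder string, validity time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ca.serial++
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial),
		Subject:      pkix.Name{CommonName: holder},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Revoke records a serial as revoked (what a CA would publish via OCSP or a CRL).
func (ca *PIVIssuer) Revoke(c *x509.Certificate) { ca.revoked[c.SerialNumber.String()] = true }

// VerifyPIVAuthCert performs the relying-party (LACS) checks at time `at`:
// chain to the CA, validity window, client-auth usage, then revocation status.
func VerifyPIVAuthCert(c *x509.Certificate, ca *PIVIssuer, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := c.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	if ca.revoked[c.SerialNumber.String()] {
		return errors.New("certificate revoked")
	}
	return nil
}

// SignChallenge is the card's side of authentication: sign the verifier's nonce.
func SignChallenge(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// CheckChallenge is the verifier's side: the signature must verify under the
// public key in the (already validated) certificate.
func CheckChallenge(c *x509.Certificate, nonce, sig []byte) bool {
	return c.CheckSignature(x509.ECDSAWithSHA256, nonce, sig) == nil
}

func main() {
	ca, _ := NewPIVIssuer("Example PIV CA (stand-in for NOCA)")
	cert, key, _ := ca.IssuePIVAuthCert("Example Card Holder", 24*time.Hour)
	nonce := []byte("constructed verifier nonce") // constructed sample input
	sig, _ := SignChallenge(key, nonce)
	fmt.Println("valid card:", VerifyPIVAuthCert(cert, ca, time.Now()), CheckChallenge(cert, nonce, sig))
	fmt.Println("after expiry:", VerifyPIVAuthCert(cert, ca, time.Now().Add(48*time.Hour)))
	ca.Revoke(cert)
	fmt.Println("after revocation:", VerifyPIVAuthCert(cert, ca, time.Now()))
}
```

The order of checks matters: revocation status is only meaningful for a certificate that already chains to the trusted CA, and the challenge signature is only meaningful once the certificate has passed both, otherwise an attacker who copied a revoked or expired certificate's public data could still present it.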