March 14, 2011

Biometric National ID Card

Real ID Deadline Pushed Back to January 2013

Law requires states to collect, store and share personal information from drivers

March 8, 2011

Federal Computer Week - The Homeland Security Department has pushed back the final deadline for states to comply with the controversial Real ID Act national identity management standards to Jan. 15, 2013.

DHS published a notice of the new deadline in the Federal Register on March 7. Under the previous rule, the final deadline was this May 11.

Congress passed the Real ID law in 2005 as an anti-terrorism measure, but it has gotten significant opposition. Compliance by states has been delayed several times.

Under the law, states must comply with certain standards for drivers’ licenses, including standards for collecting and storing personal information from drivers, and sharing that information electronically with other states. More than 20 states have passed legislation or nonbinding resolutions to oppose or reject Real ID.

In January 2008, DHS promulgated a final rule for implementing the law and extended the compliance date from May 2008 to this May.

In 2009, Homeland Security Secretary Janet Napolitano supported national legislation that would have loosened some of the requirements of Real ID.


Deadline Looms for Personal Identity Card Plans

March 11, 2011

Federal Computer Week - The clock is ticking as agencies rush to complete their plans for fully implementing the use of Personal Identity Verification Cards by the deadline, coming in less than three weeks.

The process started seven years ago with Homeland Security Presidential Directive 12.

Most government employees and contractors now have the cards, and readers and backend systems exist to use them, but hurdles remain to getting everything in place.

The Office of Management and Budget on Feb. 3 directed agencies to “develop and issue an implementation policy, by March 31, 2011, through which the agency will require the use of the PIV credentials as the common means of authentication for access to that agency’s facilities, networks, and information systems.”

The timeline in OMB Memo 11-11 is tight, but it should come as no surprise, said Judith Spencer, former co-chair of the Federal CIO Council’s Identity, Credential and Access Management Subcommittee.
“It’s not really new,” said Spencer, who this year left [retired from] government to become policy management authority chair at CertiPath LLC. “OMB has been telling agencies they need to use these cards. All the memo says is, ‘do it.’”

From the Federal Employees 2009 Salary Database:
SPENCER, JUDITH A OFFICE OF GOVERNMENTWIDE POLICY District of Columbia District of Columbia WASHINGTON MISCELLANEOUS ADMINISTRATION AND PROGRAM GS 15 $149,025 $0

From CertiPath LLC Press Release, January 31, 2011:

CertiPath, the trusted credentialing authority, today announced respected identity expert and former co-chair of the Federal Identity, Credential, and Access Management Subcommittee (ICAMSC) for the U.S. General Services Administration, Judith Spencer, has joined the company as Policy Management Authority chair. In this role, Spencer will set and maintain policies and drive consensus on a wide range of security issues affecting the CertiPath community. Spencer spent the last 36 years working for the federal government

From CertiPath LLC website:
With less than one month remaining for all federal agencies to file implementation plans for a federated identity credential access and management (FICAM) strategy as defined by the Office on Management and Budget Memo 11-11, CertiPath offers agency heads an accelerated path to compliance with a complete range of expert services that can both meet the fast-approaching deadline and help them execute their implementation strategy.

CertiPath provides the aerospace and defense industry's only public key infrastructure (PKI)-based communications bridge where information can be shared widely, securely, effectively and affordably between partners, suppliers and customers – regardless of the size and scope of the supply chain. CertiPath's solution tears down the burdensome and costly company, employee- and program-centric approaches to identity assurance. Today, organizations in the U.S., U.K. and Europe including Boeing, BAE Systems, Citibank, EADS, Exostar, Lockheed Martin, Northrop-Grumman, Raytheon, SITA and the U.S. Federal Bridge (FBCA) are members of this fast-growing community.

The tools are available for using the smart PIV Cards, which contain cryptographic signing keys, digital certificates and biometric information for electronically verifying the identity of the holder, Spencer said.
“The technology is absolutely at a place where we can do this,” she said. “This is not rocket science.”
But NASA’s Tim Baldridge -- who is a rocket scientist -- said implementing the technology is not necessarily easy.

The challenge comes because identity management for controlling access to physical facilities has traditionally been separate from controlling access to IT resources, said Baldridge, who is also NASA’s Identity, Credential and Access Management architect. Merging the two under a single interoperable card is not necessarily simple, but the establishment of a standardized set of electronic credentials under HSPD-12 is making it possible.
“We’ve made a lot of progress,” Baldridge said. “Today we have a consistently deployed card that is interoperable across all enterprises.” At NASA, “we have a very mature access control methodology around IT systems, and we are using that same methodology on physical access.”
NASA began working on smart cards for identification in 2002, two years before HSPD-12, said Baldridge, who was project manager for the Common Badging and Access Control System. But CBACS was a program for physical access control, separate from the NASA Account Management System being developed for computer access control. The two efforts were merged after the release of HSPD-12 as ICAM.
“We have been extremely fortunate,” in that NASA’s work done on smart ID card development prior to the presidential directive was not wasted, and was able to be incorporated into the standardized PIV Card system, Baldridge said.
NASA is not alone in fielding effective physical access control systems for PIV. The General Services Administration is using the electronic card for physical access without problems, as is the State Department. The Federal Emergency Management Agency and other agencies are successfully implementing it.
Still, “physical access is where the federal government will face the challenge,” Spencer said. “The integrator community has to be educated.”
Electronically enabled access control is more mature for IT systems than for physical facilities, said Jeff Nigriny, CEO of CertiPath, which operates a certificate authentication bridge for the defense and aerospace industry that is cross-certified with the Federal Bridge Certification Authority, and also evaluates physical access systems for agencies.
“On the logical side, there are a lot of standards for PKI access,” he said. “PKI for physical access doesn’t have nearly the same body of work available.”
Physical facilities, which can include individual offices, old and new buildings, campuses and bases, have access control systems that range from rudimentary and outdated to state-of-the-art. These are updated less frequently than computer systems are refreshed, and replacing them can require more physical labor than upgrading software or IT hardware.

Upgrades will not necessarily solve all problems. Many of the systems do not work as advertised, and the people installing them did not understand the Public Key Infrastructure that underlies certificate authentication, Nigriny said. It is not that the hardware and software of physical access control systems do not work, but they often are not configured properly to accept the proper certificates, Nigriny said.
“There is a basic lack of understanding about how PKI works,” he said. “That is what we are finding again and again.”
For this reason, Nigriny expects that a good number of agencies will fail to make the deadline for completing acceptable plans for PIV implementation. “Clearly, not every agency is going to be able to do this,” he said.

But he does not believe that the OMB mandate is premature.
“You need to start somewhere,” he said. “It’s not too early, but it’s the early days. Now is not a bad time to require it. You have to lead the technology when you’re a policy maker at the OMB level.” Companies will have time for their solutions to mature, he said. “Installation won’t begin for about a year, and industry moves very quickly.”

Baldridge agreed. “The technology is ready,” he said. “The timing of the OMB memo is based on that realization. It’s ready to use, so you need to use it.”
