
Identity Management and HSPD-12

Federal IT Summit
Carol Bales
Senior Policy Analyst
Office of Management and Budget

October 22, 2008


Agenda
• Key Identity & Access Management Initiatives
– HSPD-12
– E-Authentication
– Federal PKI Policy Authority
• Facilitating E-Government through Identity and Access Management
• Government-wide HSPD-12 status
• Benefits of HSPD-12 credentials
• Next Steps

HSPD-12 Directive
HSPD-12 Objective: Improve the security of our federal facilities and information systems by implementing common processes for identity proofing and ensuring interoperability through use of standardized credentials for physical and logical access.

• Directive – Homeland Security Presidential Directive 12
http://www.whitehouse.gov/news/releases/2004/08/20040827-8.html

• Standard – FIPS 201-1: Personal Identity Verification for Federal Employees and Contractors, and associated publications (800-53A, 800-53B, 800-73, 800-76, 800-78, 800-79, 800-87, 800-96, 800-104 & 800-116)
http://csrc.nist.gov/publications/PubsSPs.html

• OMB guidance – How agencies are to implement the Directive and Standard (M-05-24, M-06-06, M-07-06, M-08-01, etc.)
http://www.whitehouse.gov/omb/memoranda/index.html

• GSA guidance – Focuses on interoperability of HSPD-12 system components
http://www.smart.gov/awg/

E-authentication Policy
E-Authentication Policy Framework

M-04-04, E-Authentication Guidance for Federal Agencies

• Describes four levels of identity assurance (Levels 1-4) for remote access.
• Applies to all transactions for which authentication is required, regardless of constituency (e.g. individual user, business, or government entity).
• Requires agencies to review new and existing electronic transactions to ensure that authentication processes provide the appropriate level of assurance. Agencies are to:
1. Conduct a risk assessment of the e-government system.
2. Map identified risks to the applicable assurance level.
3. Select technology based on e-authentication technical guidance.
4. Validate that the implemented system has achieved the required assurance level.
5. Periodically reassess the system to determine technology refresh requirements.

SP 800-63, Electronic Authentication Guidance

• Developed in response to Title II (Section 203) of the E-Government Act of 2002, which called for federal management and promotion of electronic government services.
• Identifies minimum technical requirements for remotely authenticating the identity of users over open networks.
• Recently updated to account for new developments in commercial authentication technologies and to make it more flexible.

* SP 800-63-1 released for public comment in February 2008

Federal PKI Policy Authority
The Federal Public Key Infrastructure (FPKI) Policy Authority is an
interagency body set up under the Federal CIO Council to enforce digital
certificate standards for trusted identity authentication across the federal
agencies and between federal agencies and outside bodies, such as
universities, state and local governments and commercial entities.
[Diagram: Federal PKI architecture, with the Federal Common Policy CA and the Federal Bridge CA at the centre and cross-certified participants around them: DOJ, USPS, DOS, Treasury, DOD, USPTO, GPO, Illinois, Verizon Business, ACES, Entrust, SAFE, Verisign, CERTIPATH, ORC, DEA-CSOS, Wells Fargo]

Facilitating E-Government through IdAM
E-authentication Guidance Establishes Multiple Levels of Identity Assurance to support transactions for Government-to-Citizen, Government-to-Business, Government-to-Government, and Internal Effectiveness and Efficiency. Federal PKI and HSPD-12 provide for assurance of identity up to Level 4.

OMB E-Authentication Guidance establishes Four Assurance Levels for Consistent Application of E-Authentication Across Government (increased need for identity assurance from Level 1 to Level 4):

Level 1 – Little or no confidence in asserted identity – Self identified user with password (e.g. citizen accesses website using self-registered userid/password)
Level 2 – Some confidence in asserted identity – Userid/Password (single factor) (e.g. citizen changes address of record through SSA website)
Level 3 – High confidence in asserted identity – Digital Certificate/PIN (multi-factor) (e.g. first responder accesses disaster reporting website to share operational information)
Level 4 – Very high confidence in the asserted identity – Smart Card/PIN (multi-factor) (e.g. officer accesses law enforcement database with criminal records)

How do we credential users?
• Level 1 & 2 E-authentication credential service providers: USDA, OPM, DOD, Treasury, GSA (covers citizens, business partners, federal employees and contractors)
• Trust relationships with external entities for Levels 1 & 2 (e.g. Fidelity, Wells Fargo, IdenTrust, InCommon)
• Federal PKI provides up to Level 4 assurance and is a key enabler of trust in HSPD-12 credentials.
• Other internal agency capabilities.

GSA is currently restructuring its identity and access management services and capabilities to provide a more unified approach for identity and access management services and governance.
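As an added illustration (not from the slides, OMB or GSA), the M-04-04 procedure above (risk assessment, mapping to an assurance level, technology selection, validation) and the four-level table can be modelled in a few lines of Python. The impact matrix used to map risks to levels is assumed from OMB M-04-04 Section 2.2, which the deck does not reproduce; the category names, function names and the sample impact ratings are constructed for this example and are not figures from the briefing.

```python
"""
Worked example of the M-04-04 e-authentication process: take a risk
assessment, map it to the required assurance level, select the credential
type the slide associates with that level, and validate an implementation.
"""
from enum import IntEnum


class Impact(IntEnum):
    """Potential impact of an authentication error, as rated in the risk assessment."""
    NONE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Maximum impact each assurance level (1..4) may carry per impact category.
# Assumption: this is the matrix from OMB M-04-04 Section 2.2 (also in
# SP 800-63); the slide only says risks are mapped to levels.
MAX_IMPACT_PER_LEVEL = {
    "inconvenience_or_reputation": (Impact.LOW, Impact.MODERATE, Impact.MODERATE, Impact.HIGH),
    "financial_loss_or_liability": (Impact.LOW, Impact.MODERATE, Impact.MODERATE, Impact.HIGH),
    "harm_to_programs_or_public":  (Impact.NONE, Impact.LOW, Impact.MODERATE, Impact.HIGH),
    "sensitive_info_release":      (Impact.NONE, Impact.LOW, Impact.MODERATE, Impact.HIGH),
    "personal_safety":             (Impact.NONE, Impact.NONE, Impact.LOW, Impact.HIGH),
    "civil_or_criminal_violation": (Impact.NONE, Impact.LOW, Impact.MODERATE, Impact.HIGH),
}

# Credential type per level, taken from the four-level table on the slide.
CREDENTIAL_FOR_LEVEL = {
    1: "self-identified user with password",
    2: "userid/password (single factor)",
    3: "digital certificate/PIN (multi-factor)",
    4: "smart card/PIN (multi-factor), e.g. PIV credential",
}


def level_for_category(category, rated):
    """Lowest assurance level whose allowed impact covers the rated impact."""
    for level, allowed in enumerate(MAX_IMPACT_PER_LEVEL[category], start=1):
        if rated <= allowed:
            return level
    # Unreachable in practice: Level 4 allows HIGH in every category.
    raise ValueError(f"no level covers {rated.name} for {category}")


def required_assurance_level(assessment):
    """Step 2: the required level is the highest level any category demands.

    `assessment` maps category name -> Impact; categories left out count as
    Impact.NONE.  Level 1 is the floor (assumption: the lowest defined level
    applies when no category demands more).
    """
    unknown = set(assessment) - set(MAX_IMPACT_PER_LEVEL)
    if unknown:
        raise KeyError(f"unknown impact categories: {sorted(unknown)}")
    return max((level_for_category(c, r) for c, r in assessment.items()), default=1)


def select_credential(assessment):
    """Step 3: the credential type the slide associates with the required level."""
    return CREDENTIAL_FOR_LEVEL[required_assurance_level(assessment)]


def validate_implementation(assessment, implemented_level):
    """Step 4: does the implemented credential reach the required level?"""
    return implemented_level >= required_assurance_level(assessment)


# Constructed sample assessments mirroring the four examples on the slide.
# The impact ratings are illustrative assumptions, not figures from the deck.
SELF_REGISTERED_SITE = {"inconvenience_or_reputation": Impact.LOW}
SSA_ADDRESS_CHANGE = {"inconvenience_or_reputation": Impact.MODERATE,
                      "financial_loss_or_liability": Impact.MODERATE}
DISASTER_REPORTING = {"harm_to_programs_or_public": Impact.MODERATE,
                      "personal_safety": Impact.LOW}
CRIMINAL_RECORDS_DB = {"sensitive_info_release": Impact.HIGH,
                       "civil_or_criminal_violation": Impact.MODERATE}

if __name__ == "__main__":
    for name, a in [("self-registered site", SELF_REGISTERED_SITE),
                    ("SSA change of address", SSA_ADDRESS_CHANGE),
                    ("disaster reporting", DISASTER_REPORTING),
                    ("criminal records database", CRIMINAL_RECORDS_DB)]:
        lvl = required_assurance_level(a)
        print(f"{name}: Level {lvl} -> {CREDENTIAL_FOR_LEVEL[lvl]}")
```

The point worth noticing is the max over categories: a transaction that looks harmless on reputation or financial loss still lands at Level 4 as soon as one category (here, unauthorized release of sensitive information) is rated High, which is why a single-factor password fails `validate_implementation` for the criminal-records case.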
HSPD-12 Implementation Status

Government-wide status as of September 1, 2008:

PIV credentials issued to Employees: 1 million (20%)
PIV credentials issued to Contractors: 278K (21%)
Background investigations completed for Employees: 2.5 million (51%)
Background investigations completed for Contractors: 511K (38%)
Remaining Employees Requiring PIV credentials: 5 million
Remaining Contractors Requiring PIV credentials: 1.3 million

* Above listed data is based on incomplete agency reports. Until all agencies are reporting and providing complete data, the percentages could change significantly.
* “Total Number of Employees Requiring PIV credentials” includes US military personnel.
* Numbers are approximate.

Benefits of HSPD-12 Credentials

• Provide for digital signature, encryption, and archiving of documents to improve security and facilitate information sharing.
• Attain very high trust in identity credentials during disaster response, disaster recovery, and reconstitution of government scenarios.
• Attain a very high confidence in an asserted identity when logging onto government networks from remote locations.
• Protect PII on government laptops by enabling full disk encryption using the PIV credential as the encryption key.
• Use a single authentication token for physical and logical access to all applications within and across domains.

What’s Next?

• SIMC to determine additional activities based on recommendations of the NSTC IdM Task Force
• GSA to focus on:
– Reducing authentication system development & acquisition costs
– Facilitating more cost-effective solutions for providing credentials to business partners or, through trust relationships, leveraging credentials issued by external entities
– Ensuring interoperability
• Agencies to complete issuance of HSPD-12 credentials while also implementing plans to upgrade infrastructure to use the credentials
• GSA and CIO Council groups to develop the Federal Identity Management Handbook

http://www.whitehouse.gov/omb
http://www.idmanagement.gov
http://csrc.nist.gov/piv-project
http://www.fedidcard.gov/

OMB contact: Carol Bales, 202-395-9915 Carol_Bales@omb.eop.gov

GSA E-authentication contact: Judy Spencer, 202-208-6596

Product Testing Inquiries: David Temoshok, GSA, 202-208-7655
HSPD-12 Shared Services Inquiries: Mike Butler, HSPD12@gsa.gov