HSPD-12 - PowerPoint Briefing for HUD Management 9-9-05


Homeland Security Presidential Directive 12 (HSPD-12)
“Personal Identity Verification (PIV) of Federal Employees and Contractors”
October 27, 2005

HSPD-12 Briefing Outline
- Executive Summary
- Implementation Highlights
- Where We Are Now
- Issues

Executive Summary
HSPD-12
- Homeland Security Presidential Directive 12 was signed by President Bush Aug. 27, 2004.
- “…It is the policy of the United States to enhance security, increase government efficiency, reduce identity fraud, and protect personal privacy…”
- Improved personal identity verification (PIV) of all federal employees and contractors.
- Interoperable ID badges/“smart cards.”

Executive Summary
HSPD-12 Control Objectives
“Secure and reliable forms of identification” must be:
- Issued based on sound criteria for verifying an individual employee’s identity.
- Strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation.
- Able to be rapidly authenticated electronically.
- Issued only by providers whose reliability has been established by an official accreditation process.

Executive Summary
To implement, we must…
- Strengthen and standardize identity verification process.
- Operate a comprehensive PIV card authentication and personal identity verification system.
- Procure standard ID badges/smartcards, readers, and PKI services per FIPS 201.
- Capture index fingerprints on PIV card, and store fingerprints in database.

Executive Summary
Guidance and Standards
- Federal Information Processing Standards (FIPS) 201 for HSPD-12, developed by NIST.
- FIPS 201 breaks down requirements into “PIV I” and “PIV II.”
- Includes NIST Special Publications:
  - SP 800-73 – Smart card requirements.
  - SP 800-76 – Biometric requirements (fingerprints).
  - SP 800-78 – Cryptographic requirements (PKI).
  - SP 800-79 – Certification and accreditation (C&A).
  - SP 800-85 – Testing procedures for PIV products.

Executive Summary
FIPS 201 (Part 1 & II)
- PIV I – the process
  - Strengthens “identity-proofing” and background investigations.
  - Defines credential issuance process.
  - Mandates privacy protections.
- PIV II – components of the PIV system
  - Interoperable PIV Card.
  - Card Management Subsystem.
  - Access Control Subsystem.
  - Identity Management System (IDMS).
  - PKI credential.

Implementation Highlights
Due Dates
- By Oct. 27, 2005: PIV-I:
  - Identity proofing and credential issuance process complies with FIPS 201, part 1. Completed.
- By Oct. 27, 2006: PIV-II:
  - New employees/contractors: Issue only PIV-II compliant cards and require use for both physical and logical access.
  - Existing employees/contractors: Begin replacing cards.
  - FBI National Criminal History (fingerprint) Check portion of background investigation before PIV Card issuance.
  - Full National Agency Check with Inquiries (NACI) must follow.
- By Oct. 27, 2007:
  - Finish replacing cards for current employees/contractors and require use for both physical and logical access.
  - All federal employees with less than 15 years of service and all contractors must be identity proofed with a minimum of a NACI.

Where We Are Now
- Currently compliant with all FIPS 201 requirements for PIV I.
- PIV I Guidance issued.
- New PIV I form being utilized.
- New HR hiring practices are in place.
- Conducted training for all OSEP employees associated with the PIV I process.
- CPO conducted Contracting Officers training.
- New HUDAR clause is written.
- OSEP has started Certification and Accreditation process.
- GSA currently working on hiring contractor support for future DSX upgrades and additional hardware.

Government Wide
HUD Involvement
- Federal Identity Credentialing Committee (FICC)
- Interagency Partnership Working Group meetings
- Smart Card Interagency Advisory Board (IAB)
- Interagency Privacy Committee

Next Steps
- Future Issues:
  - High project implementation costs.
  - Integration of DSX to HUD infrastructure.
  - HUD computer network access will require use of PIV card (including PKI credential).
  - PKI credential has never been used in HUD environment.
  - Procurement risks:
    - Currently there are no products or services that are certified to be FIPS 201 compliant.
    - GSA will require purchases of products using Schedule 70 (HITS?).
    - GSA will not have new Schedule 70 in place until May 2006.