The Call for Advanced Credentialling
Identity management experts see an overdue need for innovation.
The U.S. federal government needs to elevate the use of certain security measures that enable physical access to buildings—such as the common access card, or CAC—to more digitally integrated, holistic systems, experts say. The COVID-19 pandemic has heightened the need for innovation, especially as some agencies in desperation are pursuing the lowest cost, lowest technically acceptable solutions and making technical decisions without full knowledge of the key standards, such as the Federal Identity, Credential, and Access Management, or FICAM program, and Homeland Security Presidential Directive 12, commonly known as HSPD12, several officials advised yesterday at the Federal Identity Virtual Collaboration Event.
The conference, known as FedID, virtually brought together experts from around the globe to discuss trends in governmental next-generation identity solutions. The officials included: Chris Chamberlin, implementor, Future Identities branch in the U.S. Department of Homeland Security (DHS)’s Office of Biometric Identity Management (OBIM); Garrett Golubin, manager, Business Development, Strategic Partnerships at Johnson Controls Government Technologies; Maria Vachino, director of Digital Identity, Easy Dynamics Corp.; Alex Wellman, team leader, Marketing and Communications, E-Residency, Republic of Estonia; and moderator Rebecca Nielsen, director of Technology Integration, PKH Enterprises.
Additional panelists discussed the role mobile devices and digitally based identification could play in the future.
Wellman, an American working for the Estonian government in Estonia, shared that the country first deployed a digital identity (ID) card to its citizens in 2002. Although the country has only 1.3 million people, making it “a little easier for us” to implement innovative ID tools on a smaller scale, Wellman said, the United States could employ similar measures, including Estonia’s so-called X-Road, a data exchange layer of the ID system that is used by all of its agencies.
Moreover, people in Estonia place a higher amount of trust in their government’s ID solutions than other digital access tools, he emphasized. “We have a ‘once only’ principle, meaning that if you give certain data to the government, you don’t ever have to give it again,” he explained.
In the United States, at OBIM’s three-year-old Future Identities branch, officials are working on advanced ID tools, and in Chamberlin’s department, they are advancing solutions to help DHS internally, Chamberlin shared, with a focus on identifying new biometric and ID services. They are currently prototyping voice and contactless fingerprint readers, and advanced face reading services. “We are looking at new and different ways to adjust those [facial recognition] services, given what we are hearing and seeing,” he said.
The Future Identities branch is also working on a new face image quality standard to guide image collection. “And over the last 18 to 20 months we’ve been very involved in enhancing data standards of immigration data,” Chamberlin mentioned.
At Johnson Controls, which develops and manufactures security, access control, intrusion detection, video surveillance, cloud and other solutions for the identity management sector, the company is seeing more customers asking for a comprehensive, enterprise platform, Golubin said. And although the CAC itself may be a “smart” card with an integrated circuit chip, it is not being used to the extent it could be by the U.S. government.
As a federal policy, HSPD12—which was introduced by President George W. Bush—was intended to enhance security, increase governmental efficiency and implement a common identification standard for federal employees and contractors. This initiative has not been fully embraced in each agency, and there is a lack of greater interoperability, Golubin noted. Appropriately credentialed government officials cannot go, for example, from a Department of Energy building to a Department of Defense facility. He suggests that while the Office of Management and Budget does realize that there are a lot of deficiencies in the government’s physical infrastructure, it may come down to a lack of funding.
Garrett Golubin, Business Development Manager @johnsoncontrols: We are seeing a need to go to a more of an enterprise model, w/physical access controls with CAC cards and how that ties into the whole agency #FedID #AFCEA
— Kimberly Underwood (@Kunderwood_SGNL) September 9, 2020
In addition, Golubin advised that more buildings and facilities should consider employing a more sophisticated system than a single-factor identification platform. “For most facilities, especially if you are going with HSPD12 guidelines, you are going to have multifactor authentication,” he said. “In certain secure environments, you will need three- or four-factor type of authentication to meet FIPS [Federal Information Processing Standards].”
The pandemic, naturally, has exacerbated the government’s ID technology gap situation, Golubin continued. Under COVID, some agencies are simply pursuing the lowest cost, lowest technically acceptable solutions and may be making technical decisions without full knowledge of the key standards, including FICAM and HSPD12.
Vachino warned that U.S. officials do need to address the large amounts of legacy infrastructure and outdated methods already in place, before being able to fully innovate.
“There is the physical infrastructure, the software infrastructure, the legacy networks and then there is also the legacy organizational structure, where you have the police, and physical access control that is still being provided by security guards, who are still making decisions regarding HSPD12,” she stated.