Federated ICAM Introduces New Capabilities for First Responders
Public safety stakeholders seek to advance trusted information-sharing capabilities.
Public safety agencies are seeking ways to reliably grant mission-critical information access to authorized users while also ensuring security and data integrity. Technical pilot projects sponsored by the Office of the Director of National Intelligence and the Cybersecurity and Infrastructure Security Agency demonstrated cross-domain federated identity, credential and access management for secure information sharing for first responders in Texas and Tennessee.
The ability to dynamically manage access to information systems, whether it involves data about drug overdoses, sensitive federal threats, criminal justice information, geographical information system (GIS) mapping, or physical access to a crime scene or response perimeter, is central to today’s public safety information technology environment. Identity, credential and access management (ICAM) is responsible for the governance, policies and technologies needed to make this happen.
The Office of the Director of National Intelligence (ODNI) and the Cybersecurity and Infrastructure Security Agency (CISA) co-sponsored pilot projects with the Texas Department of Public Safety and the Tennessee Dangerous Drugs Task Force to test public safety communications and ICAM technologies. Both organizations play active roles in supporting public safety communications nationwide. A federated ICAM solution allows one organization to accept another organization’s identity processes and procedures such as identity proofing, credentials and attributes based on inter-organizational trust.
Among other functions, CISA manages federal support to SAFECOM and the National Council of Statewide Interoperability Coordinators, stakeholder-supported public safety communications programs that promote interoperability. The ODNI supports the President’s National Security Strategy of 2017, which calls for defending communities from illegal fentanyl and opioid threats, some coming from transnational criminal organizations. This project advances the nation’s objectives in today’s dynamic public safety environment to prepare agencies for the First Responder Network Authority (FirstNet), nationwide 911 improvements and other information technology advances. The federated ICAM demonstrations conducted in Texas and Tennessee highlighted the importance of secure information sharing for public safety.
ICAM addresses authentication and authorization to access logical and physical resources. ICAM concepts have been adopted for criminal justice, intelligence and national defense operations; however, implementing advanced ICAM solutions in other public safety domains remains a challenge. The pilots were done in coordination with the Georgia Tech Research Institute—the nonprofit applied research arm of the Georgia Institute of Technology—to demonstrate two different approaches to federated ICAM using standardized multifactor authentication technologies: Personal Identity Verification-Interoperable (PIV-I) cards and mobile Fast Identity Online (FIDO) authenticators. Both technologies have the potential to advance information sharing between public safety agencies and to mitigate cybersecurity risks associated with unauthorized access in a federated environment.
Federated ICAM opens many new use cases for public safety users by enabling agency- or identity-provider-managed identities to access sensitive information and other resources offered by trusted partners. The concept of federation is not new, and its benefits have been realized in other sectors as ICAM technologies, and federated identity tools have become commoditized and readily available. As organizations continue to deploy cloud services, federated ICAM technologies have become an essential part of seamless and transparent single sign-on solutions. The same single sign-on technologies commonly used for enterprise services can be leveraged for trusted information sharing in public safety. Federated ICAM is also widely used in consumer markets such as online shopping, social media and other experiences in which users can log in to multiple sites using a single credential from Facebook, Google or PayPal, among others. These technologies enable one business to leverage the identity proofing and credentialing processes performed by another, allowing transactions while keeping the details largely transparent to the user. The risks associated with social media and retail transactions may be less than those associated with public safety information sharing, but the basic concepts of federation and single sign-on are transferable from one domain to another.
To capitalize on advancements in federated ICAM technologies, state, local, tribal and territorial public safety agencies must first address gaps in identity management governance and policy, subject matter experts say. In today’s environment, agencies must not only manage legacy duties but also address an ever-increasing need to protect and share sensitive information. However, due to budget shortfalls, public safety organizations often are forced to choose between much-needed operational personnel, vehicles or network enhancements and cybersecurity experts versed in ICAM.
With these challenges in mind, the ICAM pilots focused on deploying commonly used technologies that, when combined with federated ICAM, allowed public safety users to view sensitive information they otherwise could not access. The pilots also leveraged the Trustmark Framework, an advanced technical framework for managing trust relationships and information-sharing risks among partner agencies, and the National Identity Exchange Federation (NIEF), an identity federation that serves the public safety community. Public safety participants included members from the SAFECOM and National Council of Statewide Interoperability Coordinators ICAM Working Group, which consists of representatives from national and state public safety organizations as well as ICAM subject matter experts.
Prior to the pilot, this working group identified scenarios where federated ICAM would improve public safety operations, including specific use cases that required multijurisdictional information sharing. These scenarios guided pilot design and helped participating users consider the applicability and value of federated ICAM to their own operations.
The pilot consisted of two on-site demonstrations: in Austin, Texas, with the Texas Department of Public Safety and its partners, and with the Tennessee Dangerous Drugs Task Force and its partners in Chattanooga, Tennessee. During the demonstrations, first responders presented their identity proofing evidence, such as a driver’s license, received either a PIV-I or FIDO credential and executed various test scenarios to access restricted information from partner agencies using those credentials. These technologies were chosen for their wide adoption and applicability to public safety requirements. Using these credentials, agencies were able to improve their cybersecurity postures while enabling information sharing with business partners. The pilot introduced the Foundation for Trusted Identity as a new identity provider in NIEF, with Texas Department of Public Safety’s Texas Maps GIS platform, the Tennessee Drug Investigation and Intelligence Integration System, and the Regional Information Sharing Systems Secure Cloud as relying parties.
Agency users and relying parties used a prototype version of the Trustmark Framework to convey their unique information-sharing requirements, including security policies, access control requirements and technical interoperability criteria. The framework enabled the agencies to establish trust in each other without the use of explicit bilateral information-sharing agreements.
Pilot participants represented a range of public safety roles and technical expertise. The demonstrations received positive feedback from both participants and observers. The processes instituted to proof individuals and issue and leverage credentials for multifactor authentication did not overwhelm any of the participating agencies. Users indicated that the credential technologies used in the pilot were easier and more secure than traditional login methods such as passwords.
In Texas, a first responder used their PIV-I smartcard to access the Texas Maps web service to obtain the floor plan of a local school. Participants were previously unaware of such capabilities and expressed that a school schematic or similar information could be invaluable in a response event. Tennessee users experienced a different use case, but a law enforcement officer shared a similar breakthrough where two local jurisdictions were able to share information and identify a suspect in an opioid investigation with the support of federated ICAM. FirstNet phones were tested and proved to be interoperable with FIDO credentials as well as the single sign-on technologies used in the pilot. Local drug counselors were integrated with law enforcement in the Tennessee Dangerous Drugs Task Force demonstrations to support community needs.
Beyond its operational impact, the pilot demonstrated that PIV-I and FIDO credentials can be cost-effective while also improving the cybersecurity posture of public safety agencies. These solutions could offer a certain level of affordability and product selection for large parts of the public safety community. The return on investment for PIV-I smartcards includes not only logical multifactor authentication access but also dual-use physical access to secure facilities. The PIV-I specification is also interoperable with the widely deployed PIV standard for federal employees and contractors. The FIDO standard supports logical credentials for mobile and desktop solutions.
Federated ICAM offers a web-based solution compatible with modern data platforms. End users simply open a browser and enter a service URL; federated authentication and single sign-on then occur seamlessly in the background. As long as the user has been identity-proofed and credentialed by their home agency, they can view the information, subject to applicable access controls. The displayed data does not need to be reformatted or transposed as in legacy systems. When used in conjunction with web-enabled services and integrated cloud services, federated ICAM can help remove many obstacles to interoperability and usability and can reduce costs and decrease time to market.
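The two mechanisms described above, a relying party deciding to trust an identity provider on the basis of the trustmarks it holds (the Trustmark Framework paragraph) and the relying party then accepting that provider's authentication and applying its own access controls (the single sign-on paragraph), can be shown together in a small Python model. This is an added illustration, not code from the pilot, from NIEF or from the Trustmark Framework software; the trustmark names, issuer and relying-party URLs, keys, roles, resource names and the assertion format are all constructed for the example, and an HMAC stands in for the signature a real identity provider would apply.

```python
"""Added example: a minimal relying party (RP) that (1) trusts an identity
provider (IdP) only if the IdP holds every trustmark the RP requires, issued
by a recognised assessor, and (2) validates the IdP's assertion and applies an
attribute-based access rule before releasing a resource.
Every identifier below is constructed for illustration."""
import hashlib
import hmac
import json
import time

# --- 1. Trust establishment (trustmark-style policy) ----------------------
# Constructed: trustmarks the RP requires before accepting an IdP's assertions.
RP_REQUIRED_TRUSTMARKS = {
    "identity-proofing/in-person",     # e.g. driver's licence checked in person
    "authenticator/multifactor",       # PIV-I smart card or FIDO authenticator
    "privacy/attribute-minimisation",
}
# Constructed: assessors whose trustmarks this RP recognises.
TRUSTED_TRUSTMARK_PROVIDERS = {"https://tmp.example.org"}
# Constructed registry: each IdP's trustmarks and the RP's verification key for it.
FAR_FUTURE = 4102444800  # 2100-01-01, so the sample trustmarks stay valid
IDP_REGISTRY = {
    "https://idp.example-agency.gov": {
        "trustmarks": [
            {"id": "identity-proofing/in-person", "provider": "https://tmp.example.org", "expires": FAR_FUTURE},
            {"id": "authenticator/multifactor", "provider": "https://tmp.example.org", "expires": FAR_FUTURE},
            {"id": "privacy/attribute-minimisation", "provider": "https://tmp.example.org", "expires": FAR_FUTURE},
        ],
        "key": b"constructed-shared-secret-for-demo",
    },
    "https://idp.untrusted.example": {  # only a self-asserted trustmark
        "trustmarks": [
            {"id": "authenticator/multifactor", "provider": "https://self-asserted.example", "expires": FAR_FUTURE},
        ],
        "key": b"another-constructed-secret",
    },
}


def idp_is_trusted(issuer, now=None):
    """True if the IdP holds every required trustmark, each issued by a
    recognised trustmark provider and not yet expired."""
    now = time.time() if now is None else now
    entry = IDP_REGISTRY.get(issuer)
    if entry is None:
        return False
    held = {tm["id"] for tm in entry["trustmarks"]
            if tm["provider"] in TRUSTED_TRUSTMARK_PROVIDERS and tm["expires"] > now}
    return RP_REQUIRED_TRUSTMARKS <= held


# --- 2. Assertion validation and attribute-based access -------------------
RP_AUDIENCE = "https://maps.example-rp.gov"  # constructed RP identifier
# Constructed access rule: which roles may see which class of resource.
ACCESS_POLICY = {"school-floor-plans": {"first_responder", "law_enforcement"}}


def sign(payload, key):
    """HMAC-SHA256 over canonical JSON; stand-in for the IdP's real signature."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def issue_assertion(issuer, subject, roles, key, now=None, lifetime=300):
    """Constructed IdP side: build and sign a short-lived assertion for the RP."""
    now = time.time() if now is None else now
    payload = {"iss": issuer, "sub": subject, "aud": RP_AUDIENCE,
               "iat": now, "exp": now + lifetime, "roles": sorted(roles)}
    return {"payload": payload, "sig": sign(payload, key)}


def authorize(assertion, resource, now=None):
    """RP side: return (allowed, reason). Trust, integrity, audience, lifetime
    and attribute checks are applied in order; the first failure is reported."""
    now = time.time() if now is None else now
    p = assertion["payload"]
    issuer = p.get("iss")
    if not idp_is_trusted(issuer, now):
        return False, "issuer not trusted"
    key = IDP_REGISTRY[issuer]["key"]
    if not hmac.compare_digest(sign(p, key), assertion["sig"]):
        return False, "bad signature"
    if p.get("aud") != RP_AUDIENCE:
        return False, "wrong audience"
    if not (p["iat"] <= now < p["exp"]):
        return False, "assertion expired or not yet valid"
    if not ACCESS_POLICY.get(resource, set()) & set(p.get("roles", [])):
        return False, "role not permitted for resource"
    return True, "ok"


if __name__ == "__main__":
    idp = "https://idp.example-agency.gov"
    a = issue_assertion(idp, "trooper-1", {"first_responder"}, IDP_REGISTRY[idp]["key"])
    print(authorize(a, "school-floor-plans"))
```

The order of checks matters: trust in the issuer is decided before any cryptographic work, so an assertion from a provider that lacks the required trustmarks is rejected regardless of how well it is signed, and the relying party's own access policy is applied last, after the assertion is known to be genuine, unexpired and addressed to this relying party.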
The Texas Department of Public Safety, the Tennessee Dangerous Drugs Task Force, CISA, ODNI and other pilot partners will continue to explore additional opportunities and work with the public safety community to advance federated ICAM initiatives for first responders. The demonstration sponsors identified three additional preliminary findings:
(1) In the future, FirstNet could play a role in a federated ICAM environment as an identity provider, offering a hosted identity-as-a-service to the public safety community.
(2) State GIS applications such as Texas Maps could be augmented on a nationwide scale to help the Department of Homeland Security and other federal agencies better understand and protect gas and oil pipelines, refineries and other critical infrastructure in emergencies.
(3) Flexible software tools are required to mature the Trustmark Framework from a limited-scale prototype into a scalable trust management solution. This work is ongoing and includes Department of Homeland Security Science and Technology Directorate-sponsored development of software tools and additional Trustmark Framework development sponsored by the Public Safety Communications Research Division at the National Institute of Standards and Technology.
Based on the outcome of these pilot projects and feedback from participants, the sponsors and other public safety stakeholders seek to further advance the community’s federated ICAM and trusted information-sharing capabilities. Information sharing and data access have become indispensable parts of public safety operations, and federated ICAM provides the necessary tools to improve mission efficiency, safeguard sensitive information and protect individual privacy by limiting data access to those who need it.
Col. Mike Grebb, USAF (Ret.), has 30 years of intelligence service in signals intelligence, all-source analysis, intelligence support to the combatant commands, intelligence community acquisition and collection policy, program analysis and strategic planning in industry and government.
David Nolan is currently assigned to the Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA), Emergency Communications Division (ECD). Nolan serves as a communications engineer and chief of the Advanced Technologies Branch of ECD and has over 30 years of experience in networking and communications.
Gabriel A. Martinez is a senior communications engineer who has been working in support of national security and emergency preparedness communications for over two decades. Martinez currently works for CISA within the DHS. Some of the key areas that Martinez covers include public safety communications and emerging technologies in the areas of cybersecurity, interoperability and information sharing.