Security Processes Cross Lines

August 2004
By Maryann Lawlor
E-mail About the Author

Adm. Walter Doran, USN, commander, U.S. Pacific Fleet, is processed for the first Common Access Card (CAC) in the Pacific Fleet at the Personnel Support Detachment in Pearl Harbor. The U.S. Defense Department began rolling out CACs in October 2000.
Military and industry test interoperable identity management for joint work environment.

The U.S. Defense Department and defense contractors are learning a lesson about security from the financial world. In a current government-industry project, authentication experts in both communities are examining how to create a cross-credentialing approach that will facilitate access to military, government and corporate facilities while at the same time boost security. The effort does not focus on issuing yet another security token but rather on establishing standard processes. These processes foster a level of trust that can be accepted between agencies and companies.

Phase one of the Federated Identity and Cross-credentialing System/Defense Cross-credentialing Identification System (FiXS/DCIS) pilot project began in April and is set to be complete by the end of this month. The goal of the initial work is to examine an identity management and credential verification system between the Defense Department and defense contracting firms for facility access. In the second phase of the project, the department aims to extend the solution to include network access control.

The Defense Manpower Data Center (DMDC), Monterey, California, and the Office of Information Assurance at the Office of the Assistant Secretary of Defense for Network and Information Integration, Washington, D.C., are sponsoring the project. The Federated Electronic Government Coalition (FEGC), a consortium primarily of industry associations, is conducting the project. Among the government organizations participating in the FiXS/DCIS pilot are the Defense Department’s Public Key Infrastructure Program Management Office, the National Security Agency, the Defense Information Assurance Program, the Department of Interior and the U.S. Postal Service. Northrop Grumman Information Technology, Data Systems Analysts (DSA) Incorporated, BearingPoint Incorporated, EDS Incorporated, SRA International Incorporated, Anteon International Corporation and Lockheed Martin Corporation are among the companies participating in the initial phase.

The pilot project is set up at several sites, including both military and commercial facilities. Among the military installations are DMDC’s East Coast and West Coast facilities, the office complex at Wright-Patterson Air Force Base in Ohio and the office complex at Kirkland Air Force Base, New Mexico. Corporate sites include Northrop Grumman offices in McLean and Reston, Virginia; SRA International in Fairfax, Virginia; and EDS in Alexandria, Virginia.

William Boggess, chief, access and authentication technology division, DMDC, explains that, in many ways, this project just adds a technological twist to the way business was conducted many years ago. In the past, people would ask colleagues or friends for recommendations, and they might have received a formal letter of introduction prior to entering into a business arrangement with a company or contracting for a professional service. This practice was one way to verify that potential service providers were whom they said they were and that they would provide reliable service. Likewise, in small towns, law enforcement personnel would know residents by name, so identification verification was not necessary.

But in a global economy with global threats, this personal verification is no longer possible or practical. Yet the need still exists to confirm that people are whom they represent themselves to be, Boggess offers. This requirement increased significantly after September 11, 2001, when the new mantra became “authenticate first,” he adds.

The FiXS/DCIS approach would set the standards for identity verification and credentials authentication in a number of ways. First, organizations would be required to request comparable forms of identification from everyone applying for a security token. Second, all tokens would include a high-resolution facial photograph. Third, the token would include biometric information in the form of two fingerprints.

The Defense Department’s Common Access Card (CAC) meets security standards; however, only military personnel and contractor employees who work full-time in a military facility are eligible to receive a CAC. The department does not currently have a chain of trust for facility visitors such as contractors, personnel from other government agencies or delivery and repair personnel. Defense contractors who only occasionally visit facilities must present their company credentials each time they visit a site, and firms have a variety of processes for issuing company security badges. For example, some companies accept a driver’s license as identification verification while others require a birth certificate or passport, and still others may only ask a current employee to vouch for a new employee’s identity.

Key to the success of the FiXS/DCIS project is interoperability, which is achieved through a common trust exchange policy, operating rules and technical specifications that allow organizations to exchange information equally. Currently, when Defense Department visitors arrive at a military base, they are directed to the visitors’ center where personnel can verify their credentials and allow access to the base. Boggess explains that FiXS/DCIS adds a similar verification capability for defense contractors who need to gain access to military facilities. The contractor would present a company-issued card, and base personnel would enter the card number into the system to verify identity. The process still leaves the final access decision up to the individual facility, Boggess says. In addition, military personnel who visit secure corporate sites will be able to use their CACs to enter the facility.

Many of the concepts that FiXS/DCIS is employing are based on rules used in the electronic payment industry, where specific operating rules establish standard formats and a uniform business and legal framework for exchanging financial payments. These regulations allow institutions with varying internal procedures to process payments, a situation that is analogous to the military-contractor relationship where a multitude of companies with different processes and technical platforms must agree on a common system for issuing and verifying credentials. NACHA–The Electronic Payments Association, Herndon, Virginia, supplied the expertise used in developing FiXS/DCIS operating rules.

Defense contractors who work on site at military facilities are issued CACs for secure access. The Federated Identity and Cross-credentialing System/Defense Cross-credentialing Identification System (FiXS/DCIS)  pilot project is examining how to extend this type of secure access to personnel in all defense contracting firms. In addition, military personnel would be able to use their CACs to enter contractor facilities.
Dr. Michael J. Mestrovich, co-chairman, FEGC, explains that the pilot program aims to satisfy current policies, standards and processes with a set automated access control system, including compatible trust policies for both physical and network access. In addition, the objective is to create a federated credentialing system between government and industry where the information on individuals remains with and under the control of their parent organizations. During the pilot project, metrics are being collected to determine how the system works and what improvements can be made, he adds.

From a technology standpoint, Web-based interfaces facilitate communications among all organizations. Hardware security modules ensure secure server-to-server communications. The FiXS/DCIS domain server provides four types of Web-based access. The enrollment Web site issues the basic identity token, binds the biometric information and high-resolution photograph, and then submits the record to the DCIS database. The authentication Web site collects initial data, such as the person’s name and place of employment, then checks with the domain server and compares biometrics. The domain server also accepts requests for data from a FiXS/DCIS trust broker and sends biometric information. Finally, an administrative interface enables management of the local site. When security personnel enter identification information into the authentication workstation, the system displays a stored photograph, compares biometric information, and sends a match/no-match determination to the local site’s security manager. Despite this free flow of information, the data remains under the control of the parent organization.

Mestrovich says this approach is breaking new ground in two ways. First, identification management is being viewed as a shared responsibility between the Defense Department or any other government agency and its industry partners. Second, it is the first time that the government is willing to share biometric data with its industry partners. “The interoperability and trust models are a real breakthrough,” he says.

Perry Tsacoumis, project manager, FiXS/DCIS, Northrop Grumman Information Technology, says that one of the most important factors of the pilot project is that it is not about technology. “Right now, different companies have different procedures for getting identification cards. People working at government facilities must have an I-9 certification, which requires an original birth certificate and other forms of identification. Northrop Grumman requires all of its employees to get this, but not all companies do,” he explains.

From an architectural and technological standpoint, the FiXS and the DCIS are the same. The names are different because FiXS refers to a federation of organizations—not all associated with the Defense Department—but it is the same type of system, Tsacoumis relates.

The ability to verify a person’s identity is only one of the security aspects of the system. Tsacoumis points out that an important element is the operating rules that will be set up and agreed upon regarding updating the database. For example, if a person leaves a company or employment is terminated, the credentials must be removed from the database within 24 hours. Northrop Grumman would like to see this time interval reduced to six hours, he says.

The FiXS/DCIS addresses privacy concerns as well, he adds. Concerns have been raised about government agencies collecting and storing too much personal information in their databases. Some worry that the information could be lost or stolen by hackers. Tsacoumis points out that this concern is unwarranted because only biometric information is being collected and stored and not personal information such as a home address or social security number. In addition, contractors store the data using secure socket layer technology, and the Defense Department’s information security is based on its public key infrastructure technology.

Douglas Wagoner, vice president and general manager of the capital region at DSA, points out that the FiXS/DCIS offers additional benefits. For example, the system creates an audit trail so organizations can better track who visits their facilities. In addition, agreeing on a single credential verification system saves organizations money because personnel need only one security token rather than several. “I probably have six or seven security badges, and to obtain every single one involved a completely different process,” he states.

DSA is responsible for collecting the metrics during the pilot to evaluate the project. Wagoner explains that these will include such items as how many times the system was used, the number of successes and failures in identifying individuals, and the reliability of the hardware and software.

Tsacoumis says the pilot project is going very well. After deploying the technology to all of the participating organizations, the FEGC team began focusing on interoperability and mutual trust. Changing the culture in organizations has been the biggest challenge because each has its own processes in place that do not always meet the FiXS/DCIS requirements. Part of the pilot project involves collating this data about procedures. This information will be included in the final report to the DMDC.

Tsacoumis says that once the Defense Department has reviewed the information about the pilot project, he anticipates the FiXS/DCIS will be added to the Defense Federal Acquisition Regulation within a year, then put into the Federal Acquisition Regulation soon afterward. The U.K. Ministry of Defence also is very interested in the pilot project, he adds, because international companies want to be able to work with the U.S. Defense Department as well as to collaborate securely with each other.

Enjoyed this article? SUBSCRIBE NOW to keep the content flowing.