What seemed like a simple objective, to develop and issue a standardized, electronically-verifiable identification card for civilian agency personnel, continues to encounter a barrage of technical and cultural challenges at a time when identification has become a critical component in the government’s efforts to embrace mobile and remote computing.
Despite the government’s aggressive push under the Identity, Credential and Access Management (ICAM) plan, only three departments are above minimum fielding levels and using the civilian personal identity verification (PIV) cards, said Paul Grant, director for cybersecurity policy in the Office of the DOD Chief Information Officer. And it remains unclear when the cards will be universally fielded across the civilian government.
Some agencies are fielding PIV cards and not using them while others are only using them for physical access, he said at a recent enterprise architecture conference in Washington, D.C.
Besides issuing the cards to federal agency and executive branch personnel, a related objective is to prompt personnel to use the cards for a variety of transactions, from physical access to federal facilities to logging onto secure government computer networks and making acquisition purchases. PIV cards are identical to the DOD's common access cards (CAC), he said.
One of the obstacles is how to deal with non-person entities, such as computer-based processes and devices, that are capable of operating on networks.
To support ICAM, the DOD is trying to eliminate all anonymous entities, person or non-person, on its networks. This is a high-priority goal for the department, but it isn't there yet because it has not solved the non-person entity issue, Grant said.
Another step on this path is the installation of non-person identity credentials on mobile devices. These credentials would positively link a device to a specific user, he explained.
Continuous monitoring of mobile devices accessing and operating on DOD and federal networks is another part of the effort.
Grant noted that there may be as many as 8 million mobile devices running on DOD networks within a few years and the identity of all those devices must be monitored for security purposes.
On the civilian side, the government is taking steps to develop a near field wireless channel standard that will allow the microchips in CAC and PIV cards to communicate securely with a mobile device. This would permit positive identification of both the user and the device. The technology would also help create a security process that could automatically remove a person or a device from the network if that identity is compromised.
The DOD is also working on the generic identity command set (GICS) standard to provide CAC and PIV cards with additional capabilities. The goal of this effort is to make secure access cards more useful to their users.
The DOD recently launched a pilot program with Washington, D.C. and Philadelphia metropolitan transportation agencies to use the GICS standard to load metro fare data onto the cards, eliminating the need for cardholders to carry a separate metro fare card. The goal is to expand this to PIV-Interoperable (PIV-I) cards. "Making the card more valuable to our users is one of our objectives," Grant said.
For mobile devices, the DOD has a joint mobile technology tiger team consisting of many different agency and service groups working together to help launch secure mobile device capabilities for the department. Despite multiple ongoing pilot programs, only BlackBerry devices are now fully accepted for secure messaging and communications within the DOD, Grant said.
One of the key requirements that the DOD wants in mobile devices is encryption of data at rest. The DOD has been working with mobile device makers to hammer out a set of requirements permitting handhelds to access both classified and unclassified networks.
The DOD has also issued a request for proposal to industry for a mobile device management (MDM) system to help administer personal and agency-issued handhelds. One of the department's requirements for an MDM system is the ability to support strong credentials identifying both people and devices, Grant said.
At the highest security levels, BlackBerry users with devices approved for level 4 (secret) use smart card reader sleds attached to their devices for secure communications. But this method is cumbersome and disliked by high-ranking staff, Grant said. To streamline the credentialing process, the DOD is working with the National Institute of Standards and Technology to develop new standards supporting credentials that would link a person directly with a device.