1. 1 National Capital Region First Responder Partnership Initiative “A Scalable Standards-based Identity Solution for Incident Management”
Mr. Thomas J. Lockwood Director, ONCRC, DHS
2. 2 Joint Federal Committee Requirement (Tasked August 4, 2004 to ONCRC)
Rationale: 2001-2005 NCR “Incident Snapshot”
Sep 11, 2001 Terrorist attack on Pentagon
Anthrax crisis
Sniper incident
W. Wilson Bridge “rush-hour” attempted suicide
Washington Monument “tractor man”
2005 Anthrax scare
May 11, 2005 “no fly zone” violation during JFC update
3. 3 The Response…leveraged opportunity
Federal:
HSPD 12 signed 27 August 04
Implemented NLT 27 October 2005
Must identify “Emergency Response Officials” (COOP/COG/ESF)
State and Local:
NIST FIPS PUB 201 released on 25 February 2005
Leveraged for NCR common identity trust model
Own, control, and manage First Responder identity and attribute
Smart “identification” card:
Identity verified through standard architecture
attribute validated via PKI public key (COOP, COG, ESF, etc.)
Deliberate and urgent identity verification:
Daily “routine use” identity card becomes “crisis” identity card
No requirement to issue another identification card
4. 4 HSPD-12 Identification Verbiage
"Secure and reliable forms of identification" for purposes of this directive means identification that:
is issued based on sound criteria for verifying an individual employee's identity;
is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation;
can be rapidly authenticated electronically; and
is issued only by providers whose reliability has been established by an official accreditation process.
The Standard will include graduated criteria, from least secure to most secure, to ensure flexibility in selecting the appropriate level of security for each application.
5. 5 These are all links to different policy drivers.
6. 6 PKI identity smart card will provide the relying party with machine-read information to determine access privileges for granting access into, out of, and within various areas in a trusted and secure manner as required.
This slide shows the several different entities that will benefit from trusted and secure identity confirmation. The entities listed are Amtrak, first responders, police, DOD, and Metro (the subway system). Each has people who need access into a disaster recovery area, and the point of managing identity verification is to make sure that only trusted people enter.
7. 7 This slide shows that the emergency management community encompasses many groups. Those listed with corresponding photos include: Federal Community, Medical Community, Fire and Rescue Community, Transportation/HAZMAT Community, Infrastructure Community (such as construction workers and builders), Military and National Guard, Resident/Tribal/Non-Governmental Organization Community, Volunteer Community, Force Protection Community (such as police), Retail Community, Local Community and State Community.
8. 8 This slide describes the Enrollment and Issuance process for IDs. It shows that certain populations, such as those in State databases, volunteers, medical personnel and others who are part of the Emergency/Response/Recovery Community, need a process. In this case there is an issuance authority and an issuance workstation which share a common interface. The issuance engine, together with the Authoritative Individual Data source, interfaces directly with the Public Key Infrastructure's Shared Service Provider, which provides the following:
Card management system
Certificate Authority
Validation Authority
Web secure application
In the end, the person holding the credential (the bearer) has a credential that is valid and recognized.
9. 9 PKI Interoperability
This slide on Public Key Infrastructure (PKI) interoperability shows different credential issuers (DOD/CAC, VA/NCR/FRAC, MD/FRAC and TSA/TWIC) all issuing ID cards. Each issuer publishes certificate revocation lists, from which privileged lists are derived for each population. These, along with the First Responder Attribute Authority, all feed a Validation Authority. What it produces are compressed and signed validation lists, generated and synchronized at least every 24 hours. These feed the authorized handheld reading devices used “on the ground or at the scene”.
10. 10 This slide shows pictures of various responders (police, fire, ambulance and military) and how their PDA information format is the same: data, text and image.
The information feeds from Federal, State, Local and private sources all go into one validation center (the First Responder Validation Authority, whose list is produced and synchronized nightly) so that an ID can be validated “on the ground or at the scene”.
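Slides 8 through 10 describe the mechanism without showing it: the Validation Authority folds each issuer's CRL into a dated allow-list, compresses and signs it, and a handheld that may be “communication-out” checks a card against that list. The Go program below is an added example written for this page; it is not the presentation's own code or any FRAC program software. Raw Ed25519 keys stand in for X.509 certificates and CRL lookups, the JSON wire format, the 24-hour `maxAge`, the `ESF` attribute label and every identifier in the code are assumptions. The order matters: the reader verifies the VA signature before it inflates anything, and the PIN-gated signature over a fresh nonce is what binds the physical card to the listed identity.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"time"
)

// Entry is one credential the Validation Authority vouches for. The card's raw Ed25519
// public key stands in for its X.509 certificate (an assumption of this example).
type Entry struct {
	Issuer  string `json:"issuer"` // e.g. "VA/NCR/FRAC", "DOD/CAC", "TSA/TWIC"
	Serial  string `json:"serial"` // certificate serial number within that issuer
	ESF     string `json:"esf"`    // emergency attribute from the attribute authority
	CardPub []byte `json:"card_pub"`
}

// ValidationList is a dated allow-list, so a "communication-out" reader is self-sufficient.
type ValidationList struct {
	Issued  time.Time `json:"issued"`
	Entries []Entry   `json:"entries"`
}

// BuildList (Validation Authority side) merges issuer feeds, drops every serial found on
// an issuer CRL, gzips, then signs. Wire format: 64-byte Ed25519 signature || gzip(JSON).
func BuildList(vaKey ed25519.PrivateKey, issued []Entry, revoked map[string]bool, now time.Time) ([]byte, error) {
	vl := ValidationList{Issued: now}
	for _, e := range issued {
		if !revoked[e.Issuer+"/"+e.Serial] {
			vl.Entries = append(vl.Entries, e)
		}
	}
	var zb bytes.Buffer
	zw := gzip.NewWriter(&zb)
	if err := json.NewEncoder(zw).Encode(vl); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return append(ed25519.Sign(vaKey, zb.Bytes()), zb.Bytes()...), nil
}

// OpenList (handheld side) verifies the VA signature before inflating anything, caps the
// inflated size, and refuses a list older than the sync window.
func OpenList(vaPub ed25519.PublicKey, pkg []byte, now time.Time, maxAge time.Duration) (*ValidationList, error) {
	if len(pkg) < ed25519.SignatureSize {
		return nil, errors.New("truncated package")
	}
	sig, zb := pkg[:ed25519.SignatureSize], pkg[ed25519.SignatureSize:]
	if !ed25519.Verify(vaPub, zb, sig) {
		return nil, errors.New("validation list signature invalid")
	}
	var vl ValidationList
	zr, err := gzip.NewReader(bytes.NewReader(zb))
	if err == nil {
		err = json.NewDecoder(io.LimitReader(zr, 1<<20)).Decode(&vl)
	}
	if err != nil {
		return nil, err
	}
	if now.Sub(vl.Issued) > maxAge {
		return nil, errors.New("validation list stale: re-sync before use")
	}
	return &vl, nil
}

// Card stands in for the smart card; on real hardware the PIN check and the signing
// happen on-card and the private key never leaves it.
type Card struct {
	Issuer, Serial, PIN string
	Key                 ed25519.PrivateKey
}

// Admit is the perimeter check: the card must be on the list and the bearer must unlock
// it with the PIN to sign a fresh nonce with the listed key. The returned entry carries
// the attribute (and, on a real FRAC, the photo) the operator makes the decision on.
func Admit(vl *ValidationList, card *Card, pin string) (*Entry, error) {
	for i := range vl.Entries {
		e := &vl.Entries[i]
		if e.Issuer != card.Issuer || e.Serial != card.Serial {
			continue
		}
		if pin != card.PIN {
			return nil, errors.New("PIN verification failed")
		}
		nonce := make([]byte, 32)
		rand.Read(nonce) // fresh per check, so a recorded signature cannot be replayed
		sig := ed25519.Sign(card.Key, nonce)
		if len(e.CardPub) != ed25519.PublicKeySize || !ed25519.Verify(ed25519.PublicKey(e.CardPub), nonce, sig) {
			return nil, errors.New("card key does not match validation list entry")
		}
		return e, nil
	}
	return nil, errors.New("credential not on validation list (unknown or revoked)")
}

func main() {
	vaPub, vaKey, _ := ed25519.GenerateKey(rand.Reader)
	cardPub, cardKey, _ := ed25519.GenerateKey(rand.Reader)
	card := &Card{Issuer: "VA/NCR/FRAC", Serial: "1001", PIN: "1234", Key: cardKey}
	issued := []Entry{{Issuer: card.Issuer, Serial: card.Serial, ESF: "ESF-4", CardPub: cardPub}}
	pkg, _ := BuildList(vaKey, issued, nil, time.Now())
	vl, _ := OpenList(vaPub, pkg, time.Now(), 24*time.Hour)
	fmt.Println(Admit(vl, card, "1234"))
}
```

Two design choices are worth noting. A revoked credential is simply absent from the list, so the reader never needs the issuer's CRL or a network path to it; the price is that revocation only propagates at the next sync, which is why the reader enforces `maxAge` rather than trusting a list indefinitely. And a cloned card that copies issuer and serial but not the private key fails at the nonce check, which is the "electronic binding" the deck refers to.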
11. 11
12. 12 This slide shows all the different reasons we need a One Identity Framework: a Common Framework for Identity Proofing, Issuance and Verification. The reasons shown are:
First Responder COOP/COG State/Local
Feds & Contractor
Electronic Corporate Espionage
ID theft Banking Card Valid/Intended Bearer
GPEA Fed and Contractors
DHS Info share HSIN, HSDN
Utility Emergency Response and Preparedness
Medical Volunteers and E-patient records
Education and Student Tracking
State Real ID Drivers License
13. 13 Take Away: Public Key Infrastructure (PKI) Identity Interoperability
NCR credential requirement
Leveraged response
Policy drivers
Incident identity management
Targeted population
Enrollment / issuance process
PKI technical requirements
Mobile identity management
PKI identity proofing requirements
Benefits / outcome
This shows what people take away or learn from the presentation on PKI.
14. 14 Benefits / Outcome
Machine-read vs. discretionary identity management
Federal, State, Local PKI certificate-based identity interoperability
Multi-jurisdictional conformance (Federal, State, Local, Tribal, NGO, other)
Enables trust and cooperation for collaboration in a distributed environment
Scalable for use in other regions & cost effective implementation
Functional and reliable in a “communication-out” environment
Provides for standards-based technology migration opportunities
Supports mutual aid human resources asset management
Supports National Incident Management System (NIMS) integration of
defined Emergency Support Functions (ESFs)
15. 15 This refers to an exercise that was hosted by the DOD Pentagon Force Protection Agency and coordinated by the Office of National Capital Region Coordination at DHS.
16. 16 Multi-Jurisdictional Trust Model: Integrated/Collaborative Planning Framework
This slide demonstrates with a complex diagram that a Multi-Jurisdictional Trust Model Integrated/Collaborative Planning Framework must provide a continual process improvement loop to incorporate best practices across jurisdictions and ensure continued architectural alignment and interoperability. Used in the example are different organizations' strategic plans, mandates from NIST and Homeland Security Presidential Directives, and State, regional, county, local and private sector planning. In this case Virginia, DC and Maryland are highlighted because they are in the National Capital Region. Interoperability of systems is the key.
17. 17 Strategic Objectives
Establishment of a multi-jurisdictional identity trust model in accordance with existing standards and technology that enables interoperability for dynamic identity and emergency attribute management
Categorize all emergency response or critical infrastructure support personnel in accordance with the National Response Plan (NRP) or National Infrastructure Protection Plan (NIPP)
Integrate identity and NRP/NIPP category information into existing authoritative human resources databases/directories for use with current technology tool sets that support the electronic proliferation of trusted and secure information for access decisions
Standardize NRP/NIPP occupation sub-categories and qualifications in accordance with national and international personnel qualification standards as appropriate
Conduct exercises to integrate use with response requirements and applications development for trusted and secure electronic incident management with accountability
Proof of concept of key capabilities: personnel accountability / physical access, incident muster list, EOC notification/cross agency personnel visibility, time keeping/reimbursement; post-event notification, enhanced COOP/COG processes
18. 18 Winter Fox validated the capability to use the public-key infrastructure (PKI) to establish a multi-jurisdictional identity trust model by electronically binding PKI smart ID cards, issued from different back-end infrastructures, to authorized responders in a communication-in or communication-out environment.
The participating sites were the Virginia Department of Transportation (VDOT) Smart Traffic Center, Pentagon Federal Office Building II, the Maryland Department of Transportation Port of Baltimore and Frederick County, MD. Each site used its own PKI to validate smart ID cards issued from the other back-end infrastructures against the authorized responder presenting them, with and without network connectivity.
19. 19 Targeted Population
Targeted Participation: participation for this exercise was focused primarily on federal, state, regional, local, private sector, and public safety leadership, to give them a better understanding of the PKI identity trust model that provides multi-jurisdictional interoperability and can be leveraged for incident management of responding human resource assets.
20. 20 This slide shows two scenarios and how the perimeter access controls worked for federal and state sites. They tracked whether individuals were authenticated with their existing badges or not; those who were not were required to be escorted. There was a staging area at the outer perimeter of the incident scene, a mobile ID unit, a second-perimeter staging area, and the simulated incident scene itself as the third perimeter. At each point authentication was required to proceed.
21. 21 Winter Fox Data Sample
This slide shows a sample of the data. The six fields collected were:
TimeStamp
Cardholder Name
Card Issuer
ID Type
Summary
Operator
One is able to see when an individual tried to come on the scene and, if they entered, their exit time. It shows who issued their card and what type; some were smart cards but some were driver's licenses. The summary shows whether the attempt to enter succeeded or was rejected, and why (wrong PIN, for example).
22. 22 Winter Fox (data sample, a closer look)
This slide shows a closer look at a few slices of the data. They were able to use this to analyze who tried to enter, how long they stayed, and which kinds of cards worked and which did not.
23. 23 Winter Fox Identity Transaction Metrics
Locations:
285 total scans recorded:
138 scans into VDOT Smart Traffic Center
87 scans into Pentagon Federal Property
35 scans into Baltimore Incident Area
25 scans Frederick County, MD
Transactions:
206 Success: card validation
79 Failure: PIN verification
Technology:
5 driver's license bar code, no binding to card
263 FRACs (with digital photo) plus PIN verification
16 CACs (without photo) plus PIN verification
1 TWIC (without photo) plus PIN verification
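The data sample on slide 21 and the metrics on slide 23 imply a reduction over the handheld transaction logs: count scans by checkpoint, by outcome with the failure reason, and by credential technology, and pair each cardholder's entry with their exit for the time-on-scene view slide 22 mentions. The Go program below is an added example, not the exercise's own tooling. Its log rows are constructed; the pipe-separated layout, the `ENTRY`/`EXIT`/`REJECTED` wording of the Summary field, and the use of the Operator field as the checkpoint identifier are all assumptions, since the slides list the six fields but not their format.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Scan is one row of the handheld transaction log, using the six fields of the Winter
// Fox data sample. The checkpoint is taken from the Operator field (assumption).
type Scan struct {
	At       time.Time
	Name     string
	Issuer   string
	IDType   string
	Summary  string
	Operator string
}

// SampleLog holds constructed rows; the page lists the fields, not the record format.
const SampleLog = `2006-02-14T08:02:11Z|Doe, Jane|VA/NCR/FRAC|FRAC|ENTRY card validated|VDOT-STC-1
2006-02-14T08:05:40Z|Roe, Rick|DOD|CAC|REJECTED PIN verification|VDOT-STC-1
2006-02-14T08:06:02Z|Roe, Rick|DOD|CAC|ENTRY card validated|VDOT-STC-1
2006-02-14T08:10:15Z|Poe, Pat|MD MVA|DL|ENTRY bar code only, no bind to card|BALT-PORT-1
2006-02-14T11:30:00Z|Doe, Jane|VA/NCR/FRAC|FRAC|EXIT card validated|VDOT-STC-1
2006-02-14T12:00:00Z|Roe, Rick|DOD|CAC|EXIT card validated|VDOT-STC-1`

// ParseLog rejects malformed rows instead of skipping them: a gap in the accountability
// record is itself a finding, not something to paper over.
func ParseLog(raw string) ([]Scan, error) {
	var out []Scan
	for n, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Split(line, "|")
		if len(f) != 6 {
			return nil, fmt.Errorf("line %d: expected 6 fields, got %d", n+1, len(f))
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: bad timestamp: %w", n+1, err)
		}
		out = append(out, Scan{At: at, Name: f[1], Issuer: f[2], IDType: f[3], Summary: f[4], Operator: f[5]})
	}
	return out, nil
}

// Metrics mirrors the three groupings on the metrics slide.
type Metrics struct {
	Total, Success, Failure int
	ByCheckpoint            map[string]int
	ByIDType                map[string]int
	FailReason              map[string]int
}

// Summarize counts every scan once; a row whose Summary starts with "REJECTED " is a
// failure and the rest of that field is the reason (e.g. "PIN verification").
func Summarize(scans []Scan) Metrics {
	m := Metrics{ByCheckpoint: map[string]int{}, ByIDType: map[string]int{}, FailReason: map[string]int{}}
	for _, s := range scans {
		m.Total++
		m.ByCheckpoint[s.Operator]++
		m.ByIDType[s.IDType]++
		if strings.HasPrefix(s.Summary, "REJECTED ") {
			m.Failure++
			m.FailReason[strings.TrimPrefix(s.Summary, "REJECTED ")]++
		} else {
			m.Success++
		}
	}
	return m
}

// Dwell pairs each cardholder's ENTRY with their next EXIT to give time on scene. A
// cardholder with an ENTRY but no EXIT stays at zero so the muster list can flag them.
func Dwell(scans []Scan) map[string]time.Duration {
	entered := map[string]time.Time{}
	dwell := map[string]time.Duration{}
	for _, s := range scans {
		switch {
		case strings.HasPrefix(s.Summary, "ENTRY"):
			entered[s.Name] = s.At
			dwell[s.Name] = 0
		case strings.HasPrefix(s.Summary, "EXIT"):
			if in, ok := entered[s.Name]; ok {
				dwell[s.Name] = s.At.Sub(in)
				delete(entered, s.Name)
			}
		}
	}
	return dwell
}

func main() {
	scans, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	m := Summarize(scans)
	fmt.Printf("%d scans: %d validated, %d rejected %v\n", m.Total, m.Success, m.Failure, m.FailReason)
	fmt.Println("by checkpoint:", m.ByCheckpoint, "by credential:", m.ByIDType)
	for name, d := range Dwell(scans) {
		fmt.Printf("%-10s on scene %s\n", name, d)
	}
}
```

Rejected scans are counted under the checkpoint and credential type as well as under failures, which is how the slide's three groupings each sum to the same 285; and because `Dwell` keys on the cardholder name, two people with the same name at one checkpoint would collide, so a production version should key on issuer plus serial from the credential instead.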
24. 24 Winter Fox Validated Proof of Concepts Validated key capabilities:
A multi-jurisdictional identity trust model at a Pentagon federal facility, Virginia State facility, Maryland State port, and Maryland County municipality
Routine electronic physical access into federal and state facilities
Incident area first, second and third perimeter control using electronic identity validation for incident management
Secure access through a local municipality-controlled check point
In-transit visibility of COOP/COG human resource assets in a communication-in and/or out environment
Satellite communications (SATCOM) manifest tracking of sponsoring agency personnel to relocation sites
Federal, state, and local EOC notification and cross agency personnel visibility
Time keeping/reimbursement; post-event notification
25. 25 Next Steps
Continue working with Partnership members for FIPS 201 implementation in all of Virginia, Maryland and the NCR
Work with the public/private sector practitioner communities for coordinated FIPS 201 implementation
Coordinate and integrate NIMS qualifications with electronic identities and attribute systems of records
Standardize FIPS 201 products /services / application development
Include FRAC interoperability as a performance measure in all future exercises (federal, state, regional) for incident area, physical and logical access control procedures
26. 26 This slide shows a screen shot of what a handheld authentication and validation screen would show the person scanning the credential. The screen shows the categories listed on the slide and an image or photograph of the person to whom the card was actually issued.
27. 27 NCR Implementation Timeline
Phase I: Dates
Regional “as-is” and “to be” analysis 3/15/06-5/15/06
Includes 19 Jurisdictions + the states of Md and Va
Limited implementation for interface analysis 3/15/06-5/15/06
Mobile device and interoperability analysis 3/15/06-5/15/06
Provide recommendations and implementation plan 06/01/06
Pentagon sponsored Winter Fox exercise Done
NCR sponsored pilot exercise planning 5/15/06-6/15/06
Phase II: Dates
NCR sponsored pilot exercise 7/06
Commence regional implementation 6/1/06- 9/1/06
NCR sponsored exercises 8/1/06- 10/1/06
FEMA sponsored Forward Challenge 06 06/19/06 - 06/22/06
Phase III: Dates
Complete implementation of UASI 05 Funding 9/1/06-11/1/06
NCR sponsored exercises 11/15/06-12/15/06
28. 28 GSA Support
Enable State/Local government economies of scale for FIPS 201 procurement off the GSA schedule
Extend invitation for NCR S/L participation in FIPS 201 authorized equipment list evaluation
Use NCR as incubator for equipment analysis
Include FBCA level II in RFI/RFP infrastructure selection to support non-UASI covered First Responders
29. 29 End State: Preparedness Identity Management
Incident Management: to get the right people with the right attributes to the right places at the right times, thus reducing response/recovery times and promoting restoration to pre-incident quality of life conditions.
Intended benefit: emergency response officials will possess public-key infrastructure (PKI) identity cards that align with federal standards and enable electronic validation of identity and emergency attribute information for determining access privileges.
Additional benefit: emergency response officials will possess PKI identity cards issued by their respective sponsoring agencies in a distributed environment that can be integrated into standards-based physical and logical access systems.
30. 30 Questions?
FRACSupport@dhs.gov
Office of National Capital Region Coordination
202-254-2301
Craig A. Wilson
Partnership Coordinator
202-254-2305 (office)
703-597-4113 (cell)
craig.a.wilson@associates.dhs.gov