Award-winning PKI projects streamline processes, increase convenience
12 August, 2013
category: Digital ID, Government, Health, Smart Cards
Federation winner – DMDC
JPAS system migrates from passwords to PKI
The Joint Personnel Adjudication System (JPAS) moved from the Defense Security Service to the Defense Manpower Data Center (DMDC) in June 2010. Shortly after the transition, work began on compliance with Joint Task Force-Global Network Operations Tasking Order 07-15, the mandate to implement Public Key Infrastructure authentication with Defense Department credentials.
What is JPAS?
The Joint Personnel Adjudication System (JPAS) is a consolidated Department of Defense database for verifying and distributing security clearance information for DOD personnel across agencies.
Spanning military, government and civilian personnel as well as industry contractors, JPAS provides a near-real-time, single source for clearance-granting information. Before JPAS, security clearances were tracked in an assortment of databases managed by numerous agencies.
JPAS is accessible over the Internet and allows new clearance requests and updates to personnel records to be submitted from virtually anywhere. Security managers can work with clearance information directly and submit clearance requests to Central Adjudicating Facilities and other responsible agencies.
The primary challenge in the move to PKI was the tens of thousands of JPAS users who did not qualify for a Defense Department-issued PKI credential. This population includes more than 20,000 private sector users, personnel from other federal agencies and contractors.
JPAS' solution was to accept every Defense Department-approved hardware-based credential at medium assurance levels. The new system accepts credentials held on USB tokens or smart cards, including individually issued corporate smart cards and PIV-I credentials.
In January 2012, JPAS officially removed its username/password authentication method becoming one of the first Defense Department Web applications to accept approved external PKI credentials.
“When the JPAS application login is requested, the user’s certificate information is provided to the JPAS application,” explains Autumn Crawford-Grijalva, project manager with DMDC. “JPAS then conducts Certificate Policy Identifier filtering to ensure that only FIPS 140-2 compliant hardware cryptographic modules are being used, mitigating the risk of users sharing software credentials.”
The Defense Manpower Data Center has three specific methods to ensure proper identification across the various forms of approved credentials. "For Defense Department Common Access Card certificates, the unique value is the DOD Identifier; for PIV and other approved certificates, the unique value can be the Federal Agency Smart Credential Number or a unique value that has been amalgamated from the credential itself," says Crawford-Grijalva.
In the event that an external user’s unique identifier is not found in JPAS – for example a first time user – the JPAS application will redirect to a self-registration screen where the user’s JPAS account can be linked with their certificate via an additional knowledge-based authentication factor.
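The login flow described above (certificate presented to the application, Certificate Policy Identifier filtering, unique-identifier lookup, and a self-registration fallback guarded by a knowledge-based factor) as an added example in Python using the `cryptography` library. This is illustrative code written for this page, not DMDC or JPAS code. The policy OIDs are placeholders under the 2.999 example arc (a real allow-list holds the hardware policy OIDs from the applicable DoD and Federal Bridge certificate policies); the assumption that a CAC-style subject CN ends in the ten-digit DoD ID, the issuer-plus-serial amalgamation for other credentials, the in-memory account and knowledge-based-answer tables, and the self-signed test certificates are all constructed for the example.

```python
"""Added example of JPAS-style certificate login mapping (not DMDC/JPAS code).

Policy OIDs, the subject CN layout, the account table and the KBA answers are
placeholders constructed for this illustration.
"""
import datetime
import hashlib
import hmac

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Placeholder policy OIDs under the 2.999 example arc (assumption). A real
# allow-list holds the DoD / Federal Bridge medium-hardware policy OIDs.
HARDWARE_POLICY_OIDS = {"2.999.1.9", "2.999.1.42"}

# Constructed tables: certificate identifier -> account, and account -> hash of
# the knowledge-based answer. Production keeps these in a database and uses a
# salted, stretched hash plus rate limiting for the KBA step.
ACCOUNTS = {"dod:1234567890": "jpas-user-1"}
KBA_ANSWERS = {"jpas-user-2": hashlib.sha256(b"mothers-maiden-name").hexdigest()}


def policy_oids(cert):
    """Dotted-string policy OIDs asserted in the certificatePolicies extension."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.CertificatePolicies)
    except x509.ExtensionNotFound:
        return set()
    return {info.policy_identifier.dotted_string for info in ext.value}


def passes_policy_filter(cert):
    """Certificate Policy Identifier filtering: accept only if at least one
    asserted policy is on the hardware allow-list, so a software credential
    (which asserts a different policy) is rejected even if otherwise valid."""
    return bool(policy_oids(cert) & HARDWARE_POLICY_OIDS)


def unique_identifier(cert):
    """Derive the lookup key for a credential.

    CAC-style certificates (assumption): the subject CN ends with the ten-digit
    DoD ID, e.g. DOE.JOHN.Q.1234567890 -> 'dod:1234567890'. Anything else gets
    a value amalgamated from the credential itself: issuer DN plus serial
    number, a pair an issuing CA must keep unique.
    """
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    tail = cn.rsplit(".", 1)[-1]
    if len(tail) == 10 and tail.isdigit():
        return "dod:" + tail
    return "ext:%s/%x" % (cert.issuer.rfc4514_string(), cert.serial_number)


def authenticate(cert):
    """Outcome of a login attempt: ('reject', reason), ('login', account) or
    ('self_register', identifier) when the credential is approved but unknown."""
    if not passes_policy_filter(cert):
        return ("reject", "no approved hardware policy OID: %s" % sorted(policy_oids(cert)))
    uid = unique_identifier(cert)
    if uid in ACCOUNTS:
        return ("login", ACCOUNTS[uid])
    return ("self_register", uid)


def self_register(cert, account, kba_answer):
    """Link an approved but unknown certificate to an existing account once the
    user passes the additional knowledge-based factor. Returns True on success."""
    if not passes_policy_filter(cert):
        return False
    expected = KBA_ANSWERS.get(account)
    given = hashlib.sha256(kba_answer.encode()).hexdigest()
    if expected is None or not hmac.compare_digest(expected, given):
        return False
    ACCOUNTS[unique_identifier(cert)] = account
    return True


def make_test_cert(subject_cn, issuer_cn, policies, serial=1000):
    """Self-signed certificate constructed for the example (no real CA involved)."""
    key = ec.generate_private_key(ec.SECP256R1())
    start = datetime.datetime(2013, 8, 12, tzinfo=datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
        .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
        .public_key(key.public_key())
        .serial_number(serial)
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=365))
        .add_extension(
            x509.CertificatePolicies(
                [x509.PolicyInformation(x509.ObjectIdentifier(oid), None) for oid in policies]
            ),
            critical=False,
        )
    )
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    cac = make_test_cert("DOE.JOHN.Q.1234567890", "Example DoD Test CA", ["2.999.1.9"])
    print(authenticate(cac))   # ('login', 'jpas-user-1')
    soft = make_test_cert("DOE.JOHN.Q.1234567890", "Example DoD Test CA", ["2.999.1.5"])
    print(authenticate(soft))  # rejected: only a software policy asserted
    ext = make_test_cert("Jane Roe", "Example Corp CA", ["2.999.1.42"], serial=4660)
    print(authenticate(ext))   # ('self_register', 'ext:CN=Example Corp CA/1234')
    print(self_register(ext, "jpas-user-2", "mothers-maiden-name"), authenticate(ext))
```

The policy filter only proves which policy the issuing CA asserted, so it is meaningful only after the certificate has chained to an approved trust anchor and passed a revocation check; the example leaves both to the TLS layer in front of the application. The identifier derivation is the part that deserves the most scrutiny in a real deployment: if two approved issuers could ever produce the same amalgamated value, one user could be logged into another's account.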
The DMDC is confident that the JPAS solution will provide a more user-friendly and secure authentication experience. “The primary benefit for the end user is that it eliminates the need to remember and maintain username/passwords, while at the same time increasing application security and privacy protection,” explains Crawford-Grijalva. “Users no longer need to create a new 15-character password with specific sets of uppercase/lowercase, numbers and special characters every 6 months.”
The benefits of the new system extend to other uses of the credential as well. "An ancillary benefit to the users who had not previously held a PKI credential is that they can use their certificates for digital signing of electronic forms or email messages and for receiving encrypted email," says Crawford-Grijalva.
While the solution is already producing promising results, the DMDC has an eye on the horizon. "Several other Defense applications have approached JPAS to assist in similar PKI solutions for their web applications," says Crawford-Grijalva. "The Industrial Security Facilities Database, Secure Web Fingerprint Transmission, Defense Central Index of Investigations and the Defense Contract Management Agency have all expressed interest."
The JPAS initiative is an extensive one, drawing expertise from a wide range of both Federal and industry players.
Collaboration winner – Cancer Institute
Research processes accelerated with cloud-based PKI
The National Cancer Institute integrated PKI-based, interoperable digital identities into its Cancer Therapy Evaluation Program.
Through the use of PKI, the institute enables government and industry cancer researchers to accelerate the start-up phase of clinical trials by securely accessing, reviewing, signing and exchanging cloud-based documents. It is a pioneering use of interoperable digital identities that demonstrates how clinical trial initiation can be accelerated while simultaneously reducing costs.
“Company researchers used digital identities acquired from a provider compliant with the PKI-based SAFE BioPharma standard and the U.S. Government’s Federal Bridge,” says Steven Friedman, chief of Clinical Trials Operations and Informatics at the institute.
The solution relies on cross-certification between SAFE BioPharma, the identity trust hub serving the biopharmaceutical and health care industries, and the Federal Bridge, so that each trusts credentials issued under the other.
Cancer Institute researchers participated in the first phase of a pilot study that tested the use of PKI-based interoperable digital identities and cloud-based digital signatures to eliminate reliance on paper forms in clinical trials.
The pilot study included researchers from both the National Cancer Institute’s Cancer Therapy Evaluation Program and Bristol-Myers Squibb. The Cancer Institute researchers were issued digital identities from the Federal Bridge while the Bristol-Myers Squibb participants received certificates from SAFE BioPharma.
Cross-certification of the Federal Bridge and SAFE BioPharma ensures interoperability: a digital identity asserted under one can be trusted by relying parties of the other.
Friedman explains that doctors and medical researchers are a busy and surprisingly mobile group, and the benefit of PKI is its ability to streamline their daily routine.
“The new solution simplifies the user experience by expanding the number and kinds of devices that can be used for authenticating and signing,” explains Friedman. “Researchers are no longer tethered to the computer, they can now use their smart phone to authenticate to a site and electronically sign documents.”
As with the Federal sector, legally binding signatures are a vital utility in health care. The pilot at NCI is further proof of this.
“As more and more businesses and governments convert from paper operations to online services, they will benefit from trusted authentication, digital signing of electronic documents and above all the ability to assert a trusted identity,” says Friedman.