GSA to update FIPS 201 offerings
On deck: New procurement, bigger chips, easier enrollment and activation
20 December, 2010
category: Digital ID, Government, Library
The General Services Administration’s HSPD-12 Managed Service Office (MSO) has quite the task ahead of it–enrolling, issuing and activating credentials for hundreds of thousands of federal employees nationwide and beyond.
Steve Duncan, program manager at the MSO, updated the Government Smart Card Interagency Advisory Board on its activities and challenges in the process to procure and maintain PIV compliant credentials.
Since the office started operations in August 2007 it has enrolled 504,000 applicants into the system, according to Duncan, accounting for 71% of the MSO clients’ eligible populations.
The MSO has actively begun reaching out to individuals by telephone if they have not yet enrolled and gotten their credentials. They are behind–by maybe ten to twenty thousand–on activated credentials, explains Duncan. “We’re working on that,” he adds.
The MSO handles credentialing for more than 80 customer agencies, commissions, and boards, and that number is growing. “We actually, just added one last week,” Duncan says. “So we keep adding to our numbers.”
The GSA has an enrollment infrastructure of about 340 stations across the country, stretching from Puerto Rico to Alaska and Hawaii. Still, says Duncan, “we’re not at all the places we need to be.”
He says there are at least 10 more sites at which they would like to have shared stations. At about 80% capacity, the current infrastructure can support more than 160,000 enrollments per month.
Duncan explains that they have started mobile circuits in which the equipment is transported to remote locations by truck or FedEx. “We’ve done this a couple of times, and it’s worked out pretty well,” he says. “We did 350 remote locations with 44 stations and reached about 50,000 people.”
There is at least one more of these mobile circuits in the planning stages to assist early adopters who are now reaching the end of the lifecycle for their certificates or awarded contracts.
Centralized production
After an applicant is enrolled in the system, the data is sent to a centralized card production facility. The card is then sent back to the enrollment site, where the applicant can activate it. Enrollment and activation have been a problem for some federal employees because of the distance they have to travel.
In an effort to simplify this, the GSA introduced the Light Enrollment and Light Activation solution. The enrollment package is sent out in a suitcase and enables direct connectivity to the USAccess central infrastructure via a public Internet connection. “This reduces or eliminates physical space, setup costs, the number of peripherals including dedicated hardware and VPN, and station certification,” Duncan says.
Light activation is another solution that uses some software, a couple of card readers, fingerprint scanners and some installation instructions. Users can install this on any desktop or laptop that has connectivity to the Internet, and perform activations there, Duncan says.
Agencies can have their cards sent to their internal security office, so the applicant only has to travel a shorter distance to get the credential activated. The GSA piloted this solution in March before going live in full production in the middle of June.
The GSA is working on something that can solve both the enrollment and activation issues. “We haven’t solved the entire piece,” Duncan says. “We hope (that by) late September, early October we will have what we call Light Credentialing.”
It will combine the enrollment and activation applications on the same PC or laptop and get rid of the cross-match machines, which Duncan notes drive costs. “There are devices out there that don’t require you to do slaps (fingerprints) and we can still capture the roles and individuals in the same forty-eight pound suitcase,” he says. “Then agencies will have a real solution to moving these things around and getting to those isolated pockets or the ones that aren’t close enough.”
What’s next?
The GSA released a request for information in July asking for thoughts and ideas on how the MSO can offer a better service to agencies. One thing is certain–they will move to a larger memory capacity card. “Our card is pretty full which is causing us grief on the key history,” Duncan says.
A key question is how to offer a solution for key recovery and key histories, and how to support that going forward with the SHA-256 hash algorithm.
Other questions include whether to:
- offer another PKI provider
- support more than one card issuer or manufacturer
- change the business model or the management structure
- offer PKI validation as a service
For dispersed locations that don’t have an enrollment station but do have a group of people needing credentials, the MSO is considering using enrollment brokers. “Where somebody that’s one of my customer agencies could sit down at another’s enrollment stations,” explains Duncan. “They can enroll them and port that data to us … we can send it off to our personalization people and then print the credential.”
The MSO is considering how it can expand the service. “Our core service has always been the enrollment and issuance of PIV credentials,” Duncan says. But he suggests there are other areas in which they could assist.
“We can capture fingerprints and send them to the Office of Personnel Management … (so) why can’t we do the same with the FBI?”
The GSA has a huge enrollment infrastructure that could be offered as a service for purposes outside the credentialing process, such as national criminal history checks. Duncan notes that the FBI was slowed for four days by the huge number of criminal history checks performed during the hiring of Census workers. This service could be used to assist in situations like that one.
As the GSA ponders the future of the MSO, it’s clear that it will continue to be a force for innovation in identification and credentialing.
State CIOs explore strong credentials
High-tech IDs getting serious attention at state level
When state CIOs were surveyed on their top 10 priorities, identity and access management made the list. At the National Association of State CIOs (NASCIO) mid-year meeting, 30 members participated in a session in which an ad hoc working group was formed to look into identity and access management issues.
At the NASCIO annual conference in September the group plans to provide a report to members on different technologies and what some states have in progress, says Chad Grant, a policy analyst with NASCIO. “The main emphasis is to see what states are doing and get a lay of the land,” he says.
The group is also working to create a roadmap for states to follow, Grant says. They are mainly investigating federated identity approaches and technology that would be interoperable from one state to another.
Though Grant downplayed the significance of this working group, some federal smart card officials think this could lead to states issuing PIV-I credentials. It could also help as states consider issuance of digital IDs as a part of the National Strategy for Trusted Identities in Cyberspace.